Disable Autorun

Before the Internet was as popular as it is today, the primary means of transferring information from one computer to another was the floppy disk. Floppy disks were passed from person to person and computer to computer all the time. Every disk had a little switch you could open or close to mark the disk write-protected or write-enabled. Viruses were frequently copied onto these disks and set to run when the disk was inserted into a new computer. Over time the Internet proved to be much faster, floppy disks were replaced by CD-ROMs, and the popularity of this type of virus waned.

Fast forward to the present day. The Internet is big and fast but is recognized as an obvious entry point for viruses. Microsoft is putting increasing restrictions (or protective measures, depending on your point of view) on Internet Explorer. At the same time, vendors are giving away writable USB thumbdrives everywhere. iPods and other mp3 players offer vast amounts of storage at a reasonable price. It turns out the virus writers have noticed this trend and are taking advantage.

At the University, a recent incident has brought this issue to the forefront. A server administrator was using Identity Finder to scan a server for sensitive data. The administrator mapped a drive to a file server and shortly after the local firewall and anti-spyware program began alerting on outbound Internet connections and registry changes.

Now alerted that something was wrong, the system administrator began looking around and discovered an autorun.inf file in the root of the share that had previously been mapped for scanning. The autorun.inf started an autorun.exe that turned out to be a trojan not recognized by Symantec Antivirus. The system administrator contacted the University Information Security Office at it-incident@iu.edu. Working with the system administrator, we searched for other compromised computers and submitted a virus sample to Symantec, who quickly released a virus definition update that recognizes the Trojan W32.SillyFDC.

There are three things a system administrator can do to prevent this situation. They are all listed in the Microsoft KB document 953252.

  1. Disable the autorun feature on your computer. This means that CDs and USB devices will not autoplay when inserted and you will not be prompted for action every time any device is connected to the computer.
  2. Prevent autorun.inf creation on file shares. Do not allow users to write to the root of file shares. Instead create a folder structure inside the share for users.
  3. Prevent use of USB devices on computers. With group policy you can easily prevent USB devices from mounting on Windows computers. With a little more work, you can also allow pre-approved devices. This will help stop the spread of any virus through USB devices, since the devices themselves will no longer work on these computers.
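
The following PowerShell script is an added example, not part of the original post, showing how a system administrator could audit and apply the three controls above on a single Windows host. The registry value NoDriveTypeAutoRun (0xFF disables AutoRun for all drive types) is what the "Turn off Autoplay" group policy sets and is the setting described in KB 953252; the USBSTOR service Start value is a per-machine fallback when no domain group policy is available. The share root path D:\Shares\Users and the group and user names are placeholders for your own environment. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): audit and apply the three
# AutoRun controls on a Windows host. D:\Shares\Users is a placeholder root.

# --- 1. Disable AutoRun for every drive type (KB 953252) ---------------------
# NoDriveTypeAutoRun is a bit mask of drive types; 0xFF disables all of them.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunState {
    $v = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $v)  { return 'not set (AutoRun enabled)' }
    if ($v -eq 0xFF)   { return 'disabled for all drive types' }
    return ('partially disabled: 0x{0:X2}' -f $v)
}

function Disable-AutoRun {
    if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
    Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# --- 2. Find autorun.inf in share roots, then lock the roots down -----------
# Reports any autorun.inf sitting in the root of a share (often hidden), the
# time it appeared and the command its [autorun] section would have launched,
# which is what an incident responder needs for triage.
function Find-RootAutorun {
    param([string[]]$ShareRoots)
    foreach ($root in $ShareRoots) {
        $inf = Join-Path $root 'autorun.inf'
        if (Test-Path $inf) {
            $item = Get-Item $inf -Force
            $open = Select-String -Path $inf -Pattern '^\s*open\s*=' -ErrorAction SilentlyContinue |
                    Select-Object -First 1
            [pscustomobject]@{
                Share    = $root
                File     = $inf
                Hidden   = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
                Modified = $item.LastWriteTime
                Launches = if ($open) { $open.Line.Trim() } else { '(no open= line)' }
            }
        }
    }
}

# Users get read/list only on the root folder itself (no (OI)(CI) flags, so the
# entry does not propagate), which stops anyone but administrators from
# creating autorun.inf there. Each user gets Modify on their own subfolder.
function Protect-ShareRoot {
    param([string]$Root, [string]$UsersGroup = 'Users')
    icacls $Root /inheritance:r `
        /grant 'Administrators:(OI)(CI)F' `
        /grant 'SYSTEM:(OI)(CI)F' `
        /grant "${UsersGroup}:(RX)" | Out-Null
}

function New-UserShareFolder {
    param([string]$Root, [string]$User)   # $User e.g. 'DOMAIN\jdoe' (placeholder)
    $path = Join-Path $Root ($User -replace '^.*\\', '')
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    icacls $path /grant "${User}:(OI)(CI)M" | Out-Null
}

# --- 3. Block USB mass storage on this machine --------------------------------
# The domain-wide method is Group Policy: Computer Configuration > Administrative
# Templates > System > Removable Storage Access > "All Removable Storage classes:
# Deny all access". Without a domain, disabling the USBSTOR driver (Start = 4;
# the default is 3, manual) stops new USB disks from mounting.
function Disable-UsbStorage {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name Start -Value 4 -Type DWord
}

# --- Usage ------------------------------------------------------------------
"AutoRun before: $(Get-AutoRunState)"
Disable-AutoRun
"AutoRun after:  $(Get-AutoRunState)"

Find-RootAutorun -ShareRoots 'D:\Shares\Users', 'D:\Shares\Projects' | Format-Table -AutoSize

Protect-ShareRoot -Root 'D:\Shares\Users'
New-UserShareFolder -Root 'D:\Shares\Users' -User 'DOMAIN\jdoe'

Disable-UsbStorage
```

Run Find-RootAutorun first: if it reports a file, treat the host that mapped the share as suspect and involve your incident response contact before cleaning anything up, since the autorun.inf is evidence of which executable was launched and when. Protect-ShareRoot replaces the root's ACL outright, so inventory the existing permissions before applying it on a production share.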
