Microsoft sees huge success combatting "autorun" malware

[neiltc13]

(MSRT = Malicious Software Removal Tool)

The Windows AutoRun updates for Vista and XP SP3 that Microsoft released in February have so far proven successful in thwarting your file corrupting ways. Although Windows 7 was updated to disable AutoPlay within AutoRun for USB drives -- freezing the ability for a virus to exploit it -- the aforementioned versions had remained vulnerable up until right after January.

Fast-forward to the period between February and May of this year, and the updates have reduced the number of incidents by 1.3 million compared to the three months prior for the supported Vista and XP builds. Amazingly, when stacked against May of last year, there was also a 68 percent decline in the amount of incidents reported across all builds of Windows using Microsoft's Malicious Software Remove Tool.

http://blogs.technet.com/b/mmpc/archive/2011/06/14/autorun-abusing-malware-where-are-they-now.aspx

http://www.engadget.com/2011/06/18/microsoft-to-malware-your-autorunning-days-on-windows-are-numbe/

----

Looks like they stubbed out one of the main ways things like this can spread. I haven't had a problem with malware or viruses at all on Windows 7.

 

[munkery]

Autorun is abused to provide an easy vector to execute malicious code without having to initially exploit a vulnerable process in memory.

All the malware vectors related to autorun were eliminated except in relation to USB which looks to be finally fixed.

Unfortunately, most malware, such as browser exploits, achieves code execution by exploiting processes in memory as opposed to abusing autorun.

This fix will not impact malware that does not propagate via USB.

 

[roadbloc]

That is very impressive. Grats to Microsoft, they've done a great job here.

 

[maflynn]

I read that article and was quite impressed myself.

I think MS has turned the corner on malware and is starting to have a fully robust OS that has few vulnerabilities

 

[Peteman100]

I think we can all agree that less malware is better for everyone

 

[munkery]

I think MS has turned the corner on malware and is starting to have a fully robust OS that has few vulnerabilities

In reality, Autorun ceased to be an big issue with the release of Windows versions that use UAC. Although, it still affected Windows XP, which does dominate in market share.

Prior to UAC, Autorun allowed the installation of malware to the system level in the typical Windows XP setup without requiring user interaction (other than inserting USB in this case) or exploitation of a process in memory.

Discretionary access controls implemented with UAC prevent system level access via autorun. Of course, autorun could have been used prior to this fix to deliver a payload that achieved privilege escalation to the system level. But, those payloads can also be delivered via other vectors, such as browser exploits.

This achievement in the battle of MS against malware is not very newsworthy.

 

[neiltc13]

This achievement in the battle of MS against malware is not very newsworthy.

It is newsworthy because it provides real figures that show that even a small change can make a huge difference.

 

[PlaceofDis]

It is newsworthy because it provides real figures that show that even a small change can make a huge difference.

agreed, and good work on Microsoft's part. Any, and every, step in combating malware is a positive one.

lets hope that we can one day get to the point where we don't have to worry about malware on our computers.

 

[munkery]

It is newsworthy because it provides real figures that show that even a small change can make a huge difference.

The graphs are biased in that the data presented only shows a small subset of the type of infections that target Windows systems to make it appear like MS has made big impact on malware infecting the platform. This is not a "huge difference" in concerns to the bigger picture.

This type of malware would have never been such as big issue if MS would have used a better default implementation of discretionary access controls in Windows XP in the first place.

So, are we really going to give MS props for fixing an issue that could have been mostly prevented prior to the release of Windows XP?

 

[KingCrimson]

The graphs are biased in that the data presented only shows a small subset of the type of infections that target Windows systems to make it appear like MS has made big impact on malware infecting the platform. This is not a "huge difference" in concerns to the bigger picture.

This type of malware would have never been such as big issue if MS would have used a better default implementation of discretionary access controls in Windows XP in the first place.

So, are we really going to give MS props for fixing an issue that could have been mostly prevented prior to the release of Windows XP?

Is OS X immune to all malware?

 

[PlaceofDis]

The graphs are biased in that the data presented only shows a small subset of the type of infections that target Windows systems to make it appear like MS has made big impact on malware infecting the platform. This is not a "huge difference" in concerns to the bigger picture.

This type of malware would have never been such as big issue if MS would have used a better default implementation of discretionary access controls in Windows XP in the first place.

So, are we really going to give MS props for fixing an issue that could have been mostly prevented prior to the release of Windows XP?

hindsight is 20/20. they finally worked away around fixing a way that malware has spread, while keeping the functionality that they wanted. as far as i can tell at least. no one, and nothing is perfect.

 

[munkery]

Is OS X immune to all malware?

No OS will be immune to all malware.

Malware that the user actively installs via an installer will never be eliminated from any OS.

Malware that exploits processes in memory will exist as long as methods exist to bypass security mitigations that prevent this type of exploitation.

Malware that can be prevented with a better default implementation of DAC shouldn't occur in the first place. It's not like knowledge of how to do so was not available at the time Windows XP was released.

hindsight is 20/20. they finally worked away around fixing a way that malware has spread, while keeping the functionality that they wanted. as far as i can tell at least. no one, and nothing is perfect.

Wow, it only took 10 years!

 

[*LTD*]

Is OS X immune to all malware?

OS X is immune to every single instance of Windows viruses and Windows malware in existence.

There is currently no way to remotely infect (a destructive, spreading virus) even a vanilla OS X installation. This has been the case for OS X's entire existence, and has always been the case for xNIX systems.

All we have for OS X that have been in the wild are around 2-3 trojans since 2001. That's it. Apparently we get a new one every two years or so. OS X isn't really immune to those specifically.

 

[roadbloc]

and has always been the case for xNIX systems.

You do realise that the first virus was for UNIX?

 

[Jagardn]

You do realise that the first virus was for UNIX?

Although true, Microsoft is just learning how to avoid it now.

 

[Rodimus Prime]

OS X is immune to every single instance of Windows viruses and Windows malware in existence.

There is currently no way to remotely infect (a destructive, spreading virus) even a vanilla OS X installation. This has been the case for OS X's entire existence, and has always been the case for xNIX systems.

All we have for OS X that have been in the wild are around 2-3 trojans since 2001. That's it. Apparently we get a new one every two years or so. OS X isn't really immune to those specifically.

Just like Windows is immune to every single instance of OSX malware and do we need do not need to go back any farther than Mac Defender to prove OSX is not immune to Malware. Also you do not get one every 2 years. It just ever few years a new on makes the news and spreads really fast in the wild. Most malware just like the window Malware has very few installs and never really makes the news. Macdefender just spread pretty far and wide.

Techelocally speaking what is being spread by this Autorun is a trojan if you want to go by definitions and on Vista and windows 7 it required you the user clicking yes to it installing.

 

[*LTD*]

You do realise that the first virus was for UNIX?

It was a proof-of-concept.

 

[SandynJosh]

Malware that can be prevented with a better default implementation of DAC shouldn't occur in the first place. It's not like knowledge of how to do so was not available at the time Windows XP was released.

Wow, it only took 10 years!

My thoughts exactly!

MS wanted to have the same plug and play functionality that MacOS has enjoyed for a long time, they just did some serious foot dragging in fixing how to get there.

 

[roadbloc]

It was a proof-of-concept.

And that changes anything how? And what about the rest? There has been more for UNIX strains. Why do you think there is is a 'virscan' command in IBM's AIX?

 

[*LTD*]

And that changes anything how? And what about the rest? There has been more for UNIX strains. Why do you think there is is a 'virscan' command in IBM's AIX?

Same reason theres antivirus software for Macs.

 

[KingCrimson]

Just like Windows is immune to every single instance of OSX malware and do we need do not need to go back any farther than Mac Defender to prove OSX is not immune to Malware. Also you do not get one every 2 years. It just ever few years a new on makes the news and spreads really fast in the wild. Most malware just like the window Malware has very few installs and never really makes the news. Macdefender just spread pretty far and wide.

Techelocally speaking what is being spread by this Autorun is a trojan if you want to go by definitions and on Vista and windows 7 it required you the user clicking yes to it installing.

So basically what you're saying is if you click "NO" you'll never get a trojan on Windows 7?

 

[Rodimus Prime]

So basically what you're saying is if you click "NO" you'll never get a trojan on Windows 7?

yep. That is exactly what I am saying. Windows 7 account controls force you to say yes or no. Admins get a just yes or no question. Non admins get a box that says enter admin user name and password.

 

[munkery]

yep. That is exactly what I am saying. Windows 7 account controls force you to say yes or no. Admins get a just yes or no question. Non admins get a box that says enter admin user name and password.

Admin accounts in Windows 7 should still be password protected for two reasons:

1) The API in Windows 7 that encrypts user data related to protected storage incorporates the user's password into the encryption key to strengthen the encryption. If no password is set, then the encryption algorithms applied to the user account are not as strong.

2) UAC authentication can be stolen via spoofed windows in admin accounts where a unique identifier (user account password) is not contingent to successful UAC authentication. UAC prompts that do not ask for a password are less secure due to the potential to be spoofed.

Also, UAC itself, regardless if a password is required, has not shown itself to be very robust. UAC bypass vulnerabilities are common.

Within the list of public and unpatched zero-days linked below, there is an example of a "win32k.sys" vulnerability that could potentially be exploited to bypass UAC. It has been known for 318 days and counting.

http://www.vupen.com/english/zerodays/

Below is a guide to help turn that vulnerability into an exploit.

http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/

This following link shows all the "win32k.sys" vulnerabilities that have been found so far in just this year.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k+2011

 

[Rodimus Prime]

Admin accounts in Windows 7 should still be password protected for two reasons:

1) The API in Windows 7 that encrypts user data related to protected storage incorporates the user's password into the encryption key to strengthen the encryption. If no password is set, then the encryption algorithms applied to the user account are not as strong.

2) UAC authentication can be stolen via spoofed windows in admin accounts where a unique identifier (user account password) is not contingent to successful UAC authentication. UAC prompts that do not ask for a password are less secure due to the potential to be spoofed.

Also, UAC itself, regardless if a password is required, has not shown itself to be very robust. UAC bypass vulnerabilities are common.

Within the list of public and unpatched zero-days linked below, there is an example of a "win32k.sys" vulnerability that could potentially be exploited to bypass UAC. It has been known for 318 days and counting.

http://www.vupen.com/english/zerodays/

Below is a guide to help turn that vulnerability into an exploit.

http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/

This following link shows all the "win32k.sys" vulnerabilities that have been found so far in just this year.

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k+2011

I believe Admin accounts in windows 7 require a password (not a 100% sure as my account is always passworded)
Just you do not have to enter a password if you are log in as an admin.
Now on my computer my admin accounts have always had a password and I always have 2 admin accounts. One that I use and one that is called zBackup. It is exactly that. An admin account created but never used. It is there just in case I do something stupid and screw up my setting on my primary.

 

[munkery]

I believe Admin accounts in windows 7 require a password (not a 100% sure as my account is always passworded)
Just you do not have to enter a password if you are log in as an admin.
Now on my computer my admin accounts have always had a password and I always have 2 admin accounts. One that I use and one that is called zBackup. It is exactly that. An admin account created but never used. It is there just in case I do something stupid and screw up my setting on my primary.

The admin accounts in Windows 7 do not require a password by default and having the admin account in Windows 7 password protected at login only solves issue #1 but not issue #2.

UAC must require password authentication to prevent issue #2.

No account type prevents against UAC being bypassed via exploitation.