Autorun attacks, like that by the Stuxnet worm, have become a common attack form. That common, that Microsoft has started to patch the autorun functionality in Windows.

Panda Security released USB Vaccine a while ago which offered to vaccinate a computer or USB drive to protect the computer from autorun based attacks.

Bitdefender, another popular security developer, has now released a similar program called Bitdefender Immunizer.

The program offers the same functionality as Panda USB Vaccine. Users can either immunize the computer as a whole, or immunize a connected removable drive.

The product page describes what happens if you immunize an USB drive:

The Immunize option allows you to immunize your USB storage device or SD card against infections with autorun-based malware. Even if your storage device has been plugged into an infected computer, the piece of malware will be unable to create its autorun.inf file, thus annihilating any chance of auto-launching itself.

This basically blocks the creation of autorun.inf files on immunized USB devices.

The computer immunization has the following effect:

The Immunize Computer slider allows you to toggle the autorun feature On or Off for any removable media (except for CD/DVD-ROM devices). If you accidentally plug in an infected USB drive that has not been immunized, the computer will not auto-execute the piece of malware located on the USB storage device.

The security patch linked above seems to have the same effect as the Immunize Computer option.

It has to be noted that immunizing removable devices or computers does not protect the system if the user executes malicious software on the device or computer manually. It only protects against autorun-based attack forms that require no user interaction.

Interested users can download USB Immunizer from the Bitdefender Labs website.

Update: Bastik has posted his findings in the comments, they are important and need to be mentioned in the article. Thanks Bastik for the helpful insight.

The tool does not offer to remove the protection from drives that it has immunized. To unprotect a drive you need to display hidden files in Windows and hidden system files. This can be done via Tools > Folder Options > View in Windows Explorer. You then need to delete the folder autorun.ini on the drive.

The tool displays an email prompt on exit with no apparent option to close it. Just click the ok button without entering an email address to close the program for good.

The update for Windows Autorun has been available for some time. To be precise, it was first released on February 24 by Microsoft and originally made available from the Microsoft Download Center.

Yesterday changed that by offering the update via automatic updating through Windows Update. Affected are all Microsoft operating systems pre-Windows 7, including Windows XP, Windows Vista and the server operating systems Windows Server 2003 and 2008. Windows 7 is not affected as it already has the restrictions in place.

The update restricts AutoPlay functionality to “CD and DVD media”. This protects customers “from attack vectors that involve the execution of arbitrary code by Autorun when inserting a USB flash drive, network shares, or other non-CD and non-DVD media containing a file system with an Autorun.inf file”.

It basically blocks AutoPlay on all devices and media except CD and DVD media even if they contain an autorun.inf file.

Customers may experience several issues after applying the update, including:

• Many existing devices in market, and many upcoming devices, use the Autorun feature with the AutoPlay dialog box to present and install software when DVDs, CDs, and USB flash drives are inserted. The AutoPlay behavior with CD and DVD media is not affected by this update.
• Users who install this update will no longer receive a setup message that prompts them to install programs that are delivered by USB flash drives. Users will have to manually install the software. To do this, users click Open folder to view the files, browse to the software’s setup program, and then double-click the setup program to run the program manually.
• Some USB flash drives have firmware that present these USB flash drives as CD drives when you insert them into computers. The AutoPlay behavior with these USB flash drives is not affected by this update.

The update is only offered if it has not already been installed on the system. Additional information about the update are available at Microsoft’s Security Advisory and the blog post Deeper insight into the Security Advisory 967940 update by Adam Shostack.

There is however another solution in the form of the USB security software USB Cop which has been uploaded to Sourceforge yesterday. USB Cop blocks all attempts to run an autorun.inf file on the computer system. It will instead display the contents of the file to the user giving a recommendation what the user should do with it.

Available options are to browse the contents of the disk or to close the dialog without performing an action. The interface itself will display all entries that are located in the autorun.inf file.

The option to execute the autorun.inf file is normally missing from the available options. What this application currently does is block all attempts of running an autorun.inf file on the computer system. The only difference between disabling that option in Windows and using the software is the ability to browse and see the contents of the autorun.inf file a bit faster and automatic with the software. In reality it would simply mean a few additional clicks for the same result without running a software in the background all the time.

The software itself uses about 4.5 Megabytes of computer memory while running.

Update: Development has continued in recent years, the latest version of the program, dubbed USB Cop 1.0 Alpha 1, has been uploaded to the Sourceforge servers in March 2011. It is definitely an alternative for inexperienced users who want recommendations what they should do when they insert a disc or stick with autorun information.

Here is a short explanation if you have never heard of autorun.inf files before: It contains information about files and processes that are automatically executed when a disk is inserted or double-clicked. Autorun is often confused with autoplay but they are not the same. Autorun is directly related to the autorun.inf file on the disk while autoplay automatically reacts to new devices or media, for example a music CD is automatically played in Windows when inserted.

Autorun Eater takes care of autorun.inf files before it can be executed on the system. This is done my actively monitoring the system in real time. It will automatically remove suspicious autorun.inf files and store them in a secure space in case of a false positive.

I know that some of you do not like to run a lot of programs in the background which is also my preferred way. It is possible to disable the autorun.inf system wide which is the only protection that works flawlessly. The common Registry keys NoDriveAutoRun and NoDriveTypeAutoRun do not eliminate the dangers of autorun.inf files. When properly configured they prevent that the autorun.inf file on USB devices gets executed automatically but it will still be executed when a user double-clicks the drive.

The only real autorun.inf protection which disables it completely is the following Registry setting. Just copy the following lines into a text document and name it auto.reg.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Double-click that file and restart your computer afterwards. Autorun should now be disabled for all drives on your system.