
Autorun update leads to a huge decline in malicious infections

There has been a significant drop in the number of malware infections that exploit the Windows Autorun feature.

The Autorun feature was updated in February and as of May 2011 the number of infections found by the Malicious Software Removal Tool (MSRT) per scanned computer declined by 59 per cent on Windows XP machines and by 74 per cent on Windows Vista machines. These figures are in comparison to the 2010 infection rates on those platforms.

Initial research by Microsoft found that a proportion of infected machines carried malware that uses Autorun to propagate. Not wanting to shut off Autorun altogether, because of its positive uses for removable media, Microsoft put an existing update into the Windows Update channel.

Windows 7 already disables Autorun for devices such as USB thumb drives, which prevents malware lurking on such drives from loading itself onto computers without user interaction.

Research by Avast found that Autorun is a way to spread more than two-thirds of current malware, and that the threat of USB-distributed malware is much more widespread than the Stuxnet attacks on enterprise computers, which were also spread via infected memory sticks.

Angela Gunn, security response communications manager at Microsoft, said: “The advisory made changes to how Autorun handles ‘non-shiny’ media (e.g. USB thumb drives). The change was expected to make a significant difference to infection rates by malware that uses Autorun to propagate and we've been monitoring those rates ever since.”

Holly Stewart, a senior program manager with the Microsoft Malware Protection Center, said that the infections started their decline when the update was released and in May hit an all-time low. She said that a decline was expected but what was unexpected is that there appears to have been a residual effect on adjacent systems that were already protected with proactive defences - in Microsoft's case: Forefront Client Security; Forefront Endpoint Security; and Microsoft Security Essentials.

Stewart said: “The overall infection rates changed, too. By May of 2011, the number of infections found by the MSRT per scanned computer was reduced by 68 per cent (all operating systems, all service packs) in comparison to the 2010 infection rates.

“Some people have wondered why the change to Autorun hasn't reduced infections and infection attempts to zero. The answer to that question is that these families use multiple infection vectors to arrive at a computer. In addition to Autorun, they replicate on network shares, they guess passwords, they exploit old vulnerabilities in hopes they'll find one or more systems without an update, they even get placed there by other malware families (downloaders and droppers) and let's not forget about good old social engineering trickery. They use that, too.

“Abusing Autorun was only one trick up their collective sleeve. However, judging by the numbers in our data, it was a lucrative one. It's not every day that you have such strong confirmation that something you were a part of made a difference in the world, but I have to say that seeing 1.3 million fewer infections over the past few months and all of these trend lines going down just feels good.”
