Autorun update leads to a huge decline in malicious infections

News by Dan Raywood

There has been a significant drop in the number of malware infections that exploit the Windows Autorun feature.


The Autorun feature was updated in February and as of May 2011 the number of infections found by the Malicious Software Removal Tool (MSRT) per scanned computer declined by 59 per cent on Windows XP machines and by 74 per cent on Windows Vista machines. These figures are in comparison to the 2010 infection rates on those platforms.

Initial research by Microsoft found that a proportion of infected machines carried malware that uses Autorun to propagate. Not wanting to shut off Autorun altogether, because of its positive uses for removable media, Microsoft put an existing update into the Windows Update channel.

Windows 7 already disables Autorun for devices such as USB thumb drives, which prevents malware lurking on such drives from loading itself onto computers without user interaction.

Research by Avast found that more than two-thirds of current malware can spread via Autorun, and that the threat of USB-distributed malware is much more widespread than the Stuxnet attacks on enterprise computers, which were also spread via infected memory sticks.

Angela Gunn, security response communications manager at Microsoft, said: “The advisory made changes to how Autorun handles ‘non-shiny’ media (e.g. USB thumb drives). The change was expected to make a significant difference to infection rates by malware that uses Autorun to propagate and we've been monitoring those rates ever since.”

Holly Stewart, a senior program manager with the Microsoft Malware Protection Center, said that the infections started their decline when the update was released and in May hit an all-time low. She said that a decline was expected but what was unexpected is that there appears to have been a residual effect on adjacent systems that were already protected with proactive defences - in Microsoft's case: Forefront Client Security; Forefront Endpoint Security; and Microsoft Security Essentials.

Stewart said: “The overall infection rates changed, too. By May of 2011, the number of infections found by the MSRT per scanned computer was reduced by 68 per cent (all operating systems, all service packs) in comparison to the 2010 infection rates.

“Some people have wondered why the change to Autorun hasn't reduced infections and infection attempts to zero. The answer to that question is that these families use multiple infection vectors to arrive at a computer. In addition to Autorun, they replicate on network shares, they guess passwords, they exploit old vulnerabilities in hopes they'll find one or more systems without an update, they even get placed there by other malware families (downloaders and droppers) and let's not forget about good old social engineering trickery. They use that, too.

“Abusing Autorun was only one trick up their collective sleeve. However, judging by the numbers in our data, it was a lucrative one. It's not every day that you have such strong confirmation that something you were a part of made a difference in the world, but I have to say that seeing 1.3 million fewer infections over the past few months and all of these trend lines going down just feels good.”

