Removable media is very much a part of everyday life for most of us. USB storage devices come in all shapes and sizes, from the traditional USB stick, to digital cameras, to phones, right through to the wacky and wonderful. A quick Google search (or a search in your engine of choice) for 'novelty usb storage' throws up a plethora of options: USB burgers, beer bottles, watermelon slices, diamond necklaces, even Uzi 9mm-shaped devices, all of which can pose a serious malware risk, not to mention a DLP risk, to a corporate environment. A w32/autorun.worm can easily cause total havoc on a network and regularly contains a downloader component, which can pull down literally hundreds of bad files and new threats if it successfully connects out to a malware-ridden server.

 

Many companies now operate strict USB controls via device or portal control software (some even go as far as to put superglue in the USB ports to stop users from connecting their devices), but many still allow their users to plug in whatever they like. If autoruns are enabled in the environment, then all it takes to cause a serious outbreak is the connection of one infected USB device to one machine. Cleanup can take days or even weeks, especially if secondary or tertiary infections occur due to additional malware downloads.

 

Threats that can spread via autorun come in many flavours, and we regularly see new variants on a theme, so we are constantly adding new detections to our DAT update files. These threats include w32/rimecud, w32/autorun.worm (there are almost 12700 VIL pages related to the signatures we have for w32/autorun.worms, the majority of which are generic signatures, each of which can cover literally 1000s of variants), w32/Conficker and variants thereof, and the list goes on.

 

Disabling autoruns is a good way of reducing the risk of these infections to your network, and there are multiple ways you can achieve this: on a per-machine basis in the registry, on a mass scale via GPO, or by using the Access Protection features of VirusScan Enterprise. The attached guide goes into a lot of detail about how you can proactively use the Access Protection features to protect your environment against all kinds of threats, not just autoruns (which are covered on pages 7 and 11).
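
For the per-machine registry route mentioned above, the following PowerShell is an added example, not taken from this post or the attached guide. It reports which drive types still allow AutoRun and can enforce the all-drives setting. The `NoDriveTypeAutoRun` value, its key path and the bit meanings are from Microsoft's documentation rather than this page; the `-Enforce` switch and the function name are hypothetical.

```powershell
# Added example: audit, and optionally enforce, the AutoRun policy value.
# Run with -Enforce from an elevated prompt to write the machine-wide setting.
param([switch]$Enforce)

$PolicyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'

# A set bit DISABLES AutoRun for that drive type (0xFF disables all types).
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'Removable' = 0x04
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD-ROM'    = 0x20
    'RAM disk'  = 0x40
}

function Get-AutoRunEnabledTypes {
    param([int]$Mask)
    # Drive types whose bit is clear, i.e. AutoRun is still allowed.
    $DriveTypeBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key }
}

foreach ($hive in 'HKLM:', 'HKCU:') {
    $key  = "$hive\$PolicyPath"
    $prop = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Output "$key : $ValueName is not set, so the Windows default applies"
        continue
    }
    $mask = [int]$prop.$ValueName
    $open = @(Get-AutoRunEnabledTypes -Mask $mask)
    if ($open.Count -eq 0) {
        Write-Output ('{0} : 0x{1:X2}, AutoRun disabled for all drive types' -f $key, $mask)
    } else {
        Write-Output ('{0} : 0x{1:X2}, AutoRun still allowed for: {2}' -f $key, $mask, ($open -join ', '))
    }
}

if ($Enforce) {
    $key = "HKLM:\$PolicyPath"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $ValueName -Value 0xFF -Type DWord
    Write-Output "$key : $ValueName set to 0xFF"
}
```

Without `-Enforce` the script only reads, so it can be run across a sample of machines to find ones where removable drives are still permitted to autorun.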

 

For further reading please have a look over our research whitepaper available here.