Security firms warn of spreading Windows AutoRun malware

Antivirus vendors are warning customers of a spreading malware that can infect computers through a well-known bug in the Windows AutoRun software used to automatically launch programs on a DVD or USB device.

The significant increase in infection is curious because Windows 7 and Windows 8 PCs will not launch autorun.inf files, and Microsoft has released two patches for older systems. Therefore, security experts believe infections are happening through a combination of unpatched computers, shared folders and files and social media.

Someone inserting a USB drive or memory stick carrying the malware can infect unpatched PCs. On other systems, an infection can occur once the malware travels to a network share and someone clicks on an infected file or folder. Trend Micro reported that malware was also spreading on Facebook.

Other vendors tracking the malware include McAfee, Symantec and Sophos. While it is interesting that cybercriminals are still exploiting a four-year-old AutoRun bug, Sophos says most corporate PCs are being infected through network sharing.

Clicking the malware on Facebook would certainly open a quick path to a shared folder on a corporate network, said Chester Wisniewski, a senior security adviser for Sophos.

[How to: 10 commandments of Windows security]

“I would say the AutoRun part of it is probably not the source of the majority of infections,” Wisniewski said on Friday. “It’s just an interesting note that [criminals] are still using it. I think spreading through the file shares is probably the primary vector to get people in trouble.”

Microsoft released an AutoRun patch in 2009, a month after the U.S. Computer Emergency Readiness Team (US-CERT) issued a warning that Windows 2000, XP and Server 2003 did not properly disable the feature. Microsoft had patched AutoRun a year earlier in Vista and Windows Server 2008.

The infamous Stuxnet malware created an autorun.inf file to infect computers via USB drives. Stuxnet, created jointly in 2009 by U.S. and Israel, reports The New York Times, damaged Iranian nuclear facilities.

The latest malware disguises itself as files and folders in writeable network shares and removable devices, while hiding the originals. The application will also create .exe files named “porn” and “sexy” and a folder called “passwords,” to entice people to click on them, Sophos said.

The malware adds a registry key, so it can start when a PC is booted up. Variants of the application will disable Windows Update to prevent the victim from downloading patches to disable the malware.

Once a PC is infected, the application follows the typical procedure for such malicious software. It contacts a command-and-control server for instructions and to receive other applications. Malware downloaded include Trojans in the Zeus/Zbot family, which steals online banking credentials, Sophos said

To combat the malware, security experts recommend disabling AutoRun on all Windows operating systems and restricting write permissions to file shares. Depending on the AV vendor, the malware has several names, including W32/VBNA-X, W32/Autorun.worm.aaeb, W32.ChangeUp and WORM_VOBFUS.

The latest outbreak arrives about a year and a half after Microsoft reported big declines in AutoRun infection rates. In the first five months of 2011, the number of AutoRun-related malware detected by Microsoft fell 59% on XP computers and 74% on Vista PCs, compared with 2010.