Significant increase in infection is curious because Windows 7 and Windows 8 PCs will not launch autorun.inf files

Antivirus vendors are warning customers of spreading malware that can infect computers through a well-known bug in the Windows AutoRun software used to automatically launch programs on a DVD or USB device.

The significant increase in infection is curious because Windows 7 and Windows 8 PCs will not launch autorun.inf files, and Microsoft has released two patches for older systems. Therefore, security experts believe infections are happening through a combination of unpatched computers, shared folders and files, and social media.

Someone inserting a USB drive or memory stick carrying the malware can infect unpatched PCs. On other systems, an infection can occur once the malware travels to a network share and someone clicks on an infected file or folder. Trend Micro reported that the malware was also spreading on Facebook.

Other vendors tracking the malware include McAfee, Symantec and Sophos. While it is interesting that cybercriminals are still exploiting a four-year-old AutoRun bug, Sophos says most corporate PCs are being infected through network sharing. Clicking the malware on Facebook would certainly open a quick path to a shared folder on a corporate network, said Chester Wisniewski, a senior security adviser for Sophos.

“I would say the AutoRun part of it is probably not the source of the majority of infections,” Wisniewski said on Friday. “It’s just an interesting note that [criminals] are still using it. I think spreading through the file shares is probably the primary vector to get people in trouble.”

Microsoft released an AutoRun patch in 2009, a month after the U.S. Computer Emergency Readiness Team (US-CERT) issued a warning that Windows 2000, XP and Server 2003 did not properly disable the feature.
Microsoft had patched AutoRun a year earlier in Vista and Windows Server 2008.

The infamous Stuxnet malware created an autorun.inf file to infect computers via USB drives. Stuxnet, created jointly in 2009 by the U.S. and Israel, according to The New York Times, damaged Iranian nuclear facilities.

The latest malware disguises itself as files and folders in writeable network shares and removable devices, while hiding the originals. The application will also create .exe files named “porn” and “sexy” and a folder called “passwords,” to entice people to click on them, Sophos said.

The malware adds a registry key so it can start when a PC is booted up. Variants of the application will disable Windows Update to prevent the victim from downloading patches to disable the malware.

Once a PC is infected, the application follows the typical procedure for such malicious software. It contacts a command-and-control server for instructions and to receive other applications. Downloaded malware includes Trojans in the Zeus/Zbot family, which steal online banking credentials, Sophos said.

To combat the malware, security experts recommend disabling AutoRun on all Windows operating systems and restricting write permissions to file shares. Depending on the AV vendor, the malware has several names, including W32/VBNA-X, W32/Autorun.worm.aaeb, W32.ChangeUp and WORM_VOBFUS.

The latest outbreak arrives about a year and a half after Microsoft reported big declines in AutoRun infection rates. In the first five months of 2011, the amount of AutoRun-related malware detected by Microsoft fell 59% on XP computers and 74% on Vista PCs, compared with 2010.
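
As an added example (not from the article or from any vendor named in it), the Python script below triages a file listing from a share or removable drive for the traits described above: an autorun.inf file, an .exe that takes the name of a hidden file or folder beside it, and the lure names Sophos reported. The (path, is_dir, is_hidden) tuple format, the function name and the sample paths are assumptions made for the illustration.

```python
from pathlib import PureWindowsPath

# Lure names taken from the article (as reported by Sophos).
LURE_EXE_STEMS = {"porn", "sexy"}
LURE_FOLDER = "passwords"

def triage_listing(entries):
    """entries: (path, is_dir, is_hidden) tuples from one share or drive.
    Returns (path, reason) findings in listing order.
    On Windows the hidden flag can be read from
    os.stat(path).st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN."""
    entries = list(entries)
    # Names of hidden items per directory: the "originals" the worm hides.
    hidden = {}
    for path, _is_dir, is_hidden in entries:
        if is_hidden:
            p = PureWindowsPath(path)
            hidden.setdefault(p.parent, set()).update(
                {p.name.lower(), p.stem.lower()})
    findings = []
    for path, is_dir, _is_hidden in entries:
        p = PureWindowsPath(path)
        name, stem = p.name.lower(), p.stem.lower()
        if is_dir:
            if name == LURE_FOLDER:
                findings.append((path, "lure folder name"))
            continue
        if name == "autorun.inf":
            findings.append((path, "autorun.inf present"))
        if p.suffix.lower() == ".exe":
            if stem in LURE_EXE_STEMS:
                findings.append((path, "lure executable name"))
            elif stem in hidden.get(p.parent, ()):
                # Covers Reports.exe beside hidden Reports, and
                # Budget.xlsx.exe beside hidden Budget.xlsx.
                findings.append((path, "exe shadows hidden original"))
    return findings

# Constructed sample listing of a removable drive (not real data).
SAMPLE = [
    (r"E:\autorun.inf", False, True),
    (r"E:\Reports", True, True),
    (r"E:\Reports.exe", False, False),
    (r"E:\Budget.xlsx", False, True),
    (r"E:\Budget.xlsx.exe", False, False),
    (r"E:\sexy.exe", False, False),
    (r"E:\passwords", True, False),
    (r"E:\tools\setup.exe", False, False),
]

if __name__ == "__main__":
    for path, reason in triage_listing(SAMPLE):
        print(f"{reason:30} {path}")
```

A folder named “passwords” on its own is a weak signal; it is worth acting on mainly when it appears alongside the other findings on the same share.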