Experts: Microsoft's advice won't stop Downadup

The US-Cert team has criticised Microsoft's suggestion to disable AutoRun, saying it will not halt the fast-spreading worm
Written by Tom Espiner, Contributor

The US Computer Emergency Response Team has criticised security advice given by Microsoft, saying the guidelines will not stop a worm that has infected millions of computers.

The worm, known as Downadup or Conficker, spreads via USB, fileshares and email. It takes advantage of the Microsoft vulnerability detailed in MS08-067, for which a patch was made available in October.

To spread via USB, the worm creates an autorun.inf file on the root of the USB drive. The .inf file then uses either AutoRun or AutoPlay to infect any unpatched systems, either when the stick is plugged into the system or when the user double-clicks on the USB icon in My Computer in Windows Explorer.

On Wednesday, US-Cert criticised Microsoft's advice on enabling and disabling AutoRun. "Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability," said the US-Cert advisory.

According to US-Cert, the AutoRun and NoDriveTypeAutoRun registry values are both ineffective for fully disabling AutoRun on Microsoft Windows systems. "Setting the AutoRun registry value to 0 will not prevent newly connected devices from automatically running code specified in the autorun.inf file," said US-Cert. "It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed."

US-Cert said the Microsoft advice was that setting the NoDriveTypeAutorun registry value to 0xFF "disables Autoplay on all types of drives". However, even with this value set, Windows may execute arbitrary code when the user clicks the USB icon in Windows Explorer, according to US-Cert.

The US-Cert advisory gives code it says will disable AutoRun effectively.

Microsoft had not responded to a request for comment at the time of writing. However, Microsoft told Computerworld on Thursday that US-Cert was criticising old advice from Microsoft, which the software maker updated in May 2008 in Knowledge Base Article 953252.

F-Secure has been tracking the progress of the worm, and last week the security company estimated that over eight million machines had been infected. F-Secure's chief research officer, Mikko Hyppönen, told ZDNet UK on Thursday that the company could no longer be sure of the total compromised. "It's in the millions," said Hyppönen. "It's getting hard to give a complete number, as our algorithm doesn't take into account how many machines have been disinfected."

F-Secure estimates the number of systems affected by monitoring infected IP addresses. Hyppönen said a minimum of one million to two million computers had been hit by Downadup at the time of writing, assuming each IP address F-Secure was tracking was for one computer, and not a proxy for a number of computers.

Hyppönen said he had been looking at a list of infected UK organisations, which he declined to name. "We can see exactly which domains have infected machines, and there are plenty of big names," he said. "Companies, educational networks, government networks. This is far from over."

Editorial standards