Autoplay and Autorun Exploit Artifacts

Monday, January 10, 2011 Posted by Corey Harrell
Artifact Name

Autoplay & Autorun Exploit Artifacts

Attack Vector Category

Exploit

Description

Microsoft stated the main purpose of Autorun is "to provide a software response to hardware actions that you start on a computer". The software response is to start media or applications on a computer when a drive is mounted to the operating system. Prior to Windows XP, Windows only had the Autorun feature, which would start items based on commands in the autorun.inf file located in the root of the drive.

With the release of Windows XP, a new feature called Autoplay was included; it is enabled by default starting with XP SP2. Autoplay reviews a mounted drive for content such as multimedia and prompts the user to display the content using the appropriate application. Autoplay starts to examine a drive as soon as the drive is mounted and parses an autorun.inf file if one is present.

The Autorun and Autoplay features have been leveraged to automatically start malicious software. One example of this is the w32/Autorun.worm.g (McAfee's detection). According to McAfee's write-up, the worm spreads using an autorun.inf to automatically start the worm when the media (removable media or network shares) is connected to a computer.

Attack Description

1. Create an autorun.inf file with a command to launch the intended application.

2. Place the autorun.inf in the root of a drive that will be mounted such as removable media or a network share.

3. Place the application in a location where it can be executed.

4. Have the drive mounted on the target computer in order for the autorun.inf file to be parsed.

Exploits Tested

Two custom autorun.inf files were tested: one used the open command while the other used the shellexecute command. A renamed Windows command prompt was the payload for both files.

The open command specifies the application to be started when a drive is mounted. The picture below shows the entire autorun.inf file with the open command.

The shellexecute command uses file association to determine what application is used to launch the file listed in the command. The picture below shows the entire autorun.inf file with the shellexecute command.
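As an added example (this is not the post's own code), the following Python parser reads an autorun.inf and reports which entries would cause Windows to launch something and by which path, which is the distinction the two tested files illustrate. The two sample files are constructed to mirror the post's tests (open versus shellexecute, payload dmc-test.exe); a hand-written INI reader is used because the section name is matched case-insensitively and keys contain backslashes.

```python
"""List what an autorun.inf asks Windows to launch (added example, not the post's code)."""
import re

# Constructed sample mirroring the post's open-command test file.
OPEN_INF = '''[autorun]
open=dmc-test.exe
icon=dmc-test.exe,0
shell\\open\\command=dmc-test.exe
shell\\explore\\command=dmc-test.exe
'''

# Constructed sample mirroring the post's shellexecute test file.
SHELLEXECUTE_INF = '''[AutoRun]
shellexecute=dmc-test.exe
icon=dmc-test.exe,0
'''


def parse_autorun_inf(text):
    """Return {lowercased key: value} from the [autorun] section; other sections are ignored."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):      # blank line or comment
            continue
        if line.startswith('[') and line.endswith(']'):
            in_autorun = line[1:-1].strip().lower() == 'autorun'
            continue
        if in_autorun and '=' in line:
            key, _, value = line.partition('=')
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_entries(entries):
    """Keys that make Windows run something, as (key, target, how) tuples in file order."""
    found = []
    for key, value in entries.items():
        if key == 'open':
            # open names a program started directly relative to the drive root
            found.append((key, value, 'started directly by Autorun/Autoplay'))
        elif key == 'shellexecute':
            # shellexecute hands the target to ShellExecute, so the file association decides
            found.append((key, value, 'started via ShellExecute using the file association'))
        elif re.fullmatch(r'shell\\[^\\]+\\command', key):
            # shell\<verb>\command defines a verb (open, explore, ...) on the drive itself
            found.append((key, value, 'run when the drive verb %s is invoked' % key.split('\\')[1]))
    return found


if __name__ == '__main__':
    for name, inf in (('open test', OPEN_INF), ('shellexecute test', SHELLEXECUTE_INF)):
        print(name)
        for key, target, how in launch_entries(parse_autorun_inf(inf)):
            print('  %-22s -> %-15s (%s)' % (key, target, how))
```

The icon entry is deliberately not reported as a launch entry: it only changes what Explorer displays, which is why the post lists it under a separate registry value.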

Target System Information

* Two Windows XP SP3 virtual machines using an administrative user account (one VM was used for each autorun.inf)

* Two Windows XP SP2 virtual machines using an administrative user account (one VM was used for each autorun.inf)

Different Artifacts based on Administrator Rights

No

Different Artifacts based on Tested Software Versions

No difference between XP SP2 and XP SP3

Potential Artifacts

The potential artifacts include the changes in the operating system environment. The artifacts can be grouped in the following two categories:

        * Windows Parsing the Autorun.inf File
        * Registry Modification When Autoplay Window Closes

Note: To locate the exploit artifacts, the payload was launched through the Autoplay window in XP SP3, while in XP SP2 the removable media icon in My Computer was double-clicked. There were minimal exploit artifacts compared to the artifacts left by the delivery mechanism (removable media) and the payload (Windows command prompt). The identified artifact filenames and values are shown inside brackets to distinguish what may be unique to the testing environment.

        * Windows Parsing the Autorun.inf File

Windows makes modifications under the \Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}\ registry key of the user account that mounted the drive. The modifications are made based on the contents of the autorun.inf file. The picture below highlights the relationship between the commands in the autorun.inf file and the registry modifications.

           - Autorun.inf action command altered the data in MountPoints2\{GUID}\Shell\AutoRun\command\(Default). [data for the open command was E:\dmc-test.exe while data for the shellexecute command was C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL dmc-test.exe]

           - Autorun.inf icon command altered the data in MountPoints2\{GUID}\_Autorun\DefaultIcon\(Default). [data was E:\dmc-test.exe,0]

           - Autorun.inf shell open command altered the data in MountPoints2\{GUID}\Shell\open\command\(Default). [data was E:\dmc-test.exe]

           - Autorun.inf shell explore command altered the data in MountPoints2\{GUID}\Shell\explore\command\(Default). [data was E:\dmc-test.exe]

           - Data in MountPoints2\{GUID}\Shell\Autoplay\DropTarget\CLSID was modified. [data was {f26a669a-bcbb-4e37-abf9-7325da15f931}]

        * Registry Modification When Autoplay Window Closes

           - The registry key MountPoints2\{GUID} was modified when the Autoplay window closed (the window closes when the payload is executed).
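As an added example (not the post's own code), the following Python script parses a `reg export` of a user's MountPoints2 key, groups the values listed above per mounted-drive GUID, and flags any recorded AutoRun launch command. The export text and the three GUIDs are constructed; the value data mirrors what the post reports for the open and shellexecute tests. That the CLSID mentioned above is stored as a value under the DropTarget key is an assumption.

```python
"""Triage MountPoints2 artifacts in a .reg export of a user's NTUSER.DAT.
Added example (not code from the post); assumes a `reg export`-style text file.
"""
import re

H = 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2'
G1 = '{aaaa1111-0000-0000-0000-000000000001}'   # constructed: open-command test drive
G2 = '{bbbb2222-0000-0000-0000-000000000002}'   # constructed: shellexecute test drive
G3 = '{cccc3333-0000-0000-0000-000000000003}'   # constructed: drive with no autorun values
# Constructed export; value data mirrors the post (reg export doubles backslashes).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[{H}\{G1}]
"BaseClass"="Drive"
[{H}\{G1}\Shell\AutoRun\command]
@="E:\\dmc-test.exe"
[{H}\{G1}\_Autorun\DefaultIcon]
@="E:\\dmc-test.exe,0"
[{H}\{G1}\Shell\open\command]
@="E:\\dmc-test.exe"
[{H}\{G1}\Shell\explore\command]
@="E:\\dmc-test.exe"
[{H}\{G1}\Shell\Autoplay\DropTarget]
"CLSID"="{{f26a669a-bcbb-4e37-abf9-7325da15f931}}"
[{H}\{G2}]
"BaseClass"="Drive"
[{H}\{G2}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL dmc-test.exe"
[{H}\{G3}]
"BaseClass"="Drive"
'''.format(H=H, G1=G1, G2=G2, G3=G3)

MP2 = '\\Explorer\\MountPoints2\\'
KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')
# Subkeys under MountPoints2\{GUID}\ that the post ties to autorun.inf commands.
ARTIFACT_SUBKEYS = ('Shell\\AutoRun\\command', '_Autorun\\DefaultIcon',
                    'Shell\\open\\command', 'Shell\\explore\\command')
_CANON = {k.lower(): k for k in ARTIFACT_SUBKEYS}
# A launch command naming an executable, or routed through ShellExec_RunDLL,
# matches what the two tested autorun.inf files left behind.
LAUNCH_RE = re.compile(r'\.(exe|com|bat|cmd|scr|pif|vbs|js)\b|shellexec_rundll', re.I)


def _unescape(token):
    """Drop the quotes of a .reg string token and undo its backslash and quote escaping."""
    return token[1:-1].replace('\\"', '"').replace('\\\\', '\\')


def parse_reg_export(text):
    """Return {key path: {value name: data}} for the REG_SZ values in a .reg file."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys.setdefault(current, {})   # keep keys that carry no string values
        elif (m := VAL_RE.match(line)) and current is not None:
            name = '(Default)' if m.group(1) == '@' else _unescape(m.group(1))
            keys[current][name] = _unescape(m.group(2))
    return keys


def triage_mountpoints2(keys):
    """Group autorun-related values per mounted-drive GUID and flag launch commands."""
    per_guid = {}
    for path, values in keys.items():
        idx = path.lower().find(MP2.lower())
        if idx < 0:
            continue
        guid, _, sub = path[idx + len(MP2):].partition('\\')
        arts = per_guid.setdefault(guid, {})
        canon = _CANON.get(sub.lower())
        if canon:
            arts[canon] = values.get('(Default)', '')
        elif sub.lower().endswith('shell\\autoplay\\droptarget') and 'CLSID' in values:
            # Assumption: the CLSID the post mentions is a value under the DropTarget key.
            arts['Shell\\Autoplay\\DropTarget\\CLSID'] = values['CLSID']
    return [{'guid': g, 'autorun_command': a.get('Shell\\AutoRun\\command', ''),
             'artifacts': a,
             'suspicious': bool(LAUNCH_RE.search(a.get('Shell\\AutoRun\\command', '')))}
            for g, a in per_guid.items()]


def report(findings):
    """One line per drive GUID plus its recorded values, for a quick triage read."""
    lines = []
    for f in findings:
        flag = 'SUSPICIOUS' if f['suspicious'] else 'ok'
        lines.append(f"{f['guid']} [{flag}] AutoRun\\command={f['autorun_command']!r}")
        lines.extend(f"    {name} = {data}" for name, data in f['artifacts'].items())
    return lines


if __name__ == '__main__':
    print('\n'.join(report(triage_mountpoints2(parse_reg_export(SAMPLE_REG)))))
```

Run it against a real export by replacing SAMPLE_REG with the file contents; the GUID of interest can then be matched to the device and mount time through the system hive, which is how the post's timeline view is built.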

Timeline View of Potential Artifacts

The image below shows the above artifacts in a timeline of the registry (system, software, and ntuser.dat hives) from the Windows XP SP3 system with an administrator user account (autorun.inf file with the open command). A few entries from the file system timeline were added.

References

Autoplay Information

* Microsoft support article on how to disable Autorun: http://support.microsoft.com/kb/967715

Other information

* Autorun.inf (Wikipedia): http://en.wikipedia.org/wiki/Autorun.inf
* Autoplay (Wikipedia): http://en.wikipedia.org/wiki/AutoRun
* McAfee W32/Autorun.worm.g AV write-up: http://vil.nai.com/vil/content/v_142616.htm
