You may be surprised to discover that Virus Bulletin’s recent malware prevalence report names autorun malware (autorun worms) as the most prevalent malware so far in 2010, accounting for over 10.7% of all globally reported infections. In second place were Visual Basic scripts, and in third Conficker / Downadup. Since “autorun” and “VB scripts” are generic categories, Conficker remains the single most prevalent piece of malware this year (over 6.5% of all infections). It is interesting to note that Conficker has been aggressively spread by autorun worms.
McAfee recently released a lengthy report about the rise of autorun malware (read it here, PDF). Here is an excerpt:
What is autorun malware?
“Most people associate today’s computer viruses and other prevalent malware with the Internet. But that’s not where they started. Lest we forget, the earliest computer threats came from the era of floppy disks and removable media. With the arrival of the Internet, email and network-based attacks became the preferred infection vector for hackers to spread malicious code–while security concerns about removable media took a back seat. Now, however, our attention is returning to plug-in media. Over the years, floppy disks have been replaced by portable hard drives, flash media cards, memory sticks, and other forms of data storage. Today’s removable devices can hold 10,000 times more data than yesterday’s floppy disks. Not only can they store more data, today’s devices are “smart”–with the ability to run portable software programs[1] or boot operating systems.[2,3] Seeing the popularity of removable storage, virus authors realized the potential of using this media as an infection vector. And they are greatly aided by a convenience feature in operating systems called AutoRun, which launches the content on a removable disk without any user interaction. This paper traces the advancements in AutoRun-based malware. We also discuss methods to proactively detect and stop malware that spreads via removable drives, using a combination of traditional antimalware and cloud-computing techniques.”
Because autorun malware needs no ‘clicks’ to be activated, it is especially dangerous. With USB drives so widely used these days, the potential for infection is huge. In 2008 there were some high-profile incidents in which certain devices (MP3 players and some digital photo frames) were sold to customers with autorun malware pre-installed! In a major embarrassment, Telstra distributed worm-infected USB drives to participants at the AusCERT security conference. Luckily the worm did not have a payload, and no serious damage was done.
Being informed about the threat of autoruns is critical, so pass this warning on to friends and family. Of course, only users running Vista SP1 or an older OS are vulnerable, as the threat has been addressed in Vista SP2 and Windows 7. If you are running an older OS, you may want to consider disabling its autorun features.
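One way to check whether AutoRun is actually disabled on an older Windows host, as an added example (not from the original post or the McAfee report): it decodes the NoDriveTypeAutoRun policy value and reports which drive types still have AutoRun enabled. The registry path, value name and bit meanings come from Microsoft's AutoRun policy documentation rather than from this page; the dictionary labels and the sample mask 0x91 are constructed for illustration.

```python
import sys

# Documented bit flags of NoDriveTypeAutoRun: a SET bit disables AutoRun
# for that drive type (names on the right are labels chosen for this example).
DRIVE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unknown-reserved",
}
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def read_mask(hive_name):
    """Return the DWORD from the given hive, or None if it is not set."""
    import winreg  # Windows-only module, imported lazily
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), POLICY_KEY) as key:
            return int(winreg.QueryValueEx(key, VALUE_NAME)[0])
    except FileNotFoundError:
        return None


def audit(hklm, hkcu):
    """Decode the effective mask; the machine-wide value wins over per-user."""
    mask = hklm if hklm is not None else hkcu
    if mask is None:
        return {"mask": None, "enabled": None,
                "verdict": "not configured; OS default applies"}
    enabled = [name for bit, name in DRIVE_BITS.items() if not mask & bit]
    if not enabled:
        verdict = "AutoRun disabled for every drive type"
    elif "removable" in enabled:
        verdict = "removable drives NOT covered"
    else:
        verdict = "removable drives covered; other types still enabled"
    return {"mask": mask, "enabled": enabled, "verdict": verdict}


if __name__ == "__main__":
    if sys.platform == "win32":
        print(audit(read_mask("HKEY_LOCAL_MACHINE"), read_mask("HKEY_CURRENT_USER")))
    else:
        print(audit(None, 0x91))  # constructed sample value, not read from a host
```

A mask of 0xFF disables AutoRun for every drive type, which is the setting to aim for on hosts that cannot be upgraded.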