Via social engineering

Jan 20, 2009 17:31 GMT

Building Windows 7 as the evolution of Windows Vista gives Microsoft obvious advantages in terms of performance, compatibility and support, but it also has a downside when it comes to security: users of the next iteration of the Windows client are exposed to the same risks as users of its precursor. An illustrative example is that Windows 7 and Windows Vista both deal in the same manner with malicious AutoPlay options from infected USB drives.

Security researchers from F-Secure revealed that Vista and Windows 7 Beta permitted the Downadup worm to create a malicious autoplay option in the operating systems' AutoPlay dialog box, which popped up automatically when the end user inserted a USB drive into a machine. Worm:W32/Downadup.gen uses USB sticks, as well as other removable devices, to spread by creating a malicious autorun.inf file.

“The autorun.inf uses some tricks, such as variable size, to help avoid detection. Downadup attempts a social engineering trick in Windows Vista. Downadup's autorun.inf file uses an action keyword and icon extracted from shell32.dll,” the F-Secure specialist stated, explaining that the malware would feature the “Open folder to view files” option in the AutoPlay dialog box for removable devices infected with Worm:W32/Downadup.gen.

Users who click this option will actually get infected, because it is listed under “install or run program” and launches the worm. To avoid executing the malicious payload, they have to click the “Open folder to view files” entry under General options instead.

“The category is 'Install or run program,' but the text and icon are for 'Open folder to view files.' The first option will run Downadup, not good. The second 'general' option is the choice that will safely open the USB drive,” the F-Secure representative stated, adding that even on Windows 7 “Downadup attempts to disguise the installation option as an open folder action.”
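As an added example (not code from F-Secure or from the original article), the following Python check flags an autorun.inf that pairs a launch command with the disguise described above: an action label copied from the safe option and an icon taken from shell32.dll. The key names are standard autorun.inf entries; the sample bytes, the placeholder command and the finding labels are constructed for illustration.

```python
import re

# autorun.inf keys that make AutoPlay offer an "Install or run program" entry.
LAUNCH_KEYS = {"open", "shellexecute"}
# Label of the safe General option quoted in the article.
TRUSTED_LABEL = "open folder to view files"

def parse_autorun(raw: bytes) -> dict:
    """Return key/value pairs from the [autorun] section, skipping junk padding."""
    text = raw.decode("latin-1")  # latin-1 never fails on binary padding
    entries, in_section = {}, False
    for line in re.split(r"[\r\n]+", text):
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        # Only lines shaped like "key=value" with an alphabetic key are kept.
        m = re.match(r"([A-Za-z]+)\s*=\s*(.+)$", line)
        if in_section and m:
            entries[m.group(1).lower()] = m.group(2).strip()
    return entries

def findings(raw: bytes) -> list:
    """List the disguise indicators present alongside a launch command."""
    e = parse_autorun(raw)
    if not (LAUNCH_KEYS & e.keys()):
        return []  # nothing is executed, so a label or icon alone is harmless
    out = []
    if TRUSTED_LABEL in e.get("action", "").lower():
        out.append("action-mimics-open-folder")
    if "shell32.dll" in e.get("icon", "").lower():
        out.append("icon-from-shell32")
    return out

# Constructed samples (not the worm's actual file): padding bytes around the keys.
SAMPLE_DISGUISED = (
    b"\x8f\x03junk\xfe\xaa\r\n[AutoRun]\r\n\xd1\x90\x02 padding \x7f\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    b"\x11\xee\r\nOpen=PLACEHOLDER.EXE\r\n"
)
SAMPLE_BENIGN = b"[autorun]\r\nicon=vendor.ico\r\nlabel=Backup Drive\r\n"

if __name__ == "__main__":
    for name, blob in (("disguised", SAMPLE_DISGUISED), ("benign", SAMPLE_BENIGN)):
        print(name, findings(blob))
```
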

Windows 7 Beta is available for download here.
