Buy loggers
New championship
Open championship
Championship settings
Task settings
Connecting a logger
Logger settings
Track and Altitude display
Protecting against malware
Modes of operation
Disconnecting a logger
File locations
Release notes
AMOD 3080
CIMA spec

Protecting against malware

The type of logger FRDL will download from appears to Windows exactly like an ordinary memory stick. Info

Microsoft, by trying to make make things 'simple' - meaning 'automatic', means hackers have found a very simple way to spread their Viruses, Trojans and Worms about on memory sticks by exploiting the way Windows looks at them when they are first plugged in.

These worms pretty much all reproduce the same way, they have an AUTORUN.INF file and an executable of some kind. When you put the stick in the PC, Windows finds AUTORUN.INF 'automagically' and executes the instructions it contains.

An infected AUTORUN.INF will either run the executable immediately, or modify the Windows Explorer default behaviour so that the worm will run as soon as you open the stick by double-clicking on it. The executable will make a copy of itself and AUTORUN.INF on all the disk partitions and shared drive connections which it can see, and then open the root folder normally. (This takes a fraction of a second, so you won't notice it.) The executable will then sit around in memory and every time you insert a removable storage volume (such as another memory stick) or map a network drive, it will copy the worm 'kit' to it.

Sometimes the executable will live in a fake \RECYCLED folder, which is quite clever because hardly anyone ever opens the recycle bin on a memory stick, and because the folder doesn't contain a real recycle bin structure, the worm will be safe, even if you empty the bin while the stick is in the drive.

FRDL defence

When FRDL recognizes a logger has been plugged in, the first thing it does is delete any AUTORUN.INF file it finds. It then creates a new folder called AUTORUN.INF. This should prevent most worms/viruses from creating a file of the same name, because when the worm sets out to create this file, it will probably use Windows file system methods which either delete, or truncate to zero any existing regular file with that name; but those methods don't work for folders.

This simple method should protect against most AUTORUN.INF attacks and means that any logger which has just been read by FRDL is not infected.

What FRDL cannot do If a logger is already infected before it is inserted into a computer, then it will already be too late by the time FRDL gets to it because Auto-play will already have read the infected AUTORUN.INF file and executed its dastardly deed. Warning


Whatever happens, you should have some good anti-virus software running.

Holding down the shift key when you insert a logger or memory stick will prevent Auto-play from running.

You can find plenty of advice online which says "in Windows Explorer, right click drive, Properties, Autoplay tab, select an action and set to None.". You can also find just as much advice that this is not very reliable.

Microsoft has a free add-on called Tweak-UI which apparently is quite good, but it only stops Auto-play, not Auto-run which is an older version of the same thing.

A permanent Solution

This is a permanent solution which will protect you against all attacks of this type from loggers and memory sticks and all other devices which are seen by Windows as 'removable media'.

By using this procedure, then once you have done it, if you insert a CD with software on it, you have to explore it manually to find the setup program, but CD audio, DVD Video Etc. will all still work as before.

All you do is:

  1. Copy the three lines of code below into a text editor like Notepad.
  2. Save it as a file called NOAUTRUN.REG (or anything.REG).
  3. Double-click on the file.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

This tells Windows to treat AUTORUN.INF as if it were a configuration file from a pre-Windows 95 application.

IniFileMapping is a key which tells Windows how to handle the .INI files which those applications typically used to store their configuration data. In this case it says "whenever you have to handle a file called AUTORUN.INF, don't use the values from the file. You'll find alternative values at HKEY_LOCAL_MACHINE\SOFTWARE\DoesNotExist." And since that key does not exist, it's as if AUTORUN.INF is completely empty, and so nothing autoruns, and nothing is added to the Explorer double-click action.

Result: worms cannot get in - unless you start double-clicking executables to see what they do, in which case, you deserve to have your PC infected. Good
Credit to http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html for this solution.