Microsoft declares a victory against autorun malware

With new safeguards in place, Microsoft saw 1.3 million fewer infections over three months from autorun, which automatically executes commands when an external device is plugged in.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
Lance Whitney
3 min read

Microsoft appears to be winning a major battle against autorun malware.

A blog post this week by Microsoft's Malware Protection Center said the company discovered 1.3 million fewer infections on Windows Vista and XP caused by autorun malware from mid-February to mid-May, compared with the three months prior.

A persistent security threat for the past several years, autorun malware typically spreads through flash drives, memory cards, and other external devices courtesy of Microsoft's autorun feature, which automatically executes a command when the device is plugged in.

Autorun has been a trigger for some of the "top families" of malware, including Conficker, Rimecud, and Taterf, according to Microsoft.

In February, Microsoft started pushing out updates for Windows XP and Vista to lock down the autorun feature. The company had already rolled out a similar update for the release candidate of Windows 7 early in 2009.

Following the updates to XP and Vista, Microsoft said it started seeing a drop in the number of autorun-based infections. In May, there were 59 percent fewer infections on XP and 74 percent fewer on Vista, compared with May 2010. Infections in versions of Windows with the latest service packs, such as Windows XP SP3 and Windows Vista SP1 and SP2, showed even greater declines.

The year-over-year rates for Windows 7 stayed about the same because it already had autorun lockdown in place. They also remained similar for Windows XP SP2, which didn't get the update because Microsoft no longer supports it.

Overall, the company said, the number of infections found across all operating systems by Microsoft in May had dropped by 68 percent compared with the 2010 numbers.


Of course, the larger war against malware continues to rage, but the battle against autorun infections seems to have scored a victory, according to Microsoft.

"Abusing Autorun was only one trick up their [the malware writers'] collective sleeve," Microsoft said in its blog. "However, judging by the numbers in our data, it was a lucrative one."

Though Microsoft may be proud of its achievement, one third-party antivirus vendor seems less than impressed with the company's actions.

"This isn't a victory, it is a very late response to a well known problem that had a very predictable result," said Randy Abrams, director of technical education, for ESET North America, in a statement e-mailed to CNET.

Abrams, who said he blogged about the problems of autorun back in 2007, "applauded" Microsoft for doing the right thing. But he feels the company should apologize for taking so long to fix this problem in the first place.

"It is obvious that the moment the autorun patches were available for XP and Vista they should have been critical updates," Abrams told CNET. "Not one other extremely critical vulnerability in any operating system had been left unaddressed for so long after its potential for abuse was widely known and exploited."

Another third-party vendor disputed the dramatic drop in autorun malware that Microsoft touted.

Looking at some of the top autorun families, including Palevo, Autorun, Kido, and Magania, antivirus company Kapersky found only a 15 percent average drop in them from January to May of this year.

"We are not sure what detections, counts, regions, or systems may be left out of Microsoft's numbers, but we are not seeing the same abrupt drop in similar autorun malware detections that Microsoft is seeing," Kapersky's statistics infrastructure project manager, Sergey Mineev, and senior malware researcher, Kurt Baumgartner, told CNET. "While Microsoft's statistics are different from what it has reported in the past, our findings are consistent with what we've seen historically."

Updated June 18 at 7:00 a.m. PT: Added comments from third-party antivirus vendors.