Correct: it is because of malware getting into a system that Windows blocks autorun.inf. Another example that I have used is a USB hotspot device from a telephone carrier. These devices also perform an installation of drivers and software when the device is plugged in. These devices are composite (hybrid) devices that appear as multiple devices when plugged into a system. You can see this in Device Manager as the device is plugged in. As you have probably noticed, one of the devices that appears is a CD-ROM. The PnP IDs are programmed into the USB controller of the device.
Your question is: "how are they able to kick off the installer?" From past experience, it is when the CD-ROM portion of the composite device is loaded that Windows kicks off the installer, thus the autorun/autoplay feature. One guess is that autorun.inf is still enabled for CD-ROM devices.
What you might be experiencing is that Windows Update searches for the driver and kicks off the installer. I have seen this happen with my HP printer. Windows will install HP software from Windows Update automatically when the printer is attached.
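
A defender-side check for the CD-ROM guess above, as an added example that is not part of the original answer: it decodes a `NoDriveTypeAutoRun` policy mask to see whether AutoRun is left enabled for CD-ROM drives, and lists the entries in a volume's `autorun.inf` that would start a program. The mask values and the file contents are constructed samples, and the function names are hypothetical.

```python
import configparser

# Bits of the NoDriveTypeAutoRun policy value; a set bit disables AutoRun
# for that drive type.
DRIVE_TYPE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
                   0x10: "network", 0x20: "cdrom", 0x40: "ramdisk"}

# Constructed sample: autorun.inf as it might appear on the virtual CD-ROM
# that a composite USB device exposes.
SAMPLE_AUTORUN = r"""
[AutoRun]
; constructed example, not taken from a real device
open=setup.exe /silent
icon=setup.exe,0
label=Carrier Modem
shell\install\command=setup.exe
"""

def autorun_enabled_types(mask):
    """Drive types for which the mask leaves AutoRun enabled."""
    return sorted(n for bit, n in DRIVE_TYPE_BITS.items() if not mask & bit)

def launch_commands(autorun_text):
    """Return {key: command} for [autorun] entries that start a program."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.read_string(autorun_text)
    found = {}
    for section in parser.sections():
        if section.strip().lower() != "autorun":
            continue
        for key, value in parser.items(section):  # keys arrive lower-cased
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                found[key] = value
    return found

def cdrom_exposure(mask, autorun_text):
    """Launch entries honored from a CD-ROM volume under this policy mask."""
    if "cdrom" not in autorun_enabled_types(mask):
        return {}
    return launch_commands(autorun_text)

if __name__ == "__main__":
    for mask in (0x91, 0xFF):  # constructed sample policy values
        print(hex(mask), autorun_enabled_types(mask),
              cdrom_exposure(mask, SAMPLE_AUTORUN))
```
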