Researchers have discovered a sophisticated new strain of malicious software that piggybacks on USB storage devices and leverages what appears to be a previously unknown security vulnerability in the way Microsoft Windows processes shortcut files.
Update, July 16, 7:49 p.m. ET: Microsoft just released an advisory about this flaw, available here. Microsoft said it stems from a vulnerability in the “Windows shell” (e.g., Windows Explorer) that is present in every supported version of Windows. The advisory includes steps that can mitigate the threat from this flaw.
VirusBlokAda, an anti-virus company based in Belarus, said that on June 17 its specialists found two new malware samples that were capable of infecting a fully patched Windows 7 system if a user were to view the contents of an infected USB drive with a common file manager such as Windows Explorer.
USB-borne malware is extremely common, and most malware that propagates via USB and other removable drives traditionally has taken advantage of the Windows Autorun or Autoplay feature. But according to VirusBlokAda, this strain of malware leverages a vulnerability in the method Windows uses for handling shortcut files.
Shortcut files — or those ending in the “.lnk” extension — are Windows files that link (hence the “lnk” extension) easy-to-recognize icons to specific executable programs, and are typically placed on the user’s Desktop or Start Menu. Ideally, a shortcut doesn’t do anything until a user clicks on its icon. But VirusBlokAda found that these malicious shortcut files are capable of executing automatically if they are written to a USB drive that is later accessed by Windows Explorer.
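Because the risk described above lives in how Explorer reads a shortcut's icon source before anyone clicks it, a defender triaging a suspect USB drive wants to see exactly what each .lnk file points to without letting the shell render it. The following is an added example, not code from the article, from VirusBlokAda or from Microsoft: it parses the public Shell Link binary format (MS-SHLLINK) far enough to recover the target path, working directory, arguments and icon location, then applies a simple triage rule. The two sample shortcuts are constructed inside the script with placeholder names, and the triage rule (icon loaded from a file outside system or program paths, travelling with the shortcut) is an illustrative assumption, not a description of the malware in the article.

```python
"""Triage of Windows shortcut (.lnk) files found on removable media.

Added example (not the article's or VirusBlokAda's code). Parses the
MS-SHLLINK header and StringData section; samples and triage rules are
constructed/assumed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in on-disk (little-endian GUID) byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the ShellLinkHeader
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80


@dataclass
class ShellLink:
    flags: int
    icon_index: int
    name: Optional[str] = None
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None


def is_shell_link(data: bytes) -> bool:
    """Cheap header check (size field and CLSID) before a full parse."""
    return (len(data) >= HEADER_SIZE
            and data[:4] == struct.pack("<I", HEADER_SIZE)
            and data[4:20] == LINK_CLSID)


def parse_lnk(data: bytes) -> ShellLink:
    """Read the header, skip IDList/LinkInfo, and decode the StringData strings."""
    if not is_shell_link(data):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index = struct.unpack_from("<i", data, 0x38)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if unicode else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        pos += count * width
        return raw.decode("utf-16-le" if unicode else "cp1252")

    link = ShellLink(flags=flags, icon_index=icon_index)
    # StringData entries appear in this fixed order, each present only if its flag is set
    if flags & HAS_NAME:
        link.name = read_string()
    if flags & HAS_RELATIVE_PATH:
        link.relative_path = read_string()
    if flags & HAS_WORKING_DIR:
        link.working_dir = read_string()
    if flags & HAS_ARGUMENTS:
        link.arguments = read_string()
    if flags & HAS_ICON_LOCATION:
        link.icon_location = read_string()
    return link


# Assumed "normal" icon sources for a shortcut; anything else travels with the drive.
SYSTEM_ICON_SOURCES = ("%systemroot%\\", "%windir%\\", "c:\\windows\\", "c:\\program files")


def triage(link: ShellLink) -> List[str]:
    """Illustrative rules (assumptions): flag icons served from a non-system file,
    and note when that file is loadable code (DLL/EXE) rather than an .ico."""
    findings = []
    icon = link.icon_location or ""
    low = icon.lower()
    if icon and not low.startswith(SYSTEM_ICON_SOURCES):
        findings.append(f"icon source outside system/program paths: {icon}")
        if low.endswith((".dll", ".exe")):
            findings.append("icon source is loadable code, not an .ico resource")
    return findings


def build_lnk(relative_path: str, icon_location: str, icon_index: int = 0) -> bytes:
    """Constructed sample: minimal Unicode shortcut, no IDList, no LinkInfo."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ICON_LOCATION
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    # StringData in spec order, then a terminal ExtraData block (size < 4 ends the list)
    return header + string_data(relative_path) + string_data(icon_location) + struct.pack("<I", 0)


# Constructed samples with placeholder names: an ordinary shortcut, and one whose
# icon is loaded from a DLL carried on the same removable drive.
BENIGN_LNK = build_lnk("..\\..\\Program Files\\Notes\\notes.exe",
                       "%SystemRoot%\\system32\\shell32.dll", 3)
SUSPECT_LNK = build_lnk(".\\docs\\readme.txt", ".\\res\\thumb.dll")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        link = parse_lnk(blob)
        print(label, link.relative_path, link.icon_location, triage(link) or "clean")
```

On a real drive you would run `parse_lnk` over the bytes of every `*.lnk` from a mounted-read-only or imaged copy rather than browsing it in Explorer, which is the very action the article says triggers execution; the parser never resolves or loads the icon source, it only reports it.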
“So you just have to open infected USB storage device using [Windows] Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware,” wrote Sergey Ulasen, an anti-virus expert with the company, in an advisory published this month.
Ulasen said the malware installs two drivers: “mrxnet.sys” and “mrxcls.sys.” These so-called “rootkit” files are used to hide the malware itself so that it remains invisible on the USB storage device. Interestingly, Ulasen notes that both driver files are signed with the digital signature of Realtek Semiconductor Corp., a legitimate hi-tech company.
Ulasen said he reached out to Microsoft and to Realtek but got a response from neither. Jerry Bryant, group manager of response communications at Microsoft, told KrebsOnSecurity.com Wednesday that “Microsoft is investigating new public claims of malware propagating via USB storage devices. When we have completed our investigations we will take appropriate action to protect users and the Internet ecosystem.”
If this truly is a new vulnerability in Windows, it could soon become a popular method for spreading malware. But for now, this threat seems fairly targeted: Independent security researcher Frank Boldewin said he had an opportunity to dissect the malware samples, and observed that they appeared to be looking for Siemens WinCC SCADA systems, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants.
“Looks like this malware was made for espionage,” Boldewin said.
Could this vulnerability be attacked through a website drive-by? If it is all based on Windows processing the malicious LNK file, could an attacker not set up a script to download the file to the user’s machine when they visited the site? Then once Windows processes the LNK file it would try and execute its payload? Also, what about sending the malicious LNK files out as part of an email?
VeriSign’s Tim Callan just wrote a blog post on this issue: Code signing certificates used in repeat attacks
If you want to check it out, here you go:
I want to say thanks for your interest in this problem. Your blog has helped to draw the community’s attention to tmphider/stuxnet and the problems connected with it.
I hope for collaboration in the future.
VirusBlokAda, Minsk, Belarus
I am SO TIRED of nothing working on Vista which was NEW, and finding more and more problems, and sites like this find a flaw. HOW ABOUT A LINK OR D/L TO FIX IT? FOR ONE THING EVEN
Disgusted Blogs, bulletins, warnings but not ONE PLACE to tell you what to do or a fix. Flaw in links, Power grid, certificates, etc, all mentioned. Do you think that the average person has the TIME or KNOWLEDGE to know where to go or how to fix it? A Microsoft Bulletin, Great. No fix though.
Bea- Check out my latest post. It includes a fix-it tool.
Thanks for that SOPHOS link Brian! That tool will really do the trick if Sophos’ claims are correct. It will provide a pop-up to tell you critical shortcut files are attempting to be changed.
After installation my icons went blank, but popped back automatically after coming out of standby!
Regarding the Siemens WinCC SCADA sw trojan, why not block execution of mrxnet.sys & mrxctl.sys via registry to mitigate spread? See Marcelo Fartura’s blog http://goo.gl/kK0Z
OMG! Thanks for sharing it. It’s the first time I’ve heard about this threat.
Thanks to the fix tool too.
I have all my defenses patched up. How it will do it.
Cool shortcuts, very useful. Thanks a bunch!!! I found a few more shortcuts here: http://www.usingcomputers.co.uk/tutorials/useful-windows-shortcuts.php it’s worth taking a look at combined with this article. Thanks, keep up the good posts!
Very Cool Brian! I just read the April 2011 Vanity Fair article giving you credit for the first publication of Stuxnet, which this turned out to be. Just noticed that in Sergey’s comment, though at the time it never hit me when I read your blog.
Keep up the great work,
Thanks, Curt. My biggest regret with that story is not knowing it would be called “Stuxnet” and including that in the headline! At the time, it looked like yet another Windows 0day, albeit with a potentially interesting twist.
The Vanity Fair article is here: