Windows zero-day vulnerability uses shortcut files on USB

[Bugbatter]

From SOPHOS:
The security community has been buzzing about a potential new zero-day vulnerability in Windows. The attack that exploits the vulnerability was originally discovered by VirusBlokAda  in Belarus. It contains several components and is still being analyzed by SophosLabs.

It starts with a yet unexplained flaw in Windows that allows a Windows shortcut file (.lnk) placed on a USB device to run a DLL simply by being viewed. This means that, even with AutoRun and AutoPlay disabled, you can open a removable media device (USB) and execute malicious code without user interaction. The danger associated with this attack is large considering how many computers were infected through USB devices by Conficker using the AutoPlay functionality. If you can execute malware even when AutoPlay is disabled, the risk is very high.

Continued Here:
http://www.sophos.com/blogs/chetw/g/2010/07/15/windows-day-vulnerability-shortcut-files-usb/

[ky331]

Microsoft's response:
http://www.microsoft.com/technet/security/advisory/2286198.mspx

they offer a two-phase (temporary) "work-around":
1) Disable the displaying of icons for shortcuts
2) Disable the WebClient service

[ky331]

Please note the consequences of these workarounds:

Impact of workaround 1.  Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, shortcut files and Internet Explorer shortcuts will no longer have an icon displayed.

Impact of workaround 2. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

[ky331]

Chester Wisniewsky has written an exellent blog about all this, which includes a short video demonstation of the vulnerability in action.

Among other things, he notes that:

"This rootkit is particularly nasty as it infects all Windows versions since XP, and ... it bypasses all Windows 7 security mechanisms, including UAC, and doesn't require administrative privilege to run."
workaround 1:   "is highly impractical for most environments. While it would certainly solve the problem, it would also cause mass confusion among many users and might not be worth the support calls".
workaround 2:  "If you are not a Microsoft SharePoint customer this may be a solution, but many organizations rely on SharePoint so this is limiting as well".

full blog:   http://www.sophos.com/blogs/chetw/g/2010/07/16/windows-day-attack-works-windows-systems/

[ky331]

VeriSign Revokes Certificate Used to Sign Stuxnet Malware

http://djtechnocrat.blogspot.com/2010/07/verisign-revokes-certificate-used-to.html

========================================

As of 18 July, most (almost 71%) anti-virus programs are picking-up on the file  mrxcls.sys   as being infected:

http://www.virustotal.com/analisis/1635ec04f069ccc8331d01fdf31132a4bc8f6fd3830ac94739df95ee093c555c-1279441634

Notes:  21/41 are using the name Stuxnet

but 5/41 are using some other designation ; and

3 are detecting it only via a generic method.

[ky331]

The revoking of certificates "accomplishes absolutely nothing... except giving the appearance that the powers-that-be are taking actions to protect us....

[because] a driver [that was] signed with a certificate during its validity period will never expire....  This means all existing copies of Stuxnet [that were signed before revocation of their certificate] that are [currently] in the wild will still happily load".

http://www.sophos.com/blogs/chetw/g/2010/07/20/certified-uncertainty/

[ky331]

Okay, here's a "mixed-bag" report.   Please consider everything carefully, before taking any action.   [Personally, I am NOT taking any action at this time.]

Microsoft has released an enhanced and automated "FixIt" #50486 for this issue, which can be obtained from http://support.microsoft.com/kb/2286198

HOWEVER, while this might prevent the attack from being exploited, be advised that "When this workaround is implemented, the system may display most icons as a "white" default object icon, which does impact usability... [but] When the workaround is undone, all icons will reappear".

If you want to get a good sense of what will happen, see the screenshot of what your desktop and taskbar will look like, here:   http://www.sophos.com/blogs/chetw/g/2010/07/20/shortcut-mitigation-certificate-revocation/

Not something I would like to live with.

[Bugbatter]

More malware exploiting Windows shortcut vulnerability:
Article here:
http://www.sophos.com/blogs/gc/g/2010/07/23/malware-exploiting-windows-shortcut-vulnerability/

[ky331]

Microsoft is now categorizing this vulnerability as falling into several "classifications" of malware...
in addition to Stuxnet variations
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fStuxnet.A and
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fStuxnet.B
and CplLink variations
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit:Win32/CplLnk.A and
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit:Win32/CplLnk.B

they now talk of Vobfus  http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Vobfus.H
and
Chymine http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Chymine.A

Full article:  http://www.facebook.com/notes/microsoft-malware-protection-center/protection-for-new-malware-families-using-lnk-vulnerability/416395638925

[Bugbatter]

Thank you for keeping us updated. 

[faith_michele]

Thanks! 

[ky331]

SOPHOS releases a free Windows Shortcut Exploit Protection Tool http://www.sophos.com/blogs/gc/g/2010/07/26/shortcut-exploit-free-tool/

Note:  Current release of this tool protects only for LNK files. PIF files will be reviewed for a later release.

"Here are the details in a nutshell:

1. It intercepts LNK shortcut files that contain the exploit, telling you which executable code it was attempting to run. That means it will stop malicious threats which use this vulnerability if they are on non-local disks, such as a USB stick for instance.

2. You can run the tool alongside your existing anti-virus product. No need to throw the baby out with the bathwater. The tool supports Windows XP, Vista and Windows 7. It doesn’t support Windows 2000.

3. Unlike Microsoft's workaround, it doesn't blank out all the shortcuts on your Windows Start Menu - meaning your life (and that of your users) will be easier.

4. It's free to download:"  http://www.sophos.com/products/free-tools/sophos-windows-shortcut-exploit-protection-tool.html

Note:  when Microsoft releasees their official fix, the Sophos tool can be UNinstalled via Control Panel, Add/Remove Programs.

[ky331]

1) Microsoft has annonced plans to release an "out-of-band" security update to address this vulnerability on Monday, August 2, 2010 at or around 10 AM PDT. http://blogs.technet.com/b/msrc/archive/2010/07/29/out-of-band-release-to-address-microsoft-security-advisory-2286198.aspx

2) In addition to the "families" of malware already cited above, Microsoft has taken special note of a newly discovered "highly virulent strain [called Sality].  It is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security, and then download other malware".   http://blogs.technet.com/b/mmpc/archive/2010/07/30/stuxnet-malicious-lnks-and-then-there-was-sality.aspx

Virus:Win32/Sality.AT is "a detection for a virus that spreads by infecting Windows executable files and by copying itself to removable and remote drives. It also terminates various security products, prevents certain Windows utilities from executing and attempts to download additional files from a predefined remote Web server". http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus%3aWin32%2fSality.AT

[ky331]

Now available through windows updates:

MS10-046 Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)

This security update resolves a publicly disclosed vulnerability in Windows Shell.

The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed.

-----------------

NOTE:   The presumption is that anyone who applied the SOPHOS (or other work-around) "tools" should UNdo them before applying Microsoft's solution.

[ky331]

there seems to be a slight "controversy" brewing here, about whether one needs to UNdo the Microsoft work-around ( FixIt 50486 ).
Calendar of Updates is advising people that "you do not need to undo the work-around"  (i.e., "you do not need to use FixIt solution 50487 to disable the work-around").   http://www.calendarofupdates.com/updates/index.php?app=calendar&module=calendar&cal_id=&do=showevent&event_id=76441

However, Microsoft itself indicates that they are leaving the "Fix-It" on line "so that [users] can undo the  Fix It  after you install the security update".  http://support.microsoft.com/kb/2286198     If Microsoft suggests the plausibility/necessity of undoing the FixIt after installing the security update, it seems to me all the more reasonable for one to remove it [even]  before  installing the security update.

The bottom line:   even if today's Security Update automatically undoes the FixIt --- which I don't believe it does ---  it couldn't hurt anything to manually undo the FixIt first.

As for people who used an alternative FixIt tool, such as the one by SOFOS, I would certainly advocate that this be undone PRIOR to applying the Microsoft Update.