Major windows exploit in the wild

[Modelworks]

ChiefCrowe posted in the security forum about this new malware. Originally it only targeted specific industrial systems so it wasn't much of a concern for most people.
http://forums.anandtech.com/showthread.php?t=2090206

Now it has been adapted by other malware creators and is going to spread like wildfire. I knew it would because when it was announced the boards where people request malware samples were going crazy with request for copies and most of them wanted it not for research but even saying they were going to use it to create, malware to steal information, generate spam, download malware, etc.

MS has no patch right now and is trying to get one out by Aug 10 but this is one that is going to be hard to patch because it is a feature in the core of the operating system. The MS fix for now is basically to disable icons completely since it needs the kernel to process the icon to run the malware.

MS patch to disable icons
http://support.microsoft.com/kb/2286198


http://isc.sans.edu/diary.html?storyid=9181

The exploit uses a specially crafted LNK file. This file allows the attacker to execute an arbitrary file by carefully specifying its location – the LNK file in itself does not exploit any vulnerability such as buffer overflows, for example, so it is a legitimate LNK file. The LNK file used in targeted attacks was manually crafted as some fields that are normally present, such as CreationTime, AccessTime or WriteTime are all set to 0.

The exploit is triggered every time a folder containing a malicious LNK files is opened (for example, with Windows Explorer). It does not matter where this folder is – it does not have to be on a USB device, but in order to execute to malicious binary, the attacker has to specify its location correctly.

What makes this vulnerability extremely serious is the fact that it can be opened from any place, including remote shares, for example. The victim just has to browse to the remote share in order to trigger the vulnerability. So double check permissions on any remote shares you use in your companies (you shouldn't allow users to write in root folders, for example).

http://www.theregister.co.uk/2010/07/23/win_shortcut_vuln_goes_mainstream/

Virus writers have begun using the unpatched shortcut flaw in Windows first exploited by the Stuxnet worm, which targets power plant control systems, to create malware that infects the general population of vulnerable Windows machines.

Slovakian security firm Eset reports the appearance of two malware strains that exploit security vulnerabilities in the way Windows handles .lnk (shortcut) files, first used by Stuxnet to swipe information from Windows-based SCADA systems from Siemens.

The Chymine-A Trojan uses the same security hole to install a keystroke logger while the Autorun-VB-RP worm has been updated to use the shortcut vulnerability as an infection method. The original hackers developed a technique to embed malicious code in shortcut files in such a way that this code is run when an icon is viewed, an approach now followed by less skilled VXers.

Stuxnet featured rootlet functionality and digitally signed malware, techniques that mark it out as highly sophisticated. The latest malware to use the shortcut vulnerability is, by contrast, much more basic.

"The new malware we're seeing is far less sophisticated, and suggests bottom feeders seizing on techniques developed by others," writes Pierre-Marc Bureau, a senior researcher at Eset, in a blog post.

The shortcut vulnerability is likely to become a mainstay of malware distribution techniques, Bureau warns.

"This new development follows a typical path of evolution in malware. Often there are only days between the initial release of information regarding a critical vulnerability, and the discovery of its exploitation being executed in the wild by malware authors. It is safe to assume that more malware operators will start using this exploit code in order to infect host systems and increase their revenues," he concludes.

Trend Micro warns that the hole can be exploited by a wide variety of techniques including network shares, malicious websites and booby-trapped Office documents, as well as USB drive infection, the technique associated with the Stuxnet worm.

"File formats that support embedded shortcuts (eg Microsoft Office documents) can now be used to spread exploits as well," writes Trend Micro threat researcher David Sancho. "This means that users who download and open such files could find themselves the latest victim of this vulnerability. It has also been reported that this attack could be used in drive-by attack scenarios, further increasing risks."

Microsoft has issued temporary workarounds and security advice to customers as a stop-gap measure while its security researchers work on developing a fix. The vulnerability involves a security hole in core Windows functionality, so developing and testing a patch by the next scheduled Patch Tuesday, 10 August, will be tricky but not out of the question. Redmond's security team will have had a month by this point to go through a process that more typically takes two months or longer.

I know we have a security forum but I also know that most people do not read it and this one I think is serious enough that people really need to know it exist.

 

[dfuze]

Thanks for the heads up

 

[Tristicus]

I quickly skimmed, but if we don't have remote share on, we're fine? And the obvious no downloading random files or using random USB sticks....

 

[dpodblood]

Thanks for the heads up, but shouldn't this thread be in OS, or security?

 

[darkswordsman17]

Thanks for the heads up, but shouldn't this thread be in OS, or security?

Yeah, but few people go there and so it'll be better to have this in OT so more people see it.

Actually can we get this stickied?

 

[Modelworks]

I quickly skimmed, but if we don't have remote share on, we're fine? And the obvious no downloading random files or using random USB sticks....

As long as you are careful what you download and what USB sticks are used you should be okay and are not on a network with other people that might not be as careful as you.

 

[rasczak]

Yeah, but few people go there and so it'll be better to have this in OT so more people see it.

agreed. saw this the other day in the security forum. what a nasty piece of business that is.

 

[Modelworks]

It continues to spread , now in emails, be a little more careful on what you let download to your pc until MS gets the patch out.

http://blog.trendmicro.com/zeuszbot-and-sality-jump-on-the-lnk-exploit-bandwagon/

The message claims to come from Microsoft and suggests that users apply the attached update to protect them from a threat that is currently proliferating in the wild. It even gives the password to the protected .ZIP file attachment as well as instructions for installing the supposed security update. Note, however, that Microsoft has not issued a patch to resolve the said vulnerability, only a “fix tool” which which disables .LNK and .PIF.

On investigation, we found that the attached archive contains a malicious .LNK file that Trend Micro proactively detects as LNK_STUXNET.SM. Also included is a malicious .DLL file detected as TROJ_ZBOT.BXW.

When the exploit code in the shortcut is triggered, it runs the malware component, which then downloads and executes the main malware, TROJ_ZBOT.BXW. TROJ_ZBOT.BXW is one of the ZBOT 2.0 variants that we spotted earlier this year, highlighting how widespread the vulnerability is now being exploited.

SALITY file infectors are now using this vulnerability as well

It should be made clear, however, that malware using the LNK vulnerability can spread more easily than those that use the AUTORUN.INF file. Until a patch to resolve the vulnerability is released, even more malware families are likely to exploit it.