
New Windows Flaw - Execute by Viewing Shortcut

Discussion in 'Tech Talk - Gadgets, Gizmos and Technology' started by Marlin Guy, Jul 16, 2010.

  1. Marlin Guy

    http://www.sophos.com/blogs/chetw/g/2010/07/15/windows-day-vulnerability-shortcut-files-usb/

    The security community was buzzing today about a potential new zero-day vulnerability in Windows. The attack that exploits the vulnerability was originally discovered by VirusBlokAda in Belarus. It contains several components and is still being analyzed by SophosLabs.

    It starts with a yet unexplained flaw in Windows that allows a Windows shortcut file (.lnk) placed on a USB device to run a DLL simply by being viewed. This means that, even with AutoRun and AutoPlay disabled, you can open a removable media device (USB) and execute malicious code without user interaction. The danger associated with this attack is large considering how many computers were infected through USB devices by Conficker using the AutoPlay functionality. If you can execute malware even when AutoPlay is disabled, the risk is very high. Sophos detects these malicious .lnk files as W32/Stuxnet-B.

    Although analysis is not complete, it would appear that the flaw is in how Windows Explorer loads the image to display when showing a shortcut. This feature is being used to exploit a vulnerability and execute a DLL to load the malware on the system.

    The DLL that is loaded in this case is a rootkit dressed up as a device driver. It is able to load undetected into the system because it is digitally signed by RealTek Semiconductors, a legitimate hardware vendor. Why RealTek would digitally sign a driver that is in fact a rootkit, or whether their systems were compromised has yet to be determined. The rootkit, once loaded, disguises the malicious files on the USB device, making further investigation difficult.

    The .lnk files used to spread the infection via USB are specific to each USB key infected. The malware dynamically generates the .lnk file for each device it infects. At this time it is unclear whether this is necessary for the exploit to work, or whether it is a control mechanism for the perpetrators of this attack.

    Brian Krebs reported on his blog that the payload appears to be looking for content specific to Siemens SCADA software. SCADA systems control much of our nations' critical infrastructure. If this is the case, it's a disturbing turn of events. The implication would be that the samples that we are looking at are part of a true "Advanced Persistent Threat" attack against specific targets. Knowledge of this exploit could also lead to widespread adoption by opportunistic malware writers similar to what happened in the Google Aurora attacks.

    This is why we need to be careful not to call every data-stealing piece of malware an Advanced Persistent Threat. We need to be sure that when a wolf really does come along -- when our adversaries target critical infrastructure providers with malware designed to steal information or disrupt their operations -- our cries don't go unheeded.
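The following is an added example, not part of Marlin Guy's post or the Sophos article. It parses the fixed header and LinkTargetIDList of a .lnk file (layout per Microsoft's MS-SHLLINK specification) and flags the shape the exploit took: a shortcut whose item list enters the Control Panel namespace and then carries a UTF-16 file path, which Explorer handed to LoadLibrary to fetch the icon (the bug was later assigned CVE-2010-2568 and patched in MS10-046). The heuristic that a Control Panel item carrying a file path is suspect, the item layouts, and the device path in the sample are assumptions and constructed data, not bytes taken from the malware.

```python
"""Added example: parse the ShellLinkHeader and LinkTargetIDList of a Windows
.lnk file (layout per MS-SHLLINK) and flag shortcuts whose item list points
Explorer at a Control Panel entry carrying a file path. Samples are constructed."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# ShellLinkHeader CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) form
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01  # LinkFlags bit: an IDList follows the header
# Control Panel folder CLSID {21EC2020-3AEA-1069-A2DD-08002B30309D}, little-endian
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")
# My Computer CLSID {20D04FE0-3AEA-1069-A2D8-08002B30309D}, used only to build samples
MY_COMPUTER_CLSID = bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")

UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # runs of printable UTF-16LE
PATH_LIKE = re.compile(r"^(?:\\\\|[A-Za-z]:\\)")      # UNC/device or drive-letter path


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the raw data of each ItemID in the LinkTargetIDList.
    Every size read from the file is bounds-checked before it is trusted."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    items = []
    if flags & HAS_LINK_TARGET_IDLIST:
        pos = LNK_HEADER_SIZE
        if pos + 2 > len(data):
            raise ValueError("truncated IDListSize")
        idlist_size = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        end = pos + idlist_size
        if end > len(data):
            raise ValueError("IDListSize runs past end of file")
        while pos + 2 <= end:
            item_size = struct.unpack_from("<H", data, pos)[0]
            if item_size == 0:  # TerminalID closes the list
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
    return {"flags": flags, "items": items}


def utf16_strings(blob: bytes) -> list:
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def assess_shortcut(data: bytes) -> dict:
    """Heuristic (assumption): a Control Panel item that embeds a file path asks
    Explorer to load that file as a CPL module to obtain its icon."""
    parsed = parse_lnk(data)
    control_panel = any(CONTROL_PANEL_CLSID in item for item in parsed["items"])
    paths = [s for item in parsed["items"] for s in utf16_strings(item) if PATH_LIKE.match(s)]
    return {"control_panel_item": control_panel, "embedded_paths": paths,
            "suspicious": control_panel and bool(paths)}


def build_lnk(items: list, flags: int = HAS_LINK_TARGET_IDLIST) -> bytes:
    """Assemble a minimal .lnk: 76-byte header plus an IDList (used to construct samples)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += bytes(LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed
    body = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples. Item layouts are loosely modelled on shell items: a root
# item (0x1F + CLSID), then either ordinary path items, or a Control Panel item
# followed by an entry embedding a UTF-16 device path to a file on removable media.
SAMPLE_BENIGN = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x2f" + b"C:\\\x00",
    b"\x32\x00\x00\x00\x00" + b"notepad.exe\x00",
])
CONSTRUCTED_DLL_PATH = r"\\.\STORAGE#Volume#_??_USBSTOR#Disk&Ven_Example#{constructed}\payload.tmp"
SAMPLE_SUSPICIOUS = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x1f\x00" + CONTROL_PANEL_CLSID,
    b"\x00\x00\x00\x00" + CONSTRUCTED_DLL_PATH.encode("utf-16-le") + b"\x00\x00",
])

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, assess_shortcut(sample))
```

Run it as-is to see both verdicts, or feed assess_shortcut the bytes of every .lnk on a removable drive to triage them. Note that it checks the extension-free case: the payload does not need to be named .dll for LoadLibrary to map it, so the check is on the presence of a path inside a Control Panel item, not on the file name. The parser also validates IDListSize and each ItemIDSize against the buffer before using them, as any parser of attacker-supplied files must. Microsoft's interim workaround at the time was to stop Explorer rendering shortcut icons at all by clearing the default value of HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler, which blocks the loading path the article describes at the cost of blank icons until the patch is applied.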
     
  2. harsh

    There aren't any new problems -- only problems that Microsoft has thus far managed to keep quiet.
     
  3. Greg Alsobrook

    :lol:
     
  4. hdtvfan0001

    It's just a random feature. :D
     
  5. Marlin Guy

    :lol: at both of those!
     
  6. clueless

    Looking for SCADA software!! This doesn't sound good at all....
     
  7. HIPAR

    I'll empathize with the Microsoft people who write the code that accomplishes difficult-to-do things. Not only do they need to think out the problems and get the code debugged and working, but now they need to think like a hacker while doing so.

    How do these hackers discover such unobtrusive flaws in the code?

    --- CHAS
     
  8. harsh

    It is folly to assume that the code necessarily performs some sort of magic. Most of the time, the exploits simply use the code in a way that it wasn't intended to be used.

    The problem arises when assumptions about the input data are made and provisions for errors in the input aren't sufficient. You'll often see references to the term "overflow" when reading the details of an exploit. Input data that is out of range or nonsensical isn't hard to filter out, but your programming discipline needs to include validation of the data. If that's not something that starts at fundamental levels, it can be difficult to cobble in.
     
  9. hdtvfan0001

    This is going to kill me to admit....and it's the second time this week. :eek2:

    But.... I agree. :D
     
  10. harsh

    Think of it in terms of monkeys and typewriters.
     
  11. Nick

    What's a typewriter? :whatdidid
     
  12. hdtvfan0001

    I prefer "even a blind squirrel..." :D
     
  13. harsh

    My recent cataract surgery leaves that one out.
     
  14. hdtvfan0001

    Oops... :eek2:

    OK...we'll run with yours then. :D
     
  15. Marlin Guy

    Please note the level of SUCK on Windows LUA and UAC.

    [YOUTUBEHD]1UxN7WJFTVg[/YOUTUBEHD]
     
  16. hdtvfan0001

    Great video explanation.

    Wondering how Microsoft Security Essentials, Norton, etc. react to the same virus...

    I ran my own test with a known virus on a flash drive attached to a Word file, and Microsoft Security Essentials caught it and blocked it right away.
     
  17. Marlin Guy

    Marlin Guy Hall Of Fame

    2,129
    7
    Apr 8, 2009