# New Windows Flaw - Execute by Viewing Shortcut



## Marlin Guy (Apr 8, 2009)

http://www.sophos.com/blogs/chetw/g/2010/07/15/windows-day-vulnerability-shortcut-files-usb/

_The security community was buzzing today about a potential new zero-day vulnerability in Windows. The attack that exploits the vulnerability was originally discovered by VirusBlokAda in Belarus. It contains several components and is still being analyzed by SophosLabs.

It starts with a yet unexplained flaw in Windows that allows a Windows shortcut file (.lnk) placed on a USB device to run a DLL simply by being viewed. This means that, even with AutoRun and AutoPlay disabled, you can open a removable media device (USB) and execute malicious code without user interaction. The danger associated with this attack is large considering how many computers were infected through USB devices by Conficker using the AutoPlay functionality. If you can execute malware even when AutoPlay is disabled, the risk is very high. Sophos detects these malicious .lnk files as W32/Stuxnet-B.

Although analysis is not complete, it would appear that the flaw is in how Windows Explorer loads the image to display when showing a shortcut. This feature is being used to exploit a vulnerability and execute a DLL to load the malware on the system.

The DLL that is loaded in this case is a rootkit dressed up as a device driver. It is able to load undetected into the system because it is digitally signed by RealTek Semiconductors, a legitimate hardware vendor. Why RealTek would digitally sign a driver that is in fact a rootkit, or whether their systems were compromised has yet to be determined. The rootkit, once loaded, disguises the malicious files on the USB device, making further investigation difficult.

The .lnk files used to spread the infection via USB are specific to each USB key infected. The malware dynamically generates the .lnk file for each device it infects. At this time it is unclear whether this is necessary for the exploit to work, or whether it is a control mechanism for the perpetrators of this attack.

Brian Krebs reported on his blog that the payload appears to be looking for content specific to Siemens SCADA software. SCADA systems control much of our nations' critical infrastructure. If this is the case, it's a disturbing turn of events. The implication would be that the samples that we are looking at are part of a true "Advanced Persistent Threat" attack against specific targets. Knowledge of this exploit could also lead to widespread adoption by opportunistic malware writers similar to what happened in the Google Aurora attacks.

This is why we need to be careful not to call every data-stealing piece of malware an Advanced Persistent Threat. We need to be sure that when a wolf really does come along -- when our adversaries target critical infrastructure providers with malware designed to steal information or disrupt their operations -- our cries don't go unheeded._

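Since the flaw above is in what Explorer does while merely drawing a shortcut, the useful defensive question is: what does a .lnk on that USB key actually carry before anyone clicks it? The following is an added example, not code from the post, from Sophos or from Microsoft: a small Python triage parser for the public Shell Link (MS-SHLLINK) binary layout. It reads the fixed header, the LinkTargetIDList and the StringData fields, checks every length field against the file before trusting it (the input-validation discipline the thread gets into further down), and flags two patterns that fit the description above: an icon drawn from a .dll/.cpl outside the system directories, and an ItemID that embeds a library path. The flagging rules, the trusted-prefix list and the three in-memory sample shortcuts are this example's own assumptions, constructed for the demonstration; they are not published indicators for the malware discussed here.

```python
"""Triage parser for Windows Shell Link (.lnk) files (added example, not from the
post, Sophos or Microsoft). Follows the public MS-SHLLINK layout: 0x4C-byte header,
optional LinkTargetIDList, optional LinkInfo, then StringData. Every length field is
checked against the buffer before it is trusted."""
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (header offset 0x14)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 1 << 0, 1 << 1, 1 << 2
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 1 << 3, 1 << 4, 1 << 5
HAS_ICON_LOCATION, IS_UNICODE = 1 << 6, 1 << 7
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
LIBRARY_EXT = (".dll", ".cpl")
# Heuristic (assumption, not a published indicator): icon libraries under these
# prefixes are routine; a library anywhere else (relative path, removable drive) is not.
TRUSTED_ICON_PREFIXES = ("%systemroot%", "%windir%", "%programfiles%",
                         "c:\\windows\\", "c:\\program files")


class LnkError(ValueError): """A length field points outside the file."""


def _need(data, off, n):
    if off + n > len(data):
        raise LnkError(f"need {n} bytes at offset {off}, file has {len(data)}")


def parse_lnk(data):
    """Return header flags, icon index, raw ItemIDs and the StringData fields."""
    _need(data, 0, HEADER_SIZE)
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise LnkError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"flags": flags, "icon_index": struct.unpack_from("<i", data, 0x38)[0], "id_list": []}
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        _need(data, off, 2)
        end = off + 2 + struct.unpack_from("<H", data, off)[0]   # IDListSize excludes itself
        _need(data, 0, end)
        off += 2
        while off < end:                       # ItemIDs until the 2-byte TerminalID
            _need(data, off, 2)
            item_size = struct.unpack_from("<H", data, off)[0]
            if item_size == 0:
                break
            if item_size < 2 or off + item_size > end:
                raise LnkError("ItemIDSize runs past the IDList")
            info["id_list"].append(data[off + 2:off + item_size])
            off += item_size
        off = end
    if flags & HAS_LINK_INFO:                  # skipped over: not needed for this triage
        _need(data, off, 4)
        size = struct.unpack_from("<I", data, off)[0]
        if size < 4:
            raise LnkError("LinkInfoSize too small")
        _need(data, off, size)
        off += size
    for flag, name in [f for f in STRING_FIELDS if flags & f[0]]:   # spec order
        _need(data, off, 2)
        count = struct.unpack_from("<H", data, off)[0]
        nbytes = count * 2 if flags & IS_UNICODE else count
        _need(data, off + 2, nbytes)
        raw = data[off + 2:off + 2 + nbytes]
        info[name] = raw.decode("utf-16-le" if flags & IS_UNICODE else "cp1252", "replace")
        off += 2 + nbytes
    return info


def triage(info):
    """Reasons a shortcut deserves a closer look before anyone double-clicks it."""
    reasons = []
    icon = info.get("icon_location", "")
    if icon.lower().endswith(LIBRARY_EXT) and not icon.lower().startswith(TRUSTED_ICON_PREFIXES):
        reasons.append(f"icon drawn from a library outside the system dirs: {icon}")
    for item in info["id_list"]:
        flat = item.replace(b"\x00", b"").lower()   # collapse UTF-16 and ANSI alike
        if any(ext.encode() in flat for ext in LIBRARY_EXT):
            reasons.append("ItemID embeds a library path: " + flat.decode("latin-1"))
    return reasons


def build_lnk(relative_path, icon_location, items=()):
    """Construct a minimal Unicode .lnk in memory: a test fixture, not an exploit."""
    flags = HAS_RELATIVE_PATH | HAS_ICON_LOCATION | IS_UNICODE | (HAS_LINK_TARGET_ID_LIST if items else 0)
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, 0x14, flags)
    body = bytearray()
    if items:
        id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
        body += struct.pack("<H", len(id_list)) + id_list
    for s in (relative_path, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return bytes(header) + body


# Constructed fixtures; the paths are invented for the demonstration.
BENIGN = build_lnk(r".\readme.txt", r"%SystemRoot%\system32\shell32.dll")
ICON_FROM_USB = build_lnk(r".\readme.txt", r"E:\icons.dll")
LIBRARY_IN_IDLIST = build_lnk(r".\readme.txt", r"%SystemRoot%\system32\shell32.dll",
                              items=[r"E:\panel.cpl".encode("utf-16-le")])
```

`triage(parse_lnk(BENIGN))` comes back empty, while the other two fixtures each produce one finding; a real file goes in as `parse_lnk(open(path, "rb").read())`. A shortcut whose IDListSize, ItemIDSize or string count points past the end of the file raises `LnkError` rather than being silently mis-parsed, which is the point of checking every declared length before using it.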

----------



## harsh (Jun 15, 2003)

There aren't any new problems -- only problems that Microsoft has thus far managed to keep quiet.


----------



## Greg Alsobrook (Apr 2, 2007)

harsh said:


> There aren't any new problems -- only problems that Microsoft has thus far managed to keep quiet.


:lol:


----------



## hdtvfan0001 (Jul 28, 2004)

It's just a random feature.


----------



## Marlin Guy (Apr 8, 2009)

:lol: at both of those!


----------



## clueless (Dec 6, 2004)

Looking for SCADA software!! This doesn't sound good at all....


----------



## HIPAR (May 15, 2005)

harsh said:


> There aren't any new problems -- only problems that Microsoft has thus far managed to keep quiet.


I'll empathize with the Microsoft people who write the code that accomplishes difficult to do things. Not only do they need to think out the problems and get the code debugged and working but now they need to think like a hacker while doing so.

How do these hackers discover such unobtrusive flaws in the code?

--- CHAS


----------



## harsh (Jun 15, 2003)

HIPAR said:


> I'll empathize with the Microsoft people who write the code that accomplishes difficult to do things.


It is folly to assume that the code necessarily performs some sort of magic. Most of the time, the exploits simply use the code in a way that it wasn't intended to be used.

The problem arises when assumptions about the input data are made and provisions for errors in the input aren't sufficient. You'll often see references to the term "overflow" when reading the details of an exploit. Input data that is out of range or nonsensical isn't hard to filter out, but your programming discipline needs to include validation of the data. If that's not something that starts at fundamental levels, it can be difficult to cobble in.


----------



## hdtvfan0001 (Jul 28, 2004)

harsh said:


> It is folly to assume that the code necessarily performs some sort of magic. Most of the time, the exploits simply use the code in a way that it wasn't intended to be used.
> 
> The problem arises when assumptions about the input data are made and provisions for errors in the input aren't sufficient. You'll often see references to the term "overflow" when reading the details of an exploit. Input data that is out of range or nonsensical isn't hard to filter out, but your programming discipline needs to include validation of the data. If that's not something that starts at fundamental levels, it can be difficult to cobble in.


This is going to kill me to admit....and it's the second time this week. :eek2:

But.... I agree.


----------



## harsh (Jun 15, 2003)

hdtvfan0001 said:


> This is going to kill me to admit....and it's the second time this week. :eek2:


Think of it in terms of monkeys and typewriters.


----------



## Nick (Apr 23, 2002)

What's a typewriter? :whatdidid


----------



## hdtvfan0001 (Jul 28, 2004)

harsh said:


> Think of it in terms of monkeys and typewriters.


I prefer "even a blind squirrel..."


----------



## harsh (Jun 15, 2003)

hdtvfan0001 said:


> I prefer "even a blind squirrel..."


My recent cataract surgery leaves that one out.


----------



## hdtvfan0001 (Jul 28, 2004)

harsh said:


> My recent cataract surgery leaves that one out.


Oops... :eek2:

OK...we'll run with yours then.


----------



## Marlin Guy (Apr 8, 2009)

Please note the level of SUCK on Windows LUA and UAC.

https://www.youtube.com/watch?v=1UxN7WJFTVg


----------



## hdtvfan0001 (Jul 28, 2004)

Marlin Guy said:


> Please note the level of SUCK on Windows UAC.


Great video explanation.

Wondering how Microsoft Security Essentials, Norton, etc. react to the same virus...

I ran my own test with a known virus on a flash drive attached to a Word file, and Microsoft Security Essentials caught it and blocked it right away.


----------



## Marlin Guy (Apr 8, 2009)

I keep an old USB drive that has a manual write lock on it for working on infected PCs. Learned my lesson some time ago when one exploited autorun and burned me.

Sadly, such drives are now difficult to find.

edit.../but not impossible!
https://www.kanguru.com/index.php/flash-drives/basic-flash/kanguru-flashblu-ii


----------



## harsh (Jun 15, 2003)

hdtvfan0001 said:


> Wondering how Microsoft Security Essentials, Norton, etc. react to the same virus...


http://www.microsoft.com/security/portal/

http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

http://www.avira.com/en/threats/section/fulldetails/id_vir/5318/rkit_stuxnet.a.html


----------



## hdtvfan0001 (Jul 28, 2004)

harsh said:


> http://www.microsoft.com/security/portal/
> 
> http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
> 
> http://www.avira.com/en/threats/section/fulldetails/id_vir/5318/rkit_stuxnet.a.html


Thanks....figures....I searched the Microsoft site for that info on Wednesday...and Thursday...they post the info. :lol:


----------



## harsh (Jun 15, 2003)

Here's the CNet summary:

http://news.cnet.com/8301-27080_3-20011159-245.html?tag=topStories1


----------



## Marlin Guy (Apr 8, 2009)

Now they're saying it can be executed from websites and docs with embedded shortcuts as well.

http://www.sophos.com/blogs/gc/g/2010/07/21/malicious-shortcuts-documents-webpages-risky/

http://www.microsoft.com/technet/security/advisory/2286198.mspx


----------

