Despite the age of its attack vector, the new worm exploiting a shortcut-processing vulnerability has become very widespread. One would think this malware distribution vector should have become ineffective long ago, since worms have spread this way since the time of Elk Cloner (1982). However, 28 years later, we face this attack vector again, now with a much higher infection speed and on a much wider scale.
The Belarusian antivirus company VirusBlokAda (VBA) reports the detection of a new malicious program.
The US-CERT receives notification of an attack exploiting a 0-day vulnerability in Microsoft Windows.
Information about the vulnerability becomes publicly available.
Microsoft issues a security bulletin confirming the vulnerability. The affected systems are:
- Microsoft Windows XP SP2/SP3
- Microsoft Windows 2003 SP2
- Microsoft Windows Vista SP1/SP2
- Microsoft Windows 2008 SP0/SP2
- Microsoft Windows 7
- Windows Server 2008 R2 for x64-based Systems
Currently, antivirus products identify the worm as:
- Eset: Win32/Stuxnet.A
- Symantec: W32.Temphid
- Kaspersky: Rootkit.Win32.Stuxnet.a
- TrendMicro: RTKT_STUXNET.A
- F-Secure: Rootkit.Stuxnet.A
- Sophos: W32/Stuxnet-B
- Bitdefender: Rootkit.Stuxnet.A
- Avast: Win32:Stuxnet-B
- Microsoft: Trojan:WinNT/Stuxnet.A
- AVG: Rootkit-Pakes.AG
- PCTools: Rootkit.Stuxnet
- GData: Rootkit.Stuxnet.A
- AhnLab: Backdoor/Win32.Stuxnet
- DrWeb: Trojan.Stuxnet.1
- Fortinet: W32/Stuxnet.A!tr.rkit
- Ikarus: Rootkit.Win32.Stuxnet
- Norman: W32/Stuxnet.D
Worm propagation rate: 1,000 hosts per day. Main propagation method: USB drives.
The infection scale is clearly illustrated with a diagram from the MMPC web site:
The vulnerability is caused by an error in the handling of file shortcuts (.lnk and .pif). The worm spreads via USB devices. The system becomes infected when an infected drive is opened automatically by the autorun mechanism or directly in Windows Explorer or another file manager. A crafted shortcut forces Windows Shell to load an external dynamic-link library, which executes arbitrary code with the privileges of the user who launched Windows Explorer.
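A defender-side check that follows from the description above, added here as an example and not part of the original post: it parses the fixed header and LinkTargetIDList of a .lnk file (per the public MS-SHLLINK layout) and flags shortcuts whose target item list names a .dll, which is the kind of shortcut a scan of a removable drive should surface for closer inspection. The two shortcut blobs are constructed inline; the path `E:\evil_loader.dll` is a made-up sample, and the heuristic is mine, not a signature from any vendor on the page.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_LINK_TARGET_ID_LIST = 0x00000001                            # LinkFlags bit 0

def id_list_items(data: bytes) -> list[bytes]:
    """Return the raw ItemID payloads of the LinkTargetIDList ([] if absent)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link (.lnk) file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    size = struct.unpack_from("<H", data, 0x4C)[0]  # IDListSize
    pos, end, items = 0x4E, 0x4E + size, []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size < 2:  # TerminalID (0x0000) closes the list
            break
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items

def dll_references(data: bytes) -> list[str]:
    """Decode each ItemID as UTF-16LE and collect every token ending in '.dll'."""
    hits = []
    for item in id_list_items(data):
        text = item.decode("utf-16-le", errors="ignore").replace("\x00", " ")
        hits += [t for t in text.split() if t.lower().endswith(".dll")]
    return hits

def is_suspicious(data: bytes) -> bool:
    """A shortcut whose target list names a DLL deserves a closer look."""
    return bool(dll_references(data))

def make_lnk(items: list[bytes]) -> bytes:
    """Build a minimal .lnk (76-byte header + ID list) for the constructed samples."""
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    return header.ljust(0x4C, b"\x00") + struct.pack("<H", len(body)) + body

# Constructed samples: an ordinary document shortcut and one naming a DLL.
BENIGN = make_lnk([b"\x1f\x50", "C:\\Users\\Public\\notes.txt".encode("utf-16-le")])
CRAFTED = make_lnk([b"\x1f\x50", "E:\\evil_loader.dll".encode("utf-16-le")])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, "suspicious" if is_suspicious(blob) else "clean", dll_references(blob))
```

To use it on a drive, read each *.lnk found on the mounted volume and pass its bytes to `is_suspicious`; a hit is a reason to quarantine and examine the shortcut, not proof of infection.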
The current worm version performs the following actions in the system:
1. The worm copies itself to the following files:
Some samples have Realtek Semiconductor Corporation digital signatures.
2. The worm registers itself (mrxcls.sys) as a service called MRXCLS.
3. The worm creates the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\"ImagePath" = "%System%\drivers\mrxcls.sys"
4. The worm registers the mrxnet.sys file as a service called MRXNET.
5. The worm creates a registry key
6. The worm hides the files named
by overwriting the following APIs:
After a successful launch, the worm stops the services whose names contain the following:
The worm gathers information about network settings and local network servers. It can connect to the following sites:
The worm spreads by creating the following files:
PoC code is now publicly available. As you can see in Figs. 1 and 2, the debugging output contains a string that confirms code execution.
Here is a video demonstrating the vulnerability exploitation:
While Microsoft is preparing patches, let’s consider the following workarounds.
1. Disable the display of shortcut icons
- After you perform the steps below, shortcut icons will no longer be displayed. Disabling icon display prevents exploitation of the vulnerability.
- Open the registry editor (Start->Run->regedit).
- Go to the key
- Delete the data of the (Default) value.
- Restart Windows Explorer.
2. Disable the WebClient service
Disabling this service eliminates the attack vector by blocking the most probable attack source, Web Distributed Authoring and Versioning (WebDAV).
- sc stop WebClient
- sc config WebClient start= disabled
If you disable this service, WebDAV resources become unavailable.
3. Block the downloading of LNK and PIF files from the Internet
4. Fix it
You can also use a Fix it utility from Microsoft.
Microsoft has updated its advisory with new information about possible attack vectors.
- Internet Explorer. In the Web-based scenario, a remote attacker could set up a malicious website and attempt to load malicious components when a user visits it with a browser such as Internet Explorer.
- Microsoft Office. An attacker could embed an exploit in a document that supports embedded shortcuts.
This means that in the near future we will see e-mails with malicious attachments exploiting this vulnerability.