New interesting Windows exploit spread by USB keys

Ars Technica has an interesting piece today on a flaw that allows silent installation of software on any windows machine by using specially crafted shortcut (.LNK) files. The exploit is triggered when an application (such as the windows shell) attempts to display the shortcut icon.

Affected windows versions include XP, Server 03 and 08 versions, Vista and 7, so pretty much every OS MS has made in the last decade.

As the Ars article states, this exploit is already being used in the wild using USB keys as the method and carrier of the infection. On the USB key resides a rootkit and malicious payload with a kernel-level driver digitally signed by Realtek (!!!), which prevents the malware files and the offending icon from being shown to the user.
 
At first glance, I thought you were going to post an autorun exploit. Obviously not! That's pretty bizarre and scary...
 
The malware payload appears to be designed to specifically compromise the databases used by Siemens' SIMATIC WinCC software. WinCC is SCADA software, used to control and monitor industrial systems, found in manufacturing plants, power generation facilities, oil and gas refineries, and so on.

Ergh, that just screams terrorism to me. Scary shit.
 
It's scary that the payload would (at least from a casual glance) appear to have terrorist-ish purposes, but more so that the programmer managed to sign it with a major company's digital certificate, which means they somehow had inside access to the master key.

THAT is creepy IMO, because it subverts the entire trust-based relationship between users and digital signatures...
 
What's scary is that something as critical as SCADA is running on Windows. :rolleyes:

More and more does use windows, particularly in the US. Embedded linux has never really caught on over here. Is XPe specifically affected?
 
More and more does use windows, particularly in the US. Embedded linux has never really caught on over here. Is XPe specifically affected?

XPe is based on the NT5 codebase, and it appears that the entire NT5 code base (2000 / XP / Server 2003) is affected. So yes, it likely affects all versions of XP Embedded.
 
Happily the certificate has been revoked, but how does this propagate to regular desktop clients? Does Win7 connect to a verisign server each time a certificate needs to be checked?
 
Does Win7 connect to a verisign server each time a certificate needs to be checked?

I would assume it does, or else it's kind of worthless having these certificates in the first place... However your PC might not have internet access - or at least not at that moment - and then the OS couldn't verify the validity.

Not sure if some kind of warning message would pop up in that case, or if this exploit somehow manages to suppress all that.
 
I would assume it does, or else it's kind of worthless having these certificates in the first place... However your PC might not have internet access - or at least not at that moment - and then the OS couldn't verify the validity.

Not sure if some kind of warning message would pop up in that case, or if this exploit somehow manages to suppress all that.

Many (most?) SCADA systems do not have direct internet access to avoid chances of malware infection.
 
I would assume it'd be generally unsafe (and unnecessary) to hook up computers running critical bits of infrastructure to the internet. Not just from a malware POV, but those systems would then be vulnerable to straight old-fashioned blackhat hacking, DDoSing etc...
 
It's scary that the payload would (at least from a casual glance) appear to have terrorist-ish purposes, but more so that the programmer managed to sign it with a major company's digital certificate, which means they somehow had inside access to the master key.

THAT is creepy IMO, because it subverts the entire trust-based relationship between users and digital signatures...

It doesn't surprise me at all. I was once emailed a digital certificate complete with keys and password from a major company so we could sign some files in their name. My guess is that certificates leak like this all the time.
 
I would assume it'd be generally unsafe (and unnecessary) to hook up computers running critical bits of infrastructure to the internet. Not just from a malware POV, but those systems would then be vulnerable to straight old-fashioned blackhat hacking, DDoSing etc...

I agree. I will say, however, that more and more SCADA *is* being connected to the internet for remote monitoring, etc. It costs less to have experts in one location instead of four. Granted they're tunneling on a VPN, but they do it.
 
XPe is based on the NT5 codebase, and it appears that the entire NT5 code base (2000 / XP / Server 2003) is affected. So yes, it likely affects all versions of XP Embedded.

If it's command line or has short-cut icons disabled then the system isn't vulnerable, unless you're silly enough to auto-run. Other than auto-run the only other way to trigger is by displaying an icon for a shortcut.

Poor Digi, didn't have to delete ALL icons, just shortcuts. :D

Happily the certificate has been revoked, but how does this propagate to regular desktop clients? Does Win7 connect to a verisign server each time a certificate needs to be checked?

Certs are stored locally on the computer and updated when you connect to the internet. I'm not sure whether new certs are pushed through Windows update or through Verisign.

Regards,
SB
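The question above is whether a revoked signing certificate actually stops anything on a desktop that is not online. The following PowerShell is an added example written for this thread (not code from the Ars article or from any poster, and the function name Test-SignedFileRevocation is my own). It verifies a file's Authenticode signature, then builds the signer's certificate chain with revocation checking turned on, and reports three distinct outcomes: the certificate is revoked, it is fine, or Windows could not tell because no revocation data was reachable. The -Offline switch reproduces what happens on a host that never sees the internet.

```powershell
# Added example for this thread, not code from the article or any poster.
# Assumes PowerShell 2.0+ on Windows (Get-AuthenticodeSignature and the .NET
# X509Chain class are both present on Windows 7).

function Test-SignedFileRevocation {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Offline = consult only CRLs already cached on this machine, which is
        # the situation on a SCADA host with no internet access.
        [switch]$Offline
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = New-Object PSObject -Property @{
        File              = $Path
        SignatureStatus   = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
        Signer            = ''
        Revoked           = $false
        RevocationUnknown = $false
        ChainStatus       = @()
    }
    if ($sig.SignerCertificate -eq $null) { return $result }
    $result.Signer = $sig.SignerCertificate.Subject

    # Build the chain ourselves so the revocation outcome is explicit rather
    # than folded into a single Valid / NotValid verdict.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if ($Offline) {
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Offline
    } else {
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    }
    $null = $chain.Build($sig.SignerCertificate)

    # Separate "this certificate was revoked" from "nobody could check".
    $revoked = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    $unknown = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::RevocationStatusUnknown
    $offline = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::OfflineRevocation
    foreach ($status in $chain.ChainStatus) {
        $result.ChainStatus += $status.Status.ToString()
        if ($status.Status -band $revoked) { $result.Revoked = $true }
        if ($status.Status -band ($unknown -bor $offline)) { $result.RevocationUnknown = $true }
    }
    return $result
}

# Usage: any signed driver on the host will do; ntfs.sys ships with Windows.
Test-SignedFileRevocation -Path "$env:SystemRoot\System32\drivers\ntfs.sys"
Test-SignedFileRevocation -Path "$env:SystemRoot\System32\drivers\ntfs.sys" -Offline
```

On a machine without internet access an Online check for a signer whose CRL has never been cached comes back with RevocationUnknown set, not Revoked, which is exactly the gap raised in the thread: a revocation published by the CA is only felt by hosts that can fetch it. For isolated systems the practical answers are to import the CRL on a schedule, or to distrust the signing certificate explicitly by placing it in the machine's Untrusted Certificates store, which takes effect without any network lookup.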
 
Certs are stored locally on the computer and updated when you connect to the internet. I'm not sure whether new certs are pushed through Windows update or through Verisign.

Regards,
SB

There are design issues with how Windows 7 does this sort of thing. I think it uses the rundll executable for too much (Rundll should not really connect to the Internet) and it also uses svchost for too much. Services running inside svchost should identify themselves better I think, so you don't have to go dig around for what exactly is run inside each svchost process.

I also don't really trust the ntoskrnl.exe. It does weird things, IMHO, like crawling through directories (I know because I have software that monitors and supervises access to for instance the Firefox folder where passwords are stored). I wish something that is named as such a critical component does stuff like this. Why?
 
If it's command line or has short-cut icons disabled then the system isn't vulnerable, unless you're silly enough to auto-run. Other than auto-run the only other way to trigger is by displaying an icon for a shortcut.

"Isn't vulnerable" really isn't correct though, is it? If any other NT5 OS has short-cut icons disabled, then they're not going to be affected, but they're still vulnerable to the attack. In essence, skipping OVER the weakspot doesn't equate to it NOT having a weakspot.

And our XP Embedded systems (WEPOS 1.1 / POSReady2009) really don't use icons either, we have it all based on our own shell system. Nevertheless, access to the desktop by a secure admin logon is still permissible, which means under very specific circumstances, there is opportunity for breach until the OS is patched.

Actually, our devices are protected by SolidCore, so even in this instance, it really still wouldn't work. Any new executable code injected would simply be blocked from being read from the disk at a kernel filter level, so it would go nowhere.
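Two posts in this thread (the one saying a system with shortcut icons disabled is not exposed, and the reply distinguishing "not affected" from "not vulnerable") both turn on the same two facts: whether the shell is still rendering .lnk icons, and what the shortcuts on an inserted drive actually point to. The PowerShell below is an added example written for this thread, not code from the article or any poster; the function names and the "icon resource lives on the removable drive" heuristic are my own choices. It is read-only triage for an administrator who wants to look at a USB key before Explorer does.

```powershell
# Added example for this thread, not code from the article or any poster.
# Assumes PowerShell 2.0+ (Windows 7 era) and the WScript.Shell COM object.

function Test-LnkIconHandlerEnabled {
    # Explorer renders .lnk icons through the IconHandler shell extension
    # registered under HKCR\lnkfile\shellex\IconHandler. Microsoft's published
    # workaround for this flaw was to clear that value, which is what
    # "short-cut icons disabled" in the thread amounts to.
    $key = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
    $handler = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    return -not [string]::IsNullOrEmpty($handler)
}

function Get-RemovableLnkInventory {
    # DriveType 2 = removable disk. Get-WmiObject rather than Get-CimInstance so
    # this also runs on PowerShell 2.0.
    $removable = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2'
    $wsh = New-Object -ComObject WScript.Shell

    foreach ($disk in $removable) {
        $drive = $disk.DeviceID                     # e.g. "E:"
        $files = Get-ChildItem -Path ($drive + '\') -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            # CreateShortcut on an existing .lnk loads its stored properties
            # without launching anything.
            $lnk = $wsh.CreateShortcut($file.FullName)

            # IconLocation is "path,index"; an empty path means "use the target's icon".
            $parts = $lnk.IconLocation -split ',(?=[^,]*$)'
            $iconPath = [Environment]::ExpandEnvironmentVariables($parts[0])
            $iconIndex = if ($parts.Count -gt 1) { $parts[1] } else { '' }

            # Heuristic (my choice, not from the thread): a shortcut whose icon
            # resource is on the removable drive itself deserves a look before
            # the key is browsed, since icon rendering is the trigger described.
            $flag = ''
            if ($iconPath -and $iconPath.StartsWith($drive, [StringComparison]::OrdinalIgnoreCase)) {
                $flag = 'review: icon resource is on the removable drive'
            }

            New-Object PSObject -Property @{
                Shortcut  = $file.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                IconPath  = $iconPath
                IconIndex = $iconIndex
                Flag      = $flag
            }
        }
    }
}

# Usage: run from an elevated prompt.
'Shortcut icon rendering enabled: ' + (Test-LnkIconHandlerEnabled)
Get-RemovableLnkInventory | Format-Table Shortcut, Target, IconPath, IconIndex, Flag -AutoSize
```

Test-LnkIconHandlerEnabled returning $false confirms the workaround is in place on that host, which is the "not affected" case; the inventory is what tells you whether a particular key carries shortcuts that would matter on a host where it is not. Neither function is a substitute for the patch, which is the point the second post makes.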
 
Isn't this sort of thing covered by MS Base Certificate Updates?

I've been suspicious of shortcuts for a while for some reason, pretty sure I've seen some evidence previously that they can be exploited something like this.

Aside from that I friggin' hate having shortcuts on the desktop! :mad:
 
perhaps if you give the removable drive a custom icon rather than letting windows read the inf file on the drive and loading the icon listed in there:
 
Readers of Ars Technica - such as I - may have seen the blurb linking to this story:
http://blogs.technet.com/b/mmpc/arc...malware-families-using-lnk-vulnerability.aspx

...Apparently, two new (or rather, additional, at least in the case of one of them(*)) malwares are out in the wild, using the .LNK exploit previously described to autorun from media inserted into your PC. Please keep your virus scanners updated, now that these threats have been identified I'm sure they've been added to the definition files by now.

* = Edit: reading the whole blog post more properly, it appears both of these malwares are variations of existing malware, modified to exploit this new security hole. Best to still use protection though... :)
 