The security community was buzzing today about a potential new zero-day vulnerability in Windows. The attack that exploits the vulnerability was originally discovered by VirusBlokAda in Belarus. It contains several components and is still being analyzed by SophosLabs.
It starts with a yet unexplained flaw in Windows that allows a Windows shortcut file (.lnk) placed on a USB device to run a DLL simply by being viewed. This means that, even with AutoRun and AutoPlay disabled, you can open a removable media device (USB) and execute malicious code without user interaction. The danger associated with this attack is large considering how many computers were infected through USB devices by Conficker using the AutoPlay functionality. If you can execute malware even when AutoPlay is disabled, the risk is very high. Sophos detects these malicious .lnk files as W32/Stuxnet-B.
Although analysis is not complete, it would appear that the flaw is in how Windows Explorer loads the image to display when showing a shortcut. This feature is being used to exploit a vulnerability and execute a DLL to load the malware on the system.
The DLL that is loaded in this case is a rootkit dressed up as a device driver. It is able to load undetected into the system because it is digitally signed by RealTek Semiconductors, a legitimate hardware vendor. Why RealTek would digitally sign a driver that is in fact a rootkit, or whether their systems were compromised has yet to be determined. The rootkit, once loaded, disguises the malicious files on the USB device, making further investigation difficult.
The .lnk files used to spread the infection via USB are specific to each USB key infected. The malware dynamically generates the .lnk file for each device it infects. At this time it is unclear whether this is necessary for the exploit to work, or whether it is a control mechanism for the perpetrators of this attack.
Brian Krebs reported on his blog that the payload appears to be looking for content specific to Siemens SCADA software. SCADA systems control much of our nations’ critical infrastructure. If this is the case, it’s a disturbing turn of events. The implication would be that the samples that we are looking at are part of a true “Advanced Persistent Threat” attack against specific targets. Knowledge of this exploit could also lead to widespread adoption by opportunistic malware writers similar to what happened in the Google Aurora attacks.
This is why we need to be careful not to call every data-stealing piece of malware an Advanced Persistent Threat. We need to be sure that when a wolf really does come along — when our adversaries target critical infrastructure providers with malware designed to steal information or disrupt their operations — our cries don’t go unheeded.