Sophos Cloud Optix
Update: I have recorded a new more detailed video of the infection. Other minor edits as well. For additional information on this threat see Windows zero-day vulnerability uses shortcut files on USB.
It’s been a busy 24 hours looking into this newest flaw in Windows. Lots of research has gone into it and most of the results are not good news for Windows users. It is important to think about this attack as two separate pieces, one that is a new zero-day vulnerability that could easily be adopted by any malware author, the other a unique payload that appears to be designed to go after some very specific infrastructure targets.
For corporate users (unless you run a power plant, water system or other SCADA system) the important part is the zero-day flaw. Warning: I am about to go a bit geeky.
The flaw is in how shell32.dll tries to load control panel icons from applets. By making a specially crafted shortcut pointing to a malicious file, you can make Windows Explorer blindly execute the malicious file when the location of the shortcut is merely browsed to. In this case the malicious file is a rootkit and a dropper that immediately hide the special shortcut (.lnk) files. Allowing executable code to load in the process of trying to retrieve an icon seems like a major oversight in the design of Windows.
Here is a photo of the directory listing I made on a Linux box in SophosLabs using an infected USB device. You can see that there are 4 different malicious shortcuts that are all called “Copy of … Shortcut to.lnk”. The tmp files you see are the actual rootkit/dropper.
The following (hastily captured, apologies for the quality) video shows the automatically executed rootkit in action. You can see that I in no way interact with the device other than to “explore” it. This will work even with AutoRun and AutoPlay disabled. I don’t know why you would plug in a USB storage device if you weren’t going to view it in Explorer…
Enjoy this video? Consider subscribing to the SophosLabs YouTube channel.
This rootkit is particularly nasty as it infects all Windows versions since XP, and as you see here it bypasses all Windows 7 security mechanisms, including UAC, and doesn’t require administrative privilege to run. The user I am logged in as in this video is “Bob,” a standard user. I expressed concerns last November about people mistaking UAC for a security feature and this unfortunately seems to still hold true.
A few hours ago Microsoft released their security advisory and mitigation advice. Microsoft confirms what I discovered during my testing, that this vulnerability affects all currently supported Windows releases. However, noticeably absent from the list are Windows 2000 and Windows XP SP2 as they are no longer supported since Tuesday. They are, however, definitely still vulnerable.
This exploit affects more than just USB devices. According to Microsoft’s advisory, it also affects Windows file shares and WebDav, making a very bad situation worse. Let’s hope Microsoft has their best team on this to get us a dependable fix very soon.
For now, Microsoft advises that you disable icons for shortcuts. Unfortunately, this is highly impractical for most environments. While it would certainly solve the problem, it would also cause mass confusion among many users and might not be worth the support calls. Microsoft also suggests disabling the WebClient service that is used for WebDav. If you are not a Microsoft SharePoint customer this may be a solution, but many organizations rely on SharePoint so this is limiting as well.
Today, a colleague suggested the best mitigation I have heard so far: deploying a GPO disallowing the use of executable files that are not on the C: drive. This will work for most environments, and you really shouldn’t be running executables from USB drives and network shares anyway. We tested this solution against the vulnerability and it does in fact provide protection.
The malware originally distributed with this flaw is not a big concern unless you run a nuclear power plant and Homer Simpson is using Windows and clicking whatever he pleases (D’oh!). Expect the exploit, on the other hand, to be widely used in short order. Having had the opportunity to play with it and see the simplicity with which it can be used, I suspect it will be too juicy a target to ignore.
If you are a Sophos customer, the good news is that you are protected against the exploit and the payload. Even the WebDav angle will be stopped by the Sophos Web Appliance. As a backup measure, or for people not fortunate enough to have our software, I recommend using the GPO to disable execution on devices other than the system and program drives.
Update: Some people have pointed out that they are required to execute files from network shares as part of their standard operations. If this is true, the above suggestion can still work you simply need to adjust the GPO to allow execution for the specific network paths you may require. This solution is not ideal, but it is the simplest method to try and prevent infection from this flaw .
A special shout-out to SophosLabs and Mike, Niall, and Paul. Your help investigating this was invaluable and we all appreciate your dedication to helping the public defend their PCs.