Just recently, reports were released about a new kind of malware propagating through removable drives. The said malware exploits a newly discovered vulnerability in shortcut files, which allows random code to be executed on the user’s system. Microsoft has officially acknowledged the vulnerability and released a security advisory.
Our engineers were able to take hold of a sample of this malware, which is now detected as WORM_STUXNET.A, and analyze its routines. Here is a summary of their findings:
Instead of dropping an AUTORUN.INF file and a copy of itself into removable and fixed drives, WORM_STUXNET.A drops a .LNK file—a shortcut file that points to an executable file—into the drives instead. The dropped .LNK file exploits this vulnerability to drop a new copy WORM_STUXNET.A onto other systems. Trend Micro detects these .LNK files as LNK_STUXNET.A.
Apart from dropping copies of itself onto removable drives, this worm also drops a rootkit, which is now detected as RTKT_STUXNET.A, which it uses to hide its routines. This enables the worm to remain unnoticed by the user and to make analysis harder for researchers.
WORM_STUXNET.A was also found attempting to connect to certain websites, which were, interestingly enough, related to football. The purpose of the said routine remains undetermined, as our engineers found no trace of malicious activities on the said sites.
This new method of dropping .LNK files is yet another development in terms of how worms propagate through removable drives. Just recently, we reported about the use of the AUTORUN.INF Action Key to automatically execute malicious files.
Despite the numerous potential techniques for proliferation being offered by the Web, USB malware continue to be distributed by cybercriminals, which only proves their effectiveness. This type of malware was further discussed in the article “Understanding USB Malware.”
Because the vulnerability has to do with how Windows processes the shortcut icons, one suggested workaround is to disable displaying icons for all shortcuts. Procedures on how to do this are contained in the Microsoft security advisory.
Update as of July 20, 2010, 5:17 a.m. (UTC-7)
Code for exploiting the vulnerability involved in this attack is already released in the wild. To protect users from future attacks, we now detect all malware leveraging on the Windows Shell Vulnerability as WORM_STUXNET.SM.
Additionally, further analysis on WORM_STUXNET.A by Threat Response Engineer Cris Pantanilla reveals that the said worm attempts to access a certain database and execute SQL commands.
Update as of July 21, 2010, 1:00 a.m. (UTC-7)
Users of Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin can partially protect themselves by downloading newly-released rules that deal with this vulnerability. These rules prevent this vulnerability from being exploited via network shares and WebDAV.
Update as of August 3, 2010, 3:30 a.m. (UTC-7)
Microsoft has issued an out-of-cycle patch to resolve this issue. Details may be found here.