Stuxnet attacks! One more Zero-day for Microsoft Windows

In spite of its attack vector, the new worm exploiting a shortcut processing vulnerability becomes very popular. It would seem that this malware distribution vector was to become inefficient long ago, because this method of spreading worms has been used since the time of Elk Cloner (1982). However, 28 years later, we face this attack vector again, but the infection speed has become much higher and the scale has become much wider.

Event Chronology

10.07.2010
The Byelorussian antivirus company VirusBlokAda (VBA) reports detection of a new malicious program.
The US-CERT receives notification of an attack exploiting a 0-day vulnerability in Microsoft Windows.

15.07.2010
Information about the vulnerability becomes publicly available

16.07.2010
Microsoft issues a security bulletin that confirms the vulnerability presence

19.07.2010
An exploit becomes publicly available

Vulnerable Systems

Microsoft Windows XP SP2/SP3
Microsoft Windows 2003 SP2
Microsoft Windows Vista SP1/SP2
Microsoft Windows 2008 SP0/SP2
Microsoft Windows 7
Windows Server 2008 R2 for x64-based Systems

Currently, antivirus products identify the worm as:

Eset: Win32/Stuxnet.A
Symantec: W32.Temphid
Kaspersky: Rootkit.Win32.Stuxnet.a
TrendMicro: RTKT_STUXNET.A
F-Secure: Rootkit.Stuxnet.A
Sophos: W32/Stuxnet-B
Bitdefender: Rootkit.Stuxnet.A
Avast: Win32:Stuxnet-B
Microsoft: Trojan:WinNT/Stuxnet.A
AVG: Rootkit-Pakes.AG
PCTools: Rootkit.Stuxnet
GData: Rootkit.Stuxnet.A
AhnLab: Backdoor/Win32.Stuxnet
DrWeb: Trojan.Stuxnet.1
Fortinet: W32/Stuxnet.A!tr.rkit
Ikarus: Rootkit.Win32.Stuxnet
Norman: W32/Stuxnet.D

The worm propagation rate: 1000 hosts per day. The main propagation method: USB drives.

The infection scale is clearly illustrated with a diagram from the MMPC web site:

Infection

The vulnerability exists due to an error when handling file shortcuts (.lnk and .pif). The worm spreads via USB devices. The system becomes infected when a user opens an infected drive automatically with the autorun mechanism or when the drive is opened directly in Windows Explorer or another file manager. A crafted shortcut will force Windows Shell to load an external dynamic-link library that executes arbitrary code with the privileges of the user who launched Windows Explorer.

The current worm version performs the following actions in the system:

1. The worm copies itself to the following files:
%System%\drivers\mrxcls.sys
%System%\drivers\mrxnet.sys

Some samples have Realtek Semiconductor Corporation digital signatures.

2. The worm registers itself (mrxcls.sys) as a service called MRXCLS.

3. The worm generates a register key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\"ImagePath" = "%System%\drivers\mrxcls.sys"

4. The worm registers the mrxnet.sys file as a service called MRXNET.

5. The worm generates a register key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\­"ImagePath" = "%System%\drivers\mrxnet.sys"

6. The worm hides the files named

%DriveLetter%\~WTR[FOUR NUMBERS].tmp

by overwriting the following APIs:

FindFirstFileW

FindNextFileW

FindFirstFileExW

NtQueryDirectoryFile

ZwQueryDirectoryFile

After successful launching, the worm shuts down the services that contain the following names:

avp.exe

Mcshield.exe

avguard.exe

bdagent.exe

UmxCfg.exe

fsdfwd.exe

rtvscan.exe

ccSvcHst.exe

ekrn.exe

tmpproxy.exe

The worm gathers information about network settings and local network servers. It can connect to the following sites:

www.windowsupdate.com
www.msn.com
www.mypremierfutbol.com
www.todaysfutbol.com

The worm is spreading by creating the following files:

%DriveLetter%\~WTR4132.tmp

%DriveLetter%\~WTR4141.tmp

%DriveLetter%\Copy of Shortcut to.lnk

%DriveLetter%\Copy of Copy of Shortcut to.lnk

%DriveLetter%\Copy of Copy of Copy of Shortcut to.lnk

%DriveLetter%\Copy of Copy of Copy of Copy of Shortcut to.lnk

A PoC code is publicly available now. As you can see on Figs. 1 and 2, the debugging data is represented with a string that confirms code execution.

Fig. 1

Fig.2

Here is a video demonstrating the vulnerability exploitation:

Protection

While Microsoft is preparing patches, let’s consider the following workarounds.

1. Deny displaying shortcut icons

If you perform the actions described below, the shortcut icons will not be displayed any more. Disabling of icon displaying will prevent vulnerability exploitation.
Open the registry editor (Start->Run->regedit).
Go to the key
HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
Delete data for the (Default) value.

Restart Windows Explorer.

2. Disable the WebClient service

Disabling of this service eliminates the attack vector by blocking the most probable attack source via the Web Distributed Authoring and Versioning (WebDAV).

Start->Run->cmd
sc stop WebClient
sc config WebClient start= disabled

If you disable this service, the WebDav resources become unavailable.

3. Block the download of LNK and PIF files from the Internet

4. Fix it

You can also use a Fix it utility from Microsoft.

Added 07.21.2010

Microsoft updated their advisory with new information about possible attack vectors.

Internet Explorer. In the Web-based scenario, a remote attacker can set up a malicious Web site and try to load malicious components when a user visits the Web site with the browser such as Internet Explorer.
Microsoft Office. An attacker could embed an exploit in a document that supports embedded shortcuts.