July 21, 2010

Stuxnet attacks! One more Zero-day for Microsoft Windows

Despite its attack vector, the new worm, which exploits a shortcut-processing vulnerability, is spreading rapidly. One would have expected this distribution vector to have become ineffective long ago, since spreading worms on removable media goes back to Elk Cloner (1982). Yet 28 years later we face the same vector again, now with a far higher infection speed and a far wider scale.

Event Chronology

10.07.2010
The Belarusian antivirus company VirusBlokAda (VBA) reports the detection of a new malicious program.
US-CERT receives notification of an attack exploiting a 0-day vulnerability in Microsoft Windows.

15.07.2010
Information about the vulnerability becomes publicly available.

16.07.2010
Microsoft issues Security Advisory 2286198 confirming the vulnerability (CVE-2010-2568).

19.07.2010
An exploit becomes publicly available.

Vulnerable Systems

  • Microsoft Windows XP SP2/SP3
  • Microsoft Windows 2003 SP2
  • Microsoft Windows Vista SP1/SP2
  • Microsoft Windows 2008 SP0/SP2
  • Microsoft Windows 7
  • Windows Server 2008 R2 for x64-based Systems


Currently, antivirus products identify the worm as:

  • Eset: Win32/Stuxnet.A
  • Symantec: W32.Temphid
  • Kaspersky: Rootkit.Win32.Stuxnet.a
  • TrendMicro: RTKT_STUXNET.A
  • F-Secure: Rootkit.Stuxnet.A
  • Sophos: W32/Stuxnet-B
  • Bitdefender: Rootkit.Stuxnet.A
  • Avast: Win32:Stuxnet-B
  • Microsoft: Trojan:WinNT/Stuxnet.A
  • AVG: Rootkit-Pakes.AG
  • PCTools: Rootkit.Stuxnet
  • GData: Rootkit.Stuxnet.A
  • AhnLab: Backdoor/Win32.Stuxnet
  • DrWeb: Trojan.Stuxnet.1
  • Fortinet: W32/Stuxnet.A!tr.rkit
  • Ikarus: Rootkit.Win32.Stuxnet
  • Norman: W32/Stuxnet.D

Worm propagation rate: about 1,000 hosts per day. Main propagation method: USB drives.

The scale of the infection is illustrated by a diagram from the MMPC web site:



Infection

The vulnerability is caused by an error in the way Windows Shell parses shortcut files (.lnk and .pif) when it resolves their icons. The worm spreads via USB devices. The system becomes infected when the infected drive is opened automatically by the autorun mechanism, or directly in Windows Explorer or another file manager that renders shortcut icons. A crafted shortcut forces Windows Shell to load an attacker-supplied dynamic-link library, which executes arbitrary code with the privileges of the user running Windows Explorer. The user does not have to click the shortcut; displaying its icon is enough.

The current version of the worm performs the following actions on the system:

1. The worm installs its driver components as the following files:
%System%\drivers\mrxcls.sys
%System%\drivers\mrxnet.sys


Some samples are digitally signed with a certificate issued to Realtek Semiconductor Corp.

2. The worm registers mrxcls.sys as a service called MRXCLS.

3. It creates the registry value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\"ImagePath" = "%System%\drivers\mrxcls.sys"

4. The worm registers mrxnet.sys as a service called MRXNET.

5. It creates the registry value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\"ImagePath" = "%System%\drivers\mrxnet.sys"

6. The worm hides files named
%DriveLetter%\~WTR[four digits].tmp

by hooking the following APIs:
FindFirstFileW
FindNextFileW
FindFirstFileExW
NtQueryDirectoryFile
ZwQueryDirectoryFile

Once running, the worm shuts down security-product processes whose image names match the following:

avp.exe
Mcshield.exe
avguard.exe
bdagent.exe
UmxCfg.exe
fsdfwd.exe
rtvscan.exe
ccSvcHst.exe
ekrn.exe
tmpproxy.exe

The worm gathers information about the network configuration and local network servers. It can connect to the following sites (the first two serve as an Internet connectivity check, the last two are its command-and-control servers):

www.windowsupdate.com
www.msn.com
www.mypremierfutbol.com
www.todaysfutbol.com

The worm spreads by creating the following files on removable drives:

%DriveLetter%\~WTR4132.tmp
%DriveLetter%\~WTR4141.tmp
%DriveLetter%\Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Copy of Copy of Shortcut to.lnk
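The following Python script is an added example, not code from the original post or from the VBA, Microsoft or Symantec analyses it links. It ties together the two points above: it parses the Shell Link header and the target ID list of a .lnk according to the public [MS-SHLLINK] layout and flags shortcuts whose target list embeds a loadable module path (.dll or .tmp), which is the shape of a shortcut that makes the icon handler load a DLL, and it matches a removable-drive listing against the propagation file names listed above. The two sample shortcuts it builds are constructed here for illustration; their shell item payloads are only loosely modelled and do not reproduce the control panel item structure the real exploit relies on. The .dll/.tmp heuristic, the drive letter F: and the file name lnkcheck.py are assumptions of this example.

```python
import os
import re
import struct
import uuid

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_IDLIST = 0x00000001  # LinkFlags bit 0
IS_UNICODE = 0x00000080              # LinkFlags bit 7

# Shell folder CLSIDs that appear in shortcut target lists.
CLSID_MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CLSID_CONTROL_PANEL = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")

# Heuristic (assumption of this example): an icon lookup should never
# require loading one of these as a module.
SUSPICIOUS_MODULE = re.compile(r"\.(dll|tmp)$", re.IGNORECASE)

# Propagation file names from the post.
IOC_NAMES = [re.compile(r"^~WTR\d{4}\.tmp$", re.IGNORECASE),
             re.compile(r"^(Copy of )+Shortcut to\.lnk$", re.IGNORECASE)]


def build_lnk(items, flags=HAS_LINK_TARGET_IDLIST | IS_UNICODE):
    """Serialise a minimal .lnk: a 76-byte ShellLinkHeader followed by a
    LinkTargetIDList whose ItemIDs carry the given payloads (test data only)."""
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID.bytes_le
    # LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex,
    # ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    header += struct.pack("<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    idlist = b"".join(struct.pack("<H", len(p) + 2) + p for p in items)  # ItemIDSize counts itself
    idlist += b"\x00\x00"  # TerminalID
    return header + struct.pack("<H", len(idlist)) + idlist


def parse_lnk(data):
    """Return (LinkFlags, [ItemID payloads]); raise ValueError if not a Shell Link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    items = []
    if flags & HAS_LINK_TARGET_IDLIST:
        idlist_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
        pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + idlist_size
        if end > len(data):
            raise ValueError("IDListSize runs past end of file")
        while pos + 2 <= end:
            item_size = struct.unpack_from("<H", data, pos)[0]
            if item_size == 0:  # TerminalID closes the list
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError("malformed ItemID at offset %d" % pos)
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
    return flags, items


def item_strings(item):
    """Printable ANSI and UTF-16LE runs (4+ chars) inside an ItemID payload."""
    found = [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{4,}", item)]
    found += [m.group().decode("utf-16-le") for m in re.finditer(rb"(?:[\x20-\x7e]\x00){4,}", item)]
    return found


def suspicious_targets(data):
    """Strings in the target ID list that name a loadable module."""
    _, items = parse_lnk(data)
    return [s for item in items for s in item_strings(item) if SUSPICIOUS_MODULE.search(s)]


def ioc_filenames(names):
    """Entries of a drive listing that match the propagation file names.
    Caveat: mrxnet.sys hooks FindFirstFileW/NtQueryDirectoryFile to hide
    ~WTR*.tmp, so list the drive from a clean host, not the suspect one."""
    return [n for n in names if any(p.match(n) for p in IOC_NAMES)]


def sample_benign_lnk():
    """Constructed shortcut to notepad.exe (item layouts only loosely modelled)."""
    return build_lnk([b"\x1f\x50" + CLSID_MY_COMPUTER.bytes_le,       # root: My Computer
                      b"\x2fC:\\\x00",                                 # volume C:
                      b"\x32" + b"\x00" * 13 + b"notepad.exe\x00"])    # file entry


def sample_hostile_lnk():
    """Constructed shortcut whose Control Panel item names a .tmp on a USB stick (F: assumed)."""
    return build_lnk([b"\x1f\x50" + CLSID_MY_COMPUTER.bytes_le,
                      b"\x1f\x00" + CLSID_CONTROL_PANEL.bytes_le,
                      b"\x00\x00" + "F:\\~WTR4141.tmp".encode("utf-16-le") + b"\x00\x00"])


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print("IOC names:", ioc_filenames(os.listdir(root)))
    for n in os.listdir(root):
        if n.lower().endswith((".lnk", ".pif")):
            with open(os.path.join(root, n), "rb") as fh:
                try:
                    print(n, "->", suspicious_targets(fh.read()))
                except ValueError:
                    pass  # not a Shell Link (a .pif may be a real DOS program information file)
```

Run it as `python lnkcheck.py /mnt/usb` against the root of a suspect USB drive mounted on a clean machine. Because the rootkit hides the ~WTR*.tmp files from directory enumeration on an infected host, a listing taken on that host will appear clean even though the shortcuts are present; the shortcut check still works there, since the .lnk files themselves are not hidden.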

Proof-of-concept code is now publicly available. As Figs. 1 and 2 show, the debug output contains a string confirming that code execution was achieved.



Fig. 1



Fig.2


Here is a video demonstrating exploitation of the vulnerability:

[embedded video]



Protection

While Microsoft prepares a patch, consider the following workarounds.

1. Disable the display of shortcut icons

Once the steps below are carried out, shortcut icons are no longer displayed. Because the vulnerability is triggered when the icon is rendered, disabling icon display prevents exploitation.

  • Open the registry editor (Start->Run->regedit).
  • Go to the key
    HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
  • Delete the data of the (Default) value (export the key first so you can restore it once the patch is installed).
  • Repeat for .pif shortcuts under
    HKEY_CLASSES_ROOT\piffile\shellex\IconHandler
  • Restart Windows Explorer (or log off and log on again).

2. Disable the WebClient service

Disabling this service blocks the most likely remote delivery path, a shortcut and DLL served over Web Distributed Authoring and Versioning (WebDAV). It does nothing against the USB vector, so combine it with workaround 1.

  • Start->Run->cmd
  • sc stop WebClient
  • sc config WebClient start= disabled

While the service is disabled, WebDAV resources are unavailable.

3. Block downloads of LNK and PIF files from the Internet (at the web proxy and the mail gateway)

4. Fix it

You can also use the Fix it utility from Microsoft, which applies the icon-handler workaround automatically.

Added 07.21.2010

Microsoft has updated its advisory with information about further attack vectors.

  • Internet Explorer. In the Web-based scenario, a remote attacker sets up a malicious Web site and attempts to load the malicious components when a user visits it with a browser such as Internet Explorer.
  • Microsoft Office. An attacker can embed the exploit in a document format that supports embedded shortcuts.

This means that in the near future we will likely see e-mails with malicious attachments exploiting this vulnerability.



Links
Proof-of-Concept Code: http://www.securitylab.ru/poc/395903.php

http://www.securitylab.ru/vulnerability/395902.php

http://www.microsoft.com/technet/secu...86198.mspx
http://blogs.technet.com/b/mmpc/archi...sting.aspx
http://www.symantec.com/security_resp...99&tabid=2
http://anti-virus.by/press/viruses/3948.html
ftp://anti-virus.by/pub/docs/russian...pHider.pdf
