Wednesday, July 21, 2010

Stuxnet attacks! One more Zero-day for Microsoft Windows

Despite the age of its attack vector, the new worm, which exploits a shortcut-processing vulnerability, is spreading very widely. One might have expected this distribution vector to have become ineffective long ago, since worms have spread this way since the days of Elk Cloner (1982). Yet 28 years later we face the same vector again, with a much higher infection speed and on a much wider scale.

Event Chronology

10.07.2010
The Byelorussian antivirus company VirusBlokAda (VBA) reports detection of a new malicious program.
The US-CERT receives notification of an attack exploiting a 0-day vulnerability in Microsoft Windows.

15.07.2010
Information about the vulnerability becomes publicly available.

16.07.2010
Microsoft issues a security bulletin that confirms the presence of the vulnerability.

19.07.2010
An exploit becomes publicly available.

Vulnerable Systems

  • Microsoft Windows XP SP2/SP3
  • Microsoft Windows 2003 SP2
  • Microsoft Windows Vista SP1/SP2
  • Microsoft Windows 2008 SP0/SP2
  • Microsoft Windows 7
  • Windows Server 2008 R2 for x64-based Systems


Currently, antivirus products identify the worm as:

  • Eset: Win32/Stuxnet.A
  • Symantec: W32.Temphid
  • Kaspersky: Rootkit.Win32.Stuxnet.a
  • TrendMicro: RTKT_STUXNET.A
  • F-Secure: Rootkit.Stuxnet.A
  • Sophos: W32/Stuxnet-B
  • Bitdefender: Rootkit.Stuxnet.A
  • Avast: Win32:Stuxnet-B
  • Microsoft: Trojan:WinNT/Stuxnet.A
  • AVG: Rootkit-Pakes.AG
  • PCTools: Rootkit.Stuxnet
  • GData: Rootkit.Stuxnet.A
  • AhnLab: Backdoor/Win32.Stuxnet
  • DrWeb: Trojan.Stuxnet.1
  • Fortinet: W32/Stuxnet.A!tr.rkit
  • Ikarus: Rootkit.Win32.Stuxnet
  • Norman: W32/Stuxnet.D

The worm propagation rate: 1000 hosts per day. The main propagation method: USB drives.

The infection scale is clearly illustrated with a diagram from the MMPC web site:



Infection

The vulnerability is caused by an error in the handling of shortcut files (.lnk and .pif). The worm spreads via USB devices. A system becomes infected when an infected drive is opened, either automatically through the AutoRun mechanism or directly in Windows Explorer or another file manager. A crafted shortcut forces the Windows Shell to load an external dynamic-link library, which then executes arbitrary code with the privileges of the user running Windows Explorer.

The current worm version performs the following actions in the system:

1. The worm copies itself to the following files:
%System%\drivers\mrxcls.sys
%System%\drivers\mrxnet.sys


Some samples have Realtek Semiconductor Corporation digital signatures.

2. The worm registers itself (mrxcls.sys) as a service called MRXCLS.

3. The worm creates the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\"ImagePath" = "%System%\drivers\mrxcls.sys"

4. The worm registers the mrxnet.sys file as a service called MRXNET.

5. The worm creates the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\"ImagePath" = "%System%\drivers\mrxnet.sys"

6. The worm hides the files named
%DriveLetter%\~WTR[FOUR NUMBERS].tmp

by hooking the following APIs:
FindFirstFileW
FindNextFileW
FindFirstFileExW
NtQueryDirectoryFile
ZwQueryDirectoryFile

Once it is running, the worm stops the services whose names contain the following:

avp.exe
Mcshield.exe
avguard.exe
bdagent.exe
UmxCfg.exe
fsdfwd.exe
rtvscan.exe
ccSvcHst.exe
ekrn.exe
tmpproxy.exe

The worm gathers information about network settings and local network servers. It can connect to the following sites:

www.windowsupdate.com
www.msn.com
www.mypremierfutbol.com
www.todaysfutbol.com

The worm spreads by creating the following files on removable drives:

%DriveLetter%\~WTR4132.tmp
%DriveLetter%\~WTR4141.tmp
%DriveLetter%\Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Copy of Copy of Shortcut to.lnk
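The indicators above (dropped drivers, MRxCls/MRxNet services, the ~WTR*.tmp and "Copy of ... Shortcut to.lnk" files) can be checked on a host with the following triage script. It is an added example and not part of the original post or of any vendor tool; the file, service and key names come from the post, the checking logic is an assumption about how a responder would look for them.

```powershell
# Added example (not from the original post): triage a Windows host for the
# Stuxnet indicators described in the post. Run from an elevated PowerShell.
$system   = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Driver files the worm drops into %System%\drivers
foreach ($drv in 'mrxcls.sys', 'mrxnet.sys') {
    $p = Join-Path $system "drivers\$drv"
    if (Test-Path -LiteralPath $p) { $findings += "driver present: $p" }
}

# 2. Services MRxCls / MRxNet and the ImagePath each one points to
foreach ($svc in 'MRxCls', 'MRxNet') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $img = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        $findings += "service $svc registered, ImagePath = $img"
    }
}

# 3. Dropper artifacts in the root of removable drives (DriveType 2 = removable)
$lnkPattern = '^(Copy of )+Shortcut to\.lnk$'   # any depth of "Copy of"
$tmpPattern = '^~WTR\d{4}\.tmp$'                # ~WTR + four digits + .tmp
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    # -Force lists hidden and system entries. Caveat: the rootkit hooks the
    # FindFirstFileW / NtQueryDirectoryFile family, so on an already infected
    # host the ~WTR files may be invisible to this scan; confirm from a clean
    # machine or a bootable rescue environment.
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $lnkPattern -or $_.Name -match $tmpPattern } |
        ForEach-Object { $findings += "dropper artifact: $($_.FullName)" }
}

if ($findings.Count -eq 0) { 'No Stuxnet indicators from the post were found.' }
else { $findings }
```

Matching in PowerShell's -match operator is case-insensitive, so variations such as "copy of shortcut to.lnk" are also flagged.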

Proof-of-concept code is now publicly available. As Figs. 1 and 2 show, the debug output contains a string that confirms the code has executed.



Fig. 1

Fig. 2


Here is a video demonstrating the vulnerability exploitation:

video



Protection

While Microsoft is preparing patches, let’s consider the following workarounds.

1. Deny displaying shortcut icons

After you perform the steps below, shortcut icons will no longer be displayed. Disabling icon rendering prevents exploitation of the vulnerability.

  • Open the registry editor (Start->Run->regedit).
  • Go to the key
    HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
  • Delete the data of the (Default) value.
  • Restart Windows Explorer.

2. Disable the WebClient service

Disabling this service removes the most likely remote attack path, delivery of the shortcut and DLL over Web Distributed Authoring and Versioning (WebDAV).

  • Start->Run->cmd
  • sc stop WebClient
  • sc config WebClient start= disabled

Note that WebDAV resources become unavailable while this service is disabled.

3. Block the download of LNK and PIF files from the Internet

4. Fix it

You can also use a Fix it utility from Microsoft.
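Workarounds 1 and 2 above can be applied together with the following script, which keeps a copy of the original IconHandler data so the change can be reverted once the patch is installed. It is an added example, not Microsoft's Fix it or any code from the original post; the backup file location and the Explorer restart logic are assumptions.

```powershell
# Added example (not from the original post): apply workarounds 1 and 2 from
# an elevated PowerShell. Side effects noted in the post: shortcut icons stop
# rendering, and WebDAV resources become unreachable until reverted.

# Workaround 1: clear the (Default) data of the lnkfile IconHandler key.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$iconKey = 'HKCR:\lnkfile\shellex\IconHandler'
$current = (Get-ItemProperty -LiteralPath $iconKey).'(default)'
if ($current) {
    # Save the original handler CLSID (assumed location) for later restoration.
    $backup = Join-Path $env:TEMP 'lnkfile-IconHandler-backup.txt'
    Set-Content -Path $backup -Value $current
    Set-ItemProperty -LiteralPath $iconKey -Name '(default)' -Value ''
    "IconHandler cleared; previous value saved to $backup"
} else {
    'IconHandler (Default) is already empty'
}

# Restart Windows Explorer so the shell picks up the change. Explorer usually
# restarts itself; start it explicitly only if it has not come back.
Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
Start-Sleep -Seconds 2
if (-not (Get-Process -Name explorer -ErrorAction SilentlyContinue)) {
    Start-Process explorer.exe
}

# Workaround 2: stop and disable the WebClient (WebDAV) service.
$web = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($web) {
    if ($web.Status -eq 'Running') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    "WebClient status: $((Get-Service -Name WebClient).Status); start type: Disabled"
}
```

To revert after patching, write the saved CLSID back into the (Default) value of the same key and set the WebClient start type back to Manual.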

Added 07.21.2010

Microsoft updated their advisory with new information about possible attack vectors.

  • Internet Explorer. In a web-based scenario, a remote attacker could host a malicious website that attempts to load the malicious components when a user visits it with a browser such as Internet Explorer.
  • Microsoft Office. An attacker could embed an exploit in a document that supports embedded shortcuts.

This means that in the near future we will see e-mails with malicious attachments exploiting this vulnerability.



Links
Proof-of-Concept Code: http://www.securitylab.ru/poc/395903.php

http://www.securitylab.ru/vulnerability/395902.php

http://www.microsoft.com/technet/secu...86198.mspx
http://blogs.technet.com/b/mmpc/archi...sting.aspx
http://www.symantec.com/security_resp...99&tabid=2
http://anti-virus.by/press/viruses/3948.html
ftp://anti-virus.by/pub/docs/russian...pHider.pdf
