Event Chronology
10.07.2010
The Byelorussian antivirus company VirusBlokAda (VBA) reports detection of a new malicious program.
The US-CERT receives notification of an attack exploiting a 0-day vulnerability in Microsoft Windows.
15.07.2010
Information about the vulnerability becomes publicly available.
16.07.2010
Microsoft issues a security bulletin confirming the presence of the vulnerability.
19.07.2010
An exploit becomes publicly available.
Vulnerable Systems
- Microsoft Windows XP SP2/SP3
- Microsoft Windows 2003 SP2
- Microsoft Windows Vista SP1/SP2
- Microsoft Windows 2008 SP0/SP2
- Microsoft Windows 7
- Windows Server 2008 R2 for x64-based Systems
Currently, antivirus products identify the worm as:
- Eset: Win32/Stuxnet.A
- Symantec: W32.Temphid
- Kaspersky: Rootkit.Win32.Stuxnet.a
- TrendMicro: RTKT_STUXNET.A
- F-Secure: Rootkit.Stuxnet.A
- Sophos: W32/Stuxnet-B
- Bitdefender: Rootkit.Stuxnet.A
- Avast: Win32:Stuxnet-B
- Microsoft: Trojan:WinNT/Stuxnet.A
- AVG: Rootkit-Pakes.AG
- PCTools: Rootkit.Stuxnet
- GData: Rootkit.Stuxnet.A
- AhnLab: Backdoor/Win32.Stuxnet
- DrWeb: Trojan.Stuxnet.1
- Fortinet: W32/Stuxnet.A!tr.rkit
- Ikarus: Rootkit.Win32.Stuxnet
- Norman: W32/Stuxnet.D
The worm propagation rate: 1000 hosts per day. The main propagation method: USB drives.
The infection scale is clearly illustrated with a diagram from the MMPC web site:

Infection
The vulnerability is caused by an error in the handling of file shortcuts (.lnk and .pif). The worm spreads via USB devices. The system becomes infected when an infected drive is opened automatically by the autorun mechanism, or directly in Windows Explorer or another file manager. A crafted shortcut forces the Windows Shell to load an external dynamic-link library, which executes arbitrary code with the privileges of the user who launched Windows Explorer.
The current worm version performs the following actions in the system:
1. The worm copies itself to the following files:
%System%\drivers\mrxcls.sys
%System%\drivers\mrxnet.sys
Some samples carry Realtek Semiconductor Corporation digital signatures.
2. The worm registers itself (mrxcls.sys) as a service called MRXCLS.
3. The worm creates the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls\"ImagePath" = "%System%\drivers\mrxcls.sys"
4. The worm registers the mrxnet.sys file as a service called MRXNET.
5. The worm creates the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet\"ImagePath" = "%System%\drivers\mrxnet.sys"
6. The worm hides files named
%DriveLetter%\~WTR[FOUR NUMBERS].tmp
by intercepting the following file-enumeration functions:
FindFirstFileW
FindNextFileW
FindFirstFileExW
NtQueryDirectoryFile
ZwQueryDirectoryFile
Once it has been launched successfully, the worm shuts down the security services whose processes have the following names:
avp.exe
Mcshield.exe
avguard.exe
bdagent.exe
UmxCfg.exe
fsdfwd.exe
rtvscan.exe
ccSvcHst.exe
ekrn.exe
tmpproxy.exe
The worm gathers information about network settings and local network servers. It can connect to the following sites:
www.windowsupdate.com
www.msn.com
www.mypremierfutbol.com
www.todaysfutbol.com
The worm spreads by creating the following files on the drive:
%DriveLetter%\~WTR4132.tmp
%DriveLetter%\~WTR4141.tmp
%DriveLetter%\Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Copy of Shortcut to.lnk
%DriveLetter%\Copy of Copy of Copy of Copy of Shortcut to.lnk
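The file names above, together with the shortcut mechanism described at the start of this section, are enough to build a simple triage tool for a suspect USB drive. The following Python script is an added example and is not code from the original post or from any vendor named in it. It walks a directory tree (a drive root, or an offline copy of one), flags the ~WTRnnnn.tmp and "Copy of ... Shortcut to.lnk" names quoted above, and applies a defensive heuristic to every .lnk file it meets: the ShellLinkHeader and LinkTargetIDList are parsed according to the MS-SHLLINK layout, and any shortcut whose target list mentions a .dll is reported, since a legitimate shortcut points at a program or document rather than at a library. The sample drive it builds when run without arguments is constructed for the demonstration; the helper names (triage_drive, build_sample_lnk, make_sample_drive) are this example's own.

```python
import os
import re
import struct
import tempfile

# File-name indicators quoted in the post: %DriveLetter%\~WTR4132.tmp,
# %DriveLetter%\~WTR4141.tmp and the "Copy of ... Shortcut to.lnk" chain.
TMP_INDICATOR = re.compile(r"^~WTR\d{4}\.tmp$", re.IGNORECASE)
LNK_INDICATOR = re.compile(r"^(Copy of )+Shortcut to\.lnk$", re.IGNORECASE)

# MS-SHLLINK constants: fixed 76-byte ShellLinkHeader, the Shell Link CLSID
# {00021401-0000-0000-C000-000000000046} in on-disk byte order, and the
# LinkFlags bit announcing that a LinkTargetIDList follows the header.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x1

# ".dll" as ASCII and as UTF-16LE; IGNORECASE folds ASCII letters in bytes patterns.
DLL_ASCII = re.compile(rb"\.dll", re.IGNORECASE)
DLL_UTF16 = re.compile(rb"\.\x00d\x00l\x00l\x00", re.IGNORECASE)


def parse_lnk_item_ids(data):
    """Return the payload bytes of each ItemID in the LinkTargetIDList ([] if none).

    Raises ValueError when the header or the list is malformed.
    """
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    # HeaderSize (4) + LinkCLSID (16) + LinkFlags (4): LinkFlags sits at offset 0x14.
    header_size, clsid, link_flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    if not link_flags & HAS_LINK_TARGET_ID_LIST:
        return []
    pos = LNK_HEADER_SIZE
    if pos + 2 > len(data):
        raise ValueError("missing IDListSize")
    id_list_size = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    end = min(pos + id_list_size, len(data))  # never trust the declared size
    items = []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:  # TerminalID closes the list
            return items
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    raise ValueError("LinkTargetIDList has no TerminalID")


def lnk_references_dll(data):
    """Defensive heuristic: does any ItemID mention a .dll (ASCII or UTF-16LE)?"""
    return any(DLL_ASCII.search(item) or DLL_UTF16.search(item)
               for item in parse_lnk_item_ids(data))


def triage_drive(root):
    """Walk `root` (a drive root or a copy of it); return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if TMP_INDICATOR.match(name):
                findings.append((rel, "worm payload file name (~WTRnnnn.tmp)"))
            if LNK_INDICATOR.match(name):
                findings.append((rel, "worm shortcut file name"))
            if name.lower().endswith(".lnk"):
                with open(full, "rb") as fh:
                    data = fh.read()
                try:
                    if lnk_references_dll(data):
                        findings.append((rel, "shortcut target list references a .dll"))
                except ValueError as exc:
                    findings.append((rel, "unparseable .lnk (%s)" % exc))
    return sorted(findings)


def build_sample_lnk(target):
    """Construct a minimal .lnk: header plus one ItemID holding `target` as UTF-16LE.
    Enough to exercise the parser; Explorer would not treat it as a real link."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    payload = target.encode("utf-16-le") + b"\x00\x00"
    item = struct.pack("<H", 2 + len(payload)) + payload
    id_list = item + b"\x00\x00"  # TerminalID
    return header + struct.pack("<H", len(id_list)) + id_list


def make_sample_drive():
    """Populate a temporary directory imitating an infected drive root (constructed data)."""
    root = tempfile.mkdtemp(prefix="lnk_triage_")
    open(os.path.join(root, "~WTR4132.tmp"), "wb").close()
    with open(os.path.join(root, "Copy of Copy of Shortcut to.lnk"), "wb") as fh:
        fh.write(build_sample_lnk("E:\\sample.dll"))  # placeholder library path
    with open(os.path.join(root, "notes.lnk"), "wb") as fh:
        fh.write(build_sample_lnk("C:\\Windows\\notepad.exe"))  # benign shortcut
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("benign\n")
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_drive()
    for rel, reason in triage_drive(root):
        print("%s: %s" % (reason, rel))
```

Run it with the mount point of the drive as the only argument; with no argument it triages the constructed sample and prints three findings. The .dll heuristic is deliberately coarse: it inspects only the ItemID payloads and never interprets them, so it cannot itself trigger the shell behaviour the post describes, and the declared IDListSize is capped at the real file length so a truncated file is reported rather than crashing the scan.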
PoC code is now publicly available. As Figs. 1 and 2 show, the debugging output contains a string that confirms code execution.

Fig. 1

Fig. 2
Here is a video demonstrating exploitation of the vulnerability:
Protection
While Microsoft is preparing a patch, consider the following workarounds.
1. Disable the display of shortcut icons
If you perform the steps below, shortcut icons will no longer be displayed. Disabling icon display prevents exploitation of the vulnerability.
- Open the registry editor (Start->Run->regedit).
- Go to the key HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
- Delete the data of the (Default) value.
- Restart Windows Explorer.
2. Disable the WebClient service
Disabling this service removes the most likely remote attack vector, Web Distributed Authoring and Versioning (WebDAV).
- Start->Run->cmd
- sc stop WebClient
- sc config WebClient start= disabled
If you disable this service, WebDAV resources become unavailable.
3. Block the download of LNK and PIF files from the Internet
4. Fix it
You can also use a Fix it utility from Microsoft.
Added 21.07.2010
Microsoft updated its advisory with new information about possible attack vectors.
- Internet Explorer. In the Web-based scenario, a remote attacker can set up a malicious Web site and try to load malicious components when a user visits the site with a browser such as Internet Explorer.
- Microsoft Office. An attacker could embed an exploit in a document that supports embedded shortcuts.
This means that in the near future we will see e-mails with malicious attachments exploiting this vulnerability.
Links
Proof-of-Concept Code: http://www.securitylab.ru/poc/395903.php
http://www.securitylab.ru/vulnerability/395902.php
http://www.microsoft.com/technet/secu...86198.mspx
http://blogs.technet.com/b/mmpc/archi...sting.aspx
http://www.symantec.com/security_resp...99&tabid=2
http://anti-virus.by/press/viruses/3948.html
ftp://anti-virus.by/pub/docs/russian...pHider.pdf