Possible .LNK handling bug allows for unauthorized code execution

Jul 15, 2010 14:42 GMT  ·  By

Security researchers from a Belarusian antivirus company called VirusBlokAda have found a new piece of malware that appears to take advantage of a previously undisclosed Windows vulnerability in order to propagate. The flaw allows arbitrary files to be executed simply by opening a folder containing a malformed shortcut file.

The new malware, whose components are detected by VirusBlokAda's products as Trojan-Spy.0485 and Malware-Cryptor.Win32.Inject.gen.2, is spreading via removable storage devices. However, the most intriguing aspect of this threat is that it doesn't abuse the Windows AutoRun feature to infect computers.

Instead, it exploits what appears to be a new zero-day Windows vulnerability, which allows files to be automatically executed when specially crafted .LNK files are displayed. All it takes is opening a folder containing such a malformed shortcut in Windows Explorer or another file manager capable of displaying icons.

“Operating System Windows 7 Enterprise Edition x86 with all latest updates is vulnerable, that means malware uses vulnerability that still exists and hasn’t been closed in OS Windows,” the VirusBlokAda researchers write in their advisory. According to malware experts from Finnish antivirus vendor F-Secure, who also analyzed the samples, the vulnerability appears to stem from the way Windows handles Control Panel shortcuts.
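As an added defensive example (not code from the article, VirusBlokAda or F-Secure): a small Python triage routine that reads the Shell Link header and target ID list of a .LNK file and flags shortcuts whose target resolves through the Control Panel folder, which is the class of shortcut the reports above point at. The header layout and the two CLSIDs come from Microsoft's documented Shell Link format; the sample shortcuts are constructed for the test and do not reproduce the malware's own files.

```python
import struct

# Fixed values from the documented Shell Link (.LNK) format, not from the article.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x1
# Shell folder CLSID of Control Panel as it appears inside a link target ID list.
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")


def parse_idlist(buf, off):
    """Return the ItemID payloads starting at buf[off] (just after IDListSize)."""
    items = []
    while True:
        size = struct.unpack_from("<H", buf, off)[0]
        if size == 0:  # TerminalID (0x0000) ends the list
            break
        items.append(buf[off + 2:off + size])
        off += size
    return items


def triage_lnk(data):
    """Classify one shortcut: 'not-lnk', 'clean' or 'control-panel-target'."""
    if len(data) < LNK_HEADER_SIZE:
        return "not-lnk"
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return "not-lnk"
    if not flags & HAS_LINK_TARGET_IDLIST:
        return "clean"  # no target ID list for the icon handler to resolve
    items = parse_idlist(data, LNK_HEADER_SIZE + 2)  # skip the 2-byte IDListSize
    # Heuristic: legitimate Control Panel shortcuts match too, so this is a
    # triage signal for shortcuts found on removable media, not a verdict.
    if any(CONTROL_PANEL_CLSID in item for item in items):
        return "control-panel-target"
    return "clean"


def build_lnk(items, flags=HAS_LINK_TARGET_IDLIST):
    """Constructed minimal shortcut (header + target ID list) for testing."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples: a root item with a dummy CLSID, then either a Control Panel
# item carrying a placeholder DLL path, or an ordinary file item.
ROOT_ITEM = b"\x1f\x50" + bytes(16)
SUSPECT = build_lnk([ROOT_ITEM, b"\x1f" + CONTROL_PANEL_CLSID + b"C:\\placeholder.dll\x00"])
BENIGN = build_lnk([ROOT_ITEM, b"\x2f" + b"C:\\notes.txt\x00"])
```

Run `triage_lnk` over every `.lnk` on a mounted removable device and review the `control-panel-target` hits by hand.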

F-Secure also believes that this malware is designed for industrial espionage, because it looks for Siemens WinCC SCADA systems. Supervisory Control And Data Acquisition (SCADA) systems are used to monitor and control mission critical operations at power- and water-distribution plants, gas and oil refineries or manufacturing facilities.

The malware installs two rootkits that function as system drivers and are called mrxnet.sys and mrxcls.sys. These are detected by VirusBlokAda as Rootkit.TmpHider and SScope.Rookit.TmpHider.2. Surprisingly, both of them appear to be signed with the digital signature of Realtek Semiconductor Corp., a legitimate hardware manufacturer.

Microsoft is aware of the new threat and is investigating the incident. “Microsoft is investigating new public claims of malware propagating via USB storage devices. When we have completed our investigations we will take appropriate action to protect users and the Internet ecosystem,” a company spokesperson commented for Krebs on Security.

VirusBlokAda said that it came across the malware on June 17, 2010. According to a VirusTotal scan performed on July 8, Microsoft's antivirus product detects one of the malicious samples as TrojanDropper:Win32/Stuxnet.A.

UPDATE July 16th, 2010: Corrected an error where the company that discovered the malware was improperly presented as being from Ukraine. VirusBlokAda Ltd. is actually based in Belarus.

You can follow the editor on Twitter @lconstantin