Microsoft Warns Of Attacks Exploiting Windows Shell Flaw

Microsoft released an advisory Monday warning users of a critical vulnerability in the Microsoft Windows Shell has already opened the door for hackers to launch malicious attacks that spread via infected USB sticks, which could be leveraged for industrial espionage.

The vulnerability, which affects just about every Windows system, including Vista and fully patched Windows 7, occurs when the Windows Shell fails to correctly validate parameters of a shortcut when the icon is attempting to load, giving attackers a window to download malicious code when the user clicks the displayed icon of a malicious shortcut file, according to the Microsoft Advisory.

Shortcuts are links to a file or program, represented by an icon and connected via the LNK extension, which are used to store files and folders in an easy-to-access location, such as a user's desktop.

While Microsoft maintains that an attack could be executed if users click on a shortcut icon, security researchers say that simply opening and browsing a USB drive containing the malware would be required for a successful exploit.

"Our analysis indicates otherwise, clicking is not required," said researchers at F-Secure.

Researchers at Microsoft's Malware Protection Center said that the exploit "takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system. In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction. We anticipate other malware authors taking advantage of this technique. "

Malicious hackers looking to exploit the Shell flaw could launch an attack by creating an infected USB drive and enticing a user to insert it into a computer. Once opened, the USB drive would execute attack code on the user's system. An attacker could also place malicious components on a remote network share that would load malicious code when other users browse the share.

’So you just have to open infected USB storage device using [Windows] Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware,’ wrote Sergey Ulasen, an anti-virus expert with VirusBlokAda that first detected the vulnerability, in a June blog post.

Specifically, the vulnerability, first detected and made public by the Belarusian antivirus company last week, enables hackers to leverage the Stuxnet rootkit, a previously unknown strain of malware that targets sensitive information on the networks of enterprises with global operations. The Stuxnet rootkit has thus far distinguished itself with its ability to hide two types of files -- those that end in '.lnk', and all files that start with '~WTR' and end with '.tmp,' which allows the malware to evade detection and cover its tracks.

Another distinguishing feature is that the rootkit outwits the Autorun feature, according to Paul Henry, security analyst at Lumension Security. The malware exploits a previously unknown vulnerability with Windows link shortcut files (.lnk), circumventing Windows Autorun or Autoplay.

"This means that our usual fall-back advice of turning Autorun off does not help in this case," Henry said in a blogpost.

It can also evade basic security software, such as antivirus and firewalls, researchers say. The malware injects itself into iexplore.exe, which is generally trusted by firewalls, subsequently enabling the threat to get through undetected. The malware also possesses traits that enable it to evade and terminate several security products.

The rootkit functionality is also used to mask two drivers,’mrxnet.sys’ and ’mrxcls.sys," which load without being detected. Ulasen noted that the drivers are signed by legitimate chip manufacturer RealTek Semiconductors, possibly indicating that the certificates were spoofed and can't be trusted.

Meanwhile, security researcher Frank Boldewin at Reconstructor.org, said that the malware used a default password to lift data from the Siemens SCADA WinCC + S7 control system database, indicating the Trojan could possibly be used for industrial espionage attacks.