Hackers Exploit Windows Shortcut File Flaw

A new strain of malware is spreading in the wild via USB storage devices, exploiting a vulnerability in the way Microsoft Windows handles shortcut files, security reporter Brian Krebs writes.

Specifically the rootkit-syle malware exploits a serious flaw in the way Microsoft Windows processes shortcut files, and can even penetrate fully patched Window 7 systems, researchers found.

VirusBlokAda, an anti-virus company based in Belarus, first reported the flaw last month when researchers detected Trojan payloads in the wild distributed when users accessed contents of an infected USB drive with a file manager such as Windows Explorer.

Shortcut files, known for ending in the ".lnk" extension, are Windows files that link specific application icons to the respective executable programs. Located on the users' Desktop or Start Menu, shortcuts aren't supposed to do anything until a user clicks on the related icon.

The .lnk shortcut flaw opened up the door for the distribution of two rootkits -- Rootkit.TMPHider and SScope.Rootkit.TmpHider.2 -- which have proliferated in active attacks as a result of the vulnerability, according to a VirusBlockAda advisory.

During the attack, the malware installs two drivers, mrxnet.sys and mrxcls.sys, used to inject malicious code into systems while hiding existing malware so it can't be detected on the USB drives. "That's the reason why you can't see malware files on the infected USB storage device," said VirusBlokAda researcher Sergey Ulasen, in a June advisory.

"So you just have to open infected USB storage device using Microsoft Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware," Ulasen said, adding, "Thus, current malware should be added to very dangerous category (because it) causes the risk of the virus epidemic at the current moment."

A malicious shortcut on the USB will then automatically download malware if users open the device on Windows Explorer or a similar file manager used to display icons. The fact that users could become automatically infected without any user interaction indicates a high severity level and a "critical" ranking by Microsoft.

Ulasen also noted that the digital signature of both driver files belonged to hi-tech company Realtek Semiconductor.

Independent researcher Frank Boldewin found that the malware is targeting SCADA control systems, used to control industrial machinery in power plants and factories, which he said could possibly indicate cyberespionage.

"This points me to the Siemens WinCC SCADA system. Looks like this malware was made for espionage," he said in a blog post.

Ulasen said that he contacted both Microsoft and Realtek about the attacks but heard back from neither. Microsoft, however, is reportedly investigating the problem, according to Krebs.