Update 7/27/10: I've confirmed that Microsoft’s Security Essentials will detect and quarantine the link file vulnerability.
This article was originally posted at www.pacitnews.org, a site for members of the Pacific IT Professionals user group.
Black Hat and Defcon are weeks away, but there's a Windows zero-day vulnerability all IT pros should know about. This zero-day exploit has been out there for at least 10 years and may go all the way back to NT. It turns out there is a subtle error in the way the Windows Shell (which displays icons, Start Bars, menus, shortcuts, etc.) parses the icons of .LNK files or shortcuts.
A researcher in Belarus found in-the-wild code that makes use of this exploit and is targeting Siemens SCADA (supervisory control and data acquisition) systems. While most of you do not have SCADA systems, you are indirectly affected as these systems are used to control the power grids, oil production, nuclear power plants, wastewater treatment, fabrication, and many other industrial processes.
Siemens programmers made it very easy for the malware creators to install a root kit to take control of the SCADA systems, as (are you ready for this?) they only used one hard-coded password for all customers. In Vista, Microsoft did something that was supposed to make it more difficult for malware creators to install altered drivers—they required driver signing. (Remember all those Apple ads making fun of Windows for requiring approval before continuing?)
This would have prevented this root kit from being installed had it not been for the fact the drivers were signed. This is the James Bond part: It turns out these malware writers are not dumb. They used signed drivers using a stolen PRIVATE key from RealTek. Once this was discovered, Microsoft and RealTek contacted VeriSign (signer of RealTek's certificates) and revoked them immediately. Microsoft has added one or more certifications to Microsoft's Certificate Revocation List, (CRL). If you've done Windows Update in the past week or so you should find a new CRL file has been installed.
Important: This is why you want to keep all of your machines patched and up to date. You always want the latest, up to date CRL file.
But wait, there's more. Someone recently found almost the same exploit using a cert from JMicron Technology Group. But an ESET researcher realized that JMicron and RealTek are both in the same building complex in Hsinchu, Taiwan. It has now been found that both companies' private keys have been used to sign malware carrying an exploit. Coincidence?
This is a true, zero-day exploit. (For more information, see Metasploit.com.) The cyber-criminals know how to use this exploit and are doing so. (Microsoft's security report is acknowledging this exploit.)
This exploit is being propagated by USB thumb drives, in a way reminiscent to the early Mac floppy disk viruses which spread the virus just by inserting the floppy disk. These guys have found they can do the same with the USB thumb drives even if autorun is disabled. You can't see the files because the files are masked and will not be presented to Windows Shell. (You would be able to see the code with a disk sector editor, however.) Just the act of displaying the icon of the USB key executes the malicious code and spreads the malware. This malware (worm) is spreading on the order of 9,000 machines per day or over a quarter of a million machines per month.
Microsoft has also acknowledges the spread/infection of the malware can happen by displaying .LNK files, but also in Office documents. That's any Office document, including Outlook. So receiving infected email containing one of these can compromise your system. And they also acknowledge websites can do it, too. You can now have a malicious website that will display and leverage the vulnerability in the shell. It might be all browsers, but Internet Explorer has been confirmed by Microsoft. We will know more in the weeks to come.
For now there is not a fix. Microsoft has posted a fix that makes some changes to the registry and shows some manual changes that can be made. The problem is, the "fix" will no longer display your icons and instead will display generic white rectangles, leaving you without icons. There are some registry changes and other "fixes" that can be applied, but nothing that's a real fix.
It appears that every version of Windows going back to NT is affected, though Microsoft has only confirmed it to affect supported versions, which includes XP SP3 and newer.
