Windows zero-day attack works on all Windows systems.

Started by Megamatman, 20 July 2010, 12:12:50 PM


Megamatman

If you're an IT pro or have any form of Windows PC you may be interested to read this.

http://www.sophos.com/blogs/chetw/g/2010/07/16/windows-day-attack-works-windows-systems/

Quote
It's been a busy 24 hours looking into this newest flaw in Windows. Lots of research has gone into it and most of the results are not good news for Windows users. It is important to think about this attack as two separate pieces, one that is a new zero-day vulnerability that could easily be adopted by any malware author, the other a unique payload that appears to be designed to go after some very specific infrastructure targets.

For corporate users (unless you run a power plant, water system or other SCADA system) the important part is the zero-day flaw. Warning: I am about to go a bit geeky.

The flaw is in how shell32.dll tries to load control panel icons from applets. By making a specially crafted shortcut pointing to a malicious file, you can make Windows Explorer blindly execute the malicious file when the location of the shortcut is merely browsed to. In this case the malicious file is a rootkit and a dropper that immediately hide the special shortcut (.lnk) files. Allowing executable code to load in the process of trying to retrieve an icon seems like a major oversight in the design of Windows.


Here is a photo of the directory listing I made on a Linux box in SophosLabs using an infected USB device. You can see that there are 4 different malicious shortcuts that are all called "Copy of ... Shortcut to.lnk". The tmp files you see are the actual rootkit/dropper.

The following (hastily captured, apologies for the quality) video shows the automatically executed rootkit in action. You can see that I in no way interact with the device other than to "explore" it. This will work even with AutoRun and AutoPlay disabled. I don't know why you would plug in a USB storage device if you weren't going to view it in Explorer...



This rootkit is particularly nasty as it infects all Windows versions since XP, and as you see here it bypasses all Windows 7 security mechanisms, including UAC, and doesn't require administrative privilege to run. The user I am logged in as in this video is "Bob," a standard user. I expressed concerns last November about people mistaking UAC for a security feature and this unfortunately seems to still hold true.

A few hours ago Microsoft released their security advisory and mitigation advice. Microsoft confirms what I discovered during my testing, that this vulnerability affects all currently supported Windows releases. However, noticeably absent from the list are Windows 2000 and Windows XP SP2 as they are no longer supported since Tuesday. They are, however, definitely still vulnerable.

This exploit affects more than just USB devices. According to Microsoft's advisory, it also affects Windows file shares and WebDav, making a very bad situation worse. Let's hope Microsoft has their best team on this to get us a dependable fix very soon.

For now, Microsoft advises that you disable icons for shortcuts. Unfortunately, this is highly impractical for most environments. While it would certainly solve the problem, it would also cause mass confusion among many users and might not be worth the support calls. Microsoft also suggests disabling the WebClient service that is used for WebDav. If you are not a Microsoft SharePoint customer this may be a solution, but many organizations rely on SharePoint so this is limiting as well.

Today, a colleague suggested the best mitigation I have heard so far: deploying a GPO disallowing the use of executable files that are not on the C: drive. This will work for most environments, and you really shouldn't be running executables from USB drives and network shares anyway. We tested this solution against the vulnerability and it does in fact provide protection.

The malware originally distributed with this flaw is not a big concern unless you run a nuclear power plant and Homer Simpson is using Windows and clicking whatever he pleases (D'oh!). Expect the exploit, on the other hand, to be widely used in short order. Having had the opportunity to play with it and see the simplicity with which it can be used, I suspect it will be too juicy a target to ignore.

If you are a Sophos customer, the good news is that you are protected against the exploit and the payload. Even the WebDav angle will be stopped by the Sophos Web Appliance. As a backup measure, or for people not fortunate enough to have our software, I recommend using the GPO to disable execution on devices other than the system and program drives.

Update: Some people have pointed out that they are required to execute files from network shares as part of their standard operations. If this is true, the above suggestion can still work; you simply need to adjust the GPO to allow execution for the specific network paths you may require. This solution is not ideal, but it is the simplest method to try and prevent infection from this flaw.

A special shout-out to SophosLabs and Mike, Niall, and Paul. Your help investigating this was invaluable and we all appreciate your dedication to helping the public defend their PCs.
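The GPO mitigation described in the quoted post (and repeated in the follow-up below) is a Software Restriction Policy: default level Disallowed, with allow rules for the system drive and any network paths a site genuinely needs. This is an added example, not Sophos' or the forum poster's own script; it applies those settings locally through the registry keys that the SRP GPO writes, so the same values can be compared against what Group Policy produces. The share name is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example: local equivalent of the "disallow executables not on the C: drive" GPO.
# In a domain you would set this under Computer Configuration > Windows Settings >
# Security Settings > Software Restriction Policies; this writes the same registry values.
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 0x40000  # SRP security level "Unrestricted"

# Locations that may still run: the system drive (the post's "C: drive") and the
# specific network paths mentioned in the update. The UNC path is a placeholder.
$AllowedPaths = @(
    ($env:SystemDrive + '\'),
    '\\fileserver.example.local\apps\*'   # placeholder: replace with a real required share
)

function Add-SaferPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Each path rule lives under <level>\Paths\{GUID} with ItemData holding the path.
    $ruleKey = Join-Path $Safer ("{0}\Paths\{1}" -f $Level, [guid]::NewGuid().ToString('B').ToUpper())
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData    -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags  -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -PropertyType String       -Value $Description | Out-Null
}

New-Item -Path $Safer -Force | Out-Null
# Default rule: anything not matched by an Unrestricted path rule is blocked.
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Type DWord -Value $Disallowed
# Enforcement: 1 = all software files except libraries (DLLs); 2 would include DLLs
# and breaks far more applications, so start with 1.
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Type DWord -Value 1
# Scope: 0 = all users, including local administrators (1 would exempt them).
Set-ItemProperty -Path $Safer -Name PolicyScope        -Type DWord -Value 0

foreach ($p in $AllowedPaths) {
    Add-SaferPathRule -Level $Unrestricted -Path $p -Description 'Allowed by local SRP mitigation'
}

# Optional, also from Microsoft's advisory as quoted above: stop WebDAV access via the
# WebClient service. Skip this if you rely on SharePoint or other WebDAV shares.
# Stop-Service WebClient; Set-Service WebClient -StartupType Disabled

# The policy is read at logon. To check it, log off and on (or run gpupdate /force),
# copy a harmless program such as notepad.exe onto a USB stick and confirm it is refused
# to start there while it still runs from the system drive.
```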

Megamatman

20 July 2010, 12:22:40 PM #1 Last Edit: 22 July 2010, 03:29:45 PM by Megamatman
The particular rootkit described here is detected successfully by the major anti-virus programs.

The major problem is that Windows Explorer blindly executes files when the location of the shortcut is merely browsed to due to a flaw in how shell32.dll tries to load control panel icons from applets.  This means that other yet-to-be-detected malicious code could be run on Windows systems without our knowledge.

Microsoft are working on a patch for this at the moment but if you are in an enterprise IT environment Microsoft advises that you disable icons for shortcuts. Unfortunately, this is highly impractical for most environments.  Another way could be to deploy a GPO (this is the workaround we have used) disallowing the use of executable files that are not on the C: drive. This will work for most environments, and you really shouldn't be running executables from USB drives and network shares anyway.

If you don't currently have an anti-virus program installed on your home PC I suggest you install one as soon as possible.

Matt

Leon

What does that all mean in non-tech speak?!  I've got basic AVG, do I need to do anything?
www.pendraken.co.uk - Now home to over 10,000 products, including nearly 5000 items for 10mm wargaming, plus MDF bases, Battlescale buildings, I-94 decals, Litko Gaming Aids, Militia Miniatures, Raiden Miniatures 1/285th aircraft, Red Vectors MDF products, Vallejo paints, Tiny Tin Troops flags and much, much more!

Megamatman

You should be ok with AVG.

1) If you have Windows XP SP2 installed upgrade to SP3. SP2 is no longer supported by M$, so if/when a patch is released you wouldn't receive it.

To find out what version you have:
Start >>Run>>Type: "winver" (without quotes) >> Click OK.

2) Ensure you have the latest version of AVG installed (9.0 I think) and that it is fully patched and updated.

Matt

Leon

I'll have to check on that then.  My laptop is just about still crawling, and I've no idea what Service Pack we've got on there.

nikharwood

Quote from: Megamatman on 22 July 2010, 03:28:59 PM

To find out what version you have:
Start >>Run>>Type: "winver" (without quotes) >> Click OK.


And how do I do that when I hit Start...and Run isn't an option (Vista)?

Megamatman

23 July 2010, 12:05:01 AM #6 Last Edit: 23 July 2010, 08:03:02 AM by Megamatman
Quote from: nikharwood on 22 July 2010, 09:39:58 PM
And how do I do that when I hit Start...and Run isn't an option (Vista)?

In Vista and Windows 7:

You can either type "run" in the search box at the bottom of the start menu and click 'Run' when it appears in the start menu search results.

Or

Enable the Run command in the start menu.

To do that:
1) Right click the Taskbar
2) Choose Properties. This will bring up the 'Taskbar and Start menu properties'
3) Click the Properties tab.
4) Click Customize
5) Scroll down the list and tick the Run Command tickbox.
You'll now have the Run Command on the RHS of your start menu.

Matt

Megamatman

Quote from: Megamatman on 22 July 2010, 03:28:59 PM
You should be ok with AVG.

1) If you have Windows XP SP2 installed upgrade to SP3. SP2 is no longer supported by M$, so if/when a patch is released you wouldn't receive it.

To find out what version you have:
Start >>Run>>Type: "winver" (without quotes) >> Click OK.

2) Ensure you have the latest version of AVG installed (9.0 I think) and that it is fully patched and updated.

Matt

Btw, if you do have SP2 you can upgrade to SP3 by running a Windows Update.

Matt

nikharwood

Quote from: Megamatman on 23 July 2010, 12:07:14 AM
Btw, if you do have SP2 you can upgrade to SP3 by running a Windows Update.

Matt

Ah - coolio...I know how to do that  :D

Thanks Matt

Megamatman

Btw, this is sorted now.

See:
http://www.guardian.co.uk/technology/blog/2010/jul/27/windows-zero-day-security

If you haven't run a Windows Update since before the end of July, run one now.

Matt