Insidious USB Attack Hits All Versions of Windows
No extraordinary user action required. Bypasses 'autorun'.
An insidious Windows attack has been found in the wild. It propagates via USB thumb drives. 'Autorun' is not required to make it work.
Not many details are known - those who have them aren't disclosing yet - but the attack seems to exploit the way icons for shortcut links are processed. All that's needed to propagate the malware is browsing an infected stick with a graphical file manager that uses the Windows 'shell'.
Belarusian AV vendor VirusBlokAda disclosed on 17 June 2010 that two malware samples had been found capable of infecting a fully patched Windows Se7en machine - and all that was needed was to view the contents of the USB stick with a file manager such as Windows Explorer.
Windows Explorer is of course nothing but a 'pretty face' on the system's 'shell' functionality, which does the actual work. [Radsoft's Xfile works the same way as Windows Explorer. Only better.]
Brian Krebs points out that USB-borne malware is extremely common - the USB stick being a sort of latter-day floppy with fundamentally the same capabilities. USB malware doesn't rely, as boot sector viruses did, on the machine booting from the medium or on hooked disk interrupts catching newly inserted media, but on the 'autorun' feature that in the past, amongst other things, helped Sony propagate their infamous rootkit.
And anything that's possible on other systems is going to mutate in the greenhouse that is Windows.
Windows shortcut files (extension .lnk) are - like most Microsoft 'technology' - a bit of 'overkill'. It's not enough to point to another file: the displayed icon has to be customisable as well. [Yes there are further dangers there already.]
The malware strains for this new USB attack actually install a rootkit when activated. [Yes, being able to install a rootkit on a system without the user being aware of it speaks volumes about the system's security, or lack thereof.]
As executable code can't run unless the user expressly requests it, and as these malware strains activate without any further user interaction, the flaw must be in the way Microsoft handle the display of an arbitrary icon for lnk files.
The malware exploits either a heretofore unknown flaw in the way other system components behave, or the way the Windows 'shell' processes (supposed) image files used to display shortcut icons.
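Since the exact flaw isn't public, the practical question for anyone holding a suspect stick is: what does each shortcut on it actually ask the shell to load for its icon? The following is an added example, not code from the article, from VirusBlokAda or from Microsoft. It reads the fixed 76-byte header and the StringData section of the shell link format (the layout documented by Microsoft as MS-SHLLINK), skips the target ID list and LinkInfo structures, and reports the IconLocation string together with whether the shortcut carries an ID list at all. The risk test in icon_risk is this example's own heuristic (an icon served by a DLL, CPL or other loadable module outside the Windows directory, or from a UNC/device path) and is not a documented signature for these samples; the shortcuts it scans are constructed in the block itself, and 'pretty.dll' is a hypothetical file name. It runs offline on any Python 3 and can be pointed at real .lnk files by reading their bytes.

```python
"""Inspect what a Windows shortcut (.lnk) asks the shell to load as its icon.
Added example; the risk heuristic is an assumption, not a vendor signature."""
import struct
import uuid

LNK_HEADER_SIZE = 0x4C                                   # fixed ShellLinkHeader size
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"                         # size, CLSID, flags, attrs, 3 times,
                                                         # file size, icon index, show cmd,
                                                         # hotkey, reserved x3 (76 bytes)
# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Heuristic knobs (assumptions of this example, not a documented detection).
LOADABLE_EXT = (".dll", ".cpl", ".exe", ".ocx", ".scr")
TRUSTED_PREFIXES = ("%systemroot%\\", "%windir%\\", "c:\\windows\\")


def _unpack(fmt, data, pos):
    """struct.unpack_from that turns a short buffer into a ValueError."""
    try:
        return struct.unpack_from(fmt, data, pos)
    except struct.error:
        raise ValueError("truncated shell link at offset %d" % pos)


def _string_data(text):
    """One StringData entry: CountCharacters (u16) followed by UTF-16LE chars."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, icon_location=None):
    """Construct a minimal unicode .lnk; used here only to make sample input."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
    header = struct.pack(HEADER_FMT, LNK_HEADER_SIZE, LNK_CLSID.bytes_le, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL
    body = _string_data(relative_path)
    if icon_location is not None:
        body += _string_data(icon_location)
    return header + body


def parse_lnk(data):
    """Return LinkFlags, IconIndex, ID list size and the StringData fields."""
    fields = _unpack(HEADER_FMT, data, 0)
    size, clsid, flags, icon_index = fields[0], fields[1], fields[2], fields[8]
    if size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    pos, id_list_size = LNK_HEADER_SIZE, 0
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip the shell item ID list
        (id_list_size,) = _unpack("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                  # skip the LinkInfo structure
        (link_info_size,) = _unpack("<I", data, pos)
        pos += link_info_size
    info = {"flags": flags, "icon_index": icon_index, "id_list_size": id_list_size}
    for name, bit in STRING_FIELDS:            # StringData entries come in this order
        if not flags & bit:
            continue
        (count,) = _unpack("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData for %s" % name)
        pos += count * width
        info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return info


def icon_risk(info):
    """Heuristic: say why the IconLocation looks risky, or None if it doesn't."""
    loc = info.get("icon_location")
    if loc is None:
        return None
    low = loc.lower()
    if low.startswith("\\\\"):
        return "icon location is a UNC or device path: " + loc
    if low.endswith(LOADABLE_EXT) and not low.startswith(TRUSTED_PREFIXES):
        return "icon is served by a loadable module outside the Windows directory: " + loc
    return None


if __name__ == "__main__":
    # Constructed sample shortcuts; 'pretty.dll' is a hypothetical file name.
    samples = {
        "notes.lnk": build_lnk("notes.txt"),
        "calc.lnk": build_lnk("calc.exe", "%SystemRoot%\\system32\\shell32.dll"),
        "photos.lnk": build_lnk("photos\\", "E:\\icons\\pretty.dll"),
    }
    for name, data in samples.items():
        info = parse_lnk(data)
        print("%-12s idlist=%d icon=%r -> %s" % (name, info["id_list_size"],
              info.get("icon_location"), icon_risk(info) or "ok"))
```

The parser deliberately refuses to guess: a bad header CLSID or a buffer that ends mid-string raises rather than returning a partial record, since a shortcut that lies about its own length is itself worth a look. Note that the shell can also derive an icon from the target ID list, which this example only skips over and reports the size of, so a clean IconLocation is not a clean bill of health.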
Security researcher Frank Boldewin claims the current strains specifically target Siemens WinCC SCADA systems - the software responsible for controlling the operations of large distributed systems used in manufacturing and power plants. This of course doesn't mean future versions won't target other things as well.
Microsoft say they're working on a fix. In the meantime be on the lookout for the driver files MRXCLS.SYS and MRXNET.SYS. Or do the sensible thing and leave Windows behind. You know you should have done it long ago anyway.
Krebs on Security: Experts Warn of New Windows Shortcut Flaw
The Register: Windows Shortcut Flaw underpins power plant Trojan