There is a new Window attack against Windows that exploits a vulnerability Windows .lnk files (all those shortcuts on the desktop, in the start menu, and elsewhere are .lnk (link) files). Currently, this attack is being spread via USB drives, and is not a network attack. In theory, though, it could also be spead via network shares or WebDAV. All versions of Windows are vulnerable, including fully patched versions of Windows 7 and Server 2008.
Current versions of the attack utilize a rootkit to hide the malicious files on both the USB drive and on infections machines. Simply inserting an infected USB drive into a Windows computer ahd viewing its contents is generally all it takes to spread the infection. Any other USB drive that is inserted will also be infected. Initial samples of this “worm” (so classified because it can spread without any specific user action) are targeted attacks – looking specifically for software that is used to manage large distributed systems, such as power plants and manufacturing facilities. Broader attacks are almost sure to follow.
USB “drives” (which can incude other devices, such as smart phones, which incorporate solid state drives) are an increasingly dangerous vector for the spread of malware. “Thumb drives” or “USB sticks” have become a cheap, compact, and easy means of moving large amounts of data between computers. Smart phones are becoming ubiquitous and are commonly plugged into multiple computers to sync email, contact lists, and calendars.
One of the drivers that the rootkit installs is as signed driver – signed by Realtek Semiconductor Corp., a legitimate company. This is a good example of why it is so important to protect certificate private keys. Verisign has since revoked the compromised certificate. AV vendors are also scrambling to add this to the list of threats their products will detect.
We will have to wait to see how widespread the attacks which exploit this vulnerability become. Microsoft has not released any date for a fix. There are workarounds, but some of them will preclude the use of Sharepoint, a service upon which many organizations depend. The best solution is to implement some form of endpoint security. Endpoint security is used to lock down USB and other devices by limiting their ability to write files. Endpoint security can also limiting what can be written to external devices as part of a Datat Loss Prevention program.
One additional note – any systems running on Windows 2000 or Window XP without SP3 will NOT receive updates to patch this flaw – ever. Microsoft has officially ended support for those operating system.
Want to read more?
Dennis H in West Virginia, US
July 20, 2010