Watch out for this nasty zero-day exploit

Windows' dumb way of handling certain shortcut icons opens door to new rootkit exploit that can nail fully patched systems

An antivirus company based in Belarus called VirusBlokAda claims that its researchers have discovered two malicious files, called ~wtr4132.tmp and ~wtr4141.tmp, and added them to the company's antivirus signature file. In spite of the ".tmp" filename extension, both files contain programs. Those programs install a rootkit on Windows machines, including fully patched Windows 7 machines, and they propagate using a previously unknown mechanism.

The precise infection method is still being investigated and dissected by black hats and white hats all over the world, but the samples that have surfaced in print show four shortcut files: plain old everyday LNK files, much like the ones you find scattered all over your desktop. Somehow working in collusion, one or more of the four LNK files and two TMP files can pwn any modern Windows machine.


Microsoft Security Advisory 2286198, titled "Vulnerability in Windows Shell Could Allow Remote Code Execution," acknowledges the security hole and states that Windows XP SP3, Server 2003 SP2, Vista, Windows 7, and Server 2008 and R2, in all flavors, are vulnerable. Others have found that this zero-day hole also affects Windows XP SP2 and Windows 2000. Of course, both of those versions lapsed into unsupported status last week, but when Microsoft issues a fix for this problem, I figure there's a 99.99 percent chance that it'll be available for XP SP2 and Win2000 as well -- so much for end-of-life dates.

Apparently, the security hole occurs as a by-product of the way Windows itself offers up an icon for a shortcut. There aren't many details available about the process, but it appears to go like this:

Windows shortcuts are files set up in a predefined way that end with the filename extension ".LNK." As you may recall, icons for Windows shortcuts appear with a loopy arrow overlaying the icon for the program or file or folder itself. If you write a program that displays icons, when your program encounters a LNK file, it will most likely construct a loopy arrow and then ask Windows to provide the icon of the underlying program, file, folder, or whatever. There is a bug in the way Windows retrieves those underlying icons. It's a big bug, and it's been in Windows for a long, long time. The bug is so big that Windows can be forced to run any program at all. Instead of retrieving the icon of the underlying program or file or folder, Windows instead runs a program of the caller's choice.

Permit me to illustrate: Have you ever gone to a farmer's market and seen a caricature artist? People walk up to the artist and say, "Draw me a picture of Brad Pitt." Ten minutes and 20 bucks later, they get a picture of Brad Pitt.

Now let's say you discover that there's a zero-day shell vulnerability bug in the artist. When you tell the artist, "Draw me a picture of the Windows Time and Date icon, but really buy me an ice cream cone," the artist buys you an ice cream cone.

And who said computer security was complicated?

Say you're a clever cretin and you want to install rootkits. Here's what you do: You make a LNK file that takes advantage of this bug in Windows. When a program -- any program -- puts together an icon for your LNK file, it calls Windows and asks Windows to pass the program the icon of the underlying program, file, or folder. Bingo. This bug kicks in and, instead of retrieving the underlying icon, Windows gets tricked into buying ice cream, er, running some other program. Researchers have hinted that the LNK file (or files) has to specify the precise location of the infecting program, so the LNK file probably has to travel together with the infecting file.

As best as I can tell, that's the basic mechanism at work. If it turns out to be the case, there are all sorts of worrisome implications.

First, you don't have to run anything. It's a drive-by infection vector. The minute you do something that makes a program want to show you the icon for that bad LNK file, you're hosed. The examples found in the wild were on USB drives, but that's just a convenient way to deliver all the files in a group. As soon as you open the containing folder, Windows Explorer wants to generate icons for the LNK files, and your system bites the dust. Microsoft now advises that WebDAV can be used as an infection vector. Clearly, any network shares -- anyplace your users are likely to go looking for files -- are also susceptible.
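As an added illustration, not code from the article or from any vendor, here is a small Python triage script for the pattern the article describes: shortcut files travelling together with ".tmp" files that are really programs. It recognises a shortcut by its Shell Link header rather than by extension, flags files whose extension is non-executable but whose contents begin with the PE "MZ" signature, and builds a constructed sample folder so it runs offline; the sample file names and the co-location heuristic are assumptions of this example, not indicators taken from the page.

```python
import struct
import tempfile
from pathlib import Path

# A Shell Link (.LNK) file starts with a fixed 0x4C-byte header: HeaderSize (uint32,
# always 0x4C) followed by the LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # CLSID, little-endian fields
PE_MAGIC = b"MZ"  # every DOS/PE executable starts with this, whatever its extension
# Extensions that should never carry a program image; "MZ" under one of these is the
# TMP-file-that-is-really-a-program pattern described above (assumed list).
NON_EXEC_EXTS = {".tmp", ".txt", ".log", ".dat"}


def is_shell_link(head: bytes) -> bool:
    """True if the bytes carry a genuine Shell Link header, not merely a .lnk name."""
    if len(head) < LNK_HEADER_SIZE:
        return False
    return struct.unpack_from("<I", head, 0)[0] == LNK_HEADER_SIZE and head[4:20] == LNK_CLSID


def is_disguised_executable(name, head: bytes) -> bool:
    """True if a file with a non-executable extension begins with a PE/MZ image."""
    return Path(name).suffix.lower() in NON_EXEC_EXTS and head[:2] == PE_MAGIC


def triage_folder(folder) -> dict:
    """Scan one folder (e.g. a USB stick root); 'suspicious' needs both kinds together."""
    links, payloads = [], []
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file():
            continue
        with open(entry, "rb") as fh:
            head = fh.read(LNK_HEADER_SIZE)  # the header is all either check needs
        if is_shell_link(head):
            links.append(entry.name)
        elif is_disguised_executable(entry.name, head):
            payloads.append(entry.name)
    return {"links": links, "payloads": payloads, "suspicious": bool(links) and bool(payloads)}


def demo() -> dict:
    """Build a constructed sample folder (not real malware) and triage it."""
    root = Path(tempfile.mkdtemp())
    lnk = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    lnk += b"\x00" * (LNK_HEADER_SIZE - len(lnk))                 # zeroed rest of header
    (root / "Copy of Shortcut.lnk").write_bytes(lnk)               # constructed shortcut
    (root / "~sample.tmp").write_bytes(PE_MAGIC + b"\x90" * 200)   # constructed PE stub
    (root / "readme.txt").write_bytes(b"just text\n")              # benign, no MZ signature
    return triage_folder(root)
```

Run `triage_folder()` against a mounted removable drive or share root to get the same report for real files; a header-level check like this only spots the current packaging, not the underlying shell bug.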

Second, the people who put this together are way smart. What I've described here is only part of the story. Those two TMP files, which are programs that get run by the jiggered LNK file(s), install Stuxnet-infected drivers signed by Realtek, the company that makes audio codecs, routers, and network interface controllers. The signature's real. Brian Krebs in his KrebsOnSecurity blog explains how the installed drivers work as rootkits. The Microsoft Malware Prevention Center blog goes into detail about the Stuxnet worm.

Third, the usual defense mechanisms don't apply. User Account Control, for example, never enters into the picture. Running on a Limited account makes no difference, as Sophos's Chester Wisniewski demonstrates convincingly on his blog. Disabling AutoRun for USB drives does nothing.

Fortunately, it looks like the original zero-day attack was limited, very specifically, to monkeying around with Siemens WinCC SCADA systems, which are used to control large automated production facilities -- industrial espionage. Unfortunately, the experts are betting that the same hole will be used in other exploits in the very near future.

What can you do about it? Not much. Microsoft's Security Advisory gives manual steps for disabling the display of icons in Windows Explorer and for disabling WebDAV. Neither approach blocks other icon-displaying programs, and in any case the cure may be worse than the disease. Antivirus software vendors are adding detection for Stuxnet, which will stop the current incarnation. But nobody I know has come up with a way of stopping the propagation method.

SANS Internet Storm Center reports that there's proof-of-concept code circulating in cracker circles.

Keep your eyes open for this one. We haven't heard the last of it yet.

This article, "Watch out for this nasty zero-day exploit," was originally published at InfoWorld.com.

Copyright © 2010 IDG Communications, Inc.