Prevx Blog

Jul 19th

0-day flaw discovered in Microsoft Windows

Posted by: Marco Giuliani


The nightmare of infected USB pen drives is back. Until now, the source of such infections was the Autorun feature embedded in Windows. Now the problem resides in a Windows flaw (or feature?) in the handling of LNK shortcut files.

When, some years ago, new worms started using the Autorun feature to spread through USB removable devices, they became a serious problem because every Windows operating system shipped with Autorun enabled.

This is still a security flaw, because a lot of Windows XP systems still have this feature enabled, while in the latest Windows 7 it has been disabled by default. Microsoft chose to follow this path to protect its customers from this vehicle of infection.

This is one of the techniques the Conficker worm used to spread inside a company's LAN, where USB devices are often used by employees to share data. Sadly, a lot of machines are still unprotected from this kind of attack. It is enough to plug the infected device into the machine and let the Autorun feature do the rest, executing the malware.

Disabling the Autorun feature is a good security choice, but is it enough to stop malware from being executed without user interaction?

This is not the case, because a new Windows 0-day security flaw has been discovered that is able to execute malware without user interaction. The flaw, which appears to have been used in some targeted attacks against Siemens WinCC SCADA systems, allows malware to be executed through a malformed (?) LNK shortcut file.

The flaw, first discovered by our colleagues at the security company VirusBlokAda Ltd., has been reported to Microsoft, who have released Security Advisory 2286198 addressing it. The flaw is still being analyzed.

The flaw is triggered by simply browsing to the directory where the malformed LNK shortcut file is present. It is enough to open the directory from within Windows Explorer or with any other file manager: the flaw is triggered and the file the shortcut points to is automatically loaded into memory.

If you are wondering why I've put some question marks near the malformed and feature words, I'm going to explain the reason.

After our initial analysis, it looks like the flaw is not exploiting any coding error. There is no buffer/heap overflow, null-pointer dereference or use-after-free error of the kind you would usually expect from a 0-day flaw. It is just exploiting a feature Windows uses to handle a certain kind of library, a feature that is actively used in several places inside Windows internals.

This leads us to think it is more a feature that has not been correctly hardened and has been abused than a security bug. In fact, this behavior has probably been discovered by attackers while monitoring how Windows behaves when loading specific libraries, because it is easily reproducible.

I'm not allowed to disclose further details about the vulnerability; we just have to wait for Microsoft to release a security update that patches this issue.

Microsoft, as said before, has released a security advisory addressing this flaw. The advisory lists some workarounds that everyone should really apply to protect their systems from this attack: disabling the display of icons for shortcuts and disabling WebDAV. The flaw affects every Windows operating system from Windows XP to Windows 7.

The security advisory is available here: Security Advisory 2286198
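To check whether the two workarounds from the advisory are actually in place on a host, here is a small read-only audit script added to this post (it is not Prevx's or Microsoft's code). It assumes that shortcut icons are rendered through the shell extension registered under HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler, whose (Default) value the workaround clears, and that the Windows WebDAV client is the "WebClient" service; neither name appears in the post itself.

```powershell
# Audit script added as an example; it changes nothing on the machine.
# Assumptions (not stated in the post):
#  - shortcut icons come from the handler under HKCR\lnkfile\shellex\IconHandler,
#    and the advisory workaround clears that key's (Default) value
#  - the WebDAV client is the "WebClient" service
$findings = @()

# 1. Shortcut icon handler: a non-empty (Default) value means icons for
#    .lnk files are still rendered, i.e. the workaround is NOT applied.
$iconKey = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$handler = $null
if (Test-Path -Path $iconKey) {
    $handler = (Get-Item -Path $iconKey).GetValue('')
}
if ([string]::IsNullOrEmpty($handler)) {
    $findings += [pscustomobject]@{ Check = 'Shortcut icon handler'
                                    Status = 'disabled (workaround applied)'
                                    Detail = $iconKey }
} else {
    $findings += [pscustomobject]@{ Check = 'Shortcut icon handler'
                                    Status = 'ENABLED (workaround missing)'
                                    Detail = "(Default) = $handler" }
}

# 2. WebDAV client: report the WebClient service state and its start mode.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += [pscustomobject]@{ Check = 'WebClient (WebDAV) service'
                                    Status = 'not installed'
                                    Detail = '' }
} else {
    $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'").StartMode
    $ok = ($svc.Status -ne 'Running') -and ($mode -eq 'Disabled')
    $findings += [pscustomobject]@{ Check = 'WebClient (WebDAV) service'
                                    Status = $(if ($ok) { 'disabled (workaround applied)' }
                                               else { 'ACTIVE (workaround missing)' })
                                    Detail = "state=$($svc.Status) start=$mode" }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on each host; a line marked "workaround missing" means that mitigation from the advisory has not been applied there.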

We will post further updates as soon as we have them.

4 comments so far

Daniel Wolf on Jul 19 16:44, 2010

Thanks for the great explanation, Marco. I remember another "infected without opening it" thing with PDFs a while ago.

Jarno on Jul 20 12:32, 2010

Thanks for the article! Could this exploit be spread through, like, torrents or rar and zip files? Like you open a rar file you downloaded and it has the exploit and it infects you when you open the unrarred folder in Explorer? If that is possible then this is a disaster!!

Joe Peifer on Jul 21 10:33, 2010

Marco, great explanation. Question though... will Prevx protect a system against these new .lnk attacks?

Baptiste on Jul 22 13:03, 2010

"The nightmare of infected USB pen drives is back.": like the nightmare of floppies before, this is mostly the nightmare of crappy MS security. First, users should be encouraged to mount removable media "noexec" (unix terminology). Second, just plugging in media and opening directories should *in no way* cause any binary to be executed. As always, MS has taken shortcuts in the name of "features" and "ease of use". Bad choice!
