Prevx Blog
It was just a matter of time; everyone here at Prevx was expecting this. The noise around the Microsoft 0-day flaw gave malware writers yet another way to spread malware. First came the public proof of concept published by French security researcher Ivanlef0u, then the module added to the Metasploit project. Everything was just too ready not to be (ab)used by malware writers.
Early today we isolated a new variant of the Autorun worm, detected as Autorun:Worm-LNK, which spreads through USB removable storage devices by exploiting the LNK vulnerability. Once a system is infected, the malware drops several crafted LNK exploit files, along with its executable files, onto every USB removable storage device that gets plugged in.
The first problem with the LNK exploit is that the crafted LNK shortcut file must point to the exact path where the malware file is located; this is the only way to get it working. That is a problem for the worm, because the drive letter assigned to a plugged-in USB removable storage device differs from PC to PC. The malware works around it by dropping several crafted LNK files on the infected USB device, each pointing to a different drive letter (from D: to J:), and placing the executable to be launched in the root directory of the drive. It is a kind of brute-force attempt to guess the drive letter the USB removable storage device is mapped to. On top of that, the malware still uses the old autorun.inf trick, which, sadly, is still effective.
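As an added example, not code from Prevx or from the post, the following Python script triages the root of a removable drive for exactly the pattern described above: several shortcuts whose targets are the same file name but differ only in the drive letter, alongside an autorun.inf. It reads the LocalBasePath from each shortcut's LinkInfo structure (MS-SHLLINK header layout), falls back to scanning the raw bytes for drive-letter strings for shortcuts that store the target only in their IDList, groups shortcuts by target with the drive letter stripped, and flags any target reachable via three or more letters. The threshold of three, the file names, and the sample shortcuts it builds are constructed assumptions; the sample .lnk files are benign, contain no exploit structures, and exist only so the script can be run offline.

```python
# Added example (not Prevx code): triage a removable-drive root for the
# drive-letter "spray" pattern described in the post. Parses the LinkInfo
# LocalBasePath from the MS-SHLLINK header and falls back to string scanning.
import os
import re
import struct
import tempfile

# ShellLinkHeader: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HAS_LINK_TARGET_ID_LIST = 0x1        # LinkFlags bit: an IDList follows the header
HAS_LINK_INFO = 0x2                  # LinkFlags bit: a LinkInfo structure is present
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1  # LinkInfoFlags bit: LocalBasePath is present
DRIVE_PATH = re.compile(r"[A-Za-z]:\\[^\x00\"<>|?*\r\n]+")


def lnk_target_paths(data: bytes) -> list:
    """Return the distinct drive-letter paths a .lnk blob refers to."""
    if len(data) < 0x4C or data[:20] != LNK_MAGIC:
        return []
    link_flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    found = []
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        if pos + 2 > len(data):
            return []
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # skip IDListSize + items
    if link_flags & HAS_LINK_INFO and pos + 20 <= len(data):
        _size, _hdr_size, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH and base_off:
            start = pos + base_off
            end = data.find(b"\x00", start)
            if end != -1:
                found.append(data[start:end].decode("latin-1"))
    # Fallback for shortcuts that carry the target only inside the IDList:
    # look for ASCII and UTF-16LE drive-letter paths anywhere in the file.
    found += DRIVE_PATH.findall(data.decode("latin-1"))
    found += DRIVE_PATH.findall(data.decode("utf-16-le", errors="ignore"))
    unique = {}
    for path in found:
        unique.setdefault(path.lower(), path)
    return list(unique.values())


def triage_drive_root(root: str) -> dict:
    """Group .lnk targets by path-without-drive; a target reachable through
    three or more drive letters is the brute-force spray the worm uses."""
    entries = os.listdir(root)
    by_target = {}
    for name in entries:
        if not name.lower().endswith(".lnk"):
            continue
        with open(os.path.join(root, name), "rb") as fh:
            for path in lnk_target_paths(fh.read()):
                by_target.setdefault(path[3:].lower(), set()).add(path[0].upper())
    sprayed = {t: sorted(d) for t, d in by_target.items() if len(d) >= 3}
    has_autorun = any(n.lower() == "autorun.inf" for n in entries)
    return {"sprayed_targets": sprayed,
            "autorun_inf": has_autorun,
            "suspicious": bool(sprayed)}


def build_sample_lnk(target: str) -> bytes:
    """Build a minimal benign .lnk (header + LinkInfo with LocalBasePath).
    Constructed test data only; it contains no exploit structures."""
    base = target.encode("ascii") + b"\x00"
    # VolumeID: size 17, DriveType 2 (DRIVE_REMOVABLE), serial 0, label at offset 16, empty label
    volume_id = struct.pack("<IIII", 17, 2, 0, 16) + b"\x00"
    vol_off = 28
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"  # CommonPathSuffix is empty
    header = (LNK_MAGIC + struct.pack("<II", HAS_LINK_INFO, 0)  # LinkFlags, FileAttributes
              + b"\x00" * 24                                   # three FILETIME fields
              + struct.pack("<IIIH", 0, 0, 1, 0)               # FileSize, IconIndex, ShowCommand, HotKey
              + b"\x00" * 10)                                  # Reserved1..Reserved3
    return header + link_info


def build_demo_root() -> str:
    """Create a temp directory that mimics an infected USB root (constructed data)."""
    root = tempfile.mkdtemp(prefix="usb_root_")
    for letter in "DEFGHIJ":  # the D: to J: spray described in the post
        with open(os.path.join(root, f"shortcut_{letter}.lnk"), "wb") as fh:
            fh.write(build_sample_lnk(f"{letter}:\\sample_payload.exe"))
    with open(os.path.join(root, "Editor.lnk"), "wb") as fh:  # one ordinary shortcut
        fh.write(build_sample_lnk("C:\\Program Files\\Editor\\editor.exe"))
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n")
    return root


if __name__ == "__main__":
    print(triage_drive_root(build_demo_root()))
```

The ordinary shortcut is reported under a single drive letter and is not flagged, while the seven shortcuts that share one target name across D: through J: are. Run against a real drive root, the string-scan fallback matters because exploit shortcuts do not necessarily carry a LinkInfo block; the grouping by drive-less target is what turns a set of individually unremarkable .lnk files into a signal.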
Signature detection for the LNK flaw is still unreliable: the malware's newly generated LNK files are detected on VirusTotal by only 5 of 41 vendors. Writing generic detection signatures for this exploit could easily cause false positives, since it is a design flaw rather than a code flaw.
We expect to see more malware using this technique, especially since the flaw works on every version of Windows from Windows 2000 to Windows 7, both x86 and x64. Users running Windows 2000, Windows XP, Windows XP Service Pack 1 and Windows XP Service Pack 2 must be more careful, as they will not receive security updates from Microsoft because those operating systems are out of support.
The best workaround at the moment is to disable the display of icons for LNK and PIF shortcuts, as described in Microsoft's security advisory. Microsoft has released a Fix it tool that applies this workaround automatically until the company releases an official patch, which we hope arrives as fast as possible, because malware writers have already started playing with this flaw.
This variant of the Autorun worm is currently spreading very quickly; we have been receiving reports of it almost constantly from the Prevx community since yesterday morning.
Prevx already detects, blocks and cleans this malware infection from the infected PC.
9 comments so far
- ssj100 on Jul 23 2:47, 2010
- rich on Jul 23 3:02, 2010
- Triple Helix on Jul 23 3:22, 2010
- Daniel Wolf on Jul 23 17:19, 2010
- George Zarate on Aug 6 0:46, 2010
- J Fox on Aug 11 18:34, 2010
I see, I must be mistaken - my confusion arose from Prevx failing to block the POC that was released. I suppose it makes good sense not to block a harmless POC.
So what you're saying is that Prevx could block all variants of this malware (heuristically) from day zero? Thanks.
Hi Marco,
Can you post the contents of the autorun.inf file?
thanks!
Great to hear that Prevx is on top of things as always!
TH
Agree with Triple, this kind of analysis and on-the-ball stuff is why I own PrevX for two machines.
I love you prevx. You're so light on my 4 machines, and you keep all the little critters out. :)
How do you get all your shortcuts back if you use the Microsoft fixit tool? It's too late to use system restore as I've added too much since then.

I guess the key problem is that Prevx didn't block it on day zero.