Trend Micro Threat Advisory: A Shortcut to Infection
July 2010 by Trend Micro
Trend Micro TrendLabs warns of an active criminal attack that exploits an as yet unpatched vulnerability in Microsoft Windows. All current versions of Windows are affected, so every Windows user is exposed to the risk of attack and infection.
Notably, the malware that first exploited this vulnerability appeared to be highly targeted at SCADA systems, the industrial control systems routinely used to run utilities such as power and water and to control large-scale manufacturing.
The vulnerability means that merely viewing the contents of a folder that contains a malicious shortcut (.LNK file) puts a user at risk of infection, without double-clicking anything or opening a document: the Windows shell loads and runs code referenced by the shortcut while it renders the shortcut's icon. What makes the threat especially dangerous is Windows' AutoRun/AutoPlay handling of removable drives, which can open a drive's folder automatically when it is plugged in, so simply inserting a USB stick can be enough to infect the machine.
While this vulnerability is most likely to be exploited through removable drives, users should be on their guard against all shortcut files whose authenticity they cannot guarantee. The same vulnerability could also be exploited through contaminated file shares, or through something as simple as a malicious compressed archive such as a ZIP file.
Instead of dropping an AUTORUN.INF file and a copy of itself onto removable and fixed drives, as most drive-spreading worms do, the malware used in this attack drops a .LNK file (a shortcut that points to an executable file) onto the drives. Whenever the drive's contents are displayed on a system, the shortcut exploits this vulnerability and drops a new copy of the malware (WORM_STUXNET.A) onto that system.
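To give a concrete picture of the file format this attack rides on, here is a small Python triage script, added for this page and not part of Trend Micro's advisory or products, that parses the Windows Shell Link (.LNK) binary format and reports where each shortcut points. Run over the shortcuts found on a removable drive or file share, it flags any that reference executable code or that describe their target only through the item ID list. The sample shortcuts, the file names inside them and the flagging rules are assumptions constructed for the example; the script does not validate the item ID list structure the exploit abuses, so a clean result is not proof that a shortcut is safe.

```python
"""Triage of Windows shortcut (.LNK) files by parsing the Shell Link binary
format (MS-SHLLINK).  Added example, not Trend Micro code; the heuristics are
this script's own and are not a signature for the exploit itself."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# Shell link CLSID 00021401-0000-0000-C000-000000000046, as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits from the ShellLinkHeader
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields, in the order the format stores them
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
EXEC_SUFFIXES = (".dll", ".exe", ".cpl", ".scr", ".pif", ".com")


def parse_lnk(data: bytes) -> dict:
    """Parse the header, LinkTargetIDList and StringData; LinkInfo and any
    ExtraData blocks are skipped, since the triage below does not need them."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    off = LNK_HEADER_SIZE
    item_ids = []
    if flags & HAS_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2
        end = off + idlist_size
        while off + 2 <= end:                      # ItemIDs end with a zero TerminalID
            (item_size,) = struct.unpack_from("<H", data, off)
            if item_size < 2:
                break
            item_ids.append(data[off + 2:off + item_size])
            off += item_size
        off = end
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    strings = {}
    for flag, field in STRING_FIELDS:
        if not (flags & flag):
            continue
        (count,) = struct.unpack_from("<H", data, off)  # count is in characters, not bytes
        off += 2
        if flags & IS_UNICODE:
            strings[field] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            strings[field] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return {"flags": flags, "item_ids": item_ids, "strings": strings}


def idlist_strings(item_ids) -> list:
    """Printable ASCII and UTF-16LE runs inside the item ID list, which is where
    a shortcut that has no LinkInfo and no StringData keeps its target."""
    found = []
    for item in item_ids:
        found += [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{4,}", item)]
        found += [m.decode("utf-16-le") for m in re.findall(rb"(?:[\x20-\x7e]\x00){4,}", item)]
    return found


def triage(data: bytes) -> dict:
    """Everything the shortcut points at, plus reasons it deserves a closer look."""
    lnk = parse_lnk(data)
    refs = list(lnk["strings"].values()) + idlist_strings(lnk["item_ids"])
    reasons = [f"points at executable code: {r}" for r in refs
               if r.lower().endswith(EXEC_SUFFIXES)]
    if (lnk["flags"] & HAS_ID_LIST) and not (lnk["flags"] & HAS_LINK_INFO) and not lnk["strings"]:
        reasons.append("target held only in the item ID list (no LinkInfo, no string data)")
    return {"references": refs, "reasons": reasons}


def build_lnk(flags: int, item_ids=(), strings=None) -> bytes:
    """Assemble a shell link from parts, used here only to construct sample input."""
    hdr = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    hdr += b"\x00" * (LNK_HEADER_SIZE - len(hdr))  # attributes, times, size etc. left zero
    body = b""
    if flags & HAS_ID_LIST:
        idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in item_ids) + b"\x00\x00"
        body += struct.pack("<H", len(idlist)) + idlist
    if flags & HAS_LINK_INFO:
        body += struct.pack("<7I", 28, 28, 0, 0, 0, 0, 0)  # minimal LinkInfo, size field first
    for flag, field in STRING_FIELDS:
        if flags & flag:
            text = (strings or {})[field]
            body += struct.pack("<H", len(text))
            body += text.encode("utf-16-le") if flags & IS_UNICODE else text.encode("cp1252")
    return hdr + body


# Constructed samples (not real shortcuts written by Windows).  BENIGN resembles a
# document shortcut: LinkInfo present, relative path to a .docx.  SUSPECT names its
# target only inside the item ID list, as a UTF-16 path to a DLL on the same
# removable drive; the file name is made up for this example.
BENIGN = build_lnk(HAS_LINK_INFO | HAS_REL_PATH | IS_UNICODE,
                   strings={"relative_path": ".\\quarterly-report.docx"})
SUSPECT = build_lnk(HAS_ID_LIST, item_ids=[
    b"\x1f\x00" + bytes(16),                                          # opaque root item
    b"\x00\x00" + "E:\\loader.dll".encode("utf-16-le") + b"\x00\x00",
])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage(blob))
```

On a real drive, feed `triage()` the bytes of every *.lnk file and review anything with a non-empty `reasons` list; a shortcut on removable media whose only reference is a DLL sitting on that same media is exactly the shape the advisory describes.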
Additionally, the worm drops a rootkit that hides its files and routines, which keeps the infection unnoticed by the user and makes analysis harder for researchers.
A working exploit for this vulnerability is now in open distribution, so further attacks are likely. Microsoft Security Advisory 2286198 gives workarounds to apply until a patch is available: disabling the display of icons for shortcuts (so that the shell never renders, and therefore never triggers, a malicious shortcut) and disabling the WebClient service (which closes the WebDAV route by which a remote server could deliver a shortcut). Note that the first workaround affects every shortcut on the system, so Start menu and desktop shortcuts will show blank icons while it is in place. Users of the Trend Micro Smart Protection Network have been protected against the malicious code used in this attack since Thursday 15th July. Other users can run Trend Micro HouseCall to check for and clean up infections.