Wednesday, July 21, 2010

Just a few notes about a new 0-day vulnerability for our clients...

After the notorious Adobe Flash 0-day that put the security community on alert at the end of May, it is now time for a new vulnerability to steal the thunder. A few days ago Microsoft has released a security advisory (2286198) warning his costumers about a critical security flaw. As detailed on the advisory, all maintained version of Windows Operating System are affected by the issue. Other areas confirm that other non-maintained versions of the operating system like Windows 2000 SP4 and Windows XP SP2 are still affected.

This vulnerability, cataloged as CVE-2010-2568, lies on the Windows Shell component and occurs due the incorrectly way Windows parses shortcut references (files containing the .lnk extension). The advisory also details that it is possible to take advantage of this flaw in a malicious way to allow remote code execution.

As reported on June 16th by the MPCC (Microsoft Malware Protection Center), a worm called Stuxnet that takes advantage of this vulnerability was already being monitored and is suspected to be spreading in the wild for at least a month, possibly longer. According to them, USB removable devices are the main instrument used in order to propagate it, but other infection mechanisms could also be used as Windows file shares and WebDav.

According to Chester Wisniewski, the flaw occurs when shell32.dll tries to load control panel icons from applets. It is possible to create a specially crafted shortcut that points to a malicious file. That way, when the folder gets displayed (using Windows explorer for example) the LNK file will be charged to load and execute the malicious payload. Notice that the .lnk file just carries the exploitation/infection vector that leads the drivers to be executed.

As pointed out by Chet on the same SophosLabs blog post, the analysis performed against an infected USB device containing the malicious code shows that the crafted shortcut file loads two drivers: mrxcls.sys and mrxnet.sys.

These two drivers basically consist of a rootkit and once executed it installs a backdoor on the system, hides the presence of malicious files on the removable USB device and injects encrypted data blobs that seems to serve to the basic rootkit infrastructure.

What has raised special attention is that these drivers were signed using a private key that belongs to Realtek Semiconductor Corp. a well known IC design and peripheral manufacturer company. This characteristic let the drivers to run unnoticed, without causing any warning to be exhibited to the user. How the attacker(s) manage to get their drivers signed by Realtek is still unknown.

The MMPC teams have worked together with VeriSign and Realtek to revoke the certificate and issue a new one. Although, according F-secure it is still possible to use the certificate due the countersignature method of time stamping that allows signatures to be verified even after the certificate has expired or been revoked.

Looking at the malware behavior, Frank Boldewin found some database queries that target the Siemens SIMATIC WinCC SCADA system, a computer system used to control and monitor critical infrastructure operations such the ones performed in power plants and large communication systems. According the Slashdot post the product uses a hardcoded username and password to access its database system (Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder).

When you don't work for a company that operates critical infrastructure services you should not be worried about the malware it in the first place. But since a proof of concept code was released on on June 18th, we can expect more payloads to emerge and ends up being triggered by the LNK vulnerability.

Another important thing to mention is that a lot of questions are raised up these days concerning AutoRun and AutoPlay. As described on Seans post at F-Secure Weblog, the vulnerability could be exploited even if AutoRun and AutoPlay are disabled. However, as happened with the Conficker, these features could be used to trick a user and get the code executed, but it is definitely not required. In order to get the payload executed it is just necessary to display the folder content with the crafted LNK file inner in.

In order to mitigate the issue until Microsoft properly releases a patch some workarounds were proposed as disabling the displaying of icons for shortcuts and disabling WebClient service, more details about how to perform such operations could be checked on the Microsoft Advisory (2286198). Other solution as proposed on the SophosLabs blog post involves the deploy of a GPO (Group Policy Object) disallowing the use of executable files that are not on the C: drive which I believe is the best way to mitigate the problem until the patch is released.

More information about this malware could be verified on the Chet post including a video demonstrating the attack and in the PDF document wrote by Kupreev Oleg and Ulasen Sergey from VirusBlokAda, a Belorussian based company who first discovered and analyzed the exploit.