The Tech Herald

Windows Shell vulnerability being used in the wild (Update)

by Steve Ragan - Jul 22 2010, 20:12

The Windows Shell vulnerability, which stems from the way Windows handles shortcut (.LNK) files, gained attention as the means used by criminals to distribute malware targeting SCADA systems.

Now that the code to exploit the vulnerability is widely available, it’s being used in the wild, albeit in a limited scope. The fear is that this could change.

Initially, the attacks using the Windows Shell vulnerability were small and tightly focused on organizations running the WinCC SCADA system from Siemens. The malware delivered in those attacks, dubbed Stuxnet by the media and the security community, targeted Siemens' technology and attempted to gain access using the product's default settings. If that failed, so did the attack.

Microsoft is working on a patch for the vulnerability itself, but it won't be easy. In the meantime, the company has suggested mitigations and released a tool to apply them. The attack surface, however, is wide: as the proof of concept shows, an attacker can pair any malicious payload with the Windows Shell flaw to target victims.

During an interview this afternoon, Jamz Yaneza, Threat Research Manager for TrendMicro, confirmed that since the proof-of-concept code began to circulate, the company has seen new exploits in the wild that target a much wider base of users. “I generally think that the fix for this is going to be a requirement,” he said.

[TrendLabs posted a blog on the subject here.]

Exploitation can come from rogue shortcuts on a USB drive, the most common attack vector seen by TrendLabs, but there are other vectors, including malicious shortcuts embedded in other file formats, such as documents, or placed on a network share.

A malicious shortcut embedded in a website could also be used for drive-by downloads. To be fair, while drive-by downloads are possible, that vector has not been seen in use so far.
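As an added triage example (not code from this article, from Microsoft, or from any of the vendors quoted here), the following Python script parses the binary shortcut format far enough to pull out the strings a .LNK file carries and flags any shortcut on a mounted USB drive or network share whose item list or icon string references a DLL or CPL outside the Windows directory. The sample shortcuts are constructed inline; the trusted-prefix list, the extension list and the file names are assumptions for illustration, and the check is a heuristic for triage, not a replacement for vendor signatures.

```python
"""Triage .LNK files for shortcut-based module loading (constructed example).

Parses the MS-SHLLINK layout far enough to pull out the strings a shortcut
carries (item ID list and StringData) and flags any that point at a DLL or
CPL outside the Windows directory. Heuristic for triage only.
"""
import re
import struct
import tempfile
from pathlib import Path

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
STRING_DATA_ORDER = (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON)

# Assumptions for illustration: what counts as a loadable module, and where a
# legitimate icon/target module is expected to live.
MODULE_EXT = (".dll", ".cpl")
TRUSTED_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows", "%programfiles%")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # printable UTF-16LE runs


def parse_lnk(data):
    """Return (strings found in the ID list, StringData dict) from raw bytes."""
    if len(data) < 76 or data[:4] != struct.pack("<I", 76) or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    idlist_strings = []
    if flags & HAS_IDLIST:
        size = struct.unpack_from("<H", data, pos)[0]
        blob = data[pos + 2:pos + 2 + size]
        pos += 2 + size
        off = 0
        while off + 2 <= len(blob):  # ItemID: u16 self-inclusive size, 0 ends the list
            item_size = struct.unpack_from("<H", blob, off)[0]
            if item_size == 0:
                break
            item = blob[off + 2:off + item_size]
            idlist_strings += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(item)]
            off += item_size
    if flags & HAS_LINKINFO:  # LinkInfoSize is the first field; skip the structure
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag in STRING_DATA_ORDER:  # each: u16 CountCharacters, then the characters
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            strings[flag] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            strings[flag] = data[pos:pos + count].decode("latin-1")
            pos += count
    return idlist_strings, strings


def suspicious_references(data):
    """Module references (DLL/CPL) that do not sit under a trusted location."""
    idlist_strings, strings = parse_lnk(data)
    hits = []
    for ref in idlist_strings + list(strings.values()):
        path = ref.strip().lower()
        if path.endswith(MODULE_EXT) and not path.startswith(TRUSTED_PREFIXES):
            hits.append(ref)
    return hits


def scan_directory(root):
    """Walk a mounted drive or share; map shortcut path -> suspicious references."""
    findings = {}
    for lnk in Path(root).rglob("*.lnk"):
        try:
            hits = suspicious_references(lnk.read_bytes())
        except ValueError:
            continue  # not a parseable shortcut
        if hits:
            findings[str(lnk)] = hits
    return findings


def build_lnk(icon=None, idlist_items=()):
    """Assemble a minimal shell link (constructed test data, not a real sample)."""
    flags, body = IS_UNICODE, b""
    if idlist_items:
        flags |= HAS_IDLIST
        items = b"".join(struct.pack("<H", len(it) + 2) + it for it in idlist_items) + b"\x00\x00"
        body += struct.pack("<H", len(items)) + items
    if icon is not None:
        flags |= HAS_ICON
        body += struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
    header = struct.pack("<I", 76) + LNK_CLSID + struct.pack("<I", flags)
    return header + b"\x00" * (76 - len(header)) + body  # zeroed attributes/times


# Constructed samples: an ordinary shortcut, one whose ID list names a DLL on
# removable media, and one whose icon string points at a CPL on a network share.
SAMPLES = {
    "readme.lnk": build_lnk(icon="%SystemRoot%\\system32\\shell32.dll"),
    "removable.lnk": build_lnk(idlist_items=(
        b"\x00" * 6 + "E:\\~tmp\\loader.dll".encode("utf-16-le") + b"\x00\x00",)),
    "share.lnk": build_lnk(icon="\\\\fileserver\\public\\icons.cpl"),
}


def demo():
    """Write the samples to a temp dir, scan it, return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in SAMPLES.items():
            Path(tmp, name).write_bytes(blob)
        return {Path(k).name: v for k, v in scan_directory(tmp).items()}


if __name__ == "__main__":
    for name, refs in demo().items():
        print(f"{name}: {refs}")
```

Point `scan_directory` at the mount point of a removable drive or a mapped share to triage it. Icon strings under the Windows directory are normal, which is why the heuristic keys on location rather than on the mere presence of a DLL reference; anything it flags still needs a look with current anti-virus signatures.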

A second security firm, Kaspersky, has seen attacks in the wild as well, confirming TrendLabs' observations. Both firms noted that the payload remains the same: Stuxnet.

Considering that Stuxnet's initial release targets only SCADA systems, it is a little odd to see that variant propagated on a wider scale. Yet, as Yaneza made clear during our conversation, this could easily change.

Stuxnet uses SQL to target the WinCC SCADA system, but the WinCC-specific code could be swapped for anything else. Combined with the Windows Shell vulnerability, it is surprising that this has not already happened online. Replacing the SCADA code with code that targets financial information is one obvious alternative.

That the SCADA SQL code has remained unchanged comes as a surprise to Kaspersky's senior anti-virus researcher Roel Schouwenberg.

“It's rather surprising that we haven't seen more widespread adoption [of the Windows shell vulnerability] so far. Zero-days that affect all versions of Windows since Windows 2000, for which there's no real usable mitigation other than AV, aren't very common. So one would expect lots of the bad guys would be jumping on this, but so far they haven't.”

Until a patch is officially released, administrators and home users alike will need to remain vigilant. Aside from ensuring anti-virus definitions are current (all of the major security companies have some type of signature for Stuxnet), caution is the best defense.

In terms of geographic stats, the attacks in the wild have hit Iran, Indonesia, and India the hardest. However, there have been detections in the U.S. and U.K., as well as parts of Europe.

Update:

Shortly after this story went live, ESET confirmed two new malware families using the Windows Shell vulnerability.

The two malware families, Chymine.A and Autorun.VB.RP, were both observed by ESET researchers. Chymine.A is a keylogger, and early detections show the attacks are aimed at China.

ESET noted that, while Chymine.A is a payload delivered by way of the Windows Shell vulnerability, Autorun.VB.RP "does actually produce new [malicious *.LNK] files exploiting the CVE-2010-2568 vulnerability to facilitate its own spreading."

"This new development follows a typical path of evolution in malware. Often there are only days between the initial release of information regarding a critical vulnerability, and the discovery of its exploitation being executed in the wild by malware authors. It is safe to assume that more malware operators will start using this exploit code in order to infect host systems and increase their revenues." - Pierre-Marc Bureau, ESET
