
Windows Zero-Day Shortcut LNK File Vulnerability Used to Install Rootkits from Infected USB Drives

A newly discovered flaw in how Windows handles shortcut (.LNK) files is being used to install rootkits: software that gives an attacker administrator-level access to, or control of, a computer while evading detection.

The new malware exploits a design flaw in shortcut (.LNK) files on PCs running Windows. The vulnerability is triggered when a user double-clicks an affected shortcut icon. A shortcut is a placeholder that points to the actual file or program; shortcuts are commonly placed in the Start menu and on the desktop of a Windows PC, but they may also reside on removable media such as USB drives.

Microsoft has already warned users, in Microsoft Security Advisory (2286198), that attackers are exploiting an unpatched vulnerability in the Windows Shell component, which incorrectly parses shortcuts. Since the warning, Microsoft has confirmed what researchers had found: the exploitation is an issue with shortcut (.LNK) files. The vulnerability allows malicious code to be executed, most likely through removable drives. When executed, the malware includes a Trojan horse that downloads a rootkit, which then remains undetected while running.

Several versions of Windows are affected by the shortcut flaw, including Windows 7 and the now-unsupported Windows XP SP2 (Service Pack 2; as of July 13, 2010, Microsoft no longer provides security updates or support for Windows XP SP2). Researchers have noticed that the malware related to the shortcut flaw arrives mostly on an infected USB drive. Traditionally, malware that spreads through USB drives takes advantage of the Windows AutoRun function, so that it is executed the moment the drive is physically attached to the computer, before the user has a chance to interact with it. This time, malicious shortcut files with the .LNK extension must be opened by the user for the vulnerability to trigger. One security company, VirusBlokAda, reportedly found that the malicious shortcut files can be executed automatically if they are written to a USB drive that is later browsed with Windows Explorer.
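A triage check a defender can run over the shortcuts on a removable drive, added here as an example and not code from the article, Microsoft or the researchers it cites: it parses the header, item ID list and string data of a .LNK file following the public MS-SHLLINK layout and flags shortcuts that carry an item ID list but name no file system target, since Explorer must then resolve the item through a shell handler just to draw its icon. The flag names, the `make_lnk` builder and the sample shortcuts it produces are constructed for this example.

```python
import struct

HEADER_SIZE = 0x4C                                   # MS-SHLLINK ShellLinkHeader size
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
FLAG_NAMES = ["HasLinkTargetIDList", "HasLinkInfo", "HasName", "HasRelativePath",
              "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode"]
STRING_KEYS = ["name", "relative_path", "working_dir", "arguments", "icon_location"]  # flag bits 2..6

def parse_lnk(data: bytes) -> dict:
    """Decode the header flags, the LinkTargetIDList items and the StringData of one .LNK file."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.LNK) file")
    info = {name: bool(flags & (1 << i)) for i, name in enumerate(FLAG_NAMES)}
    info["item_ids"], pos = [], HEADER_SIZE
    if info["HasLinkTargetIDList"]:
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos, end = pos + 2, pos + 2 + idlist_size
        while pos < end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:                       # TerminalID closes the list
                break
            info["item_ids"].append(data[pos + 2:pos + item_size])
            pos += item_size
        pos = end
    if info["HasLinkInfo"]:                          # LinkInfo carries its own total size
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, key in enumerate(STRING_KEYS, start=2):  # fixed order, each present only if flagged
        if flags & (1 << bit):
            (count,) = struct.unpack_from("<H", data, pos)
            width, enc = (2, "utf-16-le") if info["IsUnicode"] else (1, "cp1252")
            info[key] = data[pos + 2:pos + 2 + count * width].decode(enc)
            pos += 2 + count * width
    return info

def needs_review(info: dict) -> bool:
    """True when the shortcut has an item ID list but no LinkInfo path and no relative path."""
    return info["HasLinkTargetIDList"] and not info["HasLinkInfo"] and not info["HasRelativePath"]

def make_lnk(item_ids=(), link_info=False, relative_path=None) -> bytes:
    """Constructed sample builder (not a real capture) for a minimal, well-formed Shell Link."""
    flags = 0x80 | (0x01 if item_ids else 0) | (0x02 if link_info else 0)   # IsUnicode + parts
    flags |= 0x08 if relative_path else 0
    ids = b"".join(struct.pack("<H", len(i) + 2) + i for i in item_ids) + b"\x00\x00"
    body = (struct.pack("<H", len(ids)) + ids) if item_ids else b""
    body += (struct.pack("<I", 0x1C) + b"\x00" * 0x18) if link_info else b""  # header-only LinkInfo
    if relative_path:
        body += struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    return struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags).ljust(HEADER_SIZE, b"\x00") + body
```

Point `parse_lnk` at each `*.lnk` on a mounted drive and list the ones `needs_review` returns True for; a flagged shortcut is a candidate for a closer look, not proof of infection.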

The malware in question is known to install two drivers, 'mrxcls.sys' and 'mrxnet.sys', which are rootkit components used to hide the malware on an infected USB drive. This means the malware can spread from any computer the infected USB drive is attached to without being exposed or visible. What is odd about the two files is that both driver files are signed with the digital signature of Realtek Semiconductor Corp, a legitimate technology company. This discovery was brought to our attention by the Krebsonsecurity.com blog. The exact correlation between the two has yet to be determined, but both Microsoft and Realtek have been made aware of the situation and will investigate as necessary.

Attackers may soon take advantage of this new Windows vulnerability to spread malware, especially on systems running Windows XP SP2, because Microsoft will not patch it. If you are running Windows XP SP2, you are advised to upgrade to at least XP SP3.

1 Comment

This makes everything so completely painless.
