| The Reference in Independent Anti-Malware Advice and Information
Subscribe | Log in

The Microsoft LNK / USB worm / rootkit ‘issue’ will kill WIN XP SP2 and WIN2000 earlier…

Just recently, reports were released about a new kind of malware propagating through removable drives. The said malware exploits a newly-discovered vulnerability in shortcut files, which allows random code to be executed on the user’s system. Microsoft has officially acknowledged the vulnerability and released a security advisory.

The malware some of the AV industry detects as Win32/Stuxnet, unfortunately, is a worm (and rootkit) of a slightly different colour. It can propagate making use of a 0-day vulnerability described here and also listed by CVE as CVE-2010-2568.
The biggest problem is that Windows (specifically, the Windows Shell) can be tricked into executing malicious code presented in a specially-crafted shortcut (.LNK) file linking, in turn, to a malicious DLL (Dynamic Link Library).

The problem is in the way that Windows Shell fails to parse the shortcut correctly when it loads the icon, it isn’t necessary to click the icon for the malicious code to be executed! The code will be executed without any action on the part of the user once that folder is opened to access whatever legitimate files are on the device.

Note also that USB devices are not the only potential vector: network shares and webDAV shares can also be used to distribute malicious .LNKs. Affected platforms (essentially all current Windows versions) are listed in the advisory: it’s likely that there won’t be a patch for XP SP2 or Windows 2000, which have reached the end of their support life.

Microsoft suggest three temporary solutions at this moment:

* disabling Autorun (always a good idea, but not much help in this instance)

* restricting user rights (adherence to the principle of least privilege, i.e. not giving users more privileges than they need)

* blocking SMB connections on the perimeter firewall to reduce the risk from file shares

Microsoft also suggests two workarounds, and describes how to effect them:

* disable the display of shortcuts

* disable the WebClient service

The real problem:

Take it from me: In the long end this lnk problem will kill MS Win2000 and MS Windows XP SP2 earlier as expected as this OS’ses will have no support or critical update anymore except if MS decides to make an exception, however I doubt it!
Also the number of Windows XP SP2 users is still very high… and do you really think that they care or are aware of their ‘not’ supported OS. Most of them don’t even know that they are using Windows XP, ‘they use Windows’.

PS: This was my first post after a long time. The reason is that I’m moving my sites and started to refurbish my website. So please, stay tuned …

Comments are closed.