NETWORKWORLD.com

Microsoft has confirmed a new, highly dangerous zero-day vulnerability that has caused multiple researchers to issue warnings. The exploit is a whopper on all levels.

It comes into the enterprise via hidden files on USB sticks or via shared network files. It requires no user interaction to infect the system (simply viewing the icon is enough to trigger it). It propagates itself. It loads as a rootkit infection. It affects all Windows operating systems, even fully patched Windows 7 systems. It seems to target extremely sensitive information — researchers say it seems to have been made for espionage. If all that weren’t scary enough, a researcher has already published proof-of-concept code.

  1. david says:

    By what mechanism does a trojan install by the user viewing an icon?

  2. Gilgamesh says:

    #1 – Not sure the mechanism, but graphical file-system managers read all kinds of ‘header’ data within a file *before* simply listing its name. How much of the file is read automatically has increased steadily over time to provide fancy icons and think-ahead & search services.

  3. KMFIX says:

    Is this real? And how does it affect my Mac?

  4. LCR says:

    Ewww. Swine flu, and now this! Mommy, I’m scared!

  5. ECA says:

    KM,
    probably doesn't.
    Unless it's designed under Java/Adobe/Flash/.. of the scripts that your browser Automatically RUNS.
    LOVE NOSCRIPT..

  6. chuck says:

    I tried to install the rootkit app on my iPhone4, but it said I was holding it wrong.

  7. FRAGaLOT says:

    #5 ECA
    This sounds like an exploit in Windows Explorer on how it pre-scans all contents of a folder as you open it. Has nothing to do with a web browser, so “no script” is moot.

    I’m assuming a malformed icon header, I guess, somehow loads a rootkit, or opens it up for a rootkit to be deployed. Who knows really.

    I’m very sure there is a way to turn off the pre-scanning of folders and disabling icons, and just listing a folder's contents as-is. But every version of Windows is different and I have no idea where you can change that behavior.

  8. Skeptic says:

    Re: “By what mechanism does a trojan install by the user viewing an icon?”

    It’s rather complicated, but subliminal messages enter your eyes, controlling your subconscious to seek out the trojan and download it yourself. Memory of all actions is erased through hypnotic techniques. Soon after you will go out and buy an iPhone 4 with free bumper and case.

    [You’ve been watching the Manchurian Candidate too much. – ed.]

  9. Rider says:

    Yes it’s a real problem but this article is full of shit. The security exploit can be used by anything, saying the security exploit is “targeting data” is bullshit. Also calling it a root kit is bullshit. It’s a security hole that can be used to install anything, yes a rootkit is one of things that can be installed. And I’m not sure what the proof of concept part of the article is about. There either is an exploit or there is not an exploit. We already know there is one and we know how it is being used so what exactly is this proof of concept?

    Seems to have been designed for espionage. With hundreds of credible news stories out there with real facts and information in them why did you post this one.

    [Because I’m a Mac fanboy.       Just kidding! – ed.]

  10. jbellies says:

    I saw something like this in an internet cafe in rural Mexico a couple of years ago. It was a virus. All it needed was for you to insert a USB … later when you got home, you insert the same USB in your own computer, and it reads the malformed icon header or whatever. You did not need to click anything to become infected. Several, maybe all, of the computers at the internet cafe were infected. I noticed the problem (too late to prevent infection), but managed to stamp it out by erasing some files. The entry method, from the description, is nothing new.

    I can’t figure out why users can’t sue MS or other software providers for holes that aren’t plugged, EULAs notwithstanding. You know, if negligence is involved.

  11. ECA says:

    #10,
    that is another story.
    Distribution of software that CAN'T protect itself, or has tools enough so MANY can FIX problems. Locking the OS, so it can't be infected. Standardized BAM/boot/Root so that an infection can be located and killed. NOT installing HOLES that are sold as Advertising abilities in the browser.

  12. deowll says:

    A coherent article written by somebody that knows jack would have been useful. This article has all the appearance of having been written by somebody who didn’t have a clue what they were saying.

    Is this dullard trying to say that if you get self-booting malware on a USB drive and automatic booting is turned on when you stick it in a computer it loads or what? It more or less reads like they have completely confabulated two or more security issues. I either know too much or too little to appreciate this babble.

    I don’t have the link but there is an article posted that lists some routers that have been proven to be vulnerable or not vulnerable to a new flavor of DNS attack. I located the site by doing a web search and mine was on the list but fortunately it wasn’t vulnerable to that attack. You can do what you want.

  13. deowll says:

    MS says:

    General Information
    Executive Summary

    Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.

    The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the affected folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled. Microsoft is currently working to develop a security update for Windows to address this vulnerability.

    We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

    To me this sounds like a government or business conducting espionage. Russia? This is a variation of the auto boot problem with a new twist.
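The advisory quoted above says the trigger is the icon of a specially crafted shortcut being displayed, most likely from a removable drive. The following triage helper, added here and not from the article, the advisory or any commenter, parses the StringData section of a .lnk file (per the public MS-SHLLINK layout) and reports where the shortcut's icon is sourced from, so shortcuts whose icon resource lives on the removable media itself can be pulled for review. The sample shortcut bytes are constructed inline; the drive letter and paths are assumptions.

```python
import struct

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-0046}
# LinkFlags bits from the shell link header
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))  # file order


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (including icon_location) of a .lnk blob."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the item ID list block
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip the LinkInfo block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += width * count
    return fields


def icon_on_drive(data: bytes, drive_letter: str) -> bool:
    """True when the shortcut's icon is sourced from the given (removable) drive."""
    icon = parse_lnk_strings(data).get("icon_location", "")
    return icon.upper().startswith(drive_letter.upper() + ":\\")


def build_lnk(icon: str, name: str = "") -> bytes:
    """Constructed sample: minimal Unicode .lnk carrying only StringData."""
    flags = IS_UNICODE | 0x40 | (0x04 if name else 0)
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))  # attributes, times, size, index zeroed
    body = b"".join(struct.pack("<H", len(t)) + t.encode("utf-16-le")
                    for t in ([name] if name else []) + [icon])
    return header + body


# constructed sample: a shortcut on an (assumed) removable drive E: pointing at an icon on E:
SAMPLE_LNK = build_lnk(r"E:\pictures\photo.ico", "Documents")
```

A shortcut whose icon comes from the removable drive is not proof of anything by itself, but it is the shape the advisory describes, so such files are the ones worth examining before anyone browses the folder in Explorer.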

  14. Rider says:

    #13 what in the world makes it sound like espionage? it sounds like every other damn security exploit.

  15. Mextli says:

    #10 “It was a virus. All it needed was for you to insert a … … later when you got home, you insert the same …”

    A lot of viruses from Mexico are spread that way.

  16. ECA says:

    I'm sorry.

    I do NOT THINK my browser should have FULL access to do anything on my computer, withOUT telling WHAT AND WHY it's trying to DO IT.
    ALSO the Internet TEMP file should be setup so it CANT see the rest of the system, AND LOCKED TIGHT.

  17. Milo says:

    Oh no! I have 2 computers!
    Oh wait, one runs Ubuntu and the other is a MacBook Pro.

    Ha ha!

  18. jbellies says:

    #12, #13. With all respect, it is an old twist.
    #15 ¡Tocado!

  19. jescott418 says:

    The person that wrote this must be a Microsoft hater or an Apple lover.
    Most security articles about this have indicated that most flavors of security software, AKA antivirus, that are up to date will prevent this. Even Microsoft’s Security Essentials, which is free, is already updated for this.
    I am so sick of these doomsday freaks who shout shut your Windows machines down or the end is near! The other fact is that Windows 95 is one of the most susceptible to this attack. OK, if you're still running Windows 95 you deserve to be attacked!

  20. ECA says:

    19, Jess…
    And win 95 on a current machine runs Circles around win 7..

  21. Awake says:

    And in other news:

    “Apple the new world leader in software insecurity”

    http://arstechnica.com/security/news/2010/07/apple-the-new-world-leader-in-software-insecurity.ars

    Apple has displaced Oracle as the company with the most security vulnerabilities in its software, according to security company Secunia. Over the first half of 2010, Apple had more reported flaws than any other vendor. Microsoft retains its third-place spot.

  22. chris says:

    #21 Points to you for scooping a DU thread, see above thread.

    I heard a few years ago that the Chinese were using something similar. Dropping thumb drives, when they were expensive, around sensitive buildings. Insert the stick and it would start crawling the network.

    Funny how the virtual world mirrors the actual one: the most advanced software is attackware.

    My uninformed prediction is that this is Russian stuff. A major leap is that the hot Russian spy just returned may have been sticking this in bankers’ PCs in exchange for another kind of sticking.
