In a recently released advisory, Microsoft has warned all users that the Windows Shell is vulnerable to malware and other attacks. These attacks are usually spread via USB sticks infected with a virus. The vulnerability can affect every Windows system, whether Vista or Windows 7. Microsoft further confirmed that these attacks can also be carried out through network shares and WebDAV shares. The infection occurs because the Windows Shell fails to validate the parameters of a shortcut when the malware tries to load. This allows attackers to download malicious code through an open window when the user clicks on the icon of the malicious file. These shortcuts are links to files and use the .lnk file extension.
However, analysts are of the view that the user does not even need to click on the icon. Simply connecting the USB stick and browsing through it is enough for the malware to attack the system and open it up to the attackers. They believe that the malware can bypass most of the security mechanisms of the Windows operating system, even though it loads without any administrative privilege. According to these analysts, the malware relies on shortcut files with the .lnk extension on the USB stick, which execute automatically as soon as the operating system starts reading them. Put simply, browsing the USB stick with any application that displays shortcuts or easy-access files can run the malware, without the user doing anything else.
This vulnerability was first noticed last week by a Belarusian antivirus company, which found attackers leveraging it with the Stuxnet rootkit. For the uninitiated, the Stuxnet rootkit is malware that targets the networks of global enterprises for sensitive information. The Stuxnet rootkit has shown the ability to evade detection by hiding files that end with .lnk and files that start with ‘~WTR’ and end with ‘.tmp’. Another feature noticed in this malware is its ability to override the ‘autorun’ feature: even if you turn autorun off, the rootkit will still be able to execute and install itself on your system. The rootkit can also evade antivirus software and firewalls. It does this by injecting itself into iexplore.exe; since most firewalls trust iexplore.exe, the malware goes unnoticed by the system. The malware can even terminate some of the security features on your system. It has been found that by using two drivers, namely “mrxnet.sys” and “mrxcls.sys”, the rootkit is able to load without detection, and the rootkit also has the ability to mask these two drivers.
Another security analyst also reported that the malware was able to use a default password to lift data from the Siemens SCADA WinCC + S7 control system database. He further noted that this could indicate the Trojan is being used for industrial espionage attacks.
Microsoft has suggested that users disable icons for shortcuts and switch off the WebClient service. However, this does not resolve the dilemma faced by corporate clients: disabling shortcut icons will cause confusion among their users, while switching off the WebClient service will make sharing-based applications useless.
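As an added example that is not part of the original article, the following Python snippet triages a USB stick's directory listing and a list of loaded drivers against the names the article reports (.lnk files beside ‘~WTR…tmp’ files, and the mrxnet.sys / mrxcls.sys drivers). The sample listings are constructed, and both listings must be taken from a clean machine, since the rootkit hides exactly these files from tools running on the infected host.

```python
import re
from dataclasses import dataclass, field

# Name patterns taken from the article: shortcut files (.lnk) on the stick and
# payload files that start with "~WTR" and end with ".tmp". What sits between
# the prefix and suffix is not specified, so any characters are accepted.
WTR_TMP = re.compile(r"^~WTR.*\.tmp$", re.IGNORECASE)
LNK = re.compile(r"\.lnk$", re.IGNORECASE)
# Driver file names the article attributes to the rootkit.
SUSPECT_DRIVERS = {"mrxnet.sys", "mrxcls.sys"}


@dataclass
class Findings:
    lnk_files: list = field(default_factory=list)
    wtr_tmp_files: list = field(default_factory=list)
    drivers: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Either known driver is decisive on its own. A .lnk file on a removable
        # drive is only interesting when ~WTR*.tmp payloads sit beside it,
        # because ordinary shortcuts are common.
        return bool(self.drivers) or (bool(self.lnk_files) and bool(self.wtr_tmp_files))


def triage(drive_listing, driver_listing) -> Findings:
    """Match a directory listing and a driver list against the reported names.

    Both listings should come from a clean system (e.g. the stick mounted
    read-only on an uninfected machine): the rootkit hides these files from
    tools running on the infected host, so a local listing would miss them.
    """
    found = Findings()
    for name in drive_listing:
        if WTR_TMP.match(name):
            found.wtr_tmp_files.append(name)
        elif LNK.search(name):
            found.lnk_files.append(name)
    for name in driver_listing:
        if name.lower() in SUSPECT_DRIVERS:
            found.drivers.append(name)
    return found


if __name__ == "__main__":
    # Constructed sample listings, not real indicators from any incident.
    stick = ["holiday.jpg", "shortcut1.lnk", "~WTR0001.tmp", "~WTR0002.tmp"]
    drivers = ["ntfs.sys", "tcpip.sys", "MRXNET.SYS"]
    result = triage(stick, drivers)
    print(f"suspicious={result.suspicious} {result}")
```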