AppGuard Snuffs Out Windows LNK Vulnerability Zero-Day Attacks
by Eirik Iverson, Product Management
Microsoft issued a critical security advisory on Friday (16 July 2010) concerning a vulnerability affecting most Windows operating systems. Security pundits consider it an extremely serious advanced persistent [malware] threat (APT). Speculation suggests there will be no Microsoft patch until August 10, and none at all for Windows XP SP2 users. This vulnerability poses little risk to Windows computers protected by AppGuard or AppGuard Enterprise, even those running XP SP2.
Vulnerability/Exploit Background
The vulnerability involves the short-cuts most commonly found on a PC’s desktop and application tray. In fact any short-cut, which is simply a file with an LNK extension, located anywhere, can be used. Most exploits in the wild are found on USB drives and rely on the Windows AutoPlay functionality to activate the short-cut upon USB insertion. Similarly, in the enterprise, attackers drop these LNK files onto network drives to get the same AutoPlay effect.
The malware name most commonly associated with this exploit is Stuxnet. There is also a downloader that implants malicious LNK files as well as an executable. (A downloader is a generic malware application that attackers download and launch from user space once they have exploited a software vulnerability; it then assesses the host, downloads persistent malware and files, and finally installs them for permanent use.) This downloader also attempts to alter the Windows registry (HKCU/…/Run) so that the permanent malware executable is launched automatically whenever Windows starts. Also of interest, the hash checksum, or signature, of this downloader changes with each use, making detection by traditional anti-virus/spyware products highly unlikely. Names for the downloader include W32.Changeup (Symantec), W32/Autorun.BFG (Sophos), Win32/AutoRun.VB.RD (Eset), Worm:Win32/Vobfus.R (Microsoft), Download-CJX (McAfee) and TR/Dldr.Gaat.B (Avira).
The most important thing for enterprise desktop administrators or advanced home users to know is that this vulnerability enables an attacker to launch an arbitrary executable. However, the executable must already be present on the host. Otherwise, a malicious short-cut is moot. Think of this vulnerability as a trigger, which is useless without a bullet (i.e., a malicious executable). Does the LNK vulnerability alone represent a zero-day threat? No. But combined with other vulnerabilities it can be.
Microsoft recommends disabling short-cuts, among other workarounds. AppGuard and AppGuard Enterprise users need not implement these workarounds, though they do add another layer of protection.
How AppGuard Defeats LNK Exploits
A Stuxnet or similar malware attack usually begins somewhere in user-space, which is any hard drive or removable media location where an end-user without local admin rights can write. User-space is the preferred initial landing site for any attack because it is always writable, whereas system-space is inaccessible when the target PC is running without local admin rights.
AppGuard only allows executables to launch from within user-space if they are on the ‘guard list’, which may be regarded as a white list. So, the malicious executable cannot launch from user-space, period. This includes USB drives too. AppGuard Enterprise, where PC’s frequently encounter network drives, treats these drives as user-space as well.
The attackers must therefore get their malicious executable into system-space before their LNK trigger can be of use. System-space is defined as the Windows and Program Files directories and their children. AppGuard places at-risk applications ‘under guard’. Typically one guards web browsers, email applications, Adobe Reader, Microsoft Office, and other applications that consume files and communications from potentially unknown origins. ‘Guarded’ applications can write neither into system-space nor into those parts of the Windows registry where a write can trigger an executable launch.
So, attackers cannot launch malicious executables from user-space. They cannot exploit vulnerabilities in software applications to plant an advanced persistent [malware] threat (APT, i.e., malicious executable) into system-space. Therefore, the LNK Windows vulnerability poses little risk to AppGuard or AppGuard Enterprise protected computers.
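To make the user-space/system-space policy described in this section concrete, here is an added toy model (example code, not AppGuard’s own implementation). It encodes the three rules above, launch from user-space only if whitelisted, no guarded-application writes into system-space, no guarded-application writes under the Run key, and runs a constructed attack chain through them; all paths, the guard list and the `eve` user profile are constructed, and the full Run key name is spelled out where the post abbreviates it as HKCU/…/Run.

```python
from pathlib import PureWindowsPath

# Constructed example (not AppGuard code): a toy model of the launch/write policy.
SYSTEM_SPACE_ROOTS = (r"C:\Windows", r"C:\Program Files")
# The post abbreviates this key as HKCU/.../Run.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def _parts(path):
    """Case-folded components, so 'Windows2' is not treated as a child of 'Windows'."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def is_system_space(path):
    """System-space: the Windows and Program Files directories and their children."""
    return any(_parts(path)[:len(_parts(r))] == _parts(r) for r in SYSTEM_SPACE_ROOTS)


def launch_allowed(exe_path, guard_list):
    """User-space executables launch only if whitelisted; system-space ones launch freely."""
    return is_system_space(exe_path) or _parts(exe_path) in {_parts(g) for g in guard_list}


def write_allowed(writer_is_guarded, target):
    """A guarded app may write neither into system-space nor under the Run key."""
    if not writer_is_guarded:
        return True
    return not (target.lower().startswith(RUN_KEY.lower()) or is_system_space(target))


def evaluate(events, guard_list):
    """events: ("launch", exe_path) or ("write", writer_is_guarded, target)."""
    return [launch_allowed(e[1], guard_list) if e[0] == "launch" else write_allowed(e[1], e[2])
            for e in events]


# Constructed chain mirroring the post: an LNK on a USB stick points at a payload on
# the stick; a guarded browser then tries to plant and persist that payload.
ATTACK_CHAIN = [
    ("launch", r"E:\payload.exe"),                         # user-space, not whitelisted
    ("write", True, r"C:\Windows\System32\payload.exe"),   # plant into system-space
    ("write", True, RUN_KEY + r"\payload"),                # Run-key persistence
    ("write", True, r"C:\Users\eve\AppData\payload.exe"),  # drop into user-space
    ("launch", r"C:\Users\eve\AppData\payload.exe"),       # launch from user-space
    ("launch", r"C:\Windows\System32\notepad.exe"),        # legitimate system app
]
GUARD_LIST = frozenset([r"C:\Users\eve\Tools\approved.exe"])

if __name__ == "__main__":
    for ev, ok in zip(ATTACK_CHAIN, evaluate(ATTACK_CHAIN, GUARD_LIST)):
        print("ALLOW" if ok else "BLOCK", ev)
```

Only the user-space drop and the legitimate system application are allowed; the trigger itself, the plant into system-space, the Run-key persistence and the launch of the dropped payload are all blocked, which is the point the section makes.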
Update: New Zero Day Protection Feature Called MemoryGuard Alone Kills Some Windows LNK Based Attacks
We tested the downloader mentioned above with drive-by download protection disabled (this feature prevents executable launches from user-space) and allowed the downloader to run with nothing restricting it but the MemoryGuard protection feature, currently out in beta. The result was MemoryGuard blocking the downloader’s attempts to launch code injection attacks on all available processes in the test host. Below is a screenshot:
Screenshot caption: Zero Day Protection from Advanced Code Injection Attacks
Can AppGuard Do Even More?
Yes, AppGuard users and administrators can add three executables to the ‘guard list’:
- rundll32.exe
- cmd.exe
- regsvr32.exe
With the forthcoming summer releases of AppGuard and AppGuard Enterprise, these will be guarded by default. We are doing so because attackers sometimes use these Windows facilities.
Legitimate software installations and patches use these facilities too, so one should suspend all AppGuard protections while installing or patching. Consumers need only right-click the AppGuard tray icon and select ‘suspend all’. Enterprise users should always test installs. They also have a feature for defining power applications, such as patch management or desktop configuration software, which tells AppGuard to allow those applications to do what they wish.