Windows Shell Attacks Increase

Microsoft and Siemens released tools to combat the zero-day exploits which autorun malicious code from USB drives.

Mathew J. Schwartz, Contributor

July 23, 2010


Two new attacks have emerged to exploit the recently discovered zero-day Windows Shell vulnerability. Like Stuxnet, these new attacks use specially crafted shortcut (.LNK) files to cause Windows to automatically load and execute remote code.

According to Sophos, the new malware first appeared Thursday night.

The first piece of malware is called Dulkis-A, and is "a Windows worm, written in obfuscated Visual Basic, which copies itself to any attached removable storage device," said Graham Cluley, senior technology consultant at Sophos, writing on the firm's blog. The other piece of malware is Chymine, a keylogging Trojan application "designed to steal information from infected computers," he said.

Microsoft has yet to patch the Windows Shell vulnerability, but on Tuesday, the company detailed a workaround that would prevent attacks from exploiting the bug. It also released a tool to automatically install the workaround on a computer running Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server R2. Unfortunately, the workaround disables .LNK and .PIF file functionality, which removes all icon graphics and replaces them with a plain white icon. Microsoft plans to release a patch in the future that will eliminate the vulnerability, as well as restore the icons.

How else can IT managers block the vulnerability? Sophos says that tweaking existing security policies can help. "Only allow executable files to run from certain paths, like the hard drive, and never from a USB key or other removable media. This would prevent malware that uses this exploit from running off of a USB key, remote fileshare, or device like an iPod or BlackBerry." But attacks exploiting the vulnerability are also appearing on and being spread by websites.
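The path-based rule Sophos describes, sketched as an added example (not code from Sophos, Microsoft, or this article): it audits process-start records against an allowlist of fixed-disk directories and flags anything launched from removable media or a file share. The allowed directories, drive inventory, log format, and sample events are all constructed assumptions, and the check says nothing about the web-borne attacks mentioned above.

```python
import ntpath

# Assumed policy: executables may run only from these fixed-disk directories.
ALLOWED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# Constructed drive inventory (letter -> type), as an endpoint agent might report it.
DRIVE_TYPES = {"C:": "fixed", "E:": "removable", "Z:": "network"}

def classify(image_path, drive_types=DRIVE_TYPES):
    """Return (verdict, reason) for one executable path."""
    # Normalise first so "..", "/" and mixed case cannot dodge the prefix check.
    path = ntpath.normpath(image_path)
    if path.startswith("\\\\"):
        return "block", "unc-or-device-path"
    drive, _ = ntpath.splitdrive(path)
    dtype = drive_types.get(drive.upper(), "unknown")
    if dtype != "fixed":
        return "block", dtype + "-drive"
    lowered = path.lower()
    for root in ALLOWED_ROOTS:
        prefix = root.lower()
        # Require a separator after the root: "C:\Program Files Evil" must not match.
        if lowered == prefix or lowered.startswith(prefix + "\\"):
            return "allow", "allowed-path"
    return "block", "path-not-allowlisted"

# Constructed process-start records in a hypothetical "<time> host=<h> image=<path>" format.
SAMPLE_EVENTS = [
    r"2010-07-23T09:14:02 host=WS01 image=C:\Windows\System32\notepad.exe",
    r"2010-07-23T09:15:40 host=WS01 image=E:\autorun_demo.exe",
    r"2010-07-23T09:16:11 host=WS02 image=\\fileserver\public\tool.exe",
    r"2010-07-23T09:17:05 host=WS02 image=C:\Program Files\..\Users\bob\Downloads\x.exe",
    r"2010-07-23T09:18:30 host=WS03 image=C:\Program Files Evil\app.exe",
]

def review(lines):
    """Return (time, host, image, reason) for every record the policy would block."""
    findings = []
    for line in lines:
        head, _, image = line.partition(" image=")
        ts, _, host = head.partition(" host=")
        verdict, reason = classify(image)
        if verdict == "block":
            findings.append((ts, host, image, reason))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```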

Stuxnet, which targets Siemens control systems and thus appears to be designed for industrial espionage, also continues to circulate. To help affected customers, on Thursday, Siemens released a tool developed by Trend Micro, Sysclean, to detect and remove the virus. But Siemens warned that "as each plant is individually configured, we cannot rule out the possibility that removing the virus may affect your plant in some way."

Siemens also released a security patch for its SIMATIC distributed control system that uses Microsoft's current workaround to eliminate the vulnerability, with the same side effect of eliminating all icon graphics. "Make sure that you assign meaningful names to your desktop links and those in the Windows Start menu to easily recognize them later," Siemens advised customers. The company promised to release a full patch that would restore the icons, after Microsoft released the relevant security update.

One workaround that Siemens users should avoid, however, is changing the default passwords on their control systems, warned control systems expert Joe Weiss, writing on his blog. "Microsoft wants default passwords changed -- standard IT policy -- while Siemens is telling its customers not to change the default passwords as it could cause problems," he said.

The disconnect highlights how in control environments, safety -- not security -- comes first, he said. "The IT folks do not understand why anybody would want to keep a default or hardcoded password as an emergency back door. IT in enterprises, outside of banking, simply doesn't have real-time emergencies."

About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
