W32.Flamer: Spreading Mechanism Tricks and Exploits
Flamer has the ability to spread from one computer to the next. However,
Flamer does not spread automatically; instead it waits for instructions
from the attackers. Flamer can spread using the following methods:
- Through network shares using captured credentials, including Domain Administrator
- Through the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (CVE-2010-2729), previously used by Stuxnet
- Through removable media using a specially crafted autorun.inf file, previously seen used by Stuxnet
- Through removable drives using a special directory that hides the files and can result in automatic execution on viewing the USB drive when combined with the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (CVE-2010-2568), a vulnerability previously used by Stuxnet
Most of these methods are straightforward, but the last method is
something we have not seen before and is quite interesting, as it uses
junction points.
Junction points are a feature of Windows that allow a user to create
an alias to a directory. For example, if a long path such as
C:\My\Very\Long\Directory\Path existed, a junction point could be named
C:\MyJunction that resolved to C:\My\Very\Long\Directory\Path making it
easier to access. The junction point itself is actually just a
directory, but with special attributes.
Flamer leverages junction points to hide its files and enable auto-execution.
Flamer creates a normal directory on the removable drive using a
variable name. In our example, we use 'MyDocs'. Inside the directory,
Flamer adds three files:
- itself (e.g. mssecmgr.ocx)
- desktop.ini
- target.lnk
Desktop.ini is a special configuration file recognized by
Windows that allows the user to customize the properties and behavior of
the directory. Flamer adds a ShellClassInfo section to the desktop.ini
configuration file, causing the directory to behave as a junction point. Normally, a
junction point can only be aliased to another directory. For example,
the user cannot alias a junction point to an executable file because the
user could be tricked into running an executable file instead of
opening a directory.
Flamer uses some special tricks to bypass this behavior. Three CLSID
entries are added to the ShellClassInfo section with a specially chosen
CLSID.
This CLSID will cause the 'MyDocs' directory to become a junction
point, but instead of being redirected to another directory it will
alias the junction point to a file called target.lnk, which must be inside the directory.
Now, if the user tries to open the 'MyDocs' folder using Explorer, it
will not be possible. Instead, the user will go to the directory
defined by target.lnk. This means the user cannot see the files inside 'MyDocs', such as target.lnk and Desktop.ini; more importantly, the user cannot see or access Flamer (mssecmgr.ocx) itself. Flamer has essentially hidden itself inside a junction point.
This is only half the purpose of the junction point. Now hidden,
Flamer still needs a way to have itself executed. Because a LNK file is
now being used, Flamer can take advantage of the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (CVE-2010-2568).
Using a specially crafted target.lnk file to exploit the
"Shortcut" vulnerability, Flamer now auto-executes, compromising the
computer. As soon as the removable drive is viewed, Windows will
automatically resolve the junction point to the target.lnk file. The target.lnk
file will be automatically parsed and then, through the "Shortcut"
vulnerability, automatically execute the CPlApplet export of Flamer (mssecmgr.ocx). This final step executes Flamer and allows it to compromise another computer.
- When inserting a compromised removable drive, the user sees a folder and cannot see inside
- Windows automatically opens the folder and parses the files inside
- Flamer is executed through a LNK file exploiting the "Shortcut" vulnerability
The actual folder name is configurable and in the samples we have
recovered, Flamer will use a folder name that starts with ".MSBTS" or
"~WRM3F0". The file name for Flamer itself is also configurable and in
the samples we have recovered to date will be named LSS.OCX, SYSTEM32.DAT, or NTVOLUME.DAT.
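From a defender's point of view, the traits described above are easy to look for on a mounted removable drive: a desktop.ini whose [.ShellClassInfo] section carries CLSID entries sitting beside a target.lnk, and the folder name prefixes and payload file names seen in recovered samples. The following scanner is an added example written for this article; it is not Symantec's tooling or Flamer code. The CLSID value in the constructed sample is a placeholder (the real value is not given in the text), and the target.lnk stub contains no shortcut data. It can be pointed at any directory tree, for example a mounted USB drive, on any operating system.

```python
"""Added detection example (not Symantec's code): flag directories that look
like the hidden junction-point container described in the article."""
import os
import re
import shutil
import tempfile

# Names reported in the text for recovered samples. Everything else in this
# file (folder layout, CLSID value, file contents) is a constructed assumption.
KNOWN_FOLDER_PREFIXES = (".MSBTS", "~WRM3F0")
KNOWN_PAYLOAD_NAMES = {"lss.ocx", "system32.dat", "ntvolume.dat", "mssecmgr.ocx"}
CLSID_KEY_RE = re.compile(r"^CLSID\d*\s*=", re.IGNORECASE)


def shellclassinfo_entries(ini_text):
    """Return the key=value lines of the [.ShellClassInfo] section of a desktop.ini."""
    entries, in_section = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[.shellclassinfo]"
        elif in_section and "=" in line and not line.startswith(";"):
            entries.append(line)
    return entries


def inspect_directory(dirpath, filenames):
    """Return the reasons this directory looks suspicious, or [] if it looks benign."""
    names = {n.lower(): n for n in filenames}
    reasons = []

    clsid_lines = []
    if "desktop.ini" in names:
        try:
            with open(os.path.join(dirpath, names["desktop.ini"]), encoding="utf-8", errors="replace") as fh:
                clsid_lines = [e for e in shellclassinfo_entries(fh.read()) if CLSID_KEY_RE.match(e)]
        except OSError:
            pass

    # The structural combination from the article: CLSID entries in desktop.ini
    # next to a target.lnk that the aliased directory resolves to.
    if clsid_lines and "target.lnk" in names:
        reasons.append(f"desktop.ini sets {len(clsid_lines)} CLSID entries in [.ShellClassInfo] beside target.lnk")

    payload = sorted(n for n in names if n in KNOWN_PAYLOAD_NAMES)
    if payload:
        reasons.append("payload file name from recovered samples: " + ", ".join(payload))

    base = os.path.basename(dirpath)
    if base.upper().startswith(tuple(p.upper() for p in KNOWN_FOLDER_PREFIXES)):
        reasons.append(f"folder name prefix from recovered samples: {base}")
    return reasons


def scan(root):
    """Walk root (e.g. a mounted removable drive) and map relative dir -> reasons."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        reasons = inspect_directory(dirpath, filenames)
        if reasons:
            findings[os.path.relpath(dirpath, root)] = reasons
    return findings


def _write(path, data):
    mode = "wb" if isinstance(data, bytes) else "w"
    with open(path, mode) as fh:
        fh.write(data)


def build_constructed_sample(root):
    """Lay out a constructed drive image: a container shaped like the 'MyDocs'
    example, a benign customised folder, and a folder using a sample name prefix."""
    placeholder = "{00000000-0000-0000-0000-000000000000}"  # placeholder, not the real CLSID
    bad = os.path.join(root, "MyDocs")
    os.makedirs(bad)
    # Three CLSID entries as the article describes; key names beyond CLSID are assumed.
    _write(os.path.join(bad, "desktop.ini"),
           "[.ShellClassInfo]\n" + "".join(f"CLSID{i}={placeholder}\n" for i in ("", "2", "3")))
    _write(os.path.join(bad, "target.lnk"), b"L\x00\x00\x00")  # stub bytes, not a shortcut
    _write(os.path.join(bad, "mssecmgr.ocx"), b"MZ")  # stub bytes, not a payload

    benign = os.path.join(root, "Photos")
    os.makedirs(benign)
    _write(os.path.join(benign, "desktop.ini"), "[.ShellClassInfo]\nIconResource=shell32.dll,3\n")
    _write(os.path.join(benign, "holiday.jpg"), b"\xff\xd8")

    prefixed = os.path.join(root, ".MSBTS1")
    os.makedirs(prefixed)
    _write(os.path.join(prefixed, "LSS.OCX"), b"MZ")


def scan_constructed_sample():
    """Build the constructed sample in a temp dir, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="flamer-scan-")
    try:
        build_constructed_sample(root)
        return scan(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for folder, reasons in scan_constructed_sample().items():
        print(folder)
        for r in reasons:
            print("   ", r)
```

The scanner only flags the desktop.ini on its own when target.lnk sits beside it, because a [.ShellClassInfo] section with an icon or tooltip is normal on customised folders; the sample file names and folder prefixes are reported separately so an analyst can weigh a single weak indicator against the full structural match.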
Interestingly, Flamer has two mechanisms to compromise removable
drives: using the "Shortcut" vulnerability along with a junction point,
and using autorun.inf. Similarly, Stuxnet used both the autorun.inf mechanism and the "Shortcut" vulnerability. For Stuxnet we were able to determine that older variants used autorun.inf and only later upgraded to use the "Shortcut" vulnerability. We have not yet found Flamer variants that solely used autorun.inf, but we would not be surprised if we did recover some in the future, or if Flamer added autorun.inf once the "Shortcut" vulnerability was patched.
Flamer is incredibly large and we suspect we will find more
interesting tricks and novel techniques as we continue to analyze the
threat.
Author: A L Johnson
Date: Jun 01, 2012 07:13 AM
Source: Symantec