Network World

Julie Bort

New rootkit threatens all versions of Windows

A highly dangerous zero-day rootkit is in the wild with no patches available yet.

By Microsoft Subnet on Mon, 07/19/10 - 1:13pm.

Microsoft has confirmed a new, highly dangerous zero-day vulnerability that has prompted multiple researchers to issue warnings. The exploit is a whopper on all levels.

It comes into the enterprise as hidden files on USB sticks or through shared network files. It requires no click from the user to infect the system: Windows Explorer merely rendering the icon of the crafted shortcut is enough to trigger it. It propagates itself. It installs a rootkit. It affects every Windows operating system, including fully patched Windows 7 systems. It seems to target extremely sensitive information; researchers say it appears to have been built for espionage. If all that weren't scary enough, a researcher has already published proof-of-concept code.

Anti-malware vendors are updating their software to add detection of the threat. Microsoft is among them. According to the Microsoft Malware Protection blog: "We have multiple signatures that detect this threat for customers using Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform."

We have a number of articles on Network World covering the attack. Here is a list of resources:

Ms. Smith's report on the hole and how it targets espionage (includes links to various researchers' reports)

Microsoft confirms 'nasty' Windows zero-day bug (no patch will be forthcoming for Windows 2000)

Microsoft's actual security alert and recommended workarounds.

One researcher publishes exploit, another claims Microsoft's workarounds won't work

UPDATED 0721: Microsoft is still working on the actual patch, but has made it easier for users to implement its workarounds. Most of the major anti-virus vendors are loosely claiming that their wares will detect the rootkit. Here's the word from Microsoft on how to implement the workaround to make your systems less vulnerable.

We've just updated Microsoft Security Advisory 2286198 to let customers know that we now have an automated "Fix It" available to implement the workaround we first outlined in our original posting on Friday, July 16, 2010. More information is available in the KB article 2286198, but in summary running the "Fix It" can help prevent attacks attempting to exploit this vulnerability. This workaround will disable some icons from being displayed so we recommend administrators test this before deploying it widely.

We've also updated the advisory with new information regarding possible attack vectors. Finally, we have included a new workaround that customers can implement to help protect their environments: blocking the download of LNK and PIF files (note that these files can be transferred over WebDAV, so be sure to account for this protocol if you implement this workaround).

It is not obvious at first what "new attack vectors" could add, since every Windows operating system, patched or not, is already vulnerable. Microsoft's updated description of the attack spells them out: "The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed. This vulnerability can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. An exploit can also be included in specific document types that support embedded shortcuts."
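Since the trigger is the shell reading a shortcut to draw its icon, a triage analyst wants to see what a suspect shortcut actually contains before any Explorer window gets near it. The following is an added example, not code from this article or from Microsoft: it parses the public Shell Link (MS-SHLLINK) layout (the 76-byte header, the LinkTargetIDList and the StringData section, including the icon location) and walks a mounted USB stick or share looking for shortcuts that reference a code module outside the Windows directory. The "suspicious reference" heuristic, the extension list (dll, cpl, tmp), the Windows-directory exclusion and the two sample shortcuts with their file names are my own assumptions for illustration, not a vendor signature.

```python
"""Triage parser for Windows Shell Link (.lnk) files, following the public MS-SHLLINK
layout. Added example, not code from the article or from Microsoft; the "suspicious
reference" heuristic is my own, and the sample shortcuts are constructed, not real malware."""
import os
import re
import struct

LNK_HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 (the shell link class) in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits; StringData sections appear in exactly this order when present
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_ICON_LOCATION, IS_UNICODE = 0x01, 0x02, 0x40, 0x80
STRING_ORDER = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                ("arguments", 0x20), ("icon_location", HAS_ICON_LOCATION)]
# Drive, UNC or %VAR% path naming a code module (assumed extensions: dll, cpl, tmp)
MODULE_RE = re.compile(r"(?:[A-Za-z]:\\|\\\\|%[A-Za-z_]+%\\).*?\.(?:dll|cpl|tmp)\b", re.I)
WINDOWS_DIR_RE = re.compile(r"(?:%systemroot%|%windir%|[a-z]:\\windows)\\", re.I)


def parse_lnk(data: bytes) -> dict:
    """Parse header, LinkTargetIDList and StringData; raise ValueError if malformed."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("truncated header")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    pos, items = LNK_HEADER_SIZE, []
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size, = struct.unpack_from("<H", data, pos)
        pos += 2
        end = pos + idlist_size
        if end > len(data):
            raise ValueError("IDList runs past end of file")
        while pos + 2 <= end:  # ItemIDs up to the 0x0000 TerminalID
            item_size, = struct.unpack_from("<H", data, pos)
            if item_size == 0:
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError("bad ItemID size")
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
        pos = end
    if flags & HAS_LINK_INFO:  # skip LinkInfo using its own size field
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for key, bit in STRING_ORDER:
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            strings[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return {"flags": flags, "id_list": items, "strings": strings}


def _embedded_strings(blob: bytes):
    """ItemIDs are opaque to us; pull ASCII and UTF-16LE runs out of them for inspection."""
    for m in re.findall(rb"[\x20-\x7e]{4,}", blob):
        yield m.decode("ascii")
    for m in re.findall(rb"(?:[\x20-\x7e]\x00){4,}", blob):
        yield m.decode("utf-16-le")


def suspicious_references(parsed: dict) -> list:
    """Module paths the shell may resolve while drawing the icon, outside the Windows directory."""
    texts = list(parsed["strings"].values())
    for item in parsed["id_list"]:
        texts.extend(_embedded_strings(item))
    return [m.group(0) for text in texts for m in MODULE_RE.finditer(text)
            if not WINDOWS_DIR_RE.match(m.group(0))]


def scan_tree(root: str) -> dict:
    """Walk a mounted USB stick or share (hidden files included); map .lnk path -> findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = suspicious_references(parse_lnk(fh.read()))
            except (OSError, ValueError) as err:
                hits = ["unparseable: %s" % err]
            if hits:
                report[path] = hits
    return report


def build_lnk(id_items, icon_location=None) -> bytes:
    """Assemble a minimal Unicode shell link (used only to construct the samples below)."""
    flags, body = IS_UNICODE, b""
    if id_items:
        flags |= HAS_LINK_TARGET_ID_LIST
        idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in id_items) + b"\x00\x00"
        body += struct.pack("<H", len(idlist)) + idlist
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
        body += struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    return header + b"\x00" * (LNK_HEADER_SIZE - len(header)) + body


# Constructed samples: an ordinary document shortcut, and one whose ID list carries a
# module path on a removable drive (hypothetical file name, not a real indicator).
BENIGN = build_lnk([b"\x31\x00Report.docx\x00"], r"%SystemRoot%\system32\shell32.dll")
SUSPECT = build_lnk([b"\x1f\x00" + r"E:\.trash\update.dll".encode("utf-16-le")])
```

Run scan_tree against the mount point of the suspect stick from a non-Windows analysis host, or at least from a command prompt rather than an Explorer window, because the whole point of the bug is that Explorer listing the folder is enough to fire the exploit. The heuristic is deliberately narrow (ordinary shortcuts routinely borrow icons from shell32.dll under the Windows directory, which is why that location is excluded) and should be read as a list of shortcuts worth opening in a hex editor, not as a verdict.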
