A lot is being discussed and written about the latest StuxNet worm/virus/trojan/rootkit. After analyzing the StuxNet samples and taking a closer look at the .LNK files, I realized that a lot of misconceptions are doing the rounds on the internet. Many security news websites have simply copied the contents of blogs and added their own conclusions, not all of which are true.
Some of the misconceptions about the latest CVE-2010-2568-based attack by StuxNet:
Myth 1: Many articles call this a zero-day vulnerability in the Windows Shell; some call it a vulnerability in the .LNK file format, and so on.
Fact: There is no buffer overflow or any other memory corruption involved, so this is nothing like a classic exploit. The problem is in how the Windows Shell handles .LNK files: when Explorer draws the icon of a shortcut that points at a Control Panel item, it loads the module referenced inside the shortcut to fetch the icon, so a crafted shortcut gets its code loaded the moment the folder is displayed, without a click. It is a logic flaw in a feature, much like Autorun, another feature that malware authors now widely abuse to spread. Calling it "not a vulnerability" goes too far, though: Microsoft tracks it as CVE-2010-2568 and changed the icon-loading behaviour in security bulletin MS10-046 (August 2010), so the .LNK format itself is not the flaw, the shell's handling of it is.
Myth 2: The malware/worm will not work on all pen drives; it needs the OllyDbg debugger to start the code, or the .LNK file must be modified to make it work.
Fact: The worm works on any pen drive it infects, and it needs neither a modified .LNK file nor a debugger to start. When it infects a pen drive, the worm drops a .LNK file that is unique to that drive (the shortcut refers to the dropped payload by a path that is specific to the device). So if a researcher or user copies those files as they are onto another pen drive, of course they will not execute automatically there. The important point is that a pen drive infected by the worm (carrying the .LNK and the other files the worm dropped on it) will infect other PCs successfully if that same pen drive is plugged into them and the removable drive is opened in Explorer. In other words, the attack vector works without any modification, provided the drive was infected by the worm itself and not by manually copying the malware files onto it.
Myth 3: The attack vector works only on USB/pen drives.
Fact: If the specially crafted .LNK file is dropped on a network share together with the relevant files in the same location, it still works. The malware executes automatically as soon as you open that network share, or indeed any folder (local or shared) containing such a shortcut, in Explorer. The flaw is in the handling of .LNK files, so the shortcut can come from any location: removable drives (pen/USB drives), local drives and folders, or shared drives and folders.
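To make Myth 1 and Myth 3 concrete, here is an added example (not Quick Heal's code, and not Microsoft's): a small Python inspector that parses the ShellLinkHeader and LinkTargetIDList of a .LNK file and flags shortcuts in which a Control Panel folder item (CLSID {21EC2020-3AEA-1069-A2DD-08002B30309D}) is followed by a path to a module that lives outside the Windows directory or on a raw device path, since that reference is what the shell resolves when it draws the icon. Because the check only reads file bytes, it runs identically over a pen drive, a local folder or a mapped share. The sample shortcuts are constructed inline with simplified item layouts, and the module extension list and trusted-directory prefix are assumptions to tune for your environment; treat it as a triage heuristic, not a signature.

```python
"""Inspect .LNK (MS-SHLLINK) files for a Control Panel item that points at a
module outside the Windows directory.  Added example, not Quick Heal's or
Microsoft's code; the sample shortcuts below are constructed and simplified."""
import os, re, struct, tempfile, uuid

HEADER_SIZE = 0x4C                                   # fixed ShellLinkHeader size
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x1                        # LinkFlags bit 0
MODULE_EXTS = (".dll", ".cpl")                       # heuristic knobs (assumptions)
TRUSTED_PREFIXES = ("c:\\windows\\",)

def parse_idlist(data: bytes) -> list:
    """Split a LinkTargetIDList into ItemID payloads, stopping at TerminalID."""
    (id_list_size,) = struct.unpack_from("<H", data, 0)
    items, pos, end = [], 2, 2 + id_list_size
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:                           # TerminalID ends the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items

def extract_strings(blob: bytes) -> list:
    """Printable ASCII and UTF-16LE runs of 4+ characters inside an item."""
    narrow = [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{4,}", blob)]
    wide = [m.group().decode("utf-16-le")
            for m in re.finditer(rb"(?:[\x20-\x7e]\x00){4,}", blob)]
    return narrow + wide

def find_cpl_target(lnk: bytes):
    """Path of the module named after a Control Panel item, or None."""
    if len(lnk) < HEADER_SIZE:
        raise ValueError("shorter than ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", lnk, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return None                                  # nothing for the icon handler to resolve
    in_control_panel = False
    for item in parse_idlist(lnk[HEADER_SIZE:]):
        if CONTROL_PANEL_CLSID in item:
            in_control_panel = True
            continue
        if in_control_panel:
            for text in extract_strings(item):
                if text.lower().endswith(MODULE_EXTS):
                    return text
    return None

def is_suspicious(lnk: bytes) -> bool:
    """Flag raw device paths and modules outside the trusted directories."""
    target = find_cpl_target(lnk)
    if target is None:
        return False
    low = target.lower()
    return low.startswith("\\\\.\\") or not low.startswith(TRUSTED_PREFIXES)

def scan_directory(root: str) -> list:
    """Walk any folder (local, removable or mapped share) for suspicious .lnk files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    if is_suspicious(fh.read()):
                        hits.append(full)
            except (OSError, ValueError, struct.error):
                continue                             # unreadable or malformed: skip
    return hits

# Constructed samples: item layouts are simplified stand-ins, only the path matters.
def build_lnk(items: list) -> bytes:
    """Minimal shell link: 76-byte header + LinkTargetIDList, no other sections."""
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID,
                         HAS_LINK_TARGET_ID_LIST, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body

def sample_links() -> dict:
    cpanel = b"\x1f\x00" + CONTROL_PANEL_CLSID        # Control Panel folder item
    def module(path: str) -> bytes:                  # item carrying a UTF-16LE path
        return b"\x00\x00" + path.encode("utf-16-le") + b"\x00\x00"
    return {
        "benign": build_lnk([cpanel, module(r"C:\Windows\System32\timedate.cpl")]),
        "removable": build_lnk([cpanel, module(r"\\.\STORAGE#Volume#EXAMPLE-REMOVABLE#\payload.dll")]),
        "plain": build_lnk([b"\x1f\x50"]),            # no Control Panel item at all
    }

def demo() -> list:
    """Write the samples to a temp folder, scan it, return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in sample_links().items():
            with open(os.path.join(tmp, name + ".lnk"), "wb") as fh:
                fh.write(blob)
        return sorted(os.path.basename(p) for p in scan_directory(tmp))

if __name__ == "__main__":
    print("flagged:", demo())                        # flagged: ['removable.lnk']
```

Point `scan_directory` at a drive root or a mounted share to triage it; the benign sample (a shortcut to a Control Panel applet under the Windows directory) is not flagged, while the one referencing a module through a device path is. Real Control Panel items carry more fields than the stand-in used here, so extend `extract_strings` if the shortcuts you meet store the path differently.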
Myth 4: Disabling the AutoPlay or AutoRun feature of Windows will prevent such malware from executing from an infected pen drive.
Fact: Disabling AutoPlay or AutoRun will not prevent the malware from executing automatically from the pen drive, because the shortcut is triggered when Explorer renders its icon, not by autorun.inf. You can still get infected simply by inserting the infected pen drive and opening the drive in Explorer, and it is common practice for users to open a pen drive in Explorer to browse its contents and copy, paste or view files. So even with AutoPlay off, simply opening the infected pen drive in Explorer will infect your PC. Keep AutoRun disabled anyway, but what actually blocks this vector is the MS10-046 update or, until it is applied, the workaround from Microsoft's advisory of disabling icon display for shortcut files (blanking the default value of HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler and restarting Explorer).
Myth 5: The StuxNet malware possibly originated in India.
Fact: A researcher in Russia (working for a reputed AV company there) feels, and has put forward the theory, that the StuxNet malware originated in India (link to the blog). India being a world leader in outsourced programming, and the high number of infections detected in India, do not at all mean that the malware originated in India. I will not comment on where the malware must have originated, as we can conclude about its origin only after a proper investigation and looking at the forensic facts. I recommend that the Russian researchers work on facts instead of vague theories and leave the prediction job to Paul the octopus.
I hope this helps to clear the cloud of confusion. Quick Heal users need not fear or be confused: Quick Heal (with the latest updates) successfully protects against the StuxNet worm and even new malware using a similar technique, and automatically removes the malicious .LNK files from all locations.