W32.Flamer: Spreading Mechanism Tricks and Exploits
Flamer is able to spread from one computer to the next, but it does not do so automatically: it waits for instructions from the attackers. Flamer can spread using the following methods:
- Through network shares using captured credentials, including Domain Administrator
- Through the Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (CVE-2010-2729), previously used by Stuxnet
- Through removable media using a specially crafted autorun.inf file, previously seen used by Stuxnet
- Through removable drives using a special directory that hides Flamer's files and, when combined with the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (CVE-2010-2568), also previously used by Stuxnet, results in automatic execution as soon as the USB drive is viewed
Most of these methods are straightforward, but the last one is something we have not seen before and is quite interesting, as it uses junction points.
Junction points are a Windows feature that lets a user create an alias for a directory. For example, if a long path such as C:\My\Very\Long\Directory\Path existed, a junction point named C:\MyJunction could be created that resolves to C:\My\Very\Long\Directory\Path, making it easier to access. The junction point itself is just a directory with special attributes. The kind of junction point discussed here is a shell namespace junction: a directory that Windows Explorer hands over to a shell handler because of the desktop.ini it contains, and Explorer only honours a desktop.ini when the directory carries the read-only or system attribute. This is distinct from an NTFS directory junction created with mklink /J, which the file system itself resolves.
Flamer leverages junction points to hide its files and enable auto-execution.
Flamer creates a normal directory on the removable drive using a variable name. In our example, we use 'MyDocs'. Inside the directory, Flamer adds three files:
- itself (e.g. mssecmgr.ocx)
- desktop.ini
- target.lnk
Desktop.ini is a configuration file that Windows recognizes; it lets the user customize the properties and behavior of the directory that contains it. Flamer adds a ShellClassInfo section to desktop.ini that causes the directory to behave as a junction point. Normally, a junction point can only alias another directory; for example, the user cannot alias a junction point to an executable file, because a user who thinks they are opening a directory could then be tricked into running a program.
Flamer uses a trick to bypass this restriction. Three CLSID entries, all set to a specially chosen CLSID, are added to the ShellClassInfo section.
That CLSID turns the 'MyDocs' directory into a junction point, but instead of redirecting to another directory, the shell resolves the junction through a file called target.lnk, which must be inside the directory.
Now, if the user tries to open the 'MyDocs' folder in Explorer, Explorer will not show its contents. Instead, the user is taken to the directory that target.lnk points at. The user therefore cannot see the files inside 'MyDocs', such as target.lnk and desktop.ini, and more importantly cannot see or access Flamer (mssecmgr.ocx) itself. Flamer has essentially hidden itself inside a junction point. The redirection is performed by the shell, not the file system: a command-prompt dir, a forensic image or any tool that uses the plain file APIs still lists all three files, which is how the directory's contents can be examined without going through Explorer.
This is only half the purpose of the junction point. Now hidden, Flamer still needs a way to have itself executed. Because a LNK file is now being used, Flamer can take advantage of the Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (CVE-2010-2568).
Using a specially crafted target.lnk file that exploits the "Shortcut" vulnerability, Flamer auto-executes and compromises the computer. As soon as the removable drive is viewed, Windows resolves the junction point to target.lnk, parses the shortcut automatically and, through the "Shortcut" vulnerability, loads Flamer (mssecmgr.ocx) as a Control Panel item and calls its CPlApplet export. This final step runs Flamer and allows it to compromise another computer. In summary:
- When a compromised removable drive is inserted, the user sees a folder but cannot see inside it
- Windows automatically opens the folder and parses the files inside
- Flamer is executed through a LNK file exploiting the "Shortcut" vulnerability
The folder name is configurable; in the samples we have recovered, Flamer uses a folder name that starts with ".MSBTS" or "~WRM3F0". The file name of Flamer itself is also configurable, and in the samples recovered to date it is LSS.OCX, SYSTEM32.DAT or NTVOLUME.DAT. Interestingly, Flamer has two mechanisms for compromising removable drives: the "Shortcut" vulnerability combined with a junction point, and autorun.inf. Stuxnet likewise used both; for Stuxnet we were able to determine that older variants used autorun.inf and only later variants moved to the "Shortcut" vulnerability. We have not yet found Flamer variants that rely solely on autorun.inf, but we would not be surprised to recover some in the future, or to find that Flamer added autorun.inf once the "Shortcut" vulnerability was patched.
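The hidden directory described above can be found without trusting Explorer, because only the shell performs the redirection. The following scanner is an added example written for this page; it is not Symantec's analysis tooling and contains nothing from Flamer. It walks a mounted drive with plain file APIs, parses each desktop.ini, and reports any directory whose ShellClassInfo section carries CLSID entries together with a target.lnk, listing the files Explorer would hide and noting which of them start with an MZ header (an executable regardless of its .DAT or .OCX name). Two assumptions are not stated on the page: that the three entries are the CLSID, CLSID2 and CLSID3 keys, and that the value to look for is the standard Windows "Folder Shortcut" handler {0AFACED1-E828-11D1-9187-B532F1E9575D}; any CLSID entry plus a target.lnk is reported regardless. The folder-name and file-name indicators are the ones listed for recovered samples, and the sample drive the demo builds is constructed, not real malware.

```python
import os
import shutil
import tempfile

# Assumption: the page does not name the CLSID Flamer writes. This is the standard
# Windows "Folder Shortcut" handler, which sends Explorer to the target.lnk inside
# the folder; any CLSID entry combined with a target.lnk is still reported below.
FOLDER_SHORTCUT_CLSID = "{0AFACED1-E828-11D1-9187-B532F1E9575D}"
# Folder and file names the page lists for recovered samples.
KNOWN_DIR_PREFIXES = (".MSBTS", "~WRM3F0")
KNOWN_PAYLOAD_NAMES = {"LSS.OCX", "SYSTEM32.DAT", "NTVOLUME.DAT"}
# MS-SHLLINK ShellLinkHeader: HeaderSize 0x4C then LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")

def parse_desktop_ini(raw):
    """Minimal INI parser -> {section.lower(): {key.lower(): value}}.
    desktop.ini is often UTF-16 with a BOM and its keys are case-insensitive."""
    bom16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16" if bom16 else "utf-8", errors="replace")
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def _starts_with(path, magic):
    try:
        with open(path, "rb") as fh:
            return fh.read(len(magic)) == magic
    except OSError:
        return False

def inspect_dir(dirpath):
    """Return a finding dict if dirpath is a desktop.ini shell junction, else None."""
    names = {n.lower(): n for n in os.listdir(dirpath)}
    if "desktop.ini" not in names:
        return None
    with open(os.path.join(dirpath, names["desktop.ini"]), "rb") as fh:
        info = parse_desktop_ini(fh.read()).get(".shellclassinfo", {})
    clsids = {k: v for k, v in info.items() if k.startswith("clsid")}
    if not clsids:
        return None  # icon or tooltip customisation only, not a junction
    target = names.get("target.lnk")
    hidden = sorted(n for n in names.values() if n.lower() not in ("desktop.ini", "target.lnk"))
    return {
        "dir": dirpath,
        "clsids": clsids,
        "folder_shortcut": any(v.upper() == FOLDER_SHORTCUT_CLSID for v in clsids.values()),
        "target_lnk": target is not None and _starts_with(os.path.join(dirpath, target), LNK_HEADER),
        "hidden_files": hidden,
        # an MZ header under a .DAT or .OCX name is a Windows executable whatever it is called
        "pe_files": [n for n in hidden if _starts_with(os.path.join(dirpath, n), b"MZ")],
        "dir_name_hit": os.path.basename(dirpath).upper().startswith(KNOWN_DIR_PREFIXES),
        "payload_name_hits": [n for n in hidden if n.upper() in KNOWN_PAYLOAD_NAMES],
    }

def scan(root):
    """Walk root (e.g. a mounted removable drive) with plain file APIs, so the
    shell never gets to redirect the folder, and collect every junction finding."""
    return [f for d, _, _ in os.walk(root) for f in [inspect_dir(d)] if f]

def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def build_sample_drive(root):
    """Constructed layout mirroring the description above (no real Flamer files):
    a junction folder plus a benign folder whose desktop.ini only sets an icon."""
    junction = os.path.join(root, "~WRM3F0")
    os.makedirs(junction)
    ini = "[.ShellClassInfo]\r\n" + "".join(
        f"{k}={FOLDER_SHORTCUT_CLSID}\r\n" for k in ("CLSID", "CLSID2", "CLSID3"))
    _write(os.path.join(junction, "desktop.ini"), b"\xff\xfe" + ini.encode("utf-16-le"))
    _write(os.path.join(junction, "target.lnk"), LNK_HEADER + b"\x00" * 56)  # header only
    _write(os.path.join(junction, "NTVOLUME.DAT"), b"MZ" + b"\x00" * 62)     # DOS stub only
    benign = os.path.join(root, "Photos")
    os.makedirs(benign)
    _write(os.path.join(benign, "desktop.ini"), b"[.ShellClassInfo]\r\nIconResource=shell32.dll,3\r\n")

def demo():
    root = tempfile.mkdtemp(prefix="usb_")
    try:
        build_sample_drive(root)
        return scan(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['dir']}: hidden={f['hidden_files']} pe={f['pe_files']} "
              f"target.lnk={f['target_lnk']} folder_shortcut={f['folder_shortcut']}")
```

On a real drive call scan() on its root (for example scan("E:\\") on Windows or the mount point on Linux); os.walk does not follow links, and nothing in the scanner parses the shortcut beyond its fixed header, so a crafted target.lnk is never handed to the shell. A hit with folder_shortcut, target_lnk and a non-empty pe_files list is the exact shape described above; a directory that only sets an icon or tooltip is deliberately not reported.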
Flamer is incredibly large and we suspect we will find more interesting tricks and novel techniques as we continue to analyze the threat.