New zero-day flaw hitting Windows users

15 July 2010

Hard on the heels of a raft of WinXP patches and updates on Tuesday of this week, it seems that a nasty USB-based zero-day flaw is hitting users of the popular operating system.

A number of security researchers have reported that this latest exploit piggybacks on USB storage devices and taps a previously unknown security vulnerability in the way Microsoft Windows processes shortcut files.

According to the VirusBlokAda security portal, USB-borne malware is extremely common, and most malware that piggybacks on USB and other removable drives has previously taken advantage of the Windows Autorun or Autoplay feature.

But this latest exploit, notes the security portal, is unusual in its modus operandi, since shortcut files are normally found on the user's desktop or Start menu rather than on a removable drive.

Commenting on the exploit, fellow IT security researcher Brian Krebs says that, ideally, a shortcut doesn't do anything until a user clicks on its icon.

But, he says, researchers have found that these malicious shortcut files "are capable of executing automatically if they are written to a USB drive that is later accessed by Windows Explorer".

Sergey Ulasen, an anti-virus expert with VirusBlokAda, says that this means you simply have to open an infected USB storage device using Explorer or any other file manager – "which can display icons to infect your operating system and allow execution of the malware".
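The mechanism described above turns on Explorer reading a shortcut's contents, including its icon source, just to draw it in a folder view, before the user clicks anything. The following is an added example (not code from the article, from VirusBlokAda, or from any of the researchers quoted) that parses the parts of a Windows shortcut file Explorer consults for that purpose and applies a constructed triage heuristic to shortcuts found on a removable drive. It uses the public Shell Link (.lnk) layout: a fixed 76-byte header, an optional target ID list, an optional LinkInfo block carrying the target's local path, and optional string fields such as the icon location. The sample shortcut bytes, the drive letter `E:`, the file name `example_payload.dll` and the heuristic rules are all assumptions of this example, not details from the page.

```python
"""Minimal Shell Link (.lnk) parser and triage helper for removable media.
Added example, not the article's or VirusBlokAda's code.  Layout follows the
public MS-SHLLINK format: ShellLinkHeader (76 bytes), optional LinkTargetIDList,
optional LinkInfo, then optional StringData (name, relative path, working dir,
arguments, icon location)."""
import struct
from pathlib import Path

HEADER_SIZE = 0x4C
# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# ShellLinkHeader.LinkFlags bits
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def parse_lnk(data: bytes) -> dict:
    """Return the fields Explorer reads when it renders a shortcut in a folder view."""
    info = {"valid": False, "local_base_path": None}
    info.update({name: None for name, _ in STRING_FIELDS})
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        return info
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info.update(valid=True, flags=flags)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the item ID list: size prefix, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:                      # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            start = pos + base_off
            info["local_base_path"] = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += size
    for name, bit in STRING_FIELDS:              # StringData: 2-byte char count, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            info[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return info


def triage(info: dict, removable_root: str) -> list:
    """Constructed heuristics (an assumption of this example, not a vendor rule):
    a shortcut on a removable drive that points back at that drive, or whose
    icon is served by a DLL outside the Windows directory, deserves review
    before the drive is browsed on a production host."""
    if not info["valid"]:
        return ["not a Shell Link file"]
    root = removable_root.rstrip("\\").lower() + "\\"
    target = (info["local_base_path"] or "").lower()
    icon = (info["icon_location"] or "").lower()
    findings = []
    if target.startswith(root):
        findings.append("target resolves onto the removable volume itself")
    if icon.startswith(root):
        findings.append("icon resource lives on the removable volume")
    if icon.endswith(".dll") and "\\windows\\" not in icon and "%systemroot%" not in icon:
        findings.append("icon is loaded from a DLL outside the Windows directory")
    return findings


def scan_removable(root: str) -> dict:
    """Map every .lnk under `root` to its findings (empty list means nothing odd)."""
    return {str(p): triage(parse_lnk(p.read_bytes()), root) for p in Path(root).rglob("*.lnk")}


def build_lnk(local_base_path: str, icon_location: str) -> bytes:
    """Assemble a minimal, constructed .lnk for offline testing: header, LinkInfo
    with a local base path, and an IconLocation string.  The VolumeID structure a
    real file carries is omitted for brevity; parse_lnk does not read it."""
    flags = HAS_LINK_INFO | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags).ljust(HEADER_SIZE, b"\x00")
    base = local_base_path.encode("latin-1") + b"\x00"
    suffix = b"\x00"                              # empty CommonPathSuffix
    hdr_size = 0x1C
    link_info = struct.pack("<IIIIIII", hdr_size + len(base) + len(suffix), hdr_size,
                            0x1, 0, hdr_size, 0, hdr_size + len(base)) + base + suffix
    icon = icon_location.encode("utf-16-le")
    return header + link_info + struct.pack("<H", len(icon_location)) + icon


if __name__ == "__main__":
    # Constructed sample: a shortcut on a USB stick whose target and icon both
    # point back at a DLL on the same stick (placeholder name, not a real IoC).
    sample = build_lnk("E:\\example_payload.dll", "E:\\example_payload.dll")
    for finding in triage(parse_lnk(sample), "E:"):
        print("review:", finding)
```

Run `scan_removable("E:")` (or whatever letter the stick mounted as) from a host where the drive has been attached with Autorun disabled and the folder not yet opened in Explorer, since the point of the article is that browsing the folder is itself the trigger. The heuristics are deliberately coarse: legitimate shortcuts do pull icons from DLLs, so treat a finding as a prompt for a closer look at the file, not as a verdict.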

What's interesting about the malware is that it reportedly installs two drivers: 'mrxnet.sys' and 'mrxcls.sys'.

These so-called 'rootkit' files, says Ulasen, are used to hide the malware itself so that it remains invisible on the USB storage device.

According to Brian Krebs, if this truly is a new vulnerability in Windows, it could soon become a popular method for spreading malware. "But for now, this threat seems fairly targeted: Independent security researcher Frank Boldewin said he had an opportunity to dissect the malware samples, and observed that they appeared to be looking for Siemens WinCC SCADA systems, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants", he noted.

Supervisory Control and Data Acquisition (SCADA) systems, Infosecurity notes, are often used for protecting critical national infrastructure platforms such as energy and telecommunications grids.

These systems are usually based around an embedded and robust version of Windows, which makes them resilient against most malware, but this attack vector could theoretically infect a SCADA system, which is what makes the malware particularly nasty.

Boldewin, meanwhile, is reported to have said that it looks like this malware was made for espionage.
