New zero-day flaw hitting Windows users

A number of security researchers have reported that this latest exploit piggybacks on USB storage devices and taps a previously unknown vulnerability in the way Microsoft Windows processes shortcut (.lnk) files.

According to the Virusblokada security portal, USB-borne malware is extremely common, and most malware that piggybacks on USB and other removable drives has previously taken advantage of the Windows Autorun or Autoplay feature.

But this latest exploit, the security portal notes, is unusual in its modus operandi: it abuses shortcut files, which normally live on the user's desktop or Start menu rather than on removable media.

Commenting on the exploit, security journalist Brian Krebs says that, in the normal case, a shortcut does nothing until a user clicks on its icon.

But, he says, researchers have found that these malicious shortcut files "are capable of executing automatically if they are written to a USB drive that is later accessed by Windows Explorer".

Sergey Ulasen, an anti-virus expert with Virusblokada, says this means that you simply have to open an infected USB storage device using Explorer or any other file manager – "which can display icons to infect your operating system and allow execution of the malware". No click on the shortcut is required; rendering its icon is enough.
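Because the shortcut fires as soon as a file manager renders its icon, a practitioner cannot triage a suspect drive by browsing it in Explorer. The following is an added example, not code from the article or from any of the researchers it quotes: it parses the ShellLinkHeader, LinkInfo and StringData sections of a Windows shortcut as laid out in Microsoft's MS-SHLLINK specification and applies a few heuristics of my own (the "points back at code on the same drive" and "ID list only" checks are assumptions, not a published signature) to flag shortcuts on a removable drive that deserve a closer look. The sample shortcuts are constructed in the script itself so it runs offline; `payload.dll` and the drive letter `E:` are placeholders.

```python
"""Triage .lnk shortcut files found on a removable drive (added example; heuristics are assumptions)."""
import struct
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# ShellLinkHeader constants from MS-SHLLINK section 2.1.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}, little-endian
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO, FLAG_HAS_NAME, FLAG_HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
FLAG_HAS_WORKDIR, FLAG_HAS_ARGS, FLAG_HAS_ICON, FLAG_IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LINKINFO_HAS_LOCAL_PATH = 0x01  # LinkInfoFlags.VolumeIDAndLocalBasePath

# Extensions Windows will load as code. Treating a reference to such a file *on the
# removable drive itself* as suspicious is this example's own heuristic.
CODE_EXTENSIONS = {"EXE", "DLL", "SYS", "CPL", "SCR", "COM"}


@dataclass
class LnkSummary:
    flags: int
    local_base_path: Optional[str]   # from LinkInfo
    relative_path: Optional[str]     # from StringData
    working_dir: Optional[str]
    arguments: Optional[str]
    icon_location: Optional[str]

    @property
    def has_idlist(self) -> bool:
        return bool(self.flags & FLAG_HAS_IDLIST)


def parse_lnk(data: bytes) -> LnkSummary:
    """Walk header -> LinkTargetIDList -> LinkInfo -> StringData in spec order."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("missing ShellLinkHeader signature")
    pos = LNK_HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:  # IDListSize (2 bytes) followed by ItemIDs and a TerminalID
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    local_base_path = None
    if flags & FLAG_HAS_LINKINFO:
        li_size, _hdr_size, li_flags, _vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & LINKINFO_HAS_LOCAL_PATH:  # NUL-terminated ANSI string, offset relative to LinkInfo
            start = pos + base_off
            local_base_path = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += li_size
    unicode = bool(flags & FLAG_IS_UNICODE)

    def read_string(present: int) -> Optional[str]:
        """StringData entry: CountCharacters (2 bytes) then characters, not NUL-terminated."""
        nonlocal pos
        if not present:
            return None
        count = struct.unpack_from("<H", data, pos)[0]
        nbytes = count * 2 if unicode else count
        raw = data[pos + 2:pos + 2 + nbytes]
        pos += 2 + nbytes
        return raw.decode("utf-16-le" if unicode else "latin-1")

    read_string(flags & FLAG_HAS_NAME)  # NAME_STRING comes first; not needed for triage
    relative_path = read_string(flags & FLAG_HAS_RELPATH)
    working_dir = read_string(flags & FLAG_HAS_WORKDIR)
    arguments = read_string(flags & FLAG_HAS_ARGS)
    icon_location = read_string(flags & FLAG_HAS_ICON)
    return LnkSummary(flags, local_base_path, relative_path, working_dir, arguments, icon_location)


def triage(summary: LnkSummary, drive: str) -> List[str]:
    """Reasons a shortcut found on `drive` (e.g. "E:") deserves a manual look (heuristic, assumed)."""
    reasons = []
    drive = drive.rstrip("\\").upper()
    for label, path in (("target", summary.local_base_path), ("relative target", summary.relative_path),
                        ("icon", summary.icon_location)):
        if not path:
            continue
        upper = path.upper()
        ext = upper.rsplit(".", 1)[-1] if "." in upper else ""
        on_this_drive = upper.startswith(drive) or upper.startswith((".\\", "..\\")) or "\\" not in upper
        if on_this_drive and ext in CODE_EXTENSIONS:
            reasons.append(f"{label} is code on the removable drive itself: {path}")
    if summary.has_idlist and not (summary.local_base_path or summary.relative_path):
        reasons.append("target is carried only as an ID list, with no path strings to inspect")
    return reasons


def scan_drive(root: str) -> Dict[str, List[str]]:
    """Read every .lnk under a mounted drive root such as "E:\\" without rendering any icons."""
    findings = {}
    for lnk in Path(root).rglob("*.lnk"):
        try:
            reasons = triage(parse_lnk(lnk.read_bytes()), root[:2])
        except ValueError as exc:
            reasons = [f"unparseable shortcut: {exc}"]
        if reasons:
            findings[str(lnk)] = reasons
    return findings


def build_lnk(local_base_path=None, relative_path=None, icon_location=None, idlist=None) -> bytes:
    """Assemble a minimal shortcut for testing. Constructed data, not a real malware sample."""
    flags, body = FLAG_IS_UNICODE, b""
    if idlist is not None:
        flags |= FLAG_HAS_IDLIST
        body += struct.pack("<H", len(idlist) + 2) + idlist + b"\x00\x00"  # IDListSize includes TerminalID
    if local_base_path is not None:
        flags |= FLAG_HAS_LINKINFO
        volume_id = struct.pack("<4I", 0x11, 2, 0x1234ABCD, 0x10) + b"\x00"  # DRIVE_REMOVABLE, empty label
        base = local_base_path.encode("latin-1") + b"\x00"
        vol_off = 0x1C; base_off = vol_off + len(volume_id); suffix_off = base_off + len(base)
        body += struct.pack("<7I", suffix_off + 1, 0x1C, LINKINFO_HAS_LOCAL_PATH, vol_off, base_off, 0, suffix_off)
        body += volume_id + base + b"\x00"
    for bit, text in ((FLAG_HAS_RELPATH, relative_path), (FLAG_HAS_ICON, icon_location)):  # spec order
        if text is not None:
            flags |= bit
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body


SAMPLES = {  # constructed shortcuts for the demo; names are placeholders
    "benign": build_lnk(local_base_path="C:\\Windows\\System32\\notepad.exe",
                        icon_location="%SystemRoot%\\system32\\notepad.exe"),
    "dropper": build_lnk(relative_path=".\\payload.dll", icon_location="E:\\payload.dll"),
    "idlist_only": build_lnk(idlist=b"\x04\x00\x1f\x00"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, triage(parse_lnk(blob), "E:"))
```

Run `scan_drive` from a non-Windows triage host, or at least from a shell rather than a file manager, with the stick mounted read-only: the script only reads bytes and never asks the shell to resolve icons, which is the step the researchers above identify as the trigger. Expect false positives from the ID-list check, since shortcuts to Control Panel items and virtual folders legitimately carry no path strings.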

What's interesting about the malware is that it reportedly installs two drivers: 'mrxnet.sys' and 'mrxcls.sys'.

These two kernel-mode drivers act as a rootkit, says Ulasen: they hide the malware's own files so that it remains invisible on the USB storage device.

According to Brian Krebs, if this truly is a new vulnerability in Windows, it could soon become a popular method for spreading malware. "But for now, this threat seems fairly targeted: Independent security researcher Frank Boldewin said he had an opportunity to dissect the malware samples, and observed that they appeared to be looking for Siemens WinCC SCADA systems, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants", he noted.

Supervisory Control and Data Acquisition (SCADA) systems, Infosecurity notes, are used to monitor and control critical national infrastructure such as energy and telecommunications grids.

These systems usually run on locked-down Windows installations that are kept off the internet, which keeps most network-borne malware out. A removable-media vector needs no network path, however, so this exploit could in principle reach an isolated SCADA host carried in on a USB stick, which is what makes the malware particularly nasty.

Boldewin, meanwhile, is reported to have said that it looks like this malware was made for espionage.
