Network Security, Vulnerability Management

Flaw uses USB devices as vector to steal data

Story updated on Tuesday, July 20 at 11:47 a.m. EST

A sophisticated exploit, using removable media as a vector and created for corporate espionage, is taking advantage of a newly disclosed, zero-day vulnerability that impacts nearly all Windows users.

Microsoft disclosed the vulnerability on Friday with the release of a security advisory, which warned that the bug "exists because Windows incorrectly parses shortcuts [.lnk files, which are represented by an icon] in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut [file]."

Experts, though, disagree whether a user needs to take any action to be infected.

The flaw permits a malicious .lnk file installed on a USB device to run a Dynamic Link Library (DLL), and a machine can be infected simply by a user viewing the icon, according to F-Secure. This means that disabling functionality such as AutoRun and AutoPlay would not stop the threat.

The malware on the USB devices installs two drivers, which serve as rootkits that hide the actual malware, making it nearly impossible to detect, according to Symantec.

The vulnerability, present in Windows Shell, is being exploited through the use of removable media that contains the Stuxnet malware, Dave Forstrom, director of marketing communications for integrated communications and response, said in a blog post.

Microsoft is aware of "limited, targeted attacks" trying to take advantage of the flaw. In its advisory, Microsoft suggests as a workaround that organizations disable the displaying of icons for shortcuts.

According to Symantec, the exploit has been customized to connect to the databases of supervisory control and data acquisition (SCADA) systems, used to manage operations at places such as power plants and gas and oil refineries, to obtain data. Machines based in India and Indonesia so far are the hardest hit.

Major manufacturer Siemens has warned customers about the threat.

RE: SC Magazine story

"Siemens was notified about the malware program...that is targeting the Siemens software Simatic WinCC and PCS 7 on July 14," said a statement. "The company immediately assembled a team of experts to evaluate the situation and is working with Microsoft and the distributors of virus scan programs to analyze the likely consequences and the exact mode of operation of  the virus."

The threat is particularly concerning because it not only affects Windows Server 2003, XP SP 3, Vista and 7 but also the widely deployed XP SP 2, which Microsoft ended patch support for on July 13.

"Unfortunately, the hackers are having a retirement party for Windows Service Pack 2 and didn't invite the defenders," Paul Henry, security and forensic analyst at endpoint protection company Lumension, told SCMagazineUS.com on Monday. "A large number of those people [running XP SP 2] happen to be critical infrastructure providers."

Henry said he expects attackers to continue their assaults on XP SP 2 vulnerabilities. With this particular flaw, organizations must make efforts to institute controls around removable media usage.

"We've been telling people for years that you need to get control of your removable media before it gets control of you," Henry said. "We really think people need to be aware of the vector itself."

McAfee recommends Windows users only connect trusted removable media to their computers.

"Also, users should not download or click on shortcut files (.lnk files) that are hosted on the network shares, web or sent in email," the company said. "Network administrators should block downloads of shortcut files."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.