Windows systems at risk from Stuxnet shortcut malware

Summary:Microsoft is investigating spy malware that launches from a USB stick without a user's click and that is infecting critical infrastructure systems in Iran, India and other countries

Microsoft is looking into a family of malware that is using a Windows flaw to infiltrate critical infrastructure and other systems in a number of countries.

The malware, which has been labelled 'Stuxnet' by security researchers, has been seen in the wild in India, Iran, the US and Indonesia, Microsoft said in a blog post on Friday. One of the attack vectors Stuxnet uses is via USB stick. The malware requires no user interaction to infect the system. The operating system merely rendering an icon launches the malware.

"What is unique about Stuxnet is that it utilises a new method of propagation," wrote Microsoft researcher Tareq Saade in the blog post. "Specifically, it takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system."

The malware, described by security company F-Secure as an "advanced, persistent threat", has infected Siemens WinCC Scada machines. In addition, Russian security company Kaspersky said in a blog post on Saturday that this was the first time its researchers had seen a piece of malware that relies on shortcut files to launch and hide itself.

The malware first injects a backdoor into the system, then drops two Trojans: a rootkit and various pieces of code, including drivers. VeriSign and Microsoft worked together to revoke the expired certificates used by the two Trojans, which had been signed by RealTek Semiconductors, according to Saade.

The malware takes advantage of the shortcut facility in a number of Microsoft operating systems, including versions of Windows 7, Microsoft said in a security advisory on Friday. Windows Vista, Windows Server 2008 and Windows XP SP3 versions are also among those affected.

Microsoft said that Stuxnet could allow an attacker to take control of a system, and it is investigating the malware. In the meantime, IT professionals can disable shortcut icons to mitigate the threat, the company advised.

Proof-of-concept exploit code for the vulnerability was posted on research organisation Offensive Security's exploit database on Sunday.

Topics: Security

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.Tom eventually found tha... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.