Spy rootkit goes after key Indian, Iranian systems

Summary: A data-harvesting rootkit is infecting systems in India, Iran and Indonesia, according to security companies

Sophisticated malicious software that infects critical infrastructure systems is spreading in the wild, according to security companies.

Finnish security company F-Secure, which is in the process of analysing the malware, told ZDNet UK that critical infrastructure in India and Iran had been affected.

The malware takes advantage of a zero-day vulnerability in Microsoft .lnk shortcut files, and infects Siemens WinCC Scada software running on Windows 7 Enterprise Edition x86 systems. It spreads via USB drives and runs automatically when a shortcut icon is displayed on a user's screen.

The malware targets supervisory control and data acquisition (Scada) systems, commonly used by critical infrastructure organisations such as utilities companies.

"We're looking at an advanced, persistent threat, used for espionage, targeting mission critical systems," said F-Secure security adviser Sean Sullivan. "India has seen a lot of cases." He said that the malware takes advantage of hard-coded usernames and passwords in the Siemens software.

The malware uses valid but expired certificates signed by Realtek Semiconductor Corporation to validate its drivers. Realtek was not available for comment at the time of writing.

Sullivan said the malware authors had more than likely appropriated Realtek code and used it in the malicious software.

Security company Sophos told ZDNet UK on Friday that it was aware of instances of the malware spreading in India, Iran and Indonesia. Sophos senior technology consultant Graham Cluley told ZDNet UK that the rootkit circumvents preventative measures such as disabling autorun and autoplay in Windows.

"This waltzes around autorun disable," said Cluley. "Simply viewing the icon will run the malware."

The malware was discovered in June by researchers from Belarusian security company VirusBlokAda. F-Secure published the VirusBlokAda paper, which details the threat, in a blog post on Thursday.

The aim of the malware is to steal data, said Sullivan. Once activated, it sets about scraping any available information from databases.

"It's either corporate or government espionage," said Sullivan.

Siemens told ZDNet UK on Friday that its security experts were looking into the rootkit.

"The Siemens Computer Emergency Response Team are aware of the issue and are investigating the situation urgently," said Andrew Hyde, Siemens's UK head of marketing communications.

Microsoft also said it was looking at the malware.

"Microsoft is investigating new public claims of malware propagating via USB storage devices," said Jerry Bryant, group manager of response communications at Microsoft, in a statement. "When we have completed our investigations we will take appropriate action to protect users and the internet ecosystem."

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

  • I despair, I really do :(
    ... partly because I'm grounded while my car is being repaired!

    Hard coded passwords - WTF?
    Running executable code in images - WHY?

    For what purpose are there even accessible USB ports in the system?
  • > For what purpose are there even accessible USB ports in the system?

    These days, one reason would be "for the keyboard" and another reason would be "for the mouse". PS/2 keyboards and mice are being phased out for their USB cousins - my PC doesn't even have PS/2 ports any more. And then, my monitor comes with a handy built-in USB hub too...
  • I think what this person meant is: why is this a concern when there are IDS/IPS applications designed to block any device connected via USB, CD-ROM, or any other interface that could compromise the security of such valuable systems?