Windows systems at risk from Stuxnet shortcut malware

Windows systems at risk from Stuxnet shortcut malware

Summary: Microsoft is investigating spy malware that launches from a USB stick without a user's click and that is infecting critical infrastructure systems in Iran, India and other countries

SHARE:
TOPICS: Security
3

Microsoft is looking into a family of malware that is using a Windows flaw to infiltrate critical infrastructure and other systems in a number of countries.

The malware, which has been labelled 'Stuxnet' by security researchers, has been seen in the wild in India, Iran, the US and Indonesia, Microsoft said in a blog post on Friday. One of the attack vectors Stuxnet uses is via USB stick. The malware requires no user interaction to infect the system. The operating system merely rendering an icon launches the malware.

"What is unique about Stuxnet is that it utilises a new method of propagation," wrote Microsoft researcher Tareq Saade in the blog post. "Specifically, it takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system."

The malware, described by security company F-Secure as an "advanced, persistent threat", has infected Siemens WinCC Scada machines. In addition, Russian security company Kaspersky said in a blog post on Saturday that this was the first time its researchers had seen a piece of malware that relies on shortcut files to launch and hide itself.

The malware first injects a backdoor into the system, then drops two Trojans: a rootkit and various pieces of code, including drivers. VeriSign and Microsoft worked together to revoke the expired certificates used by the two Trojans, which had been signed by RealTek Semiconductors, according to Saade.

The malware takes advantage of the shortcut facility in a number of Microsoft operating systems, including versions of Windows 7, Microsoft said in a security advisory on Friday. Windows Vista, Windows Server 2008 and Windows XP SP3 versions are also among those affected.

Microsoft said that Stuxnet could allow an attacker to take control of a system, and it is investigating the malware. In the meantime, IT professionals can disable shortcut icons to mitigate the threat, the company advised.

Proof-of-concept exploit code for the vulnerability was posted on research organisation Offensive Security's exploit database on Sunday.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

3 comments
Log in or register to join the discussion
  • A few days ago, my internet security alerted me that my system had been attacked and when i viewed the report, i saw that it was two trojans. Thankfully the software disabled the threats and i am not sure what they were, could have been the Stuxnet? Is it around in the UK yet? Thank goodness they were detected and stopped though!
    willjamess
  • This is the result of running an insecure OS.
    ator1940
  • @ator1940
    Please, feel free to tell us the name of the 100% secure OS, I don't think there is none at this time. (please don't say the 100% secure OS is the one that's shutdown, because it could be that it could well be turned on via LAN).
    mathy231