Microsoft is looking into a family of malware that is using a Windows flaw to infiltrate critical infrastructure and other systems in a number of countries.
The malware, which has been labelled 'Stuxnet' by security researchers, has been seen in the wild in India, Iran, the US and Indonesia, Microsoft said in a blog post on Friday. One of the attack vectors Stuxnet uses is via USB stick. The malware requires no user interaction to infect the system. The operating system merely rendering an icon launches the malware.
"What is unique about Stuxnet is that it utilises a new method of propagation," wrote Microsoft researcher Tareq Saade in the blog post. "Specifically, it takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system."
The malware, described by security company F-Secure as an "advanced, persistent threat", has infected Siemens WinCC Scada machines. In addition, Russian security company Kaspersky said in a blog post on Saturday that this was the first time its researchers had seen a piece of malware that relies on shortcut files to launch and hide itself.
The malware first injects a backdoor into the system, then drops two Trojans: a rootkit and various pieces of code, including drivers. VeriSign and Microsoft worked together to revoke the expired certificates used by the two Trojans, which had been signed by RealTek Semiconductors, according to Saade.
The malware takes advantage of the shortcut facility in a number of Microsoft operating systems, including versions of Windows 7, Microsoft said in a security advisory on Friday. Windows Vista, Windows Server 2008 and Windows XP SP3 versions are also among those affected.
Microsoft said that Stuxnet could allow an attacker to take control of a system, and it is investigating the malware. In the meantime, IT professionals can disable shortcut icons to mitigate the threat, the company advised.
Proof-of-concept exploit code for the vulnerability was posted on research organisation Offensive Security's exploit database on Sunday.