Spy rootkit goes after key Indian, Iranian systems

A data-harvesting rootkit is infecting systems in India, Iran and Indonesia, according to security companies
Written by Tom Espiner, Contributor

Sophisticated malicious software which infects critical infrastructure systems is spreading in the wild, according to security companies.

Finnish security company F-Secure, which is in the process of analysing the malware, told ZDNet UK that critical infrastructure in India and Iran had been affected.

The malware takes advantage of a zero-day vulnerability in Microsoft .lnk shortcut files, and infects Siemens WinCC Scada software running on Windows 7 Enterprise Edition x86 systems. It spreads via USB drives and runs automatically when a shortcut icon is displayed on a user's screen.
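For a defender triaging shortcut files pulled from removable media, the following is an added example, not code from the ZDNet article or from any vendor named in it: a minimal parser for the Windows Shell Link (.lnk) format that recovers the paths a shortcut references, plus a triage heuristic (my assumption, not something the article states) that flags shortcuts whose target data names a DLL or CPL file, since ordinary user shortcuts point at documents or programs. The two sample shortcuts are constructed inside the script; field names, constants and the heuristic are this example's own.

```python
import struct
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")  # HeaderSize + LinkCLSID
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80                           # LinkFlags bits
FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"), (0x20, "arguments"), (0x40, "icon_location"))
SUSPECT_EXT, SYSTEM_PREFIXES = (".dll", ".cpl"), ("%systemroot%", "c:\\windows")  # triage heuristic (assumption)


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader, LinkTargetIDList and StringData of a .lnk blob (MS-SHLLINK layout)."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, info = 76, {"flags": flags, "id_list": b""}
    if flags & HAS_ID_LIST:                 # IDListSize excludes its own two bytes
        size = struct.unpack_from("<H", data, pos)[0]
        info["id_list"] = data[pos + 2:pos + 2 + size]
        pos += 2 + size
    if flags & HAS_LINK_INFO:               # LinkInfoSize includes its own four bytes; skip the block
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1  # StringData is UTF-16LE only when IsUnicode is set
    for flag, name in FIELDS:               # fixed order: Name, RelativePath, WorkingDir, Arguments, IconLocation
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return info


def suspicious_references(info: dict) -> list:
    """Names of fields referencing a DLL/CPL; icon resources inside the Windows directory are normal."""
    texts = {k: v for k, v in info.items() if k not in ("flags", "id_list")}
    texts["id_list"] = (info["id_list"].decode("utf-16-le", errors="ignore")   # item IDs may embed
                        + info["id_list"].decode("latin-1"))                   # UTF-16 or ANSI paths
    return [f for f, t in texts.items() if any(e in t.lower() for e in SUSPECT_EXT)
            and not (f == "icon_location" and t.lower().startswith(SYSTEM_PREFIXES))]


def build_lnk(id_items, **strings) -> bytes:
    """Construct a minimal Unicode .lnk blob as a test fixture (not a real Windows shortcut)."""
    flags, body = IS_UNICODE, b""
    if id_items:                            # each ItemID: size (incl. itself) + data, then 2-byte terminator
        items = b"".join(struct.pack("<H", len(i) + 2) + i for i in id_items) + b"\x00\x00"
        flags, body = flags | HAS_ID_LIST, struct.pack("<H", len(items)) + items
    for flag, name in FIELDS:
        if name in strings:
            flags |= flag
            body += struct.pack("<H", len(strings[name])) + strings[name].encode("utf-16-le")
    return LNK_MAGIC + struct.pack("<I", flags) + bytes(52) + body   # zero the remaining header fields


BENIGN = build_lnk([b"\x1f\x50" + bytes(10)], relative_path=".\\report.docx",   # constructed samples
                   icon_location="%SystemRoot%\\system32\\shell32.dll,3")
SUSPECT = build_lnk([b"\x1f\x50", "E:\\loader.dll".encode("utf-16-le")], relative_path=".\\loader.dll")
```

`suspicious_references(parse_lnk(SUSPECT))` names the fields that carry the DLL reference, while the document shortcut with a shell32.dll icon produces no hit.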

The malware targets supervisory control and data acquisition (Scada) systems, commonly used by critical infrastructure organisations such as utilities companies.

"We're looking at an advanced, persistent threat, used for espionage, targeting mission critical systems," said F-Secure security adviser Sean Sullivan. "India has seen a lot of cases." He said that the malware takes advantage of hard-coded usernames and passwords in the Siemens software.

The malware uses valid but expired certificates signed by Realtek Semiconductor Corporation to validate its drivers. Realtek was not available for comment at the time of writing.

Sullivan said the malware authors had more than likely appropriated Realtek code and used it in the malicious software.

Security company Sophos told ZDNet UK on Friday that it was aware of instances of the malware spreading in India, Iran and Indonesia. Sophos senior technology consultant Graham Cluley told ZDNet UK that the rootkit circumvents preventative measures such as disabling autorun and autoplay in Windows.

"This waltzes around autorun disable," said Cluley. "Simply viewing the icon will run the malware."

The malware was discovered in June by researchers from Belarusian security company VirusBlokAda. F-Secure published the VirusBlokAda paper, which details the threat, in a blog post on Thursday.

The aim of the malware is to steal data, said Sullivan. Once activated, it sets about scraping any available information from databases.

"It's either corporate or government espionage," said Sullivan.

Siemens told ZDNet UK on Friday that its security experts were looking into the rootkit.

"The Siemens Computer Emergency Response Team are aware of the issue and are investigating the situation urgently," said Andrew Hyde, Siemens's UK head of marketing communications.

Microsoft also said it was looking at the malware.

"Microsoft is investigating new public claims of malware propagating via USB storage devices," said Jerry Bryant, group manager of response communications at Microsoft, in a statement. "When we have completed our investigations we will take appropriate action to protect users and the internet ecosystem."
