Sophos warns Windows users of a new worm that can spread to computers while circumventing the traditional precautions for mitigating this kind of infection. It exploits a vulnerability in the way Windows handles shortcut files (.lnk). The worm arrives as one such .lnk file and is detected as W32/Stuxnet-B.
Much like the infamous Conficker worm, the malware spreads through infected removable media such as USB thumb drives. Protection against Conficker could easily be reinforced by disabling the AutoPlay feature of Windows. However, Stuxnet can infect a computer even with AutoPlay turned off. According to the Sophos blog, the vulnerability has to do with "how Windows Explorer loads the image to display when showing a shortcut, so the only requirement is that the removable media be accessed through Windows Explorer."
When loaded, the file disguised as a shortcut executes a DLL, which installs the rootkit on the system. Interestingly, this DLL appears as a device driver digitally signed by RealTek Semiconductors, a well-known, legitimate hardware vendor. Sophos could not determine "why RealTek would digitally sign a driver that is in fact a rootkit, or whether their systems were compromised."
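The two paragraphs above describe the mechanism: a shortcut on removable media is enough to make Explorer load a DLL while it renders the icon. The script below is an added example, not code from Sophos or from the article, showing how a responder can triage .lnk files copied off a suspect USB stick without opening the drive in Explorer. It parses the public MS-SHLLINK layout far enough to recover the shell item ID list and the string data (icon location, relative path) and flags any shortcut whose icon or target names a .dll or .cpl outside the Windows directory. The heuristic, the system-directory allowlist and the sample shortcuts are all assumptions constructed for this example; they are not Sophos's W32/Stuxnet-B detection logic, and a hit means "look at this", not "this is Stuxnet".

```python
"""Triage Windows shortcut (.lnk) files that reference a DLL for their icon.

Added example (not Sophos or article code). Parses the MS-SHLLINK header,
the LinkTargetIDList and the StringData section, then applies a heuristic:
a shortcut whose icon/target points at a .dll/.cpl outside the Windows
directory is worth a second look. Sample files are constructed inline.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]

# Heuristic knobs (assumptions for this example, not vendor signatures).
LIBRARY_EXTS = (".dll", ".cpl")
SYSTEM_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows")

ANSI_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_lnk(data):
    """Return flags, raw LinkTargetIDList bytes and decoded StringData."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                   # fixed header size
    idlist = b""
    if flags & HAS_LINK_TARGET_IDLIST:
        size = struct.unpack_from("<H", data, off)[0]
        idlist = data[off + 2:off + 2 + size]
        off += 2 + size
    if flags & HAS_LINK_INFO:                  # skip LinkInfo block by its size
        off += struct.unpack_from("<I", data, off)[0]
    strings = {}
    for flag, name in STRING_FIELDS:           # fixed order per MS-SHLLINK
        if not flags & flag:
            continue
        n = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            strings[name] = data[off:off + 2 * n].decode("utf-16-le", "replace")
            off += 2 * n
        else:
            strings[name] = data[off:off + n].decode("latin-1")
            off += n
    return {"flags": flags, "idlist": idlist, "strings": strings}


def embedded_strings(blob):
    """Pull printable ANSI and UTF-16LE runs out of the opaque item ID list."""
    out = [m.group().decode("ascii") for m in ANSI_RUN.finditer(blob)]
    out += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(blob)]
    return out


def library_outside_system_dir(text):
    """True if text names a .dll/.cpl that is not under the Windows directory."""
    t = text.lower().lstrip('"')
    if not any(ext in t for ext in LIBRARY_EXTS):
        return False
    return not any(t.startswith(p) for p in SYSTEM_PREFIXES)


def triage(data):
    """Return a list of reasons the shortcut deserves a closer look."""
    parsed = parse_lnk(data)
    hits = [f"id list: {s}" for s in embedded_strings(parsed["idlist"])
            if library_outside_system_dir(s)]
    for key in ("icon_location", "relative_path"):
        s = parsed["strings"].get(key, "")
        if library_outside_system_dir(s):
            hits.append(f"{key}: {s}")
    return hits


def build_lnk(idlist_item=b"", icon_location=None, unicode=True):
    """Build a minimal .lnk blob for testing (constructed sample, not a real artefact)."""
    flags = IS_UNICODE if unicode else 0
    body = b""
    if idlist_item:
        flags |= HAS_LINK_TARGET_IDLIST
        item = struct.pack("<H", len(idlist_item) + 2) + idlist_item
        idl = item + b"\x00\x00"               # TerminalID closes the list
        body += struct.pack("<H", len(idl)) + idl
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
        enc = icon_location.encode("utf-16-le" if unicode else "latin-1")
        body += struct.pack("<H", len(icon_location)) + enc
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    return header + b"\x00" * (76 - len(header)) + body


# Constructed samples: a normal shortcut using a stock icon, and one whose
# item ID list carries a UTF-16 path to a DLL on a removable drive.
BENIGN = build_lnk(icon_location=r"%SystemRoot%\system32\shell32.dll,3")
SUSPECT = build_lnk(idlist_item=b"\x1f\x00" + r"E:\payload.dll".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage(blob) or "no findings")
```

Run it over a directory of copied shortcuts (read each file in binary mode and pass the bytes to `triage`) from a machine that will not render the icons, and keep any flagged .lnk together with whatever DLL it names for the antivirus vendor. Because the heuristic allowlists only the Windows directory, a legitimate shortcut to an application's own icon DLL under Program Files will also be reported; that is deliberate for triage but too noisy for an automated block.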
In addition, other researchers have reported that the rootkit is looking for Siemens WinCC SCADA systems, machines that are responsible for managing many critical operations such as power plants and manufacturing. According to Frank Boldewin, who has had the opportunity to study the malware first hand, it "looks like this malware was made for espionage."
There is also the theory that Stuxnet is part of an 'advanced persistent threat' such as Operation Aurora, which hit Google and other important companies last winter. However, experts believe there is still no serious reason to believe such a thing: "It’s important not to overreact to this threat, as the exploit has only recently been discovered and the security community has not yet established the extent of the risk to SCADA systems," explained Graham Cluley, senior technology consultant at Sophos.
It seems that for now there is not much one can do to prevent infection apart from staying aware and being careful about which removable media they use. Up-to-date antivirus software should, however, be able to detect the threat, so people are advised to download the latest malware definitions from their antivirus vendor. Sophos also provides a tool for detecting and removing rootkits in case of infection.