Trojan spreads via new Windows hole
Source: h-online

Posted on 07/15/2010 10:23:01 AM PDT by Gomez

Anti-virus specialists report that a new trojan is spreading via USB flash drives, apparently exploiting a previously unknown hole in Windows. According to analyses by Belarusian AV vendor VirusBlokAda, a copy of the trojan managed to infect a fully patched Windows 7 system (32-bit) without having to resort to such common auto-start tools as autorun.inf when a flash drive carrying the trojan was plugged in. Instead of spreading through auto-start, the malware exploits a flaw in the code for processing shortcuts (.lnk files): once the relevant icon is displayed in Windows Explorer, malicious code is launched without any further user interaction.

The trojan exploits this to install two drivers with rootkit functions designed to hide its subsequent activities within the system. Interestingly, both drivers are signed with a code-signing key by vendor RealTek and can, therefore, be installed on a system without triggering an alert. Only recently, AV vendor F-Secure pointed out that the amount of signed malware for Windows is increasing. In some cases, digital keys have even been stolen from developers.

An investigation by malware analyst Frank Boldewin has shown that this is not just any old trojan designed to harvest passwords from unsuspecting users. It appears that the malware specifically targets process control systems and their visualisation components. The trojan is, therefore, unlikely to spread on a large scale.

During his investigation, Boldewin came across some database queries the trojan made that point towards the WinCC SCADA system by Siemens. As Boldewin explained in an email to The H's associates at heise Security, a "normal" malware programmer wouldn't have managed to do that. Boldewin continued: "As this Siemens SCADA system is used by many governments and industrial enterprises worldwide, we must assume that the attackers' intention was industrial espionage or even espionage in the government area". Frank Boldewin is the author of the feature article "Episode 2: The image of death" in our "CSI:Internet" series.

Microsoft has been informed about the vulnerability, but appears to have problems with reproducing it. Andreas Marx of AV-Test says that every .lnk file is linked to the ID of the newly infected USB Flash drive. This means that the sample trojans found so far can't simply be started on an arbitrary Windows system – the malware will only start in the OllyDbg debugger after some modifications to the code.
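A defender-side check tied to the signed-driver point above, as an added example that is not from the article or from any vendor named in it: inventory the kernel drivers on a Windows host, verify their Authenticode signatures, and report any driver that is unsigned, tampered, or signed by a vendor outside an allow-list. The allow-list contents are an assumption for illustration; build them from a known-good baseline of the host.

```powershell
# Added example, not from the article: inventory kernel drivers with their Authenticode
# signers so that a validly signed driver from an unexpected vendor stands out. A valid
# signature is not a trust decision by itself; that is the article's point about the
# vendor-signed rootkit drivers installing without an alert.

function Get-DriverSignerReport {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw) { return }

        # WMI reports driver paths in several forms: '\??\C:\...', '\SystemRoot\...' or
        # 'System32\drivers\x.sys' relative to the Windows directory. Normalise all of them.
        $path = $raw -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Driver  = $_.Name
            State   = $_.State            # Running / Stopped
            Status  = $sig.Status         # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer  = if ($cert) { $cert.Subject } else { '<unsigned>' }
            Expires = if ($cert) { $cert.NotAfter } else { $null }
            Path    = $path
        }
    }
}

# Assumed allow-list for illustration only: populate it from a known-good baseline of the host.
$expectedSigners = @('Microsoft Windows', 'Microsoft Windows Hardware Compatibility Publisher')

Get-DriverSignerReport |
    Where-Object {
        $known = $false
        foreach ($s in $expectedSigners) {
            if ($_.Signer -like "*CN=$s,*") { $known = $true }
        }
        # Report anything unsigned, tampered, or signed by a vendor outside the baseline.
        ($_.Status -ne 'Valid') -or (-not $known)
    } |
    Sort-Object Signer, Driver |
    Format-Table Driver, State, Status, Signer, Path -AutoSize
```

Run it from an elevated PowerShell session; a driver whose signer is a hardware vendor whose devices are not present on the host is worth a closer look even when its Status is Valid.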


TOPICS: Computers/Internet
KEYWORDS: microsofttax

1 posted on 07/15/2010 10:23:03 AM PDT by Gomez

To: ShadowAce

ping


2 posted on 07/15/2010 10:23:52 AM PDT by Gomez (killer of threads)

To: Gomez

Hmm, where are most USB Flash Drives manufactured these days?


3 posted on 07/15/2010 10:26:45 AM PDT by Yo-Yo (Is the /sarc tag really necessary?)

To: Gomez
This means that the sample trojans found so far can't simply be started on an arbitrary Windows system – the malware will only start in the OllyDbg debugger after some modifications to the code.


So, this affects what percentage of Windows users?

"after some modifications to the code"
Sounds like you have to mess with the system just to get the malware to work.
Don't think I'll lose any sleep over this one.
4 posted on 07/15/2010 10:32:26 AM PDT by Gun142 (Where Will You Be When You Get Where You're Going? -- Jerry Clower)

To: Gun142
Ditto. Sounds like this goes back to the days of floppies and boot-sector viruses.

And, it's been discovered. Hole will be patched, and AV software will be updated....

ZZZZZzzzzzzzz

5 posted on 07/15/2010 10:44:06 AM PDT by wbill

To: Gomez
It appears that the malware specifically targets process control systems and their visualisation components.

SCADA systems are those that monitor and control infrastructure facilities like power plants, gas lines, sewage plants etc.

This isn't the work of script kiddies trying to muck up your web-surfing. This appears to be targeted at serious systems by a knowledgeable attacker(s).

6 posted on 07/15/2010 10:53:33 AM PDT by Washi

To: Swordmaker

PING.... our turn at bat.


7 posted on 07/15/2010 11:29:00 AM PDT by RachelFaith (2010 is going to be a 100 seat Tsunami - Unless the GOP Senate ruins it all...)

To: PugetSoundSoldier
a copy of the trojan managed to infect a fully patched Windows 7 system (32-bit) without having to resort to such common auto-start tools as autorun.inf when a Flash drive carrying the trojan was plugged in. Instead of spreading through auto-start, the malware exploits a flaw in the code for processing short-cuts (.lnk files): Once the relevant icon is displayed in Windows Explorer, malicious code is launched without any further user interaction.

Well, there goes your "Windows 7 is just as secure as Mac OSX" shtick.

Real trojan, in the wild, doing an actual exploit, not in some lab, and without any user intervention required.

Plink Plink Plink

Just dropping 3 quarters in the machine and waiting for the spin cycle to begin....

8 posted on 07/15/2010 11:33:26 AM PDT by RachelFaith (2010 is going to be a 100 seat Tsunami - Unless the GOP Senate ruins it all...)

To: RachelFaith
Well, there goes your "Windows 7 is just as secure as Mac OSX" shtick.

Before we get into a discussion, perhaps you can define what you mean by trojan, virus, and infection. The last definition by you was that only a self-installing, self-replicating virus was a problem. Is that your claim?

9 posted on 07/15/2010 5:21:49 PM PDT by PugetSoundSoldier (Indignation over the Sting of Truth is the defense of the indefensible)

To: PugetSoundSoldier
Before we get into a discussion, perhaps you can define what you mean by trojan, virus, and infection. The last definition by you was that only a self-installing, self-replicating virus was a problem. Is that your claim?

Good point, Puget. This appears to be a hybrid... self running and self installing, ergo, it can be self-replicating. But it requires the action of a user to insert the Flash Drive. Once the user takes that action, apparently there is no further user interaction required though. NOT GOOD. Still a trojan, for that reason... but the potential for being a worm.

10 posted on 07/15/2010 11:23:18 PM PDT by Swordmaker (Remember, the proper pronunciation of IE is AAAAIIIIIEEEEEEE!)
