NEWS FROM THE LAB - Thursday, July 15, 2010

Espionage Attack Uses LNK Shortcut Files Posted by Sean @ 11:34 GMT

There's a possible new zero-day in the wild which is being used in targeted espionage attacks. Belarusian antivirus company VirusBlokAda recently published news about two new rootkit samples, and quite interestingly, the infection vector is a USB storage device and Windows shortcut [.LNK] files.

The rootkit uses an LNK file that infects the operating system as soon as the shortcut is displayed by an icon-rendering file manager such as Windows Explorer or Total Commander.

According to Krebs on Security, the method is capable of infecting a fully patched Windows 7 computer.

From Krebs: Jerry Bryant, of Microsoft, stated that "Microsoft is investigating new public claims of malware propagating via USB storage devices. When we have completed our investigations we will take appropriate action to protect users and the Internet ecosystem."

Our initial analysis of the samples appears to indicate that the shortcuts somehow take advantage of the way in which Windows handles Control Panel shortcut files.

[Image: Windows 7 Control Panel Icons]

Our investigation is ongoing.

Two additional interesting details from Krebs' report:

1.) It uses (or attempts to imitate) a digital signature from Realtek Semiconductor Corp.
2.) It appears to target Siemens WinCC SCADA systems, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants.

A report by VirusBlokAda can be found here. [PDF]

Many organizations have long since established policies for handling USB devices due to autorun worms. This new espionage attack seems to indicate the need for additional review. Disabling AutoRun/AutoPlay by policy is no longer a guaranteed safeguard.
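The Control Panel shortcut handling mentioned above and the USB policy question in the last paragraph point to the same practical need: a way to inspect the .LNK files on a removable drive before anything renders their icons. The following Python script is an added example, not code from the original post or from F-Secure, VirusBlokAda or Microsoft. It parses the shell link header and LinkTargetIDList as laid out in Microsoft's MS-SHLLINK specification and applies a heuristic of my own: a shortcut whose target item list references the Control Panel namespace CLSID ({21EC2020-3AEA-1069-A2DD-08002B30309D}) and also embeds a module path (.dll or .cpl) is flagged for review. The byte layout of the samples described in the post is not on the page and is not reproduced here; `build_lnk` only assembles minimal constructed test data so the checks can be exercised offline.

```python
import os
import re
import struct
import sys
import uuid

# Fixed values from the shell link header (MS-SHLLINK).
HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x00000001

# CLSID of the Control Panel shell namespace folder; a shortcut whose item ID
# list carries it resolves to a Control Panel item rather than a plain file.
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le

# Module paths that may be embedded in an item ID, as ASCII or UTF-16LE text.
_MODULE_ASCII = re.compile(rb"[\x20-\x7e]+\.(?:dll|cpl)", re.IGNORECASE)
_MODULE_UTF16 = re.compile(
    rb"(?:[\x20-\x7e]\x00)+\.\x00(?:d\x00l\x00l\x00|c\x00p\x00l\x00)", re.IGNORECASE
)


def parse_id_list(data: bytes) -> list[bytes]:
    """Return the ItemID payloads from a shortcut's LinkTargetIDList ([] if none)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link file")
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    (id_list_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
    pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + id_list_size
    if end > len(data):
        raise ValueError("IDListSize exceeds file length")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID ends the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def classify_lnk(data: bytes) -> dict:
    """Heuristic verdict: Control Panel target plus an embedded module path is suspicious."""
    items = parse_id_list(data)
    control_panel = any(CONTROL_PANEL_CLSID in item for item in items)
    modules = []
    for item in items:
        modules += [m.decode("ascii") for m in _MODULE_ASCII.findall(item)]
        modules += [m.decode("utf-16-le") for m in _MODULE_UTF16.findall(item)]
    return {
        "control_panel_target": control_panel,
        "embedded_modules": modules,
        "suspicious": control_panel and bool(modules),
    }


def scan_directory(root: str) -> list[tuple[str, dict]]:
    """Classify every .lnk under root (e.g. a mounted USB drive); unparseable ones are flagged too."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                try:
                    verdict = classify_lnk(fh.read())
                except ValueError as exc:
                    verdict = {"error": str(exc), "suspicious": True}
            findings.append((path, verdict))
    return findings


def build_lnk(items: list[bytes]) -> bytes:
    """Assemble a minimal shell link carrying the given ItemIDs (constructed test data only)."""
    flags = HAS_LINK_TARGET_ID_LIST if items else 0
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # timestamps, size, icon index etc. left zero
    if not items:
        return header
    id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    # Usage: python lnk_audit.py <mount point of the removable drive>
    for path, verdict in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        if verdict["suspicious"]:
            print(f"REVIEW {path}: {verdict}")
```

Run it against the mount point of a USB stick from a machine that does not render shortcut icons (a hardened analysis box, or a Linux host) so that the files are read but never displayed. The verdict is deliberately conservative: a shortcut that fails to parse is reported for review rather than ignored, since a malformed .LNK on removable media is itself worth a look.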