NEWS FROM THE LAB - Friday, July 16, 2010

More Analysis of Case LNK Exploit Posted by Sean @ 10:30 GMT

There's a new threat that spreads via USB storage devices, by exploiting a previously unknown flaw in Windows shortcuts.

We have added detection for the shortcut LNK exploit as Exploit:W32/WormLink.A. The shortcut file used in this case is 4.1 KB. Files associated with the trojan-dropper, backdoor, rootkit are detected as the Stuxnet family.

We mentioned two interesting details yesterday, that the rootkit was signed, and that it was targeting SCADA systems.

The rootkit components are digital signed and we've confirmed that a valid Realtek Semiconductor Corp. signature is used. The dropped drivers are properly signed, while the trojan-dropper itself only attempted to copy the digital signature.

In any case, the certificate, while valid, expired in June. The H Security has a screenshot of the certificate.

Malicious software using valid digital signatures is something that our Jarno Niemel´┐Ż recently predicted in his Caro 2010 Workshop presentation: It's Signed, therefore it's Clean, right?

Regarding the SCADA systems that are being targeted, the Siemens SIMATIC WinCC database appears to use a hardcoded admin username and password combination that end users are told not to change.

Thus, any organization successfully compromised by this targeted attack could be completely vulnerable to database compromise. This Slashdot comment has additional details.

We'll have more on this case as it develops.

Edited to add: While the certificate used for signing has expired, noted above, because a countersigning technique to time stamp is used, it is still possible that the certificate can be utilized.

From Microsoft's MSDN Library: "The countersignature method of time stamping … allows for signatures to be verified even after the signing certificate has expired or been revoked."