Feeds

Windows Shortcut Flaw underpins power plant Trojan

Dangerous lnk to spying

Internet Security Threat Report 2014

Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows' handling of shortcut files.

Malware targeting the security weakness in the handling of 'lnk shortcut files has been spotted in the wild by Belarus-based security firm VirusBlokAda. The malware uses rootkit-style functionality to mask its presence on infected systems. These rootlet drivers come digitally signed by legitimate software developer Realtek Semiconductor, a further mark of the sophistication of the attack.

In an advisory, VirusBlokAda says it has seen numerous incidents of the Trojan spy payloads dropped by the malware since adding detection for the malign code last month.

Even fully patched Windows 7 systems are vulnerable to attack in cases where a user views files on an infected USB drive using Windows Explorer, security blogger Brian Krebs reports. Instead of using Windows Autoplay to spread the malware takes advantage of security weaknesses involving shortcut files. Malicious shortcuts on the USB are reportedly capable of auto-executing if users open an infected storage device on Windows Explorer. Normally users would have to click on the link for anything to happen.

Independent researcher Frank Boldewin has uncovered evidence that the malware is targeting SCADA control systems, used to control industrial machinery in power plants and factories, and specifically Siemens WinCC SCADA systems.

"Looks like this malware was made for espionage," Boldewin writes.

Firms faced with a spate of Windows autorun worms have responded by disabling autorun, but this advice may no longer be enough with the appearance of a new attack vector, Finnish security firm F-Secure warns. "Our initial analysis of the samples appears to indicate that the shortcuts somehow take advantage of the way in which Windows handles Control Panel shortcut files," it adds.

Microsoft is reportedly in the process of investigating the apparent security flaw underpinning the attack. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Home Office: Fancy flogging us some SECRET SPY GEAR?
If you do, tell NOBODY what it's for or how it works
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Syrian Electronic Army in news site 'hack' POP-UP MAYHEM
Gigya redirect exploit blamed for pop-rageous ploy
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.