Windows Shortcut Flaw underpins power plant Trojan
Dangerous lnk to spying
Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows' handling of shortcut files.
Malware targeting the security weakness in the handling of .lnk shortcut files has been spotted in the wild by Belarus-based security firm VirusBlokAda. The malware uses rootkit-style functionality to mask its presence on infected systems. These rootkit drivers come digitally signed by legitimate software developer Realtek Semiconductor, a further mark of the sophistication of the attack.
In an advisory, VirusBlokAda says it has seen numerous incidents of the Trojan spy payloads dropped by the malware since adding detection for the malign code last month.
Even fully patched Windows 7 systems are vulnerable to attack in cases where a user views files on an infected USB drive using Windows Explorer, security blogger Brian Krebs reports. Instead of using Windows Autoplay to spread, the malware takes advantage of security weaknesses involving shortcut files. Malicious shortcuts on the USB are reportedly capable of auto-executing if users open an infected storage device in Windows Explorer. Normally users would have to click on the link for anything to happen.
Independent researcher Frank Boldewin has uncovered evidence that the malware is targeting SCADA control systems, used to control industrial machinery in power plants and factories, and specifically Siemens WinCC SCADA systems.
"Looks like this malware was made for espionage," Boldewin writes.
Firms faced with a spate of Windows autorun worms have responded by disabling autorun, but this advice may no longer be enough with the appearance of a new attack vector, Finnish security firm F-Secure warns. "Our initial analysis of the samples appears to indicate that the shortcuts somehow take advantage of the way in which Windows handles Control Panel shortcut files," it adds.
Microsoft is reportedly in the process of investigating the apparent security flaw underpinning the attack. ®
"The marketing men run MS now"
That's been the case for a very very very long time.
The original NT design had lots of separate kernel modules and very little code ran in kernel mode unless it actually *had* to. This meant that there was very little code which was capable of compromising the whole system, and thus the system as a whole was relatively stable and secure. It also meant that there was a bit of a performance hit every time code went from user mode (an editor or whatever) to kernel mode (eg to do some actual IO).
The performance hit meant that in the early days of NT3 and NT4, apps were *slower* on NT than on W98 - W98 was always in "kernel mode", always capable of clobbering the whole system, and often did. So NT was typically more productive (because it wasn't subject to address space limits and wasn't falling over) but any individual benchmark would be slower on NT.
The marketing men didn't like this, and nor did Bill.
Bill said "make NT faster than 98". So lots of stuff that could and should have been user mode got shifted into kernel mode so there weren't so many changes from user to kernel and back again. And all that unnecessarily exposed kernel mode can compromise a whole system.
When high definition content started coming along, Bill's mates in the content industry attempted to get MS to restore some of the security of the user/kernel split, so that their extremely valuable high definition bits weren't as easily copied as they might have been without MS DRM and anti-tilt and the like. Unfortunately in many cases the performance effects were even worse than the 98->NT performance hit, and so Vista was the delight we came to know and love.
Whatever the naysayers may tell you, Linux does at least generally understand the difference between user mode and kernel mode, and generally makes the tradeoff in favour of stability/security rather than ultimate performance. For a lot of people that's a very sensible tradeoff.
One set of folks who may not like that tradeoff are of course l33t gamers; they just want everything to be as fast and as low overhead as is possible so they can get on with their frogging or whatever. They'd be better off leaving games to consoles though, and letting PCs be used for what PCs should be used for. No PC can serve two masters equally well (not with the same OS, anyway).
The marketing men run MS now, not the developers.
When the internet took off and XP came along, MS should have pushed a lot harder at locking down the O/S, they didn't. Just like Larry Ellison with Oracle back in the 80's, numbers, numbers, numbers was all that mattered. Didn't matter if Oracle database couldn't hold data for toffee! Getting names on the books and securing the numbers was all that mattered.
With the saturation that MS have in the home and business desktop markets, they have no reason to make more than a token effort to secure their flagship products. The market won't dump them, they have it sewn up so why should they worry about something that will bother a small percentage of users?
I am almost positive there are developers in MS crying out to get things fixed, but the marketing droids want bums on seats, even if that means cutting back on developers and shipping products not completely tested, so be it.
Linux might be a little rough around the edges and need a little more work in some places, but at least the developers have passion to try to get things right, the marketers don't get anywhere near as much of a say in Linuxland.
Well Done MS!
Another example of a slipshod attitude towards security, who in their right mind would design an OS that would perform such dangerous tasks?
Yet another reason to use a 'nix platform.