Microsoft is investigating reports of a vulnerability being exploited by a Trojan spreading through USB devices. According to security pros, the malware appears to be targeting the utility industry.
Microsoft is investigating reports of a Windows security vulnerability being
exploited by a Trojan some say is targeting industrial companies.
The malware exploits a vulnerability in Windows' handling of "lnk"
shortcut files. According to
(PDF), a security vendor based in Belarus,
the Trojan propagates through USB devices
and uses rootkit functionality to hide itself. Unlike other USB
malware, however, just opening up an infected USB
device with Windows Explorer or another file manager that can display
icons is enough to infect a system, the firm found.
"[The] malware installs two drivers: mrxnet.sys and mrxcls.sys,"
according to the company's advisory. "They are used to inject code into
systems processes and hide [the] malware itself. That's the reason why you
can't see malware files on the infected USB
According to an analysis by Sophos, the rootkit is able to load
undetected into the system because it is digitally signed by RealTek
Semiconductors, a legitimate hardware vendor. The rootkit, once loaded,
disguises the malicious files on the USB
device, making further investigation difficult, Sophos said.
"At this point the only mitigation is to not view USB
disks in Windows Explorer," said Chet Wisniewski, senior security adviser
at Sophos. "The attack is not widespread at all as it was a very targeted
attack. The real problem is that now that it is known, any random cyber-criminal
can start to use it. That's what makes this a much bigger problem. Hopefully,
Microsoft will have some good news and official mitigation steps today."
researcher Frank Boldewin
uncovered requests by the malware to a Siemens
SCADA WinCC + S7 database, indicating the Trojan may be meant for industrial
espionage. The Siemens SCADA system is widely used by utility companies.
devices is not new. In fact, two of the top five malware threats
observed by McAfee during the first of the year were worms infecting users with
"When we have completed our investigations, we will take appropriate
action to protect users and the Internet ecosystem," said Jerry Bryant,
group manager of Response Communications at Microsoft, in a statement to eWEEK.