Microsoft Investigating Windows Security Zero-Day Targeted by Trojan
Microsoft is investigating reports of a Windows security vulnerability being exploited by a Trojan some say is targeting industrial companies.
The malware exploits a vulnerability in Windows' handling of "lnk" shortcut files. According to VirusBlokAda (PDF), a security vendor based in Belarus, the Trojan propagates through USB devices and uses rootkit functionality to hide itself. Unlike other USB malware, however, just opening up an infected USB device with Windows Explorer or another file manager that can display icons is enough to infect a system, the firm found.
"[The] malware installs two drivers: mrxnet.sys and mrxcls.sys," according to the company's advisory. "They are used to inject code into systems processes and hide [the] malware itself. That's the reason why you can't see malware files on the infected USB storage device."
According to an analysis by Sophos, the rootkit is able to load undetected into the system because it is digitally signed by RealTek Semiconductors, a legitimate hardware vendor. The rootkit, once loaded, disguises the malicious files on the USB device, making further investigation difficult, Sophos said.
"At this point the only mitigation is to not view USB disks in Windows Explorer," said Chet Wisniewski, senior security adviser at Sophos. "The attack is not widespread at all as it was a very targeted attack. The real problem is that now that it is known, any random cyber-criminal can start to use it. That's what makes this a much bigger problem. Hopefully, Microsoft will have some good news and official mitigation steps today."
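As an added illustration (not code from the article or from any of the vendors quoted), the following Python script turns the two concrete artefacts the article names into an offline triage check: .lnk shortcuts on a mounted volume, which the article describes as the infection vector, and the driver file names mrxnet.sys and mrxcls.sys from the VirusBlokAda advisory. The sample volume it scans is constructed in a temporary directory.

```python
"""Constructed example: flag the on-disk artefacts the article names so a
defender can triage a suspect USB volume or driver directory offline."""
import os
import tempfile

# Driver file names quoted from the VirusBlokAda advisory cited in the article.
KNOWN_DRIVERS = {"mrxnet.sys", "mrxcls.sys"}


def scan_paths(paths):
    """Return (finding, path) tuples for an iterable of file paths.

    Both checks come from the article: a .lnk shortcut on removable media is
    the vector it describes (viewing the icon is enough), and the two driver
    names are reported wherever they appear.
    """
    findings = []
    for p in paths:
        name = os.path.basename(p).lower()
        if name in KNOWN_DRIVERS:
            findings.append(("known-driver-name", p))
        elif name.endswith(".lnk"):
            findings.append(("lnk-on-volume", p))
    return findings


def scan_tree(root):
    """Walk a directory tree and return sorted findings for stable output."""
    all_files = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            all_files.append(os.path.join(dirpath, f))
    return sorted(scan_paths(all_files))


def demo():
    """Build a constructed sample volume in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as vol:
        for name in ("report.lnk", "photo.jpg", "mrxnet.sys"):
            with open(os.path.join(vol, name), "wb") as fh:
                fh.write(b"constructed sample content")
        return [(kind, os.path.basename(p)) for kind, p in scan_tree(vol)]


if __name__ == "__main__":
    for kind, name in demo():
        print(f"{kind}: {name}")
```

Because the article notes the rootkit hides these files once a host is infected, run a check like this from a clean system against the mounted media rather than on the suspect host itself.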
Independent security researcher Frank Boldewin uncovered requests by the malware to a Siemens SCADA WinCC + S7 database, indicating the Trojan may be meant for industrial espionage. The Siemens SCADA system is widely used by utility companies.
Malware spreading via USB devices is not new. In fact, two of the top five malware threats observed by McAfee during the first of the year were worms infecting users with AutoRun enabled.
"When we have completed our investigations, we will take appropriate action to protect users and the Internet ecosystem," said Jerry Bryant, group manager of Response Communications at Microsoft, in a statement to eWEEK.