Malware Targets Shortcut Flaw In Windows, SCADA
tsu doh nimh writes "Anti-virus researchers have discovered a new strain of malicious software that spreads via USB drives and takes advantage of a previously unknown vulnerability in the way Microsoft Windows handles '.lnk' or shortcut files. Belarus-based VirusBlokAda discovered malware that includes rootkit functionality to hide the malware, and the rootkit drivers appear to be digitally signed by Realtek Semiconductor, a legitimate hi-tech company. In a further wrinkle, independent researcher Frank Boldewin found that the complexity and stealth of this malware may be due to the fact that it is targeting SCADA systems, or those designed for controlling large, complex and distributed control networks, such as those used at power and manufacturing plants. Meanwhile, Microsoft says it's investigating claims that this malware exploits a new vulnerability in Windows."
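The summary says the malware rides in on USB drives and abuses how Windows handles '.lnk' shortcut files, but gives no detail about the shortcuts themselves. The following is an added triage script, not code from the article, from VirusBlokAda or from Microsoft. It parses the Shell Link header, skips the LinkTargetIDList and LinkInfo structures, and pulls out the string fields (relative path, arguments, icon location) so an analyst can see what every shortcut on a removable drive points at. The heuristic in triage_lnk, that a shortcut referencing loadable code (.dll, .cpl and so on) by a path local to the medium rather than under the system directories deserves a look, is my own assumption for this example and is not a description of how this particular malware works. The sample shortcuts are constructed in build_lnk, not real malware artifacts.

```python
import os
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) used by this example.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Assumption for the heuristic: shortcuts on removable media that reference
# these extensions by a medium-local path are worth an analyst's attention.
CODE_EXTENSIONS = (".dll", ".exe", ".cpl", ".scr", ".ocx", ".tmp")
SYSTEM_PREFIXES = ("%systemroot%", "%windir%", "%programfiles%", "c:\\windows\\")


def build_lnk(relative_path=None, arguments=None, icon_location=None, with_id_list=True):
    """Construct a minimal Unicode .lnk (sample data for this example only)."""
    flags = IS_UNICODE
    id_list = b""
    if with_id_list:
        flags |= HAS_LINK_TARGET_ID_LIST
        item = b"\x1f\x00"                                   # placeholder ItemID data
        item_id = struct.pack("<H", 2 + len(item)) + item    # ItemIDSize + data
        id_list = struct.pack("<H", len(item_id) + 2) + item_id + b"\x00\x00"  # + TerminalID
    strings = b""
    # StringData order in the format: Name, RelativePath, WorkingDir, Arguments, IconLocation.
    for bit, text in ((HAS_RELATIVE_PATH, relative_path),
                      (HAS_ARGUMENTS, arguments),
                      (HAS_ICON_LOCATION, icon_location)):
        if text is not None:
            flags |= bit
            strings += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID
              + struct.pack("<IIQQQIIIH", flags, 0x20, 0, 0, 0, 0, 0, 1, 0)  # flags..HotKey
              + b"\x00" * 10)                                               # Reserved1..3
    assert len(header) == HEADER_SIZE
    return header + id_list + strings


def parse_lnk(data):
    """Return the LinkFlags and StringData fields of a Shell Link; raise on malformed input."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) then the list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]   # CountCharacters
            off += 2
            nbytes = count * 2 if unicode else count
            raw = data[off:off + nbytes]
            if len(raw) != nbytes:
                raise ValueError("truncated StringData")
            info[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
            off += nbytes
    return info


def _local_to_medium(path):
    return not path.startswith(SYSTEM_PREFIXES)


def triage_lnk(info):
    """Heuristic (assumption): list fields referencing loadable code by a medium-local path."""
    reasons = []
    for field in ("relative_path", "arguments", "icon_location"):
        value = info.get(field)
        if not value:
            continue
        low = value.lower().strip('"')
        if low.endswith(CODE_EXTENSIONS) and _local_to_medium(low):
            reasons.append("%s references loadable code on the medium: %s" % (field, value))
    return reasons


def scan_directory(root):
    """Walk a mounted removable drive and return (path, reasons) for shortcuts worth a look."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    reasons = triage_lnk(parse_lnk(fh.read()))
            except (ValueError, struct.error, OSError) as exc:
                reasons = ["unparsable shortcut: %s" % exc]
            if reasons:
                findings.append((path, reasons))
    return findings


# Constructed samples: one ordinary document shortcut, one pointing at a DLL on the medium.
BENIGN = build_lnk(relative_path=".\\report.docx",
                   icon_location="%SystemRoot%\\system32\\imageres.dll")
SUSPECT = build_lnk(relative_path=".\\files\\loader.dll",
                    icon_location=".\\files\\loader.dll")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage_lnk(parse_lnk(blob)) or "nothing flagged")
```

Run scan_directory against the mount point of a drive before anyone opens it in Explorer; the parser never resolves or executes the shortcut, it only reads bytes. Trailing ExtraData blocks in real shortcuts are ignored, and a truncated or non-shortcut file raises rather than silently passing.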
They may be pretty chintzy, but they are downright ubiquitous. Things are going to get comedic if every Realtek-equipped PC that also gets Windows updates suddenly starts throwing "unsigned driver" warnings because Microsoft revokes its trust in the Realtek signing key (which they might chicken out of, but they really should do if there are signed rootkit drivers floating around)...
Really, you are asking the wrong questions. They failed to correctly patch Windows; they would just as likely fail to correctly patch Linux or any other OS too. The question isn't "why were you using Windows", vulnerabilities exist in all OSes. The question is "Why the fuck were they not patching known vulnerable systems that are mission critical?" The patch for the Sasser worm was available well before the worm. Secondly, "why the fuck, if they had a reason to not patch vulnerabilities, were they leaving their mission critical devices exposed?"
What you describe is a massive failure on the part of the IT staff.
Are you brain damaged?
USB drives are the new floppies. If the OS cannot handle them in a secure way the OS is the problem.
The actual consoles where the operators sit are about 90% Windows though, if not higher, and that's most likely where you're going to see this virus come into play in the first place because of some stupid user plugging in an infected USB device.
And then the virus rootkits the control console. It can then issue commands to the SCADA systems that appear to be from legitimate operator input.
Back when I worked for Boeing, we fought a losing battle trying to keep Windows systems off the shop floor. In an ideal world, we would have a secure subnet within the company intranet behind its own firewall to keep the Windows systems from seeing shop equipment. In the real world, lots of the factory equipment was running Windows. Worse yet, some of the people responsible for loading firmware into avionics used Windows laptops to do so. And then they'd take them home at night where the kids would use them to log on to Facebook, or download kewl stuff from unknown sources.
You can't fire people fast enough to keep Windows out of mission critical areas.
Have gnu, will travel.
Portable media should never be considered "secure".
Correct, and that is why "autorun" functions that are active by default are a bad idea. But convenience over security is typical for certain OS vendors, especially those from Redmond ;-)
The only instance when stuff from portable media is automatically executed should be at boot time, if the medium is selected as boot drive in the BIOS (or whatever your system uses in place of the BIOS).
C - the footgun of programming languages