
  (Source: CBS News)
Microsoft is working on a fix for the exploit

Microsoft has done a relatively good job building a secure operating system in the form of Windows 7 and patching the few flaws that have been discovered and widely published.  But like any OS it still has some gaping holes, and with Windows 7's growing market share, there are plenty of parties, both malicious and altruistic, poking around to find them.

The latest threat is a new strain of malware that takes advantage of Windows 7's allowance of "autorun" or "autoplay" files.  

The attack vector begins with an infected machine writing malware to an attached USB drive.  The malware writes two driver files -- "mrxnet.sys" and "mrxcls.sys" -- to the attached drive.  These rootkit drivers carry a digital signature from Realtek Semiconductor Corp. that was likely stolen.  They provide "rootkit" functionality, disguising the malware that is subsequently written to the drive.

Packed with malware and the drivers that disguise it, the drive triggers the next infection when the unsuspecting user plugs the USB stick into another machine.  If the user follows the prompt and selects the "Autorun" option, or opts to open the drive in Windows Explorer, the stored malware will autorun, infecting the attached machine.

While autoplay/autorun is disabled by default on most Windows 7 installs, browsing to the root folder of a USB stick, or enabling autoplay on USB sticks can still trigger this attack.
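A small scanner, added here as an example (not code from the article or from VirusBlokAda), that walks a mounted drive and flags the indicators the article names: the two driver filenames and an autorun.inf carrying a launch directive. The sample directory it builds is constructed for the example.

```python
import os
import tempfile

# Filenames the article reports on infected sticks; the sample autorun.inf below is constructed.
SUSPECT_DRIVERS = {"mrxnet.sys", "mrxcls.sys"}
AUTORUN_INF = "autorun.inf"
SAMPLE_AUTORUN_INF = """[AutoRun]
open=setup.exe
"""


def parse_autorun(path):
    """Return the launch directives (open=, shellexecute=) from an autorun.inf."""
    directives, in_autorun = {}, False
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                in_autorun = line[1:-1].strip().lower() == "autorun"
            elif in_autorun and "=" in line and not line.startswith(";"):
                key, _, value = line.partition("=")
                key = key.strip().lower()
                if key in ("open", "shellexecute"):
                    directives[key] = value.strip()
    return directives


def scan_drive(root):
    """Walk a mounted drive and list files matching the article's indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower() in SUSPECT_DRIVERS:
                findings.append((rel, "filename matches reported rootkit driver"))
            elif name.lower() == AUTORUN_INF:
                launch = parse_autorun(full)
                desc = ", ".join(f"{k}={v}" for k, v in sorted(launch.items()))
                findings.append((rel, "autorun.inf launches: " + (desc or "nothing")))
    return sorted(findings)


def build_sample_drive():
    """Create a throwaway directory laid out like the infected stick (constructed)."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    for name in SUSPECT_DRIVERS | {"holiday.jpg"}:  # holiday.jpg is a benign decoy
        open(os.path.join(root, name), "wb").close()
    with open(os.path.join(root, AUTORUN_INF), "w") as fh:
        fh.write(SAMPLE_AUTORUN_INF)
    return root
```

Point `scan_drive()` at the mount point of a real stick to get the same list of flagged paths; a stick with no findings is not proof of cleanliness, only absence of these particular names.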

Belarusian anti-virus company VirusBlokAda was the first to spot the new malware in the wild.  It published an advisory earlier this month.  Warns VirusBlokAda researcher Sergey Ulasen, "So you just have to open infected USB storage device using [Windows] Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware."

The story gets stranger from here, though.  While one might expect the cleverly crafted malware to be involved in a pedestrian credit card number/personal information theft scheme, it appears to be something far more devious.  Security researcher Frank Boldewin closely examined the loaded malware and discovered it had a very specific target -- probing and infecting Siemens WinCC SCADA systems.

What are WinCC SCADA systems used for?  They are commonly used in large factories and power plants.  The malware's focus on them makes it clear that this effort is some sort of focused industrial espionage effort.  Only a few countries might have the savvy and interest to concoct this kind of organized effort -- among them China.

Of course this virus also targets pedestrian systems to reach its high profile targets.  And it seems only a matter of time before pedestrian attacks piggyback on the infection package or are released in a copycat scheme.

Microsoft did not respond to VirusBlokAda, or thank it for informing it about this potentially dangerous exploit.   However, Jerry Bryant, group manager of response communications at Microsoft, told security researcher Brian Krebs that his company was looking into it.  He states, "Microsoft is investigating new public claims of malware propagating via USB storage devices. When we have completed our investigations we will take appropriate action to protect users and the Internet ecosystem."

Microsoft just released a security advisory which includes registry edits that users can perform to safeguard their system.  The advisory says the exploit affects all currently supported versions of Windows and that Microsoft is working on a fix.


for i.e.?
By Lifted on 7/19/10, Rating: 0
RE: for i.e.?
By Snow01 on 7/19/2010 8:48:45 AM , Rating: 5
No, i.e. stands for id est. It translates to "that is..", where e.g. does translate to "for example". You are, however, correct to point out it's incorrect use here. If using either, you wouldn't actually state "for" before it, and e.g. would have been correct vs. i.e.

Like most of us, just learn to overlook these errors as they're pretty prevalent and not usually worth discussing, outside of broadening the collective's grammatical knowledge.

RE: for i.e.?
By Snow01 on 7/19/10, Rating: -1
RE: for i.e.?
By PrinceGaz on 7/20/2010 7:26:23 AM , Rating: 2
I think you should actually have used "it", as you are treating "id est" as a single object.

RE: for i.e.?
By Spivonious on 7/20/2010 8:06:08 AM , Rating: 2
Ha, I don't think he caught that one. There's another "it's" that should be "its".

RE: for i.e.?
By Spivonious on 7/19/10, Rating: 0
RE: for i.e.?
By DanNeely on 7/19/2010 9:23:37 AM , Rating: 2
The easier to remember backcronym sources for those abbreviations are "In Essence" and "Example Given".

RE: for i.e.?
By JasonMick on 7/19/2010 9:58:49 AM , Rating: 3
Jason meant "e.g." or "exempli grati".

I didn't mean anything.... it was a quote...

I thought it was a bit strange sounding too, but obviously English is likely *not* a first language for these researchers, so that's understandable.

RE: for i.e.?
By Spivonious on 7/19/2010 10:36:02 AM , Rating: 3
Apologies, I missed that it was a quote from the Russian anti-virus company.

RE: for i.e.?
By bobsmith1492 on 7/19/2010 11:59:12 AM , Rating: 2
I would think "Total Commander" (i.e. "Supreme Commander") would have tipped you off as well that this wasn't from an English-speaker!

RE: for i.e.?
By kreedaz on 7/19/2010 1:52:21 PM , Rating: 2
"Total Commander" was correct. It is a file management program, here is the link, ( .

Supreme Commander is of course a video game.

Before the flame wars begin...
By quiksilvr on 7/19/2010 8:24:22 AM , Rating: 5
All operating systems (yes, even Ubuntu) get viruses and malware and security breaches.

Before we get the Apple side saying "oh our operating system is awesome zomgroflcoptersbbq kthxbai", it's that kind of crap that makes you sound like a moron.

How about be open to the fact that all operating systems screw up?

It's like the whole antenna iPhone thing, it's not that it happened that makes people mad, it's how the company responded (and still responds) to it.

Let's keep it clean here, guys.

RE: Before the flame wars begin...
By SunAngel on 7/19/10, Rating: -1
RE: Before the flame wars begin...
By H8ff0000 on 7/19/2010 10:20:50 AM , Rating: 5
All those "hehe"s... I just had a Beavis & Butthead flashback.

By EricMartello on 7/20/2010 6:49:35 PM , Rating: 1
Huh-huh huh-huh shutup buttmunch. That chick had big boobs. Let's go score.

RE: Before the flame wars begin...
By superPC on 7/19/2010 11:52:57 AM , Rating: 4
and let's face it. an antivirus caught that exploit. if we don't use autorun and scan the USB with antivirus software before opening it we'll be all right.

of course some people can't be bothered to do that even if the USB came from some untrustworthy source. after they get the virus they blame microsoft. maybe those same people never lock their house when they're away. didn't someone say "Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town." bars won't do you any good if you don't lock the door. and only you can lock that door because you have the only key.

RE: Before the flame wars begin...
By w1z4rd on 7/20/2010 3:17:11 AM , Rating: 2
couldn't have said it better myself

Seen it before...
By Motoman on 7/19/2010 11:11:40 AM , Rating: 2
...back in the day, before the internet (inorite? like, forever ago) computer viruses spread only by floppy disk. Seemed like every college computer lab was a virtual petri dish.

So here we are again, doing it with USB drives. Have we learned nothing?

RE: Seen it before...
By Pirks on 7/19/10, Rating: -1
RE: Seen it before...
By Motoman on 7/19/2010 2:31:36 PM , Rating: 2
Neither has Apple, nor have you.

One quick Googling of "Apple usb virus" and this is the first hit - no need to look at others.

It's truly staggering how stupid you are. One would think you'd have managed to Darwin-Award yourself by now...

RE: Seen it before...
By eegake on 7/19/10, Rating: 0
RE: Seen it before...
By Motoman on 7/19/2010 6:33:24 PM , Rating: 2
Good for you. You kids have fun in your little hole there.

Such an attack vector doesn't necessarily require autorun. The infection can spread when you manually access an infected file, which is the way the old-school floppy viruses worked (since there never was an autorun-floppy feature).

RE: Seen it before...
By w1z4rd on 7/20/2010 3:24:32 AM , Rating: 2
autorun-floppy feature

the utter chaos and time this would've taken up!

RE: Seen it before...
By Pirks on 7/20/2010 11:02:24 AM , Rating: 1
The infection can spread when you manually access an infected file, which is the way the old-school floppy viruses worked
Haha, here The Mototroll falls again :))) You should know that in MS-DOS you actually had to RUN the file not just access it, in order to get a virus. You could RUN the boot sector also to get a boot sector virus. But you NEVER got a virus in MS-DOS by just ACCESSING a file.

Maybe I got a Darwin award, but your lies just proved that you're a total n00b, hence your award is just as n00by, I can take such an award from a little stupid n00by, no problem for me.

RE: Seen it before...
By Motoman on 7/20/2010 1:26:15 PM , Rating: 2
Uh, OK. How about non-executable files, dip$hit? You, files that you don't ever "run?" Say, a word processing document (WordStar, say, or early WordPerfect) or spreadsheet file (VisiCalc, Quattro, Lotus)? You don't run those files. But they could get infected with a virus, that would activate when you ACCESSED the file.

But you just go on there in your strange little world. For the rest of us, it's highly entertaining when you convince yourself that you've "won" some imaginary fight, when all you've done is re-affirmed what a total waste of space you are.

RE: Seen it before...
By Pirks on 7/21/2010 10:49:12 AM , Rating: 2
Motoidiot, did you know that macros contained in these Word/etc files should be RUN/EXECUTED by the Word/etc macro interpreter in order to get a virus? You can't just get them by ACCESSING a file. You can access it but if your Word chooses not to run the macros you won't get the virus. Is that clear, n00by? ;)

RE: Seen it before...
By Motoman on 7/21/2010 1:48:18 PM , Rating: 2
Yes - it's clear that you realized that you've just idioted yourself into a corner, and as always, are trying to declare victory even as you lay dying on the ground.

The very fact that you think you're making any kind of point is laughable. As is your existence. No, actually, I take that back. The fact that you exist isn't funny. It's quite depressing, actually.

RE: Seen it before...
By Pirks on 7/21/2010 3:39:10 PM , Rating: 2
blah blah, yada yada. lotsa angry words and no cool arguments. what happened to your brain, moto? lost it somewhere?

Windows Explorer
By Shadowmaster625 on 7/19/2010 1:26:56 PM , Rating: 2
How do you make windows explorer never autorun anything on a removable drive, but still be able to browse files on it?

RE: Windows Explorer
By Lazarus Dark on 7/19/2010 9:27:11 PM , Rating: 2
don't know where the setting is in Win7, but for XP, I use TweakXP and turn off autorun. Really, this should be off by default though, in fact it shouldn't exist, nothing should ever autorun.

I started turning off the autorun on everyone's pc after Sony Music started putting those rootkit viruses on their music CDs. I will NEVER forgive Sony for that.

RE: Windows Explorer
By UnauthorisedAccess on 7/20/2010 12:35:37 AM , Rating: 2
Use Linux?

</poor attempt at humor>
