

  (Source: CBS News)
Microsoft is working on a fix for the exploit

Microsoft has done a relatively good job building a secure operating system in the form of Windows 7 and patching the few flaws that have been discovered and widely published.  But like any OS it still has some gaping holes, and with Windows 7's growing market share, there are plenty of parties, both malicious and altruistic, poking around to find them.

The latest threat is a new strain of malware that takes advantage of Windows 7's handling of "autorun" or "autoplay" content on removable media.

The attack vector begins with an infected machine writing malware to an attached USB drive.  The malware program writes two driver files -- "mrxnet.sys" and "mrxcls.sys" -- to the attached drive.  These rootkit drivers are signed with a digital certificate, likely stolen, belonging to Realtek Semiconductor Corp.  The drivers provide "rootkit" functionality, disguising the malware that is subsequently written to the drive.

Once the stick is packed with the malware and the drivers that disguise it, the next infection begins when an unsuspecting user plugs it into another machine.  If the user follows the prompt and selects the "Autorun" option, or opts to open the drive in Windows Explorer, the stored malware will autorun, infecting the attached machine.

While autoplay/autorun is disabled by default on most Windows 7 installs, browsing to the root folder of a USB stick, or enabling autoplay on USB sticks can still trigger this attack.

Belarus anti-virus company VirusBlokAda was the first to spot the new malware in the wild.  It published an advisory earlier this month.  Warns VirusBlokAda researcher Sergey Ulasen, "So you just have to open infected USB storage device using [Windows] Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware."

The story gets stranger from here, though.  While one might expect the cleverly crafted malware to be involved in a pedestrian credit card number/personal information theft scheme, it appears to be something far more devious.  Security researcher Frank Boldewin closely examined the loaded malware and discovered it had a very specific target: probing and infecting Siemens WinCC SCADA systems.

What are WinCC SCADA systems used for?  They are commonly used in large factories and power plants.  The malware's focus on them makes it clear that this effort is some sort of focused industrial espionage effort.  Only a few countries might have the savvy and interest to concoct this kind of organized effort -- among them China.

Of course this virus also infects pedestrian systems on its way to its high-profile targets.  And it seems only a matter of time before pedestrian attacks piggyback on the infection package or are released in copycat schemes.

Microsoft did not respond to VirusBlokAda, or thank it for informing it about this potentially dangerous exploit.   However, Jerry Bryant, group manager of response communications at Microsoft, told security researcher Brian Krebs that his company was looking into it.  He states, "Microsoft is investigating new public claims of malware propagating via USB storage devices. When we have completed our investigations we will take appropriate action to protect users and the Internet ecosystem."

Microsoft just released a security advisory which includes registry edits that users can perform to safeguard their system.  The advisory says the exploit affects all currently supported versions of Windows and that it's working on a fix.
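The article does not reproduce the advisory's registry edits, so as an added example (not the article's or Microsoft's own code) here is a defender-side PowerShell script that turns off AutoRun for every drive type through the well-known NoDriveTypeAutoRun policy value, then hunts removable drives for the two driver file names the article names and reports who signed them. It assumes it is run elevated on Windows with PowerShell 2.0 or later.

```powershell
# Added example, not from the article or the Microsoft advisory.
# Assumes an elevated PowerShell 2.0+ session on Windows.

$policyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$suspectNames = @('mrxnet.sys', 'mrxcls.sys')   # driver file names from the article

function Disable-AutoRun {
    # 0xFF disables AutoRun on all drive types (removable, fixed, network, CD-ROM, RAM).
    # Browsing the stick in Explorer is still possible, so this is one layer only.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    (Get-ItemProperty -Path $policyKey).NoDriveTypeAutoRun   # returns 255 when applied
}

function Get-RemovableDriveRoots {
    # DriveType 2 = removable media (USB sticks); each DeviceID becomes e.g. "E:\".
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2' |
        ForEach-Object { $_.DeviceID + '\' }
}

function Find-SuspectDrivers {
    param([string[]]$Roots = (Get-RemovableDriveRoots))
    foreach ($root in $Roots) {
        # The drivers are dropped on the stick next to the malware, so search the
        # whole drive, including hidden files.
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $suspectNames -contains $_.Name.ToLower() } |
            ForEach-Object {
                $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer = ''
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
                New-Object PSObject -Property @{
                    Path   = $_.FullName
                    Status = $sig.Status      # Valid / NotSigned / HashMismatch / ...
                    Signer = $signer          # a Realtek subject here is a red flag, not a pass
                }
            }
    }
}

Disable-AutoRun | Out-Null
$hits = @(Find-SuspectDrivers)
if ($hits.Count -eq 0) {
    Write-Output 'No suspect driver files found on removable drives.'
} else {
    $hits | Format-Table Path, Status, Signer -AutoSize
    Write-Warning 'Isolate the drive: a valid signature does not make these files legitimate.'
}
```

A "Valid" status with a Realtek subject is exactly the case the article describes, so treat it as an indicator rather than as proof the file is benign.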




RE: Seen it before...
By eegake on 7/19/2010 5:56:56 PM , Rating: 0
Early in the century when we still used Microsoft Windows, disabling autorun was a standard part of stripping undesirable/insecure crap from Windows.

The better long term solution was to disable the use of Windows completely. At our site it only lives on in a couple of XP VM installations supporting 2 or 3 legacy applications.


RE: Seen it before...
By Motoman on 7/19/2010 6:33:24 PM , Rating: 2
Good for you. You kids have fun in your little hole there.

Such an attack vector doesn't necessarily require autorun. The infection can spread when you manually access an infected file, which is the way the old-school floppy viruses worked (since there never was an autorun-floppy feature).


RE: Seen it before...
By w1z4rd on 7/20/2010 3:24:32 AM , Rating: 2
quote:
autorun-floppy feature

the utter chaos and time this would've taken up!


RE: Seen it before...
By Pirks on 7/20/2010 11:02:24 AM , Rating: 1
quote:
The infection can spread when you manually access an infected file, which is the way the old-school floppy viruses worked
Haha, here The Mototroll falls again :))) You should know that in MS-DOS you actually had to RUN the file not just access it, in order to get a virus. You could RUN the boot sector also to get a boot sector virus. But you NEVER got a virus in MS-DOS by just ACCESSING a file.

Maybe I got a Darwin award, but your lies just proved that you're a total n00b, hence your award is just as n00by, I can take such an award from a little stupid n00by, no problem for me.


RE: Seen it before...
By Motoman on 7/20/2010 1:26:15 PM , Rating: 2
Uh, OK. How about non-executable files, dip$hit? You know...like, files that you don't ever "run?" Say, a word processing document (WordStar, say, or early WordPerfect) or spreadsheet file (VisiCalc, Quattro, Lotus)? You don't run those files. But they could get infected with a virus, that would activate when you ACCESSED the file.

But you just go on there in your strange little world. For the rest of us, it's highly entertaining when you convince yourself that you've "won" some imaginary fight, when all you've done is re-affirmed what a total waste of space you are.


RE: Seen it before...
By Pirks on 7/21/2010 10:49:12 AM , Rating: 2
Motoidiot, did you know that macros contained in these Word/etc files should be RUN/EXECUTED by the Word/etc macro interpreter in order to get a virus? You can't just get them by ACCESSING a file. You can access it but if your Word chooses not to run the macros you won't get the virus. Is that clear, n00by? ;)


RE: Seen it before...
By Motoman on 7/21/2010 1:48:18 PM , Rating: 2
Yes - it's clear that you realized that you've just idioted yourself into a corner, and as always, are trying to declare victory even as you lay dying on the ground.

The very fact that you think you're making any kind of point is laughable. As is your existence. No, actually, I take that back. The fact that you exist isn't funny. It's quite depressing, actually.


RE: Seen it before...
By Pirks on 7/21/2010 3:39:10 PM , Rating: 2
blah blah, yada yada. lotsa angry words and no cool arguments. what happened to your brain, moto? lost it somewhere?


Copyright 2014 DailyTech LLC.