Microsoft has done a relatively good job building a secure operating system in the form of Windows 7 and patching the few flaws that have been discovered and widely published.  But like any OS there are still some gaping holes, and with Windows 7's growing market share, there's plenty of parties both malicious and altruistic to poke around and find those holes.

The latest threat is a new strain of malware that takes advantage of Windows 7's allowance of "autorun" or "autoplay" files.  

The attack vector begins with an infected machine writing malware to an attached USB drive.  The malware program writes two driver files -- "mrxnet.sys" and "mrxcls.sys" – to the attached drive.  These rootkit files are using a likely stolen digital signature of Realtek Semiconductor Corp.  The drivers serve "rootkit" functionality, disguising malware that is subsequently written to the drive.

Packed with malware and drivers that disguise it, the next infection will be initiated when the unsuspecting user plugs in their USB stick into another machine.  If the user follows the prompt and selects the "Autorun" option or opts to open the drive in Windows Explorer, the stored malware will autorun, infecting the attached machine.

While autoplay/autorun is disabled by default on most Windows 7 installs, browsing to the root folder of a USB stick, or enabling autoplay on USB sticks can still trigger this attack.

Belarus anti-virus company VirusBlokAda was the first to spot the new malware in the wild.  It published an advisory earlier this month.  Warns VirusBlokAda researcher Sergey Ulasen, "So you just have to open infected USB storage device using [Windows] Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware."

The story gets stranger from here, though.  While one might expect the cleverly crafted malware to be involved in a pedestrian credit card number/personal information theft scheme, it appears to be something far more devious.  Security researcher Frank Boldewin closely examined the loaded malware and discovered they had a very specific target -- trying to probe and infect Siemens WinCC SCADA systems.

What are WinCC SCADA systems used for?  They are commonly used in large factories and power plants.  The malware's focus on them makes it clear that this effort is some sort of focused industrial espionage effort.  Only a few countries might have the savvy and interest to concoct this kind of organized effort -- among them China.

Of course this virus also targets pedestrian systems to reach its high profile targets.  And it seems only a matter of time before pedestrian attacks piggyback on the infection package or are released in copycat scheme.

Microsoft did not respond to VirusBlokAda, or thank it for informing it about this potentially dangerous exploit.   However, Jerry Bryant, group manager of response communications at Microsoft, told security researcher Brian Krebs that his company was looking into it.  He states, "Microsoft is investigating new public claims of malware propagating via USB storage devices. When we have completed our investigations we will take appropriate action to protect users and the Internet ecosystem."

Microsoft just released a security advisory which includes registry edits that users can perform to safeguard their system.  The advisory says the exploit affects all currently supported versions of Windows and that it's working on a fix.