Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Highly Dangerous Zero-day Windows Trojan Targets Espionage
08-03-2010, 05:42 PM,
#1
Exclamation  Highly Dangerous Zero-day Windows Trojan Targets Espionage
Highly Dangerous Zero-day Windows Trojan Targets Espionage
By Ms. Smith
Created Jul 19 2010 - 12:29pm

[1]There is a new vicious rootkit-level malware infection targeting critical infrastructure and aimed at corporate or government espionage. It often enters the enterprise through USB sticks. Finnish security company F-Secure advised [2] that the current malware is very dangerous and poses, "a risk of virus epidemic at the current moment." F-Secure further warns [3] that this is an espionage attack using LNK (*.LNK) shortcut files. All Windows operating systems are vulnerable, even Windows 7, though F-Secure says it has added detection modules for these rootkits to its own anti-malware products. Problem is, once it added the detection module, it started discovering infections all over the world, and the hole that the virus exploits remains unfixed. Because this is a rootkit infection, the virus bypasses security mechanisms [4]. From regular Joes to enterprises, this spy rootkit is in the wild and spreading infection.

Like hackers sniffing out sweets and set loose in a candy store, the very dangerous threat may prove too juicy of a target not to be widely exploited. The data stealing malware in the wild is meant to infiltrate systems, weaponized software aimed at critical infrastructure systems, perhaps with the magnitude of destruction that security researchers have warned is coming for years.

VirusBlokAda [2], an anti-virus company based in Belarus, discovered the malicious software that piggybacks on USB storage devices and exploits the way Windows processes shortcut files. Although it’s mainly being distributed by USB drives, it can also be transferred over shared networks when a user browses affected shortcuts in removable media or WebDAV share. It doesn't require administrative privilege to run. In an enterprise environment, users often execute files from network shares as standard operations and many organizations rely on SharePoint.

Sophos senior technology consultant Graham Cluley said [5], "This waltzes around autorun disable. Simply viewing the icon will run the malware." Windows Explorer executes the malicious file, a rootkit and a dropper, even if the location of the shortcut is simply browsed to, allowing the process to execute as if retrieving an icon. The malware hides itself immediately after the system has been infected by using drivers digitally signed by Realtek Semiconductor Corporation.

Microsoft released a security advisory [6], publicly addressing this Windows Shell vulnerability. It's a serious enough threat that Microsoft urges [7] anyone who believes to have been affected "to contact the national law enforcement agency in their country." Microsoft Malware Protection Center wrote [8], "Specifically, it takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system. In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction. We anticipate other malware authors taking advantage of this technique."

Microsoft has offered suggested workarounds. Though some security experts believe that the workarounds, which require disabling certain services [9], may cause an enterprise a lot of trouble, particularly for SharePoint users.

Independent researcher Frank Boldewin discovered that the malware targets SCADA control systems used to control industrial machinery in power plants and factories, and specifically Siemens WinCC SCADA systems. Boldewin wrote [10], "Looks like this malware was made for espionage."

Why would someone want to infiltrate a SCADA system? According to Wesley McGrew [11], "There may be money in it. Maybe you take over a SCADA system and you hold it hostage for money."

According to Krebs on Security [12], Jerry Bryant, a group manager of response communications at Microsoft stated that "When we have completed our investigations we will take appropriate action to protect users and the Internet ecosystem."

Although right now the attacks seem targeted, the attempt to infect new machines has increased. MMPC blogged [8], "In addition to these attack attempts, about 13% of the detections we’ve witnessed appear to be email exchange or downloads of sample files from hacker sites. Some of these detections have been picked up in packages that supposedly contain game cheats (judging by the name of the file)."

While security researchers are making educated guesses that this trojan was made for espionage, worms that use USB propagation vector may be best suited to attack isolated or air-gapped systems. If you recall, the DoD found this out [13] in late 2008 before banning thumb drives, CDs, flash media cards, and all other removable data storage devices to prevent a worm assault from spreading any further in its network.

Although NSA spokeswoman Judith Emmel, denied [14] there is any monitoring activities on utility companies [15] and called on the public to trust the NSA’s adherence to the law, will this new vicious malware aimed at utilities and factories and power plants issue broader allowances for NSA's Perfect Citizen?

MMPC writes [8], "We have multiple signatures that detect this threat for customers using Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform. In addition to using antimalware technology, MSRC has released an advisory [6] with work-around details."

Source URL: http://www.networkworld.com/community/blog/will-cyber-espionage-attacks-trigger-nsas-per

Links:
[1] http://img11.nnm.ru/7/1/c/4/c/0c3ae61973a0432c49498e86b30_prev.jpg
[2] http://www.f-secure.com/weblog/archives/new_rootkit_en.pdf
[3] http://www.f-secure.com/weblog/archives/00001986.html
[4] http://www.sophos.com/blogs/chetw/g/2010/07/16/windows-day-attack-works-windows-systems/
[5] http://www.zdnet.co.uk/news/security/2010/07/16/spy-rootkit-goes-after-key-indian-iranian-systems-40089564/
[6] http://www.microsoft.com/technet/security/advisory/2286198.mspx
[7] http://blogs.technet.com/b/msrc/archive/2010/07/16/security-advisory-2286198-released.aspx
[8] http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx
[9] http://www.networkworld.com/news/2010/071910-windows-shortcut-attack-code-goes.html
[10] http://www.wilderssecurity.com/showpost.php?p=1712134&postcount=22
[11] http://www.networkworld.com/news/2010/071710-new-virus-targets-industrial.html
[12] http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/
[13] http://www.networkworld.com/news/2008/112108-dod-worm.html
[14] http://online.wsj.com/article/SB10001424052748704545004575352983850463108.html
[15] http://www.wired.com/threatlevel/2010/07/nsa-perfect-citizen-denial/
[16] http://www.networkworld.com/community/print/63863?page=1
[Image: conspiracy_theory.jpg]
Reply
08-03-2010, 06:48 PM,
#2
RE: Highly Dangerous Zero-day Windows Trojan Targets Espionage
hummm I heard like a year or 2 ago of the gov thinking of a plan with or with out utility cooperation of having the power to shut down all sub systems @ once via remote, so if/ when the sun flares up it will be known sooner by gov then anyone else and the systems can be shut down and powered off so they may be savable from the damage of a solar flare. It was advised as one of 3 emergency plans. THis virus may be the way they plan to go about assuming that control to shut everything down with a button.


Or it could be foreign, the NWO is not the only bad guy out there maybe china thinks if America were to welsh on it's debt or attack, then they should be shut down....

curious though this appears to be a windows problem, any info if it affects apple 's system or LInux?
Remember Knowledge is the only thing THEY can't take from you, and Knowledge is Know how, and Know how is Power!!!

Live long and Prosper!!!! Have a plan beyond words, and worry not of why the storm is coming as to how you're going to survive in it!!!!

Deathanyl @gmail!!!!!!
Reply
08-03-2010, 07:00 PM,
#3
RE: Highly Dangerous Zero-day Windows Trojan Targets Espionage
linux's kernel isn't vulnerable to most rootkits, unless they're specifically designed for linux. It doesn't have a registry, so-to-speak. Apple's probably pretty safe too.
[Image: conspiracy_theory.jpg]
Reply


Possibly Related Threads...
Thread Author Replies Views Last Post
  Installing DNSCrypt on Windows 4cc 2 1,230 04-11-2014, 05:30 PM
Last Post: 4cc
  Microsoft says Windows 8 is a Failure! shortwave 14 2,565 05-15-2013, 09:56 PM
Last Post: ComradeRed
  Clover: Windows Explorer with Tabs (freeware) thokling 0 642 04-08-2013, 03:50 PM
Last Post: thokling
  How NSA access was built into Windows BlackFerdy 2 1,043 11-29-2012, 06:38 PM
Last Post: fujiinn
  Linux users targeted by password-stealing 'Wirenet' Trojan Easy Skanking 1 833 09-02-2012, 09:22 AM
Last Post: h3rm35
  Trojan nicks blueprints as Win Update data, backdoors gov-targeted kit w/Adobe 0-days h3rm35 2 758 02-03-2012, 01:47 AM
Last Post: h3rm35
  Android Trojan captures credit card details (Spoken or typed) drummer 0 888 02-01-2011, 10:47 PM
Last Post: drummer
  New Critical Bug In All Current Windows Versions pax681 2 1,469 01-30-2011, 09:30 AM
Last Post: pax681
  Iconoclast icon stuck in windows media player Orwell63 5 2,897 11-29-2010, 05:32 PM
Last Post: yeti
  Windows CE-based ATM's can easily be made to dole out $, security researcher says h3rm35 2 1,896 09-08-2010, 05:09 AM
Last Post: icosaface

Forum Jump:


Users browsing this thread: 1 Guest(s)