Experts at IT security and data protection firm Sophos are warning computer users of a rootkit that can install itself automatically from a USB memory stick onto a fully-patched PC, even if the user has disabled the Windows AutoRun and AutoPlay feature.
The W32/Stuxnet-B rootkit exploits a vulnerability in the way Windows handles .LNK shortcut files that allows them to execute automatically as soon as the USB stick is browsed in Windows Explorer. Once the rootkit is in place it effectively enters "stealth mode", cloaking its presence on the infected PC.
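Because the infection is triggered by Explorer rendering the shortcuts on the stick, a defender wants to know what every .LNK on a removable volume references before that volume is browsed on a Windows host. The script below is an added example written for this page, not Sophos code and not taken from the SophosLabs blog: it parses the MS-SHLLINK header and StringData fields of each shortcut, and flags for review any shortcut whose paths point back into the removable volume itself. That "review" heuristic and the `build_lnk` sample builder are assumptions of this example (used only to construct test data), not indicators published by Sophos.

```python
"""Inventory and triage of .LNK (Shell Link) files on a removable volume.

Added example, not Sophos code. Parses the ShellLinkHeader and StringData
sections defined in MS-SHLLINK so an analyst can see what each shortcut
references before Windows Explorer renders the volume. The 'review'
heuristic below is an assumption of this example, not a published IoC.
"""
import struct
from pathlib import Path

# CLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
SHLLINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags and decoded StringData fields of a Shell Link blob."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != SHLLINK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the variable-size IDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                    # skip the LinkInfo structure
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size
    fields = {}
    for name, bit in STRING_FIELDS:
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters
            pos += 2
            if flags & IS_UNICODE:
                fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                fields[name] = data[pos:pos + count].decode("cp1252")
                pos += count
    return {"flags": flags, **fields}


def triage(entry: dict, volume_root: str) -> list:
    """Heuristic (assumption): list the fields that point back into the volume."""
    root = volume_root.rstrip("\\").lower()
    hits = []
    for key in ("relative_path", "working_dir", "arguments", "icon_location"):
        value = entry.get(key, "")
        if value.lower().startswith(root) or value.startswith((".\\", "..\\")):
            hits.append(key)
    return hits


def scan_volume(volume_root: str) -> list:
    """Walk a mounted volume and return (path, parsed entry, review hits) tuples."""
    results = []
    for path in Path(volume_root).rglob("*.lnk"):
        try:
            entry = parse_lnk(path.read_bytes())
        except ValueError as err:
            results.append((str(path), None, [str(err)]))
            continue
        results.append((str(path), entry, triage(entry, volume_root)))
    return results


def build_lnk(fields: dict, unicode: bool = True) -> bytes:
    """Constructed test-data builder: minimal header plus StringData only."""
    flags = IS_UNICODE if unicode else 0
    body = b""
    for name, bit in STRING_FIELDS:
        if name in fields:
            flags |= bit
            text = fields[name]
            body += struct.pack("<H", len(text))
            body += text.encode("utf-16-le") if unicode else text.encode("cp1252")
    header = struct.pack("<I16sI", HEADER_SIZE, SHLLINK_CLSID, flags)
    return header + b"\x00" * (HEADER_SIZE - len(header)) + body


if __name__ == "__main__":
    # Constructed samples: a shortcut to a host binary and one into the stick.
    for blob in (build_lnk({"name": "Calculator",
                            "relative_path": "C:\\Windows\\System32\\calc.exe"}),
                 build_lnk({"relative_path": ".\\files\\tool.exe"})):
        parsed = parse_lnk(blob)
        print(parsed, "review:", triage(parsed, "E:\\"))
```

Run it against a mounted stick with `scan_volume("E:\\")` (or the mount point on Linux, where the volume can be read without Explorer ever rendering it); anything returned with a non-empty hit list, or with a parse error, deserves a look before the stick is used on a Windows machine.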
"Threats such as the infamous Conficker worm have spread very successfully via USB devices in the past, but were in part reduced by disabling AutoPlay. The risk is that more malware will take advantage of the zero-day exploit used by the Stuxnet rootkit, taking things to a whole new level," explained Graham Cluley, senior technology consultant at Sophos. "The exploit is still being analysed by the security community, but there are disturbing suggestions that the malware could be trying to access data specific to Siemens SCADA systems - software that controls national critical infrastructure."
Curiously, the suspicious driver files carry the digital signature of Realtek Semiconductor Corp, a major supplier of computer equipment.
"It's important not to overreact to this threat, as the exploit has only recently been discovered and the security community has not yet established the extent of the risk to SCADA systems," continued Cluley. "But the fact that SCADA systems are involved at all does mean that everyone will be examining the attack closely. Eyes will also be turned to Microsoft to see how they will respond to what appears to be another unpatched vulnerability in their code that is being exploited by hackers."
Sophos detects the malicious files involved in the attack as W32/Stuxnet-B.
For more information and a full description of how the attack works, please visit Chet Wisniewski's blog.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.