Zero-Day vulnerability allows USB malware to run automatically, Sophos reports

July 16, 2010 Sophos Press Release

Experts at IT security and data protection firm Sophos are warning computer users of a rootkit that can install itself automatically from a USB memory stick onto a fully patched PC, even if the user has disabled the Windows AutoRun and AutoPlay features.

The W32/Stuxnet-B rootkit exploits a vulnerability in the way Windows handles .LNK shortcut files: the malicious code is loaded when Windows Explorer renders the shortcut's icon, so merely opening the USB stick in an Explorer window is enough. The user never has to click anything, and disabling AutoRun does not help because AutoRun is never involved. Once the rootkit is in place it effectively enters "stealth mode", cloaking its presence on the infected PC.
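As an added illustration (this is not Sophos' tooling and does not reproduce the internals of the Stuxnet shortcuts), the script below parses the Shell Link header and LinkTargetIDList of .LNK files on a removable drive and flags shortcuts whose embedded target names a loadable module stored on the stick itself, which is what a USB-borne payload that needs no AutoRun looks like. The byte layout follows Microsoft's published MS-SHLLINK format; the extension list, the same-drive rule, the `build_lnk` helper and the two sample shortcuts are assumptions constructed for this example.

```python
"""Triage .LNK files for shortcuts that point at code on the same removable drive.

Added example, not Sophos' code. Header and LinkTargetIDList layout per MS-SHLLINK;
the "loadable module on the same drive" rule is a heuristic chosen here.
"""
import os
import re
import struct

SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_LINK_TARGET_IDLIST = 0x00000001  # LinkFlags bit 0
HEADER_SIZE = 0x4C
LOADABLE_MODULES = (".dll", ".cpl", ".exe", ".ocx")  # assumed watch-list for this example


def parse_shell_link(data: bytes):
    """Return (link_flags, [ItemID payloads]) from raw .LNK bytes; ValueError if malformed."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a Shell Link header")
    if struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    items = []
    off = HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_IDLIST:
        idlist_size = struct.unpack_from("<H", data, off)[0]
        off += 2
        end = min(off + idlist_size, len(data))
        while off + 2 <= end:
            item_size = struct.unpack_from("<H", data, off)[0]  # size includes its own 2 bytes
            if item_size == 0:  # TerminalID closes the list
                break
            if item_size < 2 or off + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(data[off + 2:off + item_size])
            off += item_size
    return link_flags, items


def embedded_strings(blob: bytes):
    """Printable ASCII and UTF-16LE runs of at least 4 characters inside an ItemID."""
    found = [m.group().decode("ascii") for m in re.finditer(rb"[ -~]{4,}", blob)]
    found += [m.group().decode("utf-16-le")
              for m in re.finditer(rb"(?:[ -~]\x00){4,}", blob)]
    return found


def triage(data: bytes, drive_letter: str):
    """Strings in the shortcut's IDList that name a loadable module on drive_letter."""
    _, items = parse_shell_link(data)
    prefix = drive_letter.lower() + ":\\"
    hits = []
    for item in items:
        for s in embedded_strings(item):
            if s.lower().startswith(prefix) and s.lower().endswith(LOADABLE_MODULES):
                hits.append(s)
    return hits


def scan_removable(root: str, drive_letter: str):
    """Walk a mounted stick and return {path: suspicious targets} for flagged shortcuts."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    hits = triage(fh.read(), drive_letter)
            except (OSError, ValueError):
                continue  # unreadable or not a real Shell Link: skip, do not crash the scan
            if hits:
                report[path] = hits
    return report


def build_lnk(item_blobs, with_idlist=True):
    """Assemble a minimal Shell Link (header + LinkTargetIDList). Constructed for this example."""
    flags = HAS_LINK_TARGET_IDLIST if with_idlist else 0
    header = struct.pack("<I", HEADER_SIZE) + SHELL_LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, etc. zeroed
    if not with_idlist:
        return header
    idlist = b"".join(struct.pack("<H", len(b) + 2) + b for b in item_blobs) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist


# Constructed samples (not real malware): a document shortcut and one whose
# ItemIDList names a DLL stored on the stick itself (drive E:).
BENIGN_LNK = build_lnk([b"\x2f" + "E:\\".encode("utf-16-le"),
                        b"\x32" + "Docs\\readme.txt".encode("utf-16-le")])
SUSPICIOUS_LNK = build_lnk([b"\x2f" + "E:\\".encode("utf-16-le"),
                            b"\x32" + "E:\\loader.dll".encode("utf-16-le")])

if __name__ == "__main__":
    print("benign    ->", triage(BENIGN_LNK, "E"))
    print("suspicious->", triage(SUSPICIOUS_LNK, "E"))
```

The script only says that a shortcut on removable media refers to a module on the same media; it cannot tell whether Explorer would actually load that module while drawing the icon, so treat a hit as a reason to pull the stick for analysis, not as a verdict. Shortcuts with an unreadable or truncated IDList are reported as errors rather than silently passed, because a deliberately malformed shortcut is itself worth a look.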


"Threats such as the infamous Conficker worm have spread very successfully via USB devices in the past, but were in part reduced by disabling AutoPlay. The risk is that more malware will take advantage of the zero-day exploit used by the Stuxnet rootkit, taking things to a whole new level," explained Graham Cluley, senior technology consultant at Sophos. "The exploit is still being analysed by the security community, but there are disturbing suggestions that the malware could be trying to access data specific to Siemens SCADA systems - software that controls national critical infrastructure."

Curiously, the suspicious driver files carry a digital signature issued to Realtek Semiconductor Corp, a major supplier of computer hardware components. A signature from a legitimate vendor only shows who held the signing key; it is not evidence that the code is benign, so a driver-signing check alone would not have stopped these files from loading.

"It's important not to overreact to this threat, as the exploit has only recently been discovered and the security community has not yet established the extent of the risk to SCADA systems," continued Cluley. "But the fact that SCADA systems are involved at all does mean that everyone will be examining the attack closely. Eyes will also be turned to Microsoft to see how they will respond to what appears to be another unpatched vulnerability in their code that is being exploited by hackers."

Sophos detects the malicious files involved in the attack as W32/Stuxnet-B.

For more information and a full description of how the attack works, please visit Chet Wisniewski's blog.