Attacks/Breaches
7/19/2010
05:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

SANS Raises Infocon Alert To Yellow In Light Of New Windows 'Shortcut' Attack Threat

Security experts closely monitoring spread of new zero-day threat

A zero-day flaw being used in targeted attacks against organizations worldwide -- most notably on SCADA systems -- has security experts worried that the threat could spread further. Concerns about additional attacks using the so-called "LNK" vulnerability in Windows machines via USB devices and fileshares prompted the SANS Internet Storm Center today to raise its Infocon alert level to "yellow," up from "green," or normal, status.

SANS made the call to go Code Yellow to help raise awareness of the vulnerability, which Microsoft officially revealed on Friday after security researchers in Belarus reported finding new malware samples that could infect a Windows 7 machine via an infected USB drive. "We decided to raise the Infocon level to Yellow to increase awareness of the recent LNK vulnerability and to help preempt a major issue resulting from its exploitation," blogged SANS ISC handler and security consultant Lenny Zeltser today. "Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit have not been very effective so far."

The number of machines hit so far is only in the tens of thousands, according to some estimates, but many security experts worry that could change fast.

"This is not something to just shrug off," says Paul Henry, security and forensics analyst for Lumension Security. Henry says the biggest targets for the attack are Microsoft XP SP2 machines, which the software giant stopped patching as of this month.

"You've got a large user base that can't move off of XP SP2, and that creates a perfect situation for the bad guys," Henry says, noting many SCADA apps only run on XP. "Now they've got a wide, open field where they can create malware, with no fear that Microsoft will create a patch for it."

Microsoft late Friday issued a security advisory that points to a flaw in Windows Shell, which was being used along with a family of malware called Stuxnet. Dave Forstrom, Microsoft's director of marketing communications for integrated communications & response, says Microsoft had only seen "limited, targeted attacks" thus far, and that the attacks were most likely to occur via removable USB drives.

While Microsoft as of that posting had spotted most of the attacks in Iran and Indonesia, researchers at ESET today report that the Stuxnet worm going after the LNK flaw is mostly hitting the U.S. now, with 58 percent of all infections, 30 percent in Iran, and more than 4 percent in Russia. "This particular attack targets the industrial supervisory software SCADA. In short, this is an example of malware-aided industrial espionage. The question is why the chart of affected nations looks as it does," says Juraj Malcho, head of ESET's Virus Lab, based in Bratislava, Slovakia.

ESET expects other malware to exploit the Windows vulnerability, which has to do with how it processes LNK files.

SANS' yellow alert indicates it's tracking a significant, new threat, and that users should take "immediate specific action" to contain any impact the threat could unleash.

While USB-born malware is nothing new, what makes this attack unique is that even if Windows Autoplay and Autorun are disabled, the Stuxnet worm can still automatically infect a USB drive. The exploit can also spread via SMB fileshares, posing the possibility of further internal infections within a targeted organization, experts say.

A few workarounds are available to defend against the threat. Microsoft suggests disabling icon shortcuts as well as the WebClient service, for instance. SANS suggests disabling autorun for USB contents and locking down SMB shares internally such that it limits who is able to write to the shares. SANS' Zeltser also points to a free tool called Ariad, which is in beta.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.