Attacks/Breaches
7/19/2010
05:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

SANS Raises Infocon Alert To Yellow In Light Of New Windows 'Shortcut' Attack Threat

Security experts closely monitoring spread of new zero-day threat

A zero-day flaw being used in targeted attacks against organizations worldwide -- most notably on SCADA systems -- has security experts worried that the threat could spread further. Concerns about additional attacks using the so-called "LNK" vulnerability in Windows machines via USB devices and fileshares prompted the SANS Internet Storm Center today to raise its Infocon alert level to "yellow," up from "green," or normal, status.

SANS made the call to go Code Yellow to help raise awareness of the vulnerability, which Microsoft officially revealed on Friday after security researchers in Belarus reported finding new malware samples that could infect a Windows 7 machine via an infected USB drive. "We decided to raise the Infocon level to Yellow to increase awareness of the recent LNK vulnerability and to help preempt a major issue resulting from its exploitation," blogged SANS ISC handler and security consultant Lenny Zeltser today. "Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit have not been very effective so far."

The number of machines hit so far is only in the tens of thousands, according to some estimates, but many security experts worry that could change fast.

"This is not something to just shrug off," says Paul Henry, security and forensics analyst for Lumension Security. Henry says the biggest targets for the attack are Microsoft XP SP2 machines, which the software giant stopped patching as of this month.

"You've got a large user base that can't move off of XP SP2, and that creates a perfect situation for the bad guys," Henry says, noting many SCADA apps only run on XP. "Now they've got a wide, open field where they can create malware, with no fear that Microsoft will create a patch for it."

Microsoft late Friday issued a security advisory that points to a flaw in Windows Shell, which was being used along with a family of malware called Stuxnet. Dave Forstrom, Microsoft's director of marketing communications for integrated communications & response, says Microsoft had only seen "limited, targeted attacks" thus far, and that the attacks were most likely to occur via removable USB drives.

While Microsoft as of that posting had spotted most of the attacks in Iran and Indonesia, researchers at ESET today report that the Stuxnet worm going after the LNK flaw is mostly hitting the U.S. now, with 58 percent of all infections, 30 percent in Iran, and more than 4 percent in Russia. "This particular attack targets the industrial supervisory software SCADA. In short, this is an example of malware-aided industrial espionage. The question is why the chart of affected nations looks as it does," says Juraj Malcho, head of ESET's Virus Lab, based in Bratislava, Slovakia.

ESET expects other malware to exploit the Windows vulnerability, which has to do with how it processes LNK files.

SANS' yellow alert indicates it's tracking a significant, new threat, and that users should take "immediate specific action" to contain any impact the threat could unleash.

While USB-born malware is nothing new, what makes this attack unique is that even if Windows Autoplay and Autorun are disabled, the Stuxnet worm can still automatically infect a USB drive. The exploit can also spread via SMB fileshares, posing the possibility of further internal infections within a targeted organization, experts say.

A few workarounds are available to defend against the threat. Microsoft suggests disabling icon shortcuts as well as the WebClient service, for instance. SANS suggests disabling autorun for USB contents and locking down SMB shares internally such that it limits who is able to write to the shares. SANS' Zeltser also points to a free tool called Ariad, which is in beta.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8802
Published: 2015-01-23
The Pie Register plugin before 2.0.14 for WordPress does not properly restrict access to certain functions in pie-register.php, which allows remote attackers to (1) add a user by uploading a crafted CSV file or (2) activate a user account via a verifyit action.

CVE-2014-9623
Published: 2015-01-23
OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quote and cause a denial of service (disk consumption) by deleting an image in the saving state.

CVE-2014-9638
Published: 2015-01-23
oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero.

CVE-2014-9639
Published: 2015-01-23
Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access.

CVE-2014-9640
Published: 2015-01-23
oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.