Attacks/Breaches
7/19/2010
05:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

SANS Raises Infocon Alert To Yellow In Light Of New Windows 'Shortcut' Attack Threat

Security experts closely monitoring spread of new zero-day threat

A zero-day flaw being used in targeted attacks against organizations worldwide -- most notably on SCADA systems -- has security experts worried that the threat could spread further. Concerns about additional attacks using the so-called "LNK" vulnerability in Windows machines via USB devices and fileshares prompted the SANS Internet Storm Center today to raise its Infocon alert level to "yellow," up from "green," or normal, status.

SANS made the call to go Code Yellow to help raise awareness of the vulnerability, which Microsoft officially revealed on Friday after security researchers in Belarus reported finding new malware samples that could infect a Windows 7 machine via an infected USB drive. "We decided to raise the Infocon level to Yellow to increase awareness of the recent LNK vulnerability and to help preempt a major issue resulting from its exploitation," blogged SANS ISC handler and security consultant Lenny Zeltser today. "Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit have not been very effective so far."

The number of machines hit so far is only in the tens of thousands, according to some estimates, but many security experts worry that could change fast.

"This is not something to just shrug off," says Paul Henry, security and forensics analyst for Lumension Security. Henry says the biggest targets for the attack are Microsoft XP SP2 machines, which the software giant stopped patching as of this month.

"You've got a large user base that can't move off of XP SP2, and that creates a perfect situation for the bad guys," Henry says, noting many SCADA apps only run on XP. "Now they've got a wide, open field where they can create malware, with no fear that Microsoft will create a patch for it."

Microsoft late Friday issued a security advisory that points to a flaw in Windows Shell, which was being used along with a family of malware called Stuxnet. Dave Forstrom, Microsoft's director of marketing communications for integrated communications & response, says Microsoft had only seen "limited, targeted attacks" thus far, and that the attacks were most likely to occur via removable USB drives.

While Microsoft as of that posting had spotted most of the attacks in Iran and Indonesia, researchers at ESET today report that the Stuxnet worm going after the LNK flaw is mostly hitting the U.S. now, with 58 percent of all infections, 30 percent in Iran, and more than 4 percent in Russia. "This particular attack targets the industrial supervisory software SCADA. In short, this is an example of malware-aided industrial espionage. The question is why the chart of affected nations looks as it does," says Juraj Malcho, head of ESET's Virus Lab, based in Bratislava, Slovakia.

ESET expects other malware to exploit the Windows vulnerability, which has to do with how it processes LNK files.

SANS' yellow alert indicates it's tracking a significant, new threat, and that users should take "immediate specific action" to contain any impact the threat could unleash.

While USB-born malware is nothing new, what makes this attack unique is that even if Windows Autoplay and Autorun are disabled, the Stuxnet worm can still automatically infect a USB drive. The exploit can also spread via SMB fileshares, posing the possibility of further internal infections within a targeted organization, experts say.

A few workarounds are available to defend against the threat. Microsoft suggests disabling icon shortcuts as well as the WebClient service, for instance. SANS suggests disabling autorun for USB contents and locking down SMB shares internally such that it limits who is able to write to the shares. SANS' Zeltser also points to a free tool called Ariad, which is in beta.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?