Dark Reading is part of the Informa Tech Division of Informa PLC


Windows Shell Attacks Increase

Microsoft and Siemens released tools to combat the zero-day exploits that automatically run malicious code from USB drives.

Two new attacks have emerged to exploit the recently discovered zero-day Windows Shell vulnerability. Like Stuxnet, these new attacks use specially crafted shortcut (.LNK) files to cause Windows to automatically load and execute remote code.

According to Sophos, the new malware first appeared Thursday night.

The first piece of malware is called Dulkis-A, and is "a Windows worm, written in obfuscated Visual Basic, which copies itself to any attached removable storage device," said Graham Cluley, senior technology consultant at Sophos, writing on the firm's blog. The other piece of malware is Chymine, a keylogging Trojan application "designed to steal information from infected computers," he said.

Microsoft has yet to patch the Windows Shell vulnerability, but on Tuesday the company detailed a workaround that would prevent attacks from exploiting the bug. It also released a tool to automatically install the workaround on a computer running Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, or Windows Server R2. Unfortunately, the workaround disables .LNK and .PIF file functionality, which removes all icon graphics and replaces them with a plain white icon. Microsoft plans to release a patch in the future that will eliminate the vulnerability and restore the icons.

How else can IT managers block the vulnerability? Sophos says that tweaking existing security policies can help. "Only allow executable files to run from certain paths, like the hard drive, and never from a USB key or other removable media. This would prevent malware that uses this exploit from running off of a USB key, remote fileshare, or device like an iPod or BlackBerry." But attacks exploiting the vulnerability are also appearing on and being spread by websites.
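The policy Sophos describes (executables may run from the hard drive, never from removable media or a network share) can also be applied as a triage rule to the shortcut files themselves. The following parser is an added example, not code from the article or from Sophos or Microsoft: it walks the shell link header, skips the optional LinkTargetIDList and LinkInfo structures, reads the StringData strings, and flags shortcuts whose relative path or icon location points at a UNC share, at a removable drive letter, or at a code file (.dll, .cpl, .exe, .scr) outside a trusted directory. The removable drive letters and trusted prefixes are assumptions for the demo; in production they would come from the operating system and from local policy. The sample shortcuts are constructed inline. Note the caveat: the crafted-shortcut attacks in the article are triggered through the icon handler and the IDList, so a StringData-only check is a policy heuristic, not a detector for the exploit itself.

```python
import struct

# Layout constants from the MS-SHLLINK shell link format.
HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in on-disk (little-endian GUID) byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Assumed local policy (hypothetical values for the demo).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
CODE_EXTENSIONS = (".dll", ".cpl", ".exe", ".scr")


def parse_lnk(data):
    """Return the header flags and StringData strings of a .LNK file."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    # Optional LinkTargetIDList: 2-byte IDListSize followed by the IDList itself.
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    # Optional LinkInfo: its first 4 bytes are the total LinkInfoSize.
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags}
    # StringData entries appear in this fixed order, each only if its flag is set:
    # 2-byte CountCharacters followed by the characters (UTF-16LE when IsUnicode).
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            raw = data[pos:pos + nbytes]
            pos += nbytes
            fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def triage_lnk(data, removable_drives=("d:", "e:", "f:")):
    """Apply the 'executables only from the hard drive' policy to a shortcut's strings.

    removable_drives is an assumed list; on a real host query the OS for drive types."""
    info = parse_lnk(data)
    findings = []
    for field in ("relative_path", "icon_location"):
        path = info.get(field, "")
        if not path:
            continue
        low = path.lower()
        if low.startswith("\\\\"):
            findings.append("%s points at a network share: %s" % (field, path))
        elif low.startswith(tuple(removable_drives)):
            findings.append("%s points at removable media: %s" % (field, path))
        if (field == "icon_location" and low.endswith(CODE_EXTENSIONS)
                and not low.startswith(TRUSTED_PREFIXES)):
            findings.append("icon is loaded from a code file outside trusted paths: %s" % path)
    return findings


def build_sample_lnk(relative_path, icon_location):
    """Constructed sample: a minimal shell link carrying only StringData."""
    flags = HAS_RELATIVE_PATH | HAS_ICON_LOCATION | IS_UNICODE
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes, three FILETIMEs, FileSize,
    # IconIndex, ShowCommand (1 = SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(icon_location)


# Constructed samples: a benign desktop shortcut and one that violates the policy.
BENIGN_LNK = build_sample_lnk("..\\..\\Windows\\notepad.exe", "C:\\Windows\\notepad.exe")
SUSPICIOUS_LNK = build_sample_lnk("..\\..\\Windows\\notepad.exe", "E:\\tools\\icons.dll")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(label, parse_lnk(blob), triage_lnk(blob) or "no findings")
```

Running the block prints the parsed strings and the findings for each constructed sample; the suspicious shortcut is reported twice, once for the removable drive letter and once for loading its icon from a DLL outside the trusted directories.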

Stuxnet, which targets Siemens control systems and thus appears to be designed for industrial espionage, also continues to circulate. To help affected customers, on Thursday Siemens released a tool developed by Trend Micro, Sysclean, to detect and remove the virus. But Siemens warned that "as each plant is individually configured, we cannot rule out the possibility that removing the virus may affect your plant in some way."

Siemens also released a security patch for its SIMATIC distributed control system that uses Microsoft's current workaround to eliminate the vulnerability, with the same side effect of eliminating all icon graphics. "Make sure that you assign meaningful names to your desktop links and those in the Windows Start menu to easily recognize them later," Siemens advised customers. The company promised to release a full patch that would restore the icons, after Microsoft released the relevant security update.

One workaround that Siemens users should avoid, however, is changing the default passwords on their control systems, warned control systems expert Joe Weiss, writing on his blog. "Microsoft wants default passwords changed -- standard IT policy -- while Siemens is telling its customers not to change the default passwords as it could cause problems," he said.

The disconnect highlights how in control environments, safety -- not security -- comes first, he said. "The IT folks do not understand why anybody would want to keep a default or hardcoded password as an emergency back door. IT in enterprises, outside of banking, simply doesn't have real-time emergencies."
