SANS made the call to go Code Yellow to help raise awareness of the vulnerability, which Microsoft officially revealed on Friday after security researchers in Belarus reported finding new malware samples that could infect a Windows 7 machine via an infected USB drive. "We decided to raise the Infocon level to Yellow to increase awareness of the recent LNK vulnerability and to help preempt a major issue resulting from its exploitation," blogged SANS ISC handler and security consultant Lenny Zeltser today. "Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit have not been very effective so far."
The number of machines hit so far is only in the tens of thousands, according to some estimates, but many security experts worry that could change fast.
"This is not something to just shrug off," says Paul Henry, security and forensics analyst for Lumension Security. Henry says the biggest targets for the attack are Microsoft XP SP2 machines, which the software giant stopped patching as of this month.
"You've got a large user base that can't move off of XP SP2, and that creates a perfect situation for the bad guys," Henry says, noting many SCADA apps only run on XP. "Now they've got a wide, open field where they can create malware, with no fear that Microsoft will create a patch for it."
Microsoft late Friday issued a security advisory that points to a flaw in Windows Shell, which was being used along with a family of malware called Stuxnet. Dave Forstrom, Microsoft's director of marketing communications for integrated communications & response, says Microsoft had only seen "limited, targeted attacks" thus far, and that the attacks were most likely to occur via removable USB drives.
While Microsoft as of that posting had spotted most of the attacks in Iran and Indonesia, researchers at ESET today report that the Stuxnet worm going after the LNK flaw is mostly hitting the U.S. now, with 58 percent of all infections, 30 percent in Iran, and more than 4 percent in Russia. "This particular attack targets the industrial supervisory software SCADA. In short, this is an example of malware-aided industrial espionage. The question is why the chart of affected nations looks as it does," says Juraj Malcho, head of ESET's Virus Lab, based in Bratislava, Slovakia.
ESET expects other malware to exploit the Windows vulnerability, which has to do with how it processes LNK files.
SANS' yellow alert indicates it's tracking a significant, new threat, and that users should take "immediate specific action" to contain any impact the threat could unleash.
While USB-born malware is nothing new, what makes this attack unique is that even if Windows Autoplay and Autorun are disabled, the Stuxnet worm can still automatically infect a USB drive. The exploit can also spread via SMB fileshares, posing the possibility of further internal infections within a targeted organization, experts say.
A few workarounds are available to defend against the threat. Microsoft suggests disabling icon shortcuts as well as the WebClient service, for instance. SANS suggests disabling autorun for USB contents and locking down SMB shares internally such that it limits who is able to write to the shares. SANS' Zeltser also points to a free tool called Ariad, which is in beta.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.