IT security and data protection firm Sophos has today released a free tool to protect against a Windows zero-day vulnerability that is being actively exploited to infect computers.
The Sophos Windows Shortcut Exploit Protection Tool protects against a high profile vulnerability that allows malicious hackers to exploit a bug in the way that all versions of Windows handles .LNK shortcut files. If Windows just displays the icon of an exploited shortcut file, malicious code can be executed – without requiring any interaction by the user.
But Sophos’s free tool, available for download from www.sophos.com/shortcut, intercepts shortcut files that contain the exploit, warning of the executable code that was attempting to run. That means it will stop malicious threats which use the vulnerability if they are on non-local disks, such as a USB stick.
Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows’ handling of shortcut files.
Malware targeting the security weakness in the handling of ‘lnk shortcut files has been spotted in the wild by Belarus-based security firm VirusBlokAda. The malware uses rootkit-style functionality to mask its presence on infected systems. These rootlet drivers come digitally signed by legitimate software developer Realtek Semiconductor, a further mark of the sophistication of the attack.
In an advisory, VirusBlokAda says it has seen numerous incidents of the Trojan spy payloads dropped by the malware since adding detection for the malign code last month.
Even fully patched Windows 7 systems are vulnerable to attack in cases where a user views files on an infected USB drive using Windows Explorer, security blogger Brian Krebs reports. Instead of using Windows Autoplay the spread the malware takes advantage in security weaknesses involving shortcut files. Malicious shortcuts on the USB are reportedly capable of auto-executing if users open an infected storage device on Windows Explorer. Normally users would have to click on the link for anything to happen.
Independent researcher Frank Boldewin has uncovered evidence that the malware is targeting SCADA control systems, used to control industrial machinery in power plants and factories, and specifically Siemens WinCC SCADA systems.
“Looks like this malware was made for espionage,” Boldewin writes.
Firms faced with a spate of Windows autorun worms have responded by disabling outrun, but this advice may no longer be enough with the appearance of a new attack vector, Finnish security firm F-Secure warns. “Our initial analysis of the samples appears to indicate that the shortcuts somehow take advantage of the way in which Windows handles Control Panel shortcut files,” it adds.
