Microsoft Releases Advisory For USB Trojan

Microsoft issued an advisory today to address a zero-day vulnerability linked to a Trojan spreading through infected USB devices.

According to Microsoft, the vulnerability at the centre of the reports exists because Windows incorrectly parses shortcuts in a way that allows malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives.

For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited, Microsoft said. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.

USB Devices

Security vendor VirusBlokAda reported that a Trojan is using the vulnerability to propagate through infected USB devices. The malware uses rootkit functionality to hide itself, the vendor said. Microsoft said so far it is only seeing limited, targeted attacks exploiting the vulnerability.

Independent security researcher Frank Boldewin reported finding evidence the malware is targeting Siemens SCADA software, meaning it could be meant for industrial espionage. An initial analysis by Symantec also revealed references to software used on SCADA systems, but the vendor said it is still investigating. “We’re currently investigating this threat, which Symantec detects as W32.Temphid,” said Dave Cowings, senior manager of operations for Symantec Security Response, told eWEEK. “Based on our initial analysis, however, we can say that this threat is clearly not something that was created overnight…Users accessing the USB device only see LNK files (i.e. links or shortcuts) with legitimate looking icons. When a user clicks on one of these LNK files, the hidden malicious payload is triggered into action.”

Double-edged Sword

Malware that spreads via USB devices is really a double-edged sword, Cowings added. On one hand, such devices are often transferred from one machine to another, but this also requires physical action on the part of the user. “This human interaction element may in some cases be a mitigating factor to widespread distribution of such threats,” he said.

As a workaround, Microsoft suggested users disable the displaying of icons. Users can also disable the WebClient Service by following instructions contained within the advisory.