Categories: PCSecurityWorkspace

Microsoft Releases Advisory For USB Trojan

Microsoft issued an advisory today to address a zero-day vulnerability linked to a Trojan spreading through infected USB devices.

According to Microsoft, the vulnerability at the centre of the reports exists because Windows incorrectly parses shortcuts in a way that allows malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives.

For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited, Microsoft said. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.

USB Devices

Security vendor VirusBlokAda reported that a Trojan is using the vulnerability to propagate through infected USB devices. The malware uses rootkit functionality to hide itself, the vendor said. Microsoft said so far it is only seeing limited, targeted attacks exploiting the vulnerability.

Independent security researcher Frank Boldewin reported finding evidence the malware is targeting Siemens SCADA software, meaning it could be meant for industrial espionage. An initial analysis by Symantec also revealed references to software used on SCADA systems, but the vendor said it is still investigating. “We’re currently investigating this threat, which Symantec detects as W32.Temphid,” said Dave Cowings, senior manager of operations for Symantec Security Response, told eWEEK. “Based on our initial analysis, however, we can say that this threat is clearly not something that was created overnight…Users accessing the USB device only see LNK files (i.e. links or shortcuts) with legitimate looking icons. When a user clicks on one of these LNK files, the hidden malicious payload is triggered into action.”

Double-edged Sword

Malware that spreads via USB devices is really a double-edged sword, Cowings added. On one hand, such devices are often transferred from one machine to another, but this also requires physical action on the part of the user. “This human interaction element may in some cases be a mitigating factor to widespread distribution of such threats,” he said.

As a workaround, Microsoft suggested users disable the displaying of icons. Users can also disable the WebClient Service by following instructions contained within the advisory.

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
Tags: Rootkit

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

5 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

7 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

9 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

9 hours ago