There's a new threat that spreads via USB storage devices, by exploiting a previously unknown flaw in Windows shortcuts.
We have added detection for the shortcut LNK exploit as Exploit:W32/WormLink.A. The shortcut file used in this case is 4.1 KB. Files associated with the trojan-dropper, backdoor, rootkit are detected as the Stuxnet family.
We mentioned two interesting details yesterday, that the rootkit was signed, and that it was targeting SCADA systems.
The rootkit components are digitally signed and we've confirmed that a valid Realtek Semiconductor Corp. signature is used. The dropped drivers are properly signed, while the trojan-dropper itself only attempted to copy the digital signature.
In any case, the certificate, while valid, expired in June. The H Security has a screenshot of the certificate.
Malicious software using valid digital signatures is something that our Jarno Niemelä recently predicted in his Caro 2010 Workshop presentation: It's Signed, therefore it's Clean, right?
Regarding the SCADA systems that are being targeted, the Siemens SIMATIC WinCC database appears to use a hardcoded admin username and password combination that end users are told not to change.
Thus, any organization successfully compromised by this targeted attack could be completely vulnerable to database compromise. This Slashdot comment has additional details.
We'll have more on this case as it develops.

On 16/07/10 At 10:30 AM
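As an added example for defenders, not part of the original post or of F-Secure's material, the following PowerShell check lists the Authenticode state of installed kernel drivers and flags signing certificates that have passed their expiry date, the situation described above for the Realtek-signed drivers. The `$DriverDir` parameter and the choice to walk the system driver folder are my assumptions; `Get-AuthenticodeSignature` is a standard Windows PowerShell cmdlet.

```powershell
# Added example (not part of the original post): report the Authenticode
# signature state of kernel drivers and flag signers whose certificate has
# expired, as the Realtek certificate on the Stuxnet drivers had.
# Assumptions: run from an elevated Windows PowerShell session; $DriverDir
# defaults to the system driver directory.
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers"
)

$now = Get-Date

Get-ChildItem -Path $DriverDir -Filter *.sys -File | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        Driver   = $_.Name
        Status   = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer   = if ($cert) { $cert.Subject }  else { '' }
        NotAfter = if ($cert) { $cert.NotAfter } else { $null }
        # A signature with a trusted timestamp stays Valid after the signer
        # certificate expires, so an expired signer is a point to review,
        # not by itself a verification failure.
        Expired  = if ($cert) { $cert.NotAfter -lt $now } else { $false }
    }
} | Where-Object { $_.Status -ne 'Valid' -or $_.Expired } |
    Sort-Object Driver | Format-Table -AutoSize
```

The output separates signature status from certificate expiry on purpose: Windows continues to accept a timestamped driver signature after the signing certificate expires, so a driver can be both `Valid` and `Expired`, and the expiry column only tells you which signers merit a closer look.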