New malware, called W32/Stuxnet-B, has been reported. This malware propagates using USB drives apparently infected with malformed shortcut (.lnk) files. F-Secure detects the LNK exploit as Exploit:W32/WormLink.A. Reports suggest that the malformed shortcuts exploit a remote code execution vulnerability in Microsoft Windows, which has been reported in Alert 20918.
Reports suggest that a successful exploit would require the targeted user to view the contents of the USB drive using Windows Explorer or other applications that display file icons. However, the malicious link vulnerability could be used to target any Windows systems through removable media.
The malicious code is contained in drivers that appear to be digitally signed by Realtek Semiconductor Corp, which could help the code bypass controls that require drivers to be signed. The same reports confirm the vulnerability on completely patched Microsoft Windows 7 installations as of July 15, 2010.
Event data from Cisco Remote Management Services has detected intrusion prevention system signature activity related to this vulnerability. The data, which was captured on July 27, 2010, could indicate that malicious software distribution is increasing in the wild.
One suggested method of additional propagation is through the SQL facilities in WinCC. Reports have indicated that the WinCCAdmin and WinCCConnect account passwords for WinCC are hard-coded, allowing potential exploits to run commands on the host operating system through SQL instructions executed using these account credentials. Further, Siemens forum postings suggest that administrators are advised against changing the passwords. If these reports are accurate, this could result in wide exposure for sites that use WinCC, which is human-machine interface software for process control systems used in critical infrastructure and manufacturing.
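The following audit script is an added example and not part of the alert, nor code from Siemens or Microsoft. It shows how a defender can inventory the two exposures the paragraph above describes on a WinCC host: whether the WinCCAdmin and WinCCConnect SQL logins named in the reports exist and are enabled, and whether the SQL Server instance is configured so that T-SQL can reach the host operating system. Assumptions are labelled: the instance name `.\WINCC`, Windows-integrated authentication for the auditing account, and that the OS-command path is SQL Server's `xp_cmdshell` option (the alert does not name the mechanism).

```powershell
# Added example (not from the alert). Audit a WinCC host's SQL Server instance for
# the exposures described in the alert. Run as a Windows account that can read
# sys.configurations and sys.sql_logins on that instance.
# ASSUMPTION: WinCC's SQL Server instance is named 'WINCC' on the local host.
param([string]$Instance = '.\WINCC')

function Invoke-AuditQuery {
    # Small helper: run one read-only query with integrated auth, return rows as hashtables.
    param([string]$ServerInstance, [string]$Sql)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$ServerInstance;Database=master;Integrated Security=SSPI;"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $reader = $cmd.ExecuteReader()
        $rows = @()
        while ($reader.Read()) {
            $row = @{}
            for ($i = 0; $i -lt $reader.FieldCount; $i++) { $row[$reader.GetName($i)] = $reader.GetValue($i) }
            $rows += $row
        }
        $reader.Close()
        return $rows
    } finally { $conn.Close() }
}

function Get-WinCCLoginState {
    # The alert names these two accounts as having hard-coded passwords.
    param([string]$ServerInstance)
    Invoke-AuditQuery -ServerInstance $ServerInstance -Sql @"
SELECT name, is_disabled
FROM sys.sql_logins
WHERE name IN ('WinCCAdmin', 'WinCCConnect')
"@
}

function Get-OsCommandSurface {
    # ASSUMPTION: 'xp_cmdshell' is the SQL Server option that lets T-SQL run host
    # commands; value_in_use = 1 means it is enabled. 'remote access' is reported
    # alongside it because it widens who can reach the instance over the network.
    param([string]$ServerInstance)
    Invoke-AuditQuery -ServerInstance $ServerInstance -Sql @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'remote access')
"@
}

# Report. Because the vendor advises against changing the passwords, the useful
# controls are the ones below: know whether the logins are live, know whether the
# instance can spawn OS commands, and restrict who can reach the SQL port.
Write-Host "== SQL logins named in the alert =="
foreach ($r in Get-WinCCLoginState -ServerInstance $Instance) {
    $state = if ($r['is_disabled']) { 'DISABLED' } else { 'ENABLED' }
    Write-Host ("{0,-14} {1}" -f $r['name'], $state)
}
Write-Host "== Host command surface =="
foreach ($r in Get-OsCommandSurface -ServerInstance $Instance) {
    $flag = if ($r['value_in_use'] -eq 1) { 'ON  <- review' } else { 'off' }
    Write-Host ("{0,-14} {1}" -f $r['name'], $flag)
}
```

Whether WinCC itself depends on the host-command option is not stated in the alert, so the script reports the setting rather than changing it; the decision to disable it belongs with the system owner after checking the vendor's requirements. Restricting inbound access to the SQL Server port to the WinCC clients that genuinely need it is the complementary network-side control.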
User interaction is limited to inserting the USB drive and viewing its contents; no further interaction is needed.
Systems that have disabled AutoRun for USB drives do not appear to be protected, because the malformed .lnk files are processed when their icons are rendered rather than through AutoRun.
Administrators are advised to configure antivirus software to scan media upon insertion. Administrators may also consider disallowing USB drives or other removable media from sensitive environments.
Users are advised not to plug in USB drives from unknown sources.
Microsoft has released a security bulletin at the following link: MS10-046. Microsoft customers can obtain updates directly by using the links in the security bulletin. These updates are also distributed by Windows automatic update features and are available on the Windows Update website. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.
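The host-side checks and mitigations from the preceding paragraphs, as an added example that is not part of the alert and not Microsoft's own tooling. It verifies whether the MS10-046 update is installed (the bulletin ships as KB2286198), applies Microsoft's documented interim workaround of clearing the shortcut icon handler registration so Explorer stops rendering shortcut icons, and denies all removable storage through the local policy key. Assumptions are labelled in the code: the backup location under `HKLM\SOFTWARE\LocalMitigations` is invented for this example, and the removable-storage policy value is the one behind the "All Removable Storage classes: Deny all access" Group Policy setting.

```powershell
# Added example (not from the alert or from Microsoft). Run from an elevated
# PowerShell session. Each function is independent so the pieces can be
# applied or reverted separately.

function Test-Ms10046Installed {
    # MS10-046 is delivered as KB2286198; Get-HotFix enumerates installed updates.
    return [bool](Get-HotFix -Id 'KB2286198' -ErrorAction SilentlyContinue)
}

# ASSUMPTION: a per-host backup location chosen for this example, so the
# workaround can be reverted once the patch is confirmed installed.
$BackupRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\LocalMitigations'
# CLSID of the shell link icon handler; restored if no backup is present.
$ShellLinkClsid = '{00021401-0000-0000-C000-000000000046}'

function Disable-ShortcutIconHandler {
    # Microsoft's workaround: remove the default value of the IconHandler key for
    # .lnk and .pif files. Shortcuts then show a generic icon instead of being
    # parsed for one, which is the step the malformed files abuse.
    foreach ($ext in 'lnkfile', 'piffile') {
        $key = "Registry::HKEY_CLASSES_ROOT\$ext\shellex\IconHandler"
        if (-not (Test-Path $key)) { continue }
        $current = (Get-ItemProperty -Path $key).'(default)'
        New-Item -Path "$BackupRoot\$ext" -Force | Out-Null
        Set-ItemProperty -Path "$BackupRoot\$ext" -Name 'IconHandler' -Value $current
        Remove-ItemProperty -Path $key -Name '(default)' -ErrorAction SilentlyContinue
    }
    # Explorer must be restarted for the change to take effect.
    Stop-Process -Name explorer -Force
    Start-Process explorer.exe
}

function Restore-ShortcutIconHandler {
    # Revert the workaround after Test-Ms10046Installed returns $true.
    foreach ($ext in 'lnkfile', 'piffile') {
        $key = "Registry::HKEY_CLASSES_ROOT\$ext\shellex\IconHandler"
        $saved = $ShellLinkClsid
        if (Test-Path "$BackupRoot\$ext") {
            $saved = (Get-ItemProperty -Path "$BackupRoot\$ext").IconHandler
        }
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name '(default)' -Value $saved
    }
    Stop-Process -Name explorer -Force
    Start-Process explorer.exe
}

function Disable-WebClientService {
    # The bulletin's second workaround: WebDAV is another path by which a
    # shortcut can be delivered for icon rendering, so stop and disable it.
    Stop-Service -Name WebClient -ErrorAction SilentlyContinue
    Set-Service -Name WebClient -StartupType Disabled
}

function Deny-AllRemovableStorage {
    # ASSUMPTION: this is the local-policy value behind the Group Policy setting
    # "All Removable Storage classes: Deny all access" (Vista and later).
    $policy = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    New-Item -Path $policy -Force | Out-Null
    Set-ItemProperty -Path $policy -Name 'Deny_All' -Value 1 -Type DWord
}

# Typical sequence for a sensitive host: patch status first, workaround only if unpatched.
if (Test-Ms10046Installed) {
    Write-Host 'KB2286198 present; icon-handler workaround not required.'
} else {
    Write-Host 'KB2286198 missing; applying interim workaround.'
    Disable-ShortcutIconHandler
    Disable-WebClientService
}
```

The removable-storage denial is deliberately left as a separate call rather than run by default, since blocking all USB storage is the stronger control the alert recommends only for sensitive environments. Note that disabling AutoRun alone does not help here; the icon-handler workaround or the patch is what removes the trigger.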
Proof-of-concept code that exploits this vulnerability is publicly available.
Siemens has confirmed that the malicious code exploiting this vulnerability is targeting Siemens WinCC SCADA systems. Further details are available at the following link: SIMATIC WinCC / SIMATIC PCS 7. However, Siemens software updates are not available.
ICS-CERT has released advisories at the following links: ICSA-10-201-01C and ICSA-10-238-01.
US-CERT has released a vulnerability note at the following link: VU#940193.