Over the past few days, reports of a new attack against Windows based SCADA systems (the computer software which control power plants, water treatment facilities and other parts of the critical infrastructure) have been making the rounds of the security blogosphere. While the payload carried in the new attacks is aimed specifically at these vital control systems (specifically a system called Siemens SCADA WinCC + S7) , the vulnerability used to deliver it looks like it could be quite dangerous to all Windows XP, Server 200x, Vista and 7 users. The previously unknown flaw allows arbitrary code to be executed simply by browsing to a folder containing a specially crafted .lnk file. In the attacks seen to date, the malware attempts to access information from the control system, suggesting that it is meant to aid in corporate espionage or reconnaissance of electrical power distribution systems for purposes unknown, but probably nefarious.
In addition to raising the spectre of an attack against critical infrastructure, this series of attacks also provides makers of all sorts of malware targeting corporate and personal systems with a new 0-day vector for infection. The flaw can be exploited by getting users to browse a USB drive, a Windows file share or a WebDAV file share. The flaw seems to be able to bypass the No Autorun protections in Windows as well as Windows 7’s UAC protections. If I were a malware author, I would be all over this as a way to get my creation installed on as many machines as possible before Microsoft issues a fix.
Microsoft is aware of the problem and has issued a tech bulletin with a workarounds that is are pretty unworkable for most corporate environments. According to a blog post by Chester Wisniewski of Sophos, one way to effectively combat this attack in a corporate environment is to set up a GPO (group policy object) which prevents executables from running from drives other than the C: drive. This may be the best way to respond to this threat until Microsoft issues a patch, hopefully before the next Patch Tuesday.
The malware arms race goes on…
RSS - Posts
For those of you who would like to mitigate the LNK risk by keeping people from executing software from drives other than C:, here is a link to instructions:
http://blog.didierstevens.com/2010/07/20/mitigating-lnk-exploitation-with-srp/