Reports have been circulating for a few weeks about a new attack being targeted at certain Windows users that used USB memory sticks to propagate. More details have now emerged, including confirmation
from Microsoft that a new flaw exists and is being exploited.
The attack uses specially crafted shortcut (.lnk) files, which trick Windows into running code of an attacker's choosing. Any Windows application that tries to display the shortcut's icon—including Explorer—will cause exploitation, so even the mere act of browsing a directory with the malicious shortcuts is sufficient for a system to be exploited. Analysis
suggests that the shortcuts are not improperly formed; rather they depend on a flaw in the way that Windows handles shortcuts to Control Panel icons.
The first reports of the problem came last month from Belorussian security company VirusBlokAda
. The company found systems infected with the flaw through infected USB keys. The keys use the flaw to install a rootkit to hide the shortcuts, dubbed Stuxnet
, including kernel-mode drivers, and a malicious payload. The rootkit is itself noteworthy: the drivers it installs are signed. The certificate used to sign them belongs to Realtek, suggesting that somehow the attackers have access to Realtek's private key. The certificate used to sign the rootkit has now been revoked by Verisign.