
USB malware - complete with signed drivers

This one is interesting and very bad if you are one of the targeted companies.
It installs just by putting a USB drive in the PC, exploiting the way Explorer handles shortcuts.

If you work at a company, you might want to disable USB storage completely.


http://www.us-cert.gov/control_syst...alware Targeting Siemens Control Software.pdf
The malware appears to launch when a USB storage device is viewed using a file manager such as
Windows Explorer. Because the malware exploits a zero-day vulnerability in the way that Windows
processes shortcut files, the malware is able to execute without using the AutoRun feature.

Shortcut files are Windows files that link easy-to-recognize icons to specific executable programs, and are
typically placed on the user’s Desktop or Start Menu. A shortcut will not execute until a user clicks on its
icon. While Microsoft’s advisory indicates users need to click an icon for the vulnerability to be
executed, VirusBlokAda reports these malicious shortcut files are capable of executing automatically
(without user interaction) if accessed by Windows Explorer.

This vulnerability is most likely to be exploited through removable drives. For systems that have
AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in
order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable
disks is automatically disabled.

Based on current reporting, the malware drops and executes two driver files: mrxnet.sys and mrxcls.sys.
The mrxnet.sys driver works as a file system filter driver, and mrxcls.sys is used to inject malicious code.
These files are placed in the %SystemRoot%\System32\drivers directory. The drivers were signed with
the apparent digital signature of Realtek Semiconductor Corporation. No warning is displayed in
Windows when the drivers are installed, even though the certificate used to sign the files expired in June
2010. VeriSign has revoked the certificate used to sign the malware. The two drivers are used to inject
code into system processes to hide themselves. Using this method, the malware files are not visible on an
infected USB storage device.
Currently, some analysis has been performed and published on the Siemens-specific capabilities of the
malware. ICS-CERT has confirmed that the database query strings do in fact reference WinCC database
tables containing Input/Output tags. As more details become available and analysis is verified, ICS-CERT
will publish updates to this advisory.
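The two actions the post and the advisory point at, disabling USB mass storage and checking a host for the two dropped drivers and their signatures, as an added PowerShell example (not code from the original post, from ICS-CERT or from Microsoft). It assumes an elevated session on Windows; the USBSTOR service key is the standard location Windows uses for the USB mass-storage class driver, and the driver names and directory are the ones given in the advisory. Nothing here identifies the malware by hash; it only reports what it finds so a responder can decide.

```powershell
# Added example: hardening and triage for the USB-borne, signed-driver malware
# described in the advisory above. Run from an elevated PowerShell session
# (the registry write and the drivers directory need administrator rights).

# --- 1. Disable USB mass storage --------------------------------------------
# Start = 4 (Disabled) on the USBSTOR service stops Windows from loading the
# USB mass-storage class driver, so a plugged-in stick never mounts and
# Explorer never gets a chance to render the shortcut files on it. Devices that
# are already attached keep working until they are unplugged or the box reboots.
function Disable-UsbStorage {
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $before = (Get-ItemProperty -Path $key -Name Start).Start
    Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
    [pscustomobject]@{
        Key         = $key
        StartBefore = $before
        StartAfter  = (Get-ItemProperty -Path $key -Name Start).Start
    }
}

# --- 2. Look for the dropped drivers and inspect their signatures -----------
# The advisory names mrxnet.sys and mrxcls.sys in %SystemRoot%\System32\drivers.
# Caveat for the signature check: an Authenticode signature that was
# countersigned (timestamped) before the certificate expired stays valid after
# the expiry date, which is why Windows showed no warning. Revocation is what
# actually invalidates it, so do not stop at Status = Valid; look at who the
# signer is and report the certificate details for the IR team.
function Get-SuspectDriverReport {
    param(
        [string[]]$Names     = @('mrxnet.sys', 'mrxcls.sys'),   # from the advisory
        [string]  $DriverDir = (Join-Path $env:SystemRoot 'System32\drivers')
    )
    foreach ($name in $Names) {
        $path = Join-Path $DriverDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $path; Present = $false }
            continue
        }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        $subject = $null; $issuer = $null; $expired = $null; $realtek = $false
        if ($cert) {
            $subject = $cert.Subject
            $issuer  = $cert.Issuer
            $expired = $cert.NotAfter -lt (Get-Date)
            # A signer string naming Realtek on a file Realtek never shipped is
            # the tell described in the advisory.
            $realtek = $cert.Subject -match 'Realtek'
        }
        [pscustomobject]@{
            File          = $path
            Present       = $true
            SHA256        = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            SigStatus     = $sig.Status
            StatusMsg     = $sig.StatusMessage
            Signer        = $subject
            Issuer        = $issuer
            CertExpired   = $expired
            RealtekSigned = $realtek
        }
    }
}

# Second vantage point: ask the kernel which drivers it has loaded. Service
# names here are the driver names without the .sys extension; the comparison
# is case-insensitive, as PowerShell's -contains is by default.
function Get-LoadedSuspectDrivers {
    param([string[]]$Names = @('mrxnet', 'mrxcls'))
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $Names -contains $_.Name } |
        Select-Object Name, State, StartMode, PathName
}

Disable-UsbStorage
Get-SuspectDriverReport | Format-List
Get-LoadedSuspectDrivers
```

If either driver is present or loaded, treat the host as compromised rather than cleaning the two files: the advisory says they inject into system processes, so the on-disk drivers are only the visible part. The USBSTOR change is a blunt instrument that also blocks legitimate sticks; on managed estates the same Start value is normally pushed by Group Policy rather than set by hand on each machine.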