Trojan Targets Microsoft Shortcut Files, Installs Windows Drivers

Security firms are warning of a new Trojan that affects every version of Windows, including Windows 7, and that is spreading through USB devices. The Trojan takes advantage of a previously unknown vulnerability in Microsoft's .lnk files, the shortcut files that launch an application. The Trojan is able to hide itself on USB drives, and once activated, it installs two Windows drivers on the infected system.

Attack Uses Previously Unknown Exploit

The viral Windows drivers belong to rootkits, which install themselves undetected with the assistance of a legitimately signed driver that belongs to RealTek Semiconductors. The particular attack targets Siemens SCADA WinCC control systems. This niche software is used by power plants, leading security experts to conclude that this particular attack was designed to effect industrial espionage.

VirusBlokAda, a cybersecurity firm located in Belarus, first discovered the attack. The virus poses a serious security risk because it doesn't rely on an autorun exploit, as most USB-borne attacks do. At the moment, there is no credible way to detect the attack as it is happening, and all Windows computers, even fully patched systems running Windows 7, are vulnerable to the attack.

The attacks are significant for another reason: until now, it was thought that .lnk files could do nothing until the user clicked on them. In this particular attack, the mere presence of the .lnk file is enough to trigger the infection. Apparently, no user action – other than connecting an infected USB drive to a system that runs Microsoft Explorer – is required to trigger the viral transfer. The malicious files are undetectable on the USB drives, leaving users completely vulnerable to the attack.
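Because the danger lies in letting Explorer render the shortcut, a defender can inspect .lnk files from removable media offline instead. The following is an added example, not code from the article or from any of the firms it cites: a minimal reader for the Shell Link binary format as documented by Microsoft in MS-SHLLINK, which extracts the string fields a shortcut carries and applies a simple review heuristic. The heuristic (a shortcut whose target path or working directory is a library or driver, or whose icon is loaded from a .dll outside the Windows directory) and the sample shortcuts built by `build_lnk()` are the example's own constructions, not anything the article states.

```python
"""Offline triage of Windows shortcut (.lnk) files.

Added example: a minimal reader for the Shell Link format (MS-SHLLINK) plus a
defender-side review heuristic. Sample shortcuts are constructed in build_lnk().
"""
import struct
from pathlib import Path

# LinkCLSID 00021401-0000-0000-C000-000000000046 as laid out on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order when their flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def is_shell_link(data: bytes) -> bool:
    """True if the buffer starts with a valid Shell Link header."""
    if len(data) < HEADER_SIZE:
        return False
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    return header_size == HEADER_SIZE and clsid == LNK_CLSID


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, IconIndex and the StringData fields of a .lnk file."""
    if not is_shell_link(data):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    icon_index = struct.unpack_from("<i", data, 0x38)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # size field excluded
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # size field included
    info = {"flags": flags, "icon_index": icon_index}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # character count
        pos += 2
        if flags & IS_UNICODE:
            info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return info


def is_system_path(path: str) -> bool:
    """Heuristic (example's assumption): icon resources normally live under Windows."""
    p = path.lower()
    return p.startswith(("%systemroot%", "%windir%")) or "\\windows\\" in p


def triage(info: dict) -> list:
    """Report shortcut fields a reviewer should look at; empty list means nothing odd."""
    findings = []
    for key in ("relative_path", "working_dir"):
        value = info.get(key, "")
        if value.lower().endswith((".dll", ".sys")):
            findings.append(f"{key} refers to a library or driver: {value}")
    icon = info.get("icon_location", "")
    if icon.lower().endswith((".dll", ".sys")) and not is_system_path(icon):
        findings.append(f"icon resource loaded from a non-system library: {icon}")
    return findings


def scan_directory(root: str) -> dict:
    """Triage every *.lnk under root (e.g. a mounted USB drive) without rendering it."""
    report = {}
    for path in Path(root).rglob("*.lnk"):
        data = path.read_bytes()
        report[str(path)] = triage(parse_lnk(data)) if is_shell_link(data) else ["invalid header"]
    return report


def build_lnk(name=None, relative_path=None, working_dir=None,
              arguments=None, icon_location=None) -> bytes:
    """Construct a Unicode .lnk with only a header and StringData (sample input)."""
    flags, parts = IS_UNICODE, []
    values = dict(name=name, relative_path=relative_path, working_dir=working_dir,
                  arguments=arguments, icon_location=icon_location)
    for flag, field in STRING_FIELDS:
        text = values[field]
        if text is not None:
            flags |= flag
            parts.append(struct.pack("<H", len(text)) + text.encode("utf-16-le"))
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + b"".join(parts)


if __name__ == "__main__":
    sample = build_lnk(relative_path=".\\helper.dll", icon_location=".\\helper.dll")
    print(triage(parse_lnk(sample)))
```

`scan_directory()` walks a mounted drive and never hands the files to the shell, so the check itself does not trigger the rendering path the article describes; the review heuristic is deliberately narrow and is meant as a starting point for analyst triage, not as a detection signature.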

Security experts are warning users not to get complacent about the fact that this particular attack is directed toward a niche product. The major danger with this attack is that other hackers can use the same approach that the Trojan uses to target other systems. The likelihood of success is high because there is no inherent protection against this type of attack within Windows OS products at the moment.

This particular attack installs two apparently legitimate Windows drivers called mrxnet.sys and mrxcls.sys, which in turn install two rootkits, Rootkit.TMPHider and SScope.Rootkit.TmpHider.2. Cybersecurity firms report that infections by these two rootkits have risen since the attacks began, leading them to speculate that the incidence of undetected infections is rising.

Photo Credit: viZZZual.com, via Flickr