
Sophos finds malware vulnerability in Windows

Malware appears designed to exploit how Windows handles .LNK shortcut files


Sophos is reporting a vulnerability in Windows that will allow malicious software to run automatically on a PC even if Windows Autoplay and Autorun features have been disabled.

The security company said the Stuxnet rootkit can install itself automatically from a USB memory stick even if a PC is fully patched.

This is because the rootkit exploits a vulnerability in the way Windows handles .LNK shortcut files that allows them to execute automatically if the USB stick is accessed by Windows Explorer.

Once the rootkit is in place it effectively enters 'stealth-mode', cloaking its presence on the infected PC.

Graham Cluley, senior technology consultant at Sophos, said: "Threats such as the infamous Conficker worm have spread very successfully via USB devices in the past, but were in part reduced by disabling Autoplay.

"The risk is that more malware will take advantage of the zero-day exploit used by the Stuxnet rootkit, taking things to a whole new level.

"The exploit is still being analysed by the security community, but there are disturbing suggestions that the malware could be trying to access data specific to Siemens Scada systems – software that controls national critical infrastructure."

However, he said that at the moment it was “important not to overreact to this threat” because the risk to Scada systems has not been fully analysed. The fact that Scada systems are involved also means everyone will be examining the attack closely.

“Eyes will also be turned to Microsoft to see how they will respond to what appears to be another unpatched vulnerability in their code that is being exploited by hackers,” said Cluley.

Sophos detects the malicious files involved in the attack as W32/Stuxnet-B. More information, including a full description of how the attack works, is available on Chet Wisniewski’s blog.
