Windows LNK bug and SCADA vuln
Full story is here.
In summary, Microsoft issued a security bulletin last week on a remote code execution vulnerability in the way the Windows shell parses LNK shortcut files. However, for six weeks before that, a virus called Stuxnet had been circulating that attacked control systems (SCADA, or Supervisory Control and Data Acquisition) manufactured by Siemens. The scary part is that SCADA systems are commonly used to run critical infrastructure such as power plants (although anyone who remembers the Blaster worm already knew that Windows is used in critical infrastructure).
A detailed technical analysis of Stuxnet is here.
Making the situation even more interesting, the virus includes a rootkit driver binary that has been digitally signed using an apparently compromised code signing key, issued by VeriSign to a company called Realtek.
Still, there are three potential mitigations that could have protected a well locked-down system, even prior to the installation of the above security patch:
- Gee, don’t stick the unknown USB key into your C&C terminal in the first place
- Use low-privileged accounts. This would likely have prevented the rootkit driver from being installed.
- Don’t trust 3rd party root certificates. This is configurable in Windows (although the LNK code execution still would have run).
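
A quick way to audit the second and third mitigations on a given host, as an added example that is not part of the original post. It assumes "third party" means any machine-wide trusted root whose subject does not name Microsoft, and it only reports; it changes nothing.

```powershell
# Added example (not from the original post). Run in PowerShell 3.0 or later
# on the host being reviewed. Read-only: nothing is modified.

# Mitigation 2: is this session running with an administrator token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if ($principal.IsInRole($adminRole)) {
    Write-Warning "$($identity.Name) is running elevated and can install drivers."
} else {
    Write-Output "$($identity.Name) is running without administrator rights."
}

# Mitigation 3: list machine-wide trusted roots that are not Microsoft's own.
# Assumption: "third party" = Subject does not contain "Microsoft".
$codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage

Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -notmatch 'Microsoft' } |
    ForEach-Object {
        # Only the EKU extension inside the certificate is inspected here.
        # A root without that extension is not limited by the certificate itself.
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } |
                  ForEach-Object { $_.Value })

        $codeSigning = if (-not $eku) { 'unrestricted' }
                       elseif ($oids -contains $codeSigningOid) { 'yes' }
                       else { 'no' }

        [pscustomobject]@{
            Subject     = $_.Subject
            Thumbprint  = $_.Thumbprint
            NotAfter    = $_.NotAfter
            CodeSigning = $codeSigning
        }
    } |
    Sort-Object CodeSigning, Subject |
    Format-Table -AutoSize -Wrap
```

Roots reported as `yes` or `unrestricted` are the ones that can anchor a signed driver or executable, so they are the entries to review first on a locked-down control system.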

