Novel New USB Attack

News about a new attack via USB flash drive, known as Stuxnet.B, is surfacing. The Belarusian antivirus company VirusBlokAda recently discovered it and published a report on it. There are several points about this attack which make it both novel and unique, even though infection / propagation via USB flash drives is very common. To wit:

  • Outwits Autorun – the malware exploits a previously unknown vulnerability with Windows link shortcut files (.lnk), thus circumventing Windows Autorun or Autoplay. This means that our usual fall-back advice of turning Autorun off does not help in this case.
  • Credentialed – it uses rootkit functionality to hide two drivers (“mrxnet.sys” and “mrxcls.sys”) which load without being detected because they are signed by RealTek Semiconductors, a legitimate chip manufacturer. This suggests a fairly sophisticated malware writer / organization.
  • Focused – according to Frank Boldewin at Reconstructor.org, this malware uses a default password to extract some data from the Siemens SCADA WinCC + S7 control system database, indicating the Trojan may be meant for industrial espionage.

[If you’re interested in more details, I can recommend this piece by the always reliable Brian Krebs or this post by Chester Wisniewski at Sophos. If you need to geek out on it, read this thread at Wilders Security.]

So, we have the makings of a real potboiler – a Windows zero-day vulnerability that even impacts Win7, a cleverly disguised piece of malware, and a seemingly targeted attack. Zowie!

Obviously this matters to folks in the processing and utilities space – but it even matters to those who aren’t. Why? Well …

  • Industrialized Hacking – we know that the bad guys are developing malware with an eye towards reuse / resale (or even for rent), including modern business practices such as QA and helpdesk support. It’s very possible this is just a beta test with a relatively benign, proof-of-concept payload, and that it will shortly be repackaged for broader use.
  • Reduced Defenses – if you’re relying on just a couple of defenses in your layered approach (say, a firewall and antivirus and perhaps even shutting off Autorun), you’re basically defenseless against this attack. It’s time to augment your approach to protecting your network.
  • Reduced Trust – faked certificates are nothing new, but a legitimate vendor certificate (especially one we expect to see on our system) providing cover to a rootkit is unusual. It begs the question: whom can you trust, and are you still willing to rely on a single proof of that?

If this all sounds particularly dire – well, it is … but it isn’t. It’s just another inevitable step in the on-going cat-n-mouse “game” we are forced to deal with these days. So, what to do? Here are some suggestions:

  • Oldies but Goodies – just because this attack represents a new approach does not mean you should drop the tried and true capabilities you have in place (or should have) – eliminate vendor default passwords everywhere: your routers, your databases, your servers; patching continues to be vital in closing the known holes; AV and firewalls help prevent malware from getting a foothold; and turn off Autorun as part of your secure configuration to reduce malware susceptibility and propagation. You need to stay on top of these basic security building blocks lest you get pwned by the old (or lazy) attacks.
  • Think New – this attack suggests that you should augment your defenses to increase the difficulty and to reduce the attractiveness of your network – implement encryption across the board: your endpoints, your databases, your removable devices – a recent survey suggests that 22% of US organizations haven’t even thought about this yet; whitelist removable devices / media to those of known provenance; and increase / control the trust factors (e.g., a new, multi-faceted trust model which scores factors like code source, whence it came, who authorized it, and so on) required to enable code execution.
  • Move Beyond Technology – there are several factors to a good security posture which you need to continue to work on – revise your policies to reflect changes in your business and network environment, and in the threats you face; update your processes for the same reasons, and to ensure your incident response plans are capable of dealing with today’s environment; and revisit your end user training, because that one-time discussion on the first day at work has been long forgotten and is undoubtedly obsolete – and besides, as I’ve said before, these folks really *are* your first, last and best defense.
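As an added, defender-side illustration of the “Oldies but Goodies” checks above (this is example code written for this post, not something from the original article or from any vendor), the script below looks for the two driver names the post quotes, reports who signed them, and confirms the Autorun policy. The registry path, the 0xFF value and the driver directory are standard Windows locations, not taken from the post; the rootkit behaviour described above may hide the files from a live system, so treat a clean result as necessary, not sufficient.

```powershell
# Added example: audit a Windows host for the indicators discussed in the post.
# Run from an elevated PowerShell session. A rootkit can hide files from this
# check, so a "not present" result is not proof of a clean machine.

$suspectDrivers = @('mrxnet.sys', 'mrxcls.sys')        # driver names quoted in the post
$driverDir      = Join-Path $env:SystemRoot 'System32\drivers'

foreach ($name in $suspectDrivers) {
    $path = Join-Path $driverDir $name
    if (Test-Path -Path $path) {
        # A valid signature is what let these drivers load quietly; the signer
        # subject tells you which vendor certificate is providing cover.
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        Write-Warning "Found $path  status=$($sig.Status)  signer=$signer"
    } else {
        Write-Output "OK: $name not present in $driverDir"
    }
}

# Cross-check with what the kernel reports as currently loaded, by name only.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $suspectDrivers -contains ($_.PathName -split '\\')[-1] } |
    ForEach-Object { Write-Warning "Loaded driver matches suspect list: $($_.Name) ($($_.PathName))" }

# Autorun policy: 0xFF disables Autorun for every drive type. This is the
# "turn off Autorun" baseline; as the post notes, it does NOT block the .lnk vector.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$value = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($value -eq 0xFF) {
    Write-Output "OK: NoDriveTypeAutoRun = 0xFF (Autorun disabled for all drive types)"
} else {
    Write-Warning "NoDriveTypeAutoRun is '$value'; expected 0xFF. Autorun is not fully disabled."
}
```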

I guess the main point is this: the bad guys are constantly upping the ante, and their game – what are you doing to keep them from winning?
