A new malicious attack has been spreading through the internet in the last few weeks, initially using USB memory sticks to propagate. Called, the LNK vulnerability, the attack uses specially crafted shortcut (.lnk) files, which trick Windows into running code of an attacker’s choosing. Any Windows application that tries to display the shortcut’s icon—including Explorer—will cause exploitation, so even the mere act of browsing a directory with the malicious shortcuts is sufficient for a system to be exploited.
The exploit has now been tested as working from SMB network shares as well as Windows’ WebClient services. The nature of this attack is very serious as noted by the ISC raising its Infocon level to Yellow. Even Microsoft is worried enough about this vulnerability that the guys from Redmond said, “Anyone believed to have been affected by this issue … should contact the national law enforcement agency in their country.”
The malware payload appears to be designed to specifically compromise the databases used by Siemens’ SIMATIC WinCC software. WinCC is SCADA software, used to control and monitor industrial systems, found in manufacturing plants, power generation facilities, oil and gas refineries, and so on. Siemens’ software uses hardcoded passwords, making attack particularly simple and potentially dangerous. ( Question: why would anyone use Windows software for controlling industrial equipment? )
Recommended temporary solutions are to turn off icons for shortcuts and disabling WebClient Services, but these are fairly intrusive and confusing for the average user. The recent protections for AutoRun capability are useless in this case. All versions of Windows from XP/200 and later are affected. Anti-virus vendors are so far unable to successfully halt the spread of this attack.