USB Drive Malware Exploits Windows 7 Flaw in Apparent Espionage Effort

From DailyTech: Microsoft has done a relatively good job building a secure operating system in the form of Windows 7 and patching the few flaws that have been discovered and widely published. But like any OS it still has some gaping holes, and with Windows 7's growing market share, there are plenty of parties, both malicious and altruistic, poking around to find them.

The latest threat is a new strain of malware that takes advantage of Windows 7's allowance of "autorun" or "autoplay" files.

The attack vector begins with an infected machine writing malware to an attached USB drive. The malware writes two driver files, "mrxnet.sys" and "mrxcls.sys", to the attached drive. These rootkit drivers carry a digital signature belonging to Realtek Semiconductor Corp. that was likely stolen, which lets them load without the usual driver-signing warnings. The drivers provide the "rootkit" functionality, hiding the malware that is subsequently written to the drive.

Once the stick is packed with malware and the drivers that disguise it, the next infection is initiated when the unsuspecting user plugs it into another machine. If the user follows the prompt and selects the "Autorun" option, or opts to open the drive in Windows Explorer, the stored malware runs and infects that machine.

While autoplay/autorun is disabled by default on most Windows 7 installs, simply browsing to the root folder of a USB stick, or enabling autoplay for USB sticks, can still trigger this attack. Disabling autorun alone is therefore not a complete mitigation.

Belarusian anti-virus company VirusBlokAda was the first to spot the new malware in the wild and published an advisory earlier this month. VirusBlokAda researcher Sergey Ulasen warns, "So you just have to open infected USB storage device using [Windows] Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware."
