Softpedia
 


July 20th, 2010, 07:15 GMT · By

Malware Exploiting LNK Flaw Most Prevalent in Iran and Indonesia

Stuxnet most active in Iran and Indonesia
According to Microsoft, the recently discovered piece of malware, which exploits a previously unknown Windows vulnerability, is most active in Iran and Indonesia. The software giant has also worked with Verisign and Realtek to revoke the rogue certificate used by the threat.

The new malware, which Microsoft dubbed Stuxnet, was discovered by Belarusian antivirus vendor VirusBlokAda, which also reported that it exploits a zero-day Windows vulnerability to spread. The bug is in the way Windows processes shortcut icons and allows the execution of arbitrary code by simply opening the folder containing a specially crafted .LNK file.

Microsoft has been tracking Stuxnet attacks for over a week and has so far determined that Iran and Indonesia are the most affected regions. It's important to note that by attacks the company means infection attempts, not successful infections.

The largest number of attacks was actually registered in the United States, but in total only 0.05% of computers monitored by Microsoft's Malware Protection Center have registered infection attempts. In comparison, the malware has so far targeted 1.60% of computers in Iran that use Microsoft's anti-malware programs.

With 1.29% of computers attacked, Indonesia also appears to be a hotspot for this malware, followed by India with 0.14%. Ecuador (0.06%), the US (0.05%), Pakistan and Lebanon (0.04%), and Taiwan (0.03%) complete the list. The global average for computers targeted by Stuxnet so far is 0.02%.

Microsoft warns that the number of attacks per computer has been on an ascending trend since July 6th. “Although the number of new machines reporting an infection attempt has remained constant at around a thousand per day, the number of attempts (tries per machine) has increased over the past few days,” the company's researchers write on the MMPC blog. As far as attack vectors go, most Stuxnet infectors arrive via email or are downloaded from hacking websites, where they are advertised as game cheats.

Microsoft also points out that the Realtek certificate used to sign the malware's drivers has been revoked. “Microsoft MMPC has been working with Verisign to revoke this certificate, and did so at 08:05:42 PM UTC with the agreement and support of Realtek,” the company said on Friday.

You can follow the editor on Twitter @lconstantin
