Second, the people who put this together are way smart. What I've described here is only part of the story. Those two TMP files, which are programs that get run by the jiggered LNK file(s), install Stuxnet-infected drivers signed by Realtek, the company that makes audio codecs, routers, and network interface controllers. The signature's real. Brian Krebs, in his KrebsOnSecurity blog, explains how the installed drivers work as rootkits. The Microsoft Malware Prevention Center blog goes into detail about the Stuxnet worm.
Third, the usual defense mechanisms don't apply. User Account Control, for example, never enters into the picture. Running on a Limited account makes no difference, as Sophos's Chester Wisniewski demonstrates convincingly on his blog. Disabling AutoRun for USB drives does nothing.
Fortunately, it looks like the original zero-day attack was limited, very specifically, to monkeying around with Siemens WinCC SCADA systems, which are used to control large automated production facilities -- in other words, industrial espionage. Unfortunately, the experts are betting that the same hole will be used in other exploits in the very near future.
What can you do about it? Not much. Microsoft's Security Advisory gives manual steps for disabling the display of icons in Windows Explorer and for disabling WebDAV. Neither approach blocks other icon-displaying programs, and in any case the cure may be worse than the disease. Antivirus software vendors are adding detection for Stuxnet, which will stop the current incarnation. But nobody I know has come up with a way of stopping the propagation method.
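As an added illustration, not taken from the column or from Microsoft, here is what the two advisory workarounds mentioned above look like as a PowerShell script that can check, apply, or undo them on a single machine. It assumes the registry locations and service name the advisory uses (the IconHandler keys under HKCR\lnkfile and HKCR\piffile, and the WebClient service); the backup path is a constructed placeholder, and the revert step restores WebClient to Manual start, which is an assumption about its prior setting.

```powershell
# Added example: check, apply, or revert the Microsoft advisory workarounds
# (clear the shortcut IconHandler default value; disable the WebClient service).
# Run from an elevated PowerShell prompt. Registry key names follow the advisory
# as I recall it; confirm them against the advisory text before use.
param(
    [ValidateSet('Check','Apply','Revert')] [string] $Mode = 'Check',
    [string] $BackupPath = "$env:ProgramData\lnk-iconhandler-backup.json"  # constructed path
)

$handlerKeys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)

function Get-IconHandlerState {
    # Returns the (Default) CLSID of each IconHandler key, or $null once cleared.
    $state = @{}
    foreach ($k in $handlerKeys) {
        $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
        $state[$k] = if ([string]::IsNullOrEmpty($v)) { $null } else { $v }
    }
    return $state
}

switch ($Mode) {
    'Check' {
        Get-IconHandlerState | Format-Table -AutoSize
        Get-Service WebClient | Select-Object Name, Status, StartType
    }
    'Apply' {
        # Save the current handler CLSIDs first so the change can be undone.
        Get-IconHandlerState | ConvertTo-Json | Set-Content -Path $BackupPath
        foreach ($k in $handlerKeys) {
            # With the default value empty, Explorer no longer loads the shortcut
            # icon handler; the visible cost is that every shortcut shows a generic icon.
            Set-ItemProperty -Path $k -Name '(default)' -Value ''
        }
        Stop-Service WebClient -Force
        Set-Service WebClient -StartupType Disabled
    }
    'Revert' {
        $saved = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
        foreach ($k in $handlerKeys) {
            $old = $saved.$k
            if ($old) { Set-ItemProperty -Path $k -Name '(default)' -Value $old }
        }
        Set-Service WebClient -StartupType Manual   # assumed prior setting
    }
}
```

Running it with `-Mode Check` before and after shows whether the handler values are cleared and whether WebClient is stopped; note that the icon workaround only affects Windows Explorer, which is the gap the text points out.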
SANS Internet Storm Center reports that there's proof-of-concept code circulating in cracker circles.
Keep your eyes open for this one. We haven't heard the last of it yet.
This article, "Watch out for this nasty zero-day exploit," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.