More malware exploiting Windows shortcut vulnerability

by Graham Cluley on July 23, 2010 | Leave a comment

Filed Under: Malware, Microsoft, Vulnerability

Shortcut exploit
It probably won't come as a surprise to anyone, but more evidence has come to light that cybercriminals are actively exploiting the Windows shortcut vulnerability (also known as CVE-2010-2568).

Like the earlier Stuxnet attack, more examples of specially crafted shortcut (.LNK) files that point to malicious code and trick Windows into executing it without user interaction have been analysed in our labs.

Overnight Sophos saw two malware samples that were being spread by the .LNK vulnerability. Customers of Sophos products were already protected as we detect the .LNK shortcuts generically as Exp/Cplink-A or Troj/Cplink - however, here is more information on the specific malware:

Troj/Chymin-A:
Also known as Chymine, this keylogging Trojan horse is designed to steal information from infected computers.

Troj/Chymin-A may be downloaded by exploited Windows Shortcut (.LNK) files.

W32/Dulkis-A:
W32/Dulkis-A is the more interesting of the two examples of malware we saw related to the exploit overnight, as it drops .LNK shortcut files that exploit the vulnerability to removable drives such as USB sticks. Sophos products detect these .LNK files as Exp/Cplink-A.

W32/Dulkis-A is a Windows worm, written in obfuscated Visual Basic, which copies itself to any attached removable storage device using the files 9.tmp (detected as Mal/TDSSPack-Z), xxx.dll (detected as W32/Dulkis-A) and <randomname>.tmp (detected as Troj/Nebule-Gen).

USB drive
So far, the malicious attacks we've seen exploiting the shortcut vulnerability are being spread via USB - but we have confirmed that threats based on the same exploit can also be distributed via infected websites.

I'd like to give a special mention to our corporate customers who have already switched on the "Live Protection" in version Sophos Endpoint Security and Data Protection 9.5, as they're benefiting from our very latest in-the-cloud technology to defend against the latest threats, efficiently and proactively.

If you haven't already investigated this new version of Sophos, and its great new features, maybe now is the time to do so.

Update: Find out about Sophos's free tool which protects against the shortcut exploit.

Tags: , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <pre> <q cite=""> <strike> <strong>

About the author

Graham Cluley has worked in the computer security industry for more than 20 years, developing anti-virus software and doing quite a lot of talking about internet threats. He's won awards for his blogging, but is proudest of the text adventure games he wrote when he was still wearing short trousers. You can learn more about those (the games, not the trousers) at grahamcluley.com. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.