Shortcut exploit still quiet – Keep your fingers crossed

Windows shortcut splat

I have been closely monitoring the recently disclosed vulnerability in the method that all versions of Windows use to render shortcuts. Fortunately, no major attacks aside from Stuxnet have had much success, but we are starting to see malware authors experimenting with its potential.

First we saw Troj/Chymin-A. This new sample is a keylogger, and fortunately is not a worm. It uses the shortcut out of convenience.

Then we discovered W32/Dulkis-A. This virus uses VBScript obfuscation to disguise itself and is in fact a replicator. It will infect removable devices with malicious shortcut files to facilitate its spread.

Things were reasonably quiet over the weekend and started up at the beginning of Monday UTC. We came across a Zbot (Zeus) variant attempting to use the exploit that I found downright entertaining. It is being disseminated via email and pretends to be a Microsoft security advisory. The email contains a .zip attachment and requires you to extract the Zip file to the C:\ drive in order for it to successfully exploit you. Fortunately, the authors seem to have completely missed the point. Why on earth would you use an attack vector that requires loads of user intervention when you have an exploit that doesn’t?

Microsoft’s mitigation advice will certainly provide protection, but as I noted in my blog last week, the results are undesirable. That is why Sophos launched a free shortcut exploit mitigation tool to both enterprises and consumers today. The tool protects against malware targeting the exploit without the undesirable side effect of disguising your shortcuts. In addition to anti-virus, this is a great way to protect yourself and it has no impact on productivity. Be sure to apply the Microsoft patch once it is available, but this should help in the meantime.

I have also seen a lot of discussion as to whether this exploit requires AutoRun or AutoPlay to be enabled. The answer is: absolutely not. In today’s Ask Chet, I will demonstrate how a simple web link can infect an unprotected PC. Others have asked whether they’re safe if they avoid using USB drives. Again, no. This will even work on your hard drive if a correctly malformed shortcut is placed there.

Time to pack my bags as I am off to Black Hat 2010 and Defcon. If you’ll be there as well, drop me a note and maybe we can have a chat over a root(beer).