Shortcut exploits have made the news in malware circles this month. After Stuxnet first used them, it wasn’t long before other malware started exploiting the zero-day vulnerability – Sality is among their numbers.
The authors of the Sality family added a new executable component, which we detect as Troj/Sallink-A, that enumerates network resources, dropping two files where it can. The first of these is a DLL file, detected as Troj/Salload-D, the other a LNK shortcut file, detected as Exp/Cplink-A. Simply browsing to the folder containing the LNK file will automatically execute the DLL file – that’s the nature of the CVE-2010-2568 vulnerability.
Different variants of Troj/Sallink-A format their payload in slightly different ways. Most drop the DLL using a filename consisting of random letters and numbers (usually ‘a’ to ‘f’, and ‘0’ to ‘9’), with earlier variants using <random>.dll and later ones using ~<random>.tmp or w<random>.tmp. For the shortcut file, earlier variants used the simple <random>.lnk, while later variants moved to using a wide variety of click-enticing names – for a full list, see the “More Information” tab of Troj/Sallink-A, but filenames include “My Photos.lnk”, “Gallery photos.lnk”, “XXX.lnk”, “Britney Spears XXX.lnk”, “Barrett Jackson nude photos.lnk”, and “Miss America Porno.lnk”.
I’m not quite sure why they’ve gone out of their way to give these the sort of filename that get people to click them, since the whole point of this vulnerability is that you don’t have to click the shortcut – in fact I’d say most of these names are far more likely to arouse suspicion on a network. But then, that’s what you get if you just steal a list of names from other malware – most of the names are recognisable as having been used by the Bagle family of malware more than 4 years ago.
For good measure, Troj/Sallink-A also tries to drop the LNK file to all subdirectories of the network share, maximising the chance that someone will browse there and trigger the DLL-executing exploit. When run, the DLL tries to contact a remote URL, and to drop a file to <temp>\<random>.exe – this is the main Sality component, which goes on to infect files, and to spread to all available drives (including USBs) and network shares. We detect this component as Mal/Sality-D.
In fact before the authors had even sent out the first dll-dropping exe or exe-dropping dll, we detected all of these files as Mal/Sality-D – we’re now using the names Troj/Sallink-A and Troj/Salload-D to help differentiate components of the chain, but we’ve always protected against them all.
It’s a bit surprising to see a malware family that concentrates on a rather old-school file infection keeping on top of new vulnerabilities, but clearly someone in their gang is reading the news – earlier in the month they sent exploited PDF spam, so (ab)using exploited LNK files is an obvious next step. It’s a shame the authors don’t spend more time on the actual virus itself, since it still has a nasty habit of corrupting files during infection.
Even once Microsoft releases a patch for the vulnerability, history has shown that lots of people won’t apply it with any due expediency, so it’s a safe bet that we’ll see more malware exploiting this in the future. We’ll continue to update our main shortcut exploit page as we get more information, and you might also want to download our Windows Shortcut Exploit Protection Tool to help keep you safe until the vulnerability has been patched.