
Worm spreads via Windows .LNK vulnerability


Johannesburg, 06 Aug 2010

There is a new virus that is exploiting a Microsoft vulnerability. MS has not yet released a patch for this vulnerability!

How does this threat get into users' systems?

This threat may get into a user's system via infected removable drives, fixed drives and network shares. It may also be distributed through malicious Web sites, or embedded within documents.

How does this threat infect users?

Once a user is infected, the worm, detected as WORM_STUXNET.A, drops a .LNK file (a shortcut file that points to an executable) onto the drives. This .LNK file in turn exploits a specific vulnerability in Windows Shell to automatically execute the dropped copy of the worm as soon as the infected drive is accessed. This .LNK file is detected by Trend Micro as LNK_STUXNET.A.

Besides dropping copies of itself, WORM_STUXNET.A also drops RTKT_STUXNET.A, a rootkit the worm uses to hide its routines. The worm also attempts to connect to non-malicious sites such as www.mypremierfutbol.com and www.todaysfutbol.com, both of which redirect to http://www.isfa.com, a football betting site. The purpose of this routine has not yet been determined, as engineers found no trace of malicious activity on these sites.

Since the exploit code for this vulnerability was released publicly, Trend Micro has found new malware leveraging the Windows Shell flaw. These files are detected as WORM_STUXNET.SM and LNK_STUXNET.SM.

How are users affected by this threat?

The worm drops a rootkit component, a stealth mechanism that enables the malware to hide its routines from the affected user, which makes analysis and removal difficult. Also, because the Windows Shell flaw is yet to be patched, cyber-criminals have ample opportunity to use the vulnerability to spread more malware.

The Windows shortcut vulnerability also gives attackers numerous possibilities for information and data theft, as it has proven to be a faster method of spreading malware. Even ZeuS/ZBOT variants have found a way to exploit this vulnerability, via spam messages purporting to originate from Microsoft. Users who do not recognise this false alert are bound to become infected with the new ZBOT variant, TROJ_ZBOT.BXW, which is capable of information theft. SALITY file infectors are using this vulnerability as well, as demonstrated by PE_SALITY.LNK-O.

What is noteworthy about this attack?

This threat was tagged as noteworthy because it exploits a vulnerability in Windows Shell. Merely opening the malicious .LNK file is enough to trigger the vulnerability, so it poses an immediate threat to users. The vulnerability is caused by incorrect parsing of shortcuts, which may result in the execution of malicious code when the icon of a crafted shortcut is displayed. An attacker may present the user with an infected removable drive containing a malicious .LNK file and an associated malicious binary. Once the user opens the drive in Windows Explorer, or in any other application capable of parsing the shortcut icon, the malware is executed. The attack may also propagate via a remote network share on which the crafted shortcut is placed and from which other users can access it.

The problem is significant if the affected user is logged in with administrative rights, as the attacker may then gain complete control of the system and could install programs, modify data or create new accounts without the legitimate user's consent. Users with fewer rights on the system are not as severely affected as those with administrative rights.

The exploit code used for this threat was also found to be publicly available on the Internet, and this has already triggered a new attack. Case in point: the .LNK vulnerability is now used to spread ZeuS/ZBOT variants as attachments to spam messages purporting to originate from Microsoft. The attachment comes as a compressed (.ZIP) file containing a .LNK file and a .DLL file, which Trend Micro detects as LNK_STUXNET.SM and TROJ_ZBOT.BXW respectively.

Are Trend Micro users protected from this threat?

Trend Micro Smart Protection Network already protects product users from this threat by preventing the execution of all malware related to this attack via the file reputation service.

Enterprise users can also benefit from the additional protection offered by Deep Security and OfficeScan with the Intrusion Defence Firewall (IDF) plug-in. Recently released rules prevent this vulnerability from being exploited via network shares and WebDAV.

What can users do to prevent this threat from entering computers?

Users may avoid this threat by being wary of opening dubious shortcut files. Regularly scan removable drives before using them or sharing them with other users, to avoid spreading malicious files. Home users should patch their systems as soon as they can to protect themselves from this threat.
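The article pairs the crafted shortcut with a dropped binary (a .DLL in the ZeuS spam case) and advises scanning removable drives before use. The following is an added triage helper, not code from the article or from Trend Micro: it validates the fixed ShellLink header (size 0x4C and the ShellLink CLSID from the public MS-SHLLINK format), decodes the LinkFlags, and reports every .LNK that sits beside an executable binary in the same directory, or that carries a .lnk name without being a shell link. The suffix list and the `constructed_lnk` sample builder are assumptions made for the example.

```python
import struct
import uuid
from pathlib import Path

# Fixed 76-byte ShellLink header every .LNK starts with (MS-SHLLINK section 2.1)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
LINK_FLAGS = {  # LinkFlags bits announcing which optional structures follow the header
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode"}
# Assumed sibling types that count as an "associated binary" (the article names a .DLL).
BINARY_SUFFIXES = {".dll", ".exe", ".tmp"}


def parse_lnk_header(data: bytes) -> dict:
    """Decode the fixed header; raise ValueError if the bytes are not a ShellLink."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLink header")
    size, clsid, flags, attrs = struct.unpack_from("<I16sII", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    return {"flags": [n for bit, n in LINK_FLAGS.items() if flags & bit],
            "file_attributes": attrs}


def triage_listing(files: dict) -> list:
    """files maps names in one directory (e.g. a removable-drive root) to their bytes;
    returns every .LNK sitting beside an executable binary, plus mislabelled .LNKs."""
    binaries = sorted(n for n in files if Path(n).suffix.lower() in BINARY_SUFFIXES)
    findings = []
    for name, data in files.items():
        if Path(name).suffix.lower() != ".lnk":
            continue
        try:
            header = parse_lnk_header(data)
        except ValueError as exc:  # .lnk name but not a shell link: worth a look too
            findings.append({"lnk": name, "reason": str(exc), "binaries": binaries})
            continue
        if binaries:
            findings.append({"lnk": name, "reason": "shortcut beside executable binary",
                             "header": header, "binaries": binaries})
    return findings


def constructed_lnk(flags: int) -> bytes:
    """Header-only ShellLink with the given LinkFlags: a constructed sample, not malware."""
    head = struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20)
    return head + b"\x00" * 24 + struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)
```

To run it against a real drive root, feed `triage_listing` a dict built from `Path(root).iterdir()` (name to `read_bytes()`), and treat each finding as an item for an analyst to inspect rather than as a verdict.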

Several workarounds have been identified to temporarily stop the attacks from spreading further and executing on systems. Microsoft lists these workarounds in its advisory.

A recent out-of-band patch has already been issued to address this exploit.

SecureData Security, part of JSE-listed SecureData Holdings, is the sole sub-Saharan distributor for Trend Micro.

For further information, please contact Lee Bristow at tel. +27 11 790 2500; fax +27 11 790 2599; e-mail leeb@securedata.co.za.


Trend Micro

Trend Micro Incorporated, a global leader in Internet content security, focuses on securing the exchange of digital information for businesses and consumers. A pioneer and industry vanguard, Trend Micro is advancing integrated threat management technology to protect operational continuity, personal information, and property from malware, spam, data leaks and the latest Web threats. Trend Micro's flexible solutions, available in multiple form factors, are supported 24/7 by threat intelligence experts around the globe. Many of these solutions are powered by the Trend Micro Smart Protection Network, a next generation cloud-client content security infrastructure designed to protect customers from Web threats.

SecureData

SecureData is a specialist, value-added distributor of perimeter, application, network, endpoint, storage and identity information security solutions and risk management solutions for the African sub-continent and Indian Ocean islands. A cross-section of the available solutions from SecureData illustrates wide coverage of the following information security and risk management domains: business continuity, security appliances and devices, hardware authentication, identity and access management, security and vulnerability management, secure content management, threat management and security services.

SecureData's information security and risk management solutions include best-of-breed solutions, devices and appliances for the perimeter, data centres, applications, network, endpoints, messaging and Web. In addition, as a value-add to vendor, channel and customer, SecureData also provides a full complement of support, pre-sales and professional services around the solutions positioned in each discrete security vertical.

Editorial contacts

Paul Booth
Global Research Partners
(+27) 82 568 1179
pabooth@mweb.co.za