New Malware Exploiting Windows Shortcut (.LNK) 0-Day

Vobfus and Chymine, in addition to Stuxnet

By on July 26th, 2010 10:13 GMT
Malicious software in the wild is evolving with new capabilities designed to allow it to exploit the Critical 0-day vulnerability affecting all supported versions of Windows, and even Windows 7 SP1 Beta and Windows Server 2008 R2 SP1 Beta. According to information supplied by the Redmond company, Win32/Vobfus and Chymine are the latest examples of malware families to include exploits for a Critical flaw in Windows Shell, which allows malicious software to infect vulnerable machines through malformed .LNK and .PIF files. Previously, Microsoft has revealed that the Stuxnet malware family was the only one spreading through the new Windows shortcut zero-day security hole.

Vobfus variants only recently started to take advantage of the Windows .LNK vulnerability in order to spread from one machine to another, Microsoft informed. The first version of Vobfus that was capable of taking advantage of the new0-day Windows hole was Worm:Win32/Vobfus.H.

“Vobfus and shortcut files have a longstanding relationship: this family has, from the beginning, been using shortcut files as a social engineering technique to get users to run its code. However, these shortcut files DID NOT automatically run. Rather, Vobfus also drops an autorun.inf file to run its copy in the drive if Autorun is enabled (see how to disable Autorun in your Windows computer). New samples of Vobfus.H, however, as we previously mentioned, drop a specially-crafted, malicious shortcut file that exploits the vulnerability discussed in SA2286198,” revealed Microsoft’s Francis Allan Tan Seng & Elda Dimakiling.

In addition to new flavors of Vobfus, the Chymine malware family is also targeting computers which contain the Windows .LNK vulnerability. Microsoft reveals that it has detected the specially-crafted, malicious shortcut files exploiting the 0-day to launch the Chymine dropper component.

“In this case, Trojan:Win32/Chymine.A is launched by a malicious shortcut that we detect as Exploit:Win32/CplLnk.A. It, in turn, drops another trojan we detect as TrojanSpy:Win32/Chymine.A, which we’ve observed to be logging user keystrokes and downloading other malware. Aside from that, it seems to be just another malware that exploits a new attack vector. We’re keeping an eye out for this family and other potential malware that may be using the same vector,” Dimakiling added.

Microsoft notes that the inclusion of Windows .LNK exploits into more and more malware is an integral part of the evolution of the attack landscape. The Redmond company has yet to produce a security update designed to patch this vulnerability, and as such, for the time being Windows computers are opened to attacks, and easy targets. Users should apply the mitigations described in this Security Advisory in order to fend off potential attacks.

“What we’re seeing with the use of this new vulnerability by two other malware families is typical when an exploitable vulnerability is made public: initially, details emerge about a proof-of-concept malware or a targeted attack, then someone releases a public exploit, then the exploit gets incorporated into malware crime kits, and then we begin seeing different families using it,” Dimakiling said.

Follow me on Twitter @MariusOiaga.

1 Comment