Beware of file infectors

Jul 31, 2010 10:10 GMT  ·  By

Security researchers are concerned about new variants of the Sality virus, which exploit the currently unpatched Windows shortcut vulnerability. Microsoft reports a surge in related attack traffic generated by threats from the Sality family of malware.

The recently discovered bug in how Windows processes shortcuts (identified as CVE-2010-2568) is one of the most serious vulnerabilities of 2010. This is because exploitation only requires victims to open a folder containing a specially crafted LNK file, and because of the wide attack surface, which includes USB drives, network shares and even WebDAV.

During the past two weeks, antivirus vendors have reported that various families of malware, such as Stuxnet, Chymine, Vobfus, ZeuS and Sality, began targeting the zero-day flaw. However, out of these, a particular variant of the Sality file-infecting virus stands out as the most active.

Microsoft reports that 20% to 25% of computers protected by its anti-malware products are reporting attacks originating from the new Sality.AT version every day. Additionally, 10% register similar LNK exploit traffic generated by another variant called Sality.AM.

The geolocation of CVE-2010-2568-related attacks has also changed. Brazil is now the top country in number of exploitation attempts and is followed by the United States, Indonesia, India and Iran. “Even though they do not represent the number of actual infections, these attack attempts indicate when threats are becoming more widespread,” Microsoft says.

“It’s a bit surprising to see a malware family that concentrates on a rather old-school file infection keeping on top of new vulnerabilities, but clearly someone in their gang is reading the news [...]. It’s a shame the authors don’t spend more time on the actual virus itself, since it still has a nasty habit of corrupting files during infection,” commented Richard Cohen, a lead malware researcher at SophosLabs Canada, who posted a more in-depth analysis of the new Sality threats.

You can follow the editor on Twitter @lconstantin