LNK Vulnerability Exploited by More Families of Malware

Chymine, Vobfus, Sality and ZeuS

27 Jul 2010, 13:57 GMT
Antivirus companies are warning that virus writers are slowly adopting the exploit targeting the currently unpatched Windows LNK vulnerability in their creations. New families of malware to leverage this flaw in order to propagate and infect systems are Chymine, Vobfus, Sality and ZeuS.

The new Windows shortcut processing bug, which allows attackers to execute potentially malicious code by tricking users into simply opening a folder containing malformed LNK files, is one of the most serious vulnerabilities to be discovered this year. Since it is more of a design flaw than an actual bug, which has been around since as far back as Windows 2000, if not longer, Microsoft is expected to have quite a bit of trouble in coming up with a patch that doesn't hinder important functionality.

Given the flaw's broad attack surface, security researchers and antivirus vendors predicted that it wouldn't be long until malware writers integrated the exploit into the threats they develop – and they were right. ESET started by reporting last Thursday that a new keylogger, which has since been dubbed Chymine, is exploiting the LNK flaw to infect computers.

Just a day later, Microsoft announced that another malware family called Vobfus, which has historically abused shortcut files to perform social engineering attacks, is now leveraging the LNK vulnerability to execute automatically. Now, Trend Micro and F-Secure both warn that the hackers behind Sality, a family of file infectors, have adopted the LNK exploit and are using it to spread a variant of the notorious polymorphic virus.

And finally there's ZeuS, otherwise known as Zbot, an information-stealing computer trojan commonly used by fraudsters to steal money from their victims' compromised accounts. Zbot usually spreads through email spam and this latest variant is no different in that respect.

"Zeus is a challenging threat to combat, and not many vendors detected this variant yet. We're adding detection now. Fortunately, the exploit used is detected by many and the entire thing relies on socially engineering its victim into opening a password protected zip file and copying the lol.dll to the root of the C: since the path must be known in order for the exploit to work. We don't really expect great success for this particular variant of Zeus," F-Secure security researchers note.

You can follow the editor on Twitter @lconstantin