    We recently encountered malware posing as a legitimate font file. Detected as WORM_OTORUN.ASH, the worm is a .DLL file that uses .FON as its file extension. To propagate, it drops copies of itself into shared folders on the infected system. While these routines are not entirely new, the combination of both in a single piece of malware fits the exploit scenario described in the Microsoft OpenType Font Driver Vulnerability (MS10-091).

    However, after further analysis, we found that the malware does not contain any exploit code for MS10-091. Instead, it exploits the Windows LNK vulnerability (MS10-046), using shortcut files as its autostart component. Keep in mind that this particular vulnerability works with any .DLL file. In this case, even though WORM_OTORUN.ASH is disguised as a font file, it still functions as a .DLL file.
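A defender-side triage check for the disguise described above, added here as an example and not taken from the original post or from Trend Micro's detection logic. It relies on the fact that legitimate .FON files are NE font libraries or resource-only PE DLLs, so a .FON that is a PE image with an entry point or an executable section deserves a closer look; the function names, result labels and sample bytes are constructed for illustration.

```python
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020     # section contains executable code
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section is mapped executable

def classify_fon(data: bytes) -> str:
    """Classify the content of a file that carries a .FON extension."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-executable"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":
        return "ne-font-library"      # classic 16-bit font resource library
    if sig != b"PE\0\0":
        return "unknown-format"
    try:
        (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)
        (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
        opt = e_lfanew + 24           # start of the optional header
        (entry,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
        sec_tab = opt + opt_size      # section table follows the optional header
        flags = [struct.unpack_from("<I", data, sec_tab + 40 * i + 36)[0]
                 for i in range(nsec)]
    except struct.error:
        return "truncated-pe"
    has_code = any(f & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) for f in flags)
    # A resource-only font DLL has no entry point and no executable section.
    return "pe-with-code" if entry or has_code else "pe-resource-only"

def sample_pe(entry: int, sec_flags: int) -> bytes:
    """Constructed sample: PE headers plus one section header, no real code."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(0xE0, b"\0")
    sec = b".sec\0\0\0\0" + b"\0" * 28 + struct.pack("<I", sec_flags)
    return dos + b"PE\0\0" + coff + opt + sec

# Constructed sample: DOS stub pointing at an NE header, as in a bitmap font file.
SAMPLE_NE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"NE" + b"\0" * 62

if __name__ == "__main__":
    for path in sys.argv[1:]:         # e.g. every *.fon found on a share
        with open(path, "rb") as fh:
            print(path, classify_fon(fh.read()))
```

A "pe-with-code" result is a reason to inspect the file, not a verdict, since the check looks only at header fields.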

    WORM_OTORUN.ASH creates two types of .LNK files—shortcut files that point to files saved in local folders (LNK_OTORUN.SM) and shortcut files that point to files saved in shared folders (EXPL_CPLNK.SM). The dropped .LNK files bear enticing file names such as myporno.avi.lnk and pornmovs.lnk to trick users into clicking them.


    Successful exploits for MS10-091 and MS10-046 both result in remote code execution, so users are strongly advised to patch their systems if they haven’t yet.

    Trend Micro product users are protected from this threat through security solutions powered by the Trend Micro™ Smart Protection Network™, which detects and blocks all related malware and malicious URLs. Enterprise users are also protected from possible exploits via Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in.

    Additional analysis provided by Alden Baleva and Kathleen Notario



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice