Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    December 2014
    S M T W T F S
    « Nov    
     123456
    78910111213
    14151617181920
    21222324252627
    28293031  
  • Email Subscription

  • About Us

    As reported last week, exploits targeting the Windows shortcut zero-day vulnerability have risen in number.

    It is also now being used to spread ZBOT variants via malicious attachments to spammed messages, now blocked by Trend Micro products, with the subject Microsoft Windows Security Advisory and the following message:

    Click

    The message claims to come from Microsoft and suggests that users apply the attached update to protect them from a threat that is currently proliferating in the wild. It even gives the password to the protected .ZIP file attachment as well as instructions for installing the supposed security update. Note, however, that Microsoft has not issued a patch to resolve the said vulnerability, only a “fix tool” which disables .LNK and .PIF.

    Upon investigation, we found that the attached archive contains a malicious .LNK file that Trend Micro proactively detects as LNK_STUXNET.SM. Also included is a malicious .DLL file detected as TROJ_ZBOT.BXW.

    When the exploit code in the shortcut is triggered, it runs the malware component, which then downloads and executes the main malware, TROJ_ZBOT.BXW. TROJ_ZBOT.BXW is one of the ZBOT 2.0 variants that we spotted earlier this year, highlighting how widespread the vulnerability is now being exploited.

    SALITY file infectors are now using this vulnerability as well, as demonstrated by PE_SALITY.LNK-O:

    Let us compare the previous commonly used method by USB malware, AUTORUN.INF, to spread:

    AUTORUN.INF LNK Vulnerability
    Removable drives Any drive (shared drives, removable drives, optical drives, etc.)
    Target file should have .EXE, .BAT, .SCR, or .CMD extension Any file name as long as it is a .DLL file

    It should be made clear, however, that malware using the LNK vulnerability can spread more easily than those that use the AUTORUN.INF file. Until a patch to resolve the vulnerability is released, even more malware families are likely to exploit it.

    Update as of August 3, 2010, 3:30 a.m. (UTC-7)

    Microsoft has issued an out-of-cycle patch to resolve this issue. Details may be found here.

    Additional text by Julius Dizon and Marvin Cruz, Escalation Engineers





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon






     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice