It is also now being used to spread ZBOT variants via malicious attachments to spammed messages, now blocked by Trend Micro products, with the subject Microsoft Windows Security Advisory and the following message:
The message claims to come from Microsoft and suggests that users apply the attached update to protect them from a threat that is currently proliferating in the wild. It even gives the password to the protected .ZIP file attachment as well as instructions for installing the supposed security update. Note, however, that Microsoft has not issued a patch to resolve the said vulnerability, only a “fix tool” which disables .LNK and .PIF.
Upon investigation, we found that the attached archive contains a malicious .LNK file that Trend Micro proactively detects as LNK_STUXNET.SM. Also included is a malicious .DLL file detected as TROJ_ZBOT.BXW.
When the exploit code in the shortcut is triggered, it runs the malware component, which then downloads and executes the main malware, TROJ_ZBOT.BXW. TROJ_ZBOT.BXW is one of the ZBOT 2.0 variants that we spotted earlier this year, highlighting how widespread the vulnerability is now being exploited.
SALITY file infectors are now using this vulnerability as well, as demonstrated by PE_SALITY.LNK-O:
Let us compare the previous commonly used method by USB malware, AUTORUN.INF, to spread:
|Removable drives||Any drive (shared drives, removable drives, optical drives, etc.)|
|Target file should have .EXE, .BAT, .SCR, or .CMD extension||Any file name as long as it is a .DLL file|
It should be made clear, however, that malware using the LNK vulnerability can spread more easily than those that use the AUTORUN.INF file. Until a patch to resolve the vulnerability is released, even more malware families are likely to exploit it.
Update as of August 3, 2010, 3:30 a.m. (UTC-7)
Microsoft has issued an out-of-cycle patch to resolve this issue. Details may be found here.
Additional text by Julius Dizon and Marvin Cruz, Escalation Engineers