Exploits for the recently discovered Windows shortcut vulnerability are now fully out in the wild and affecting users. While earlier samples were seen in more narrowly targeted attacks, the new samples Trend Micro analysts found are now aimed at broader audiences and pose a threat to users at large. Indonesia and India have been particularly hard-hit by this attack, accounting for more than 75 percent of the total number of infections.
In addition, a recent update to Microsoft’s advisory has added a new vector for this vulnerability. File formats that support embedded shortcuts (e.g., Microsoft Office documents) can now be used to spread exploits as well. This means that users who download and open such files could find themselves the latest victim of this vulnerability. It has also been reported that this attack could be used in drive-by attack scenarios, further increasing risks.
However, the good news is that Trend Micro proactively detects shortcut files that exploit this security flaw as LNK_STUXNET.SM. The malware’s payloads are also proactively detected as WORM_STUXNET.SM. Earlier variants were already detected as LNK_STUXNET.A, RTKT_STUXNET.A, and WORM_STUXNET.A. This mitigates the risks faced by users dealing with this threat.
According to the Microsoft security advisory page for this vulnerability, this hole presents a number of possibilities for attackers. This is scary and intriguing at the same time. Below is a summary of these possibilities:
- USB drive infection. This works in the same style as the autorun trick but without needing autorun.inf, and it is the most obvious application of the hole. It is a local attack, so the attacker needs access to the computer in the form of a USB drive or even a CD/DVD.
- Network shares. The hole can be exploited over the network by copying the malicious shortcut file to a shared network location frequently used by users in a Windows network. If the first infected user has administrator rights, there is another application of the hole. If that infected user can access other people’s hard drives (either by having access rights or by guessing other users’ passwords), the malware can copy the .LNK file into the Windows Start menu folder so that the malicious shortcut is displayed and executed when the user clicks the Start button. DOWNAD already used the password-guessing method, but this vulnerability helps by dealing with the execution part.
- Malicious website. If the bad .LNK file is placed on a website that displays file icons, it can force Internet Explorer to look up the icon to display, thus triggering exploitation. The likely candidates are pages that let users upload and download files, such as webmail clients. A user would be affected as soon as the email with the attached shortcut file is opened, without ever downloading the file. Some webmail software might run into this if it tries to display the shortcut’s icon. We cannot confirm that this is a real scenario yet, however.
- Documents. Office productivity suites (including but not limited to Microsoft Office) allow files to be embedded within documents. If a bad shortcut file is packaged into some kind of document, the software accesses the icon file so that it can be displayed. This opens the possibility of an email attack by means of a regular document file with an embedded shortcut. In addition, some email clients might be affected when displaying attached files.
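Every vector above relies on Windows reading a shortcut's icon, so a defender triaging .LNK files found on a share or removable drive wants to know where each one tells the shell to fetch its icon from. The following added example (not Trend Micro's code) parses the public shell link layout, pulls out the IconLocation string, and applies a constructed heuristic that flags icons sourced from outside the Windows directory; the trusted prefixes and the sample shortcuts are assumptions for illustration.

```python
import struct

# Layout constants from the public [MS-SHLLINK] specification
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order, each gated by its LinkFlags bit
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))

def parse_lnk(data):
    """Walk header, LinkTargetIDList, LinkInfo and StringData of a .LNK blob.
    ExtraData blocks after StringData are ignored. Raises ValueError when the
    bytes are not a shell link (wrong HeaderSize or LinkCLSID)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                        # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    record = {"flags": flags}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            record[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return record

def needs_review(record, trusted_prefixes=("%SystemRoot%\\", "C:\\Windows\\")):
    """Constructed triage heuristic (assumption): a shortcut whose icon is loaded
    from outside the Windows directory, e.g. a UNC share or removable media, is
    worth quarantining until someone has looked at it."""
    src = record.get("icon_location")
    return src is not None and not src.lower().startswith(
        tuple(p.lower() for p in trusted_prefixes))

def build_lnk(icon_location):
    """Constructed minimal sample: header + empty IDList + Unicode IconLocation."""
    flags = HAS_ID_LIST | IS_UNICODE | 0x40
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<HH", 2, 0)             # IDListSize 2 = TerminalID only
    icon = icon_location.encode("utf-16-le")
    return header + id_list + struct.pack("<H", len(icon_location)) + icon
```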
Cybercriminals are always after the biggest bang for their buck and an unpatched vulnerability such as this provides a prime target that, if left unchecked, could earn them a lot of money while causing great pain and inconvenience to computer users worldwide. We will almost certainly continue to see a slew of attacks taking advantage of this issue.
Enterprise users can also benefit from the additional protection offered by Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plug-in. Rules released earlier this week prevent this vulnerability from being exploited via network shares and WebDAV.
Update as of July 24, 2010, 8:06 PM (UTC)
Not only is new malware being created that uses this vulnerability to spread, old malware is also being updated to employ this new routine. We’ve been able to obtain three new samples that use crafted .LNK files to spread malware:
We’ve also found other malicious .LNK files, detected as LNK_STUXNET.SMB, that execute a DLL we detect as TROJ_CHYMINE.A. The said Trojan connects to a remote site to download a malicious .EXE file, which is also detected as TROJ_CHYMINE.A.
Lastly, we found a version of the familiar AUTORUN malware that has been updated to spread using the LNK vulnerability, which we detect as WORM_VBNA.IVN.
According to Threat Research Manager Ivan Macalintal, the usage of .LNK files is really more of an abuse of a flaw than a vulnerability. “While most of the industry is still referencing this as being a vulnerability, really, it’s a flaw – an abused flaw in the strictest sense,” commented Macalintal, “and this is one of the reasons delivering a patch is proving a challenge for Microsoft.”
Either way, the said technique will surely be more widely abused in the coming days.
Update as of August 3, 2010, 11:30 a.m. (UTC)
Microsoft has issued an out-of-cycle patch to resolve this issue. Details may be found here.