Sophos security researchers report observing more malware targeting a Windows zero-day vulnerability.
Security researchers have found more
malware exploiting an unpatched Windows
vulnerability via .LNK
According to Sophos blog July 23, two other pieces of malware have been
observed targeting the bug. One is a keylogging Trojan the company is
calling Chymin-A that is "designed to steal information from infected
computers." The other is Dulkis-A, a "worm written in obfuscated
Visual Basic" that contains several subcomponents.
"First it will self-replicate using the malicious link vulnerability to
USB devices detected as TROJ/CPLnk-C,"
explained Chester Wisniewski, senior security advisor at Sophos. "Then it
is packed using the TDSS packer, implying it may contain the ability to infect
and hide using the TDSS rootkit. It also appears to drop a very old data-stealing
Trojan that was originally designed to steal data about Remote Access or dial-up
connection information. I have not had enough time to analyze this piece to see
if that is in fact what it still does.
"The other bit that was interesting about the Chymin-A sample was that
the shortcut that triggers the infection pointed at a UNC path on a file server
on the Internet," Wisniewski added. "This means that anyone blocking
outbound File and Print connections (SMB) would not be at risk."
at the center of the attacks
is due to the way Windows parses .LNK shortcut
files. More specifically, the Windows Shell component fails to correctly
validate specific parameters of the shortcut.
When the user opens an infected USB drive
in Windows Explorer or any other program that parses the shortcut icon, malware
can be executed. Microsoft has also warned that an attacker could set up a
malicious Website or a remote network share and place the malicious component
"When the user browses the Website using a Web browser such as Internet
Explorer or a file manager such as Windows Explorer, Windows will attempt to
load the icon of the shortcut file, and the malicious binary will be
invoked," Microsoft warned
in its advisory.
"In addition, an attacker could embed an exploit in a
document that supports embedded shortcuts or a hosted browser control."
The malware first associated with the vulnerability
which targets Siemens software used by industrial companies.
Siemens began distributing a tool July 22 to help organizations thwart attacks.
It is no surprise that other malware are exploiting the vulnerability, as
knowledge of new vulnerabilities spreads quickly, said Gerry
Egan, director of Symantec Security Response.
"In the small number of cases we've observed, all of these have pointed
to an information-stealing Trojan," Egan said.