Security researchers have found more malware exploiting an unpatched Windows vulnerability via .LNK shortcut files.
According to Sophos blog July 23, two other pieces of malware have been observed targeting the bug. One is a keylogging Trojan the company is calling Chymin-A that is “designed to steal information from infected computers.” The other is Dulkis-A, a “worm written in obfuscated Visual Basic” that contains several subcomponents.
“First it will self-replicate using the malicious link vulnerability to USB devices detected as TROJ/CPLnk-C,” explained Chester Wisniewski, senior security advisor at Sophos. “Then it is packed using the TDSS packer, implying it may contain the ability to infect and hide using the TDSS rootkit. It also appears to drop a very old data-stealing Trojan that was originally designed to steal data about Remote Access or dial-up connection information. I have not had enough time to analyze this piece to see if that is in fact what it still does.
“The other bit that was interesting about the Chymin-A sample was that the shortcut that triggers the infection pointed at a UNC path on a file server on the Internet,” Wisniewski added. “This means that anyone blocking outbound File and Print connections (SMB) would not be at risk.”
The vulnerability at the center of the attacks is due to the way Windows parses .LNK shortcut files. More specifically, the Windows Shell component fails to correctly validate specific parameters of the shortcut.
When the user opens an infected USB drive in Windows Explorer or any other program that parses the shortcut icon, malware can be executed. Microsoft has also warned that an attacker could set up a malicious Website or a remote network share and place the malicious component there.
“When the user browses the Website using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked,” Microsoft warned in its advisory. “In addition, an attacker could embed an exploit in a document that supports embedded shortcuts or a hosted browser control.”
The malware first associated with the vulnerability was Stuxnet, which targets Siemens software used by industrial companies. Siemens began distributing a tool July 22 to help organizations thwart attacks.
It is no surprise that other malware are exploiting the vulnerability, as knowledge of new vulnerabilities spreads quickly, said Gerry Egan, director of Symantec Security Response.
“In the small number of cases we’ve observed, all of these have pointed to an information-stealing Trojan,” Egan said.