Cyber-Criminals Are Capitalizing on the Windows Shortcut Zero-day Vulnerability

Recent research has revealed that cyber-criminals are making the most of the Windows shortcut zero-day vulnerability. The vulnerability affects all supported Windows versions and allows a Windows shortcut, an .lnk file, to load a malicious .dll. No click is required: the .dll is loaded as soon as Windows Explorer renders the shortcut's icon, for example when a folder or drive containing the file is opened.

A spam e-mail with the subject line “Microsoft Windows Security Advisory” is currently in circulation and is helping to distribute malware that exploits the vulnerability. The e-mail purports to come from Microsoft and tells the recipient that there “is a new potentially dangerous software-worm, attacking Windows users through an old bug when executing .ICO files”. It goes on to say that “since you are a special Microsoft Windows user, there is a new patch attached to this e-mail, which eliminates the possibility of having your software infected.”

The e-mail also supplies the password for the password-protected .zip attachment, followed by instructions for installing the supposed security update. Analysis by Trend Micro showed that the attachment contains a malicious .lnk file, detected as LNK_STUXNET.SM, together with a .dll file detected as TROJ_ZBOT.BXW. When Windows parses the shortcut, the exploit loads the .dll component, which then downloads and executes the main malware, TROJ_ZBOT.BXW.

Before this zero-day vulnerability, AUTORUN.INF was the most common propagation method for USB malware. Cyber-criminals have, however, recognised the advantages of the LNK vulnerability over AUTORUN.INF and are running with it:

AUTORUN.INF

  • Spreads only via removable drives, and only where AutoRun is enabled.
  • The target file must have an .EXE, .BAT, .SCR or .CMD extension.

LNK vulnerability

  • Spreads via any drive that Explorer can browse, including network shares, removable drives and optical media.
  • The target file can have any file name, as long as it is a .DLL.

This shows that malware using the LNK vulnerability can spread more easily than malware relying on an AUTORUN.INF file. So far Microsoft has not issued a patch for the Windows shortcut zero-day vulnerability, but it has published a “Fix it” tool as a workaround, which disables the display of icons for .lnk and .pif files so that a malicious shortcut is no longer parsed when it is shown.
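Because the attack needs no click and the .dll can carry any name, the useful defensive check is to look at shortcut files themselves rather than at what they are called. The scanner below is an added example written for this page, not code from Trend Micro or Microsoft: it parses the fixed header, LinkTargetIDList and string data of a shell link (the layout follows the MS-SHLLINK specification, with the offsets and flag values hard-coded as constants) and flags shortcuts whose ID list or relative path references a .dll, which is what the exploiting shortcuts do. The two sample shortcuts are constructed with the helper in the block and are not real malware; the DLL path and server name in them are invented.

```python
"""Triage scanner for Windows shortcut (.lnk) files whose target is a .dll."""
import os
import struct

# Fixed values from the MS-SHLLINK specification (shell link header and LinkFlags).
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this order, each only if its flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def parse_lnk(data: bytes) -> dict:
    """Parse header flags, the raw LinkTargetIDList and the StringData of a shell link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("missing shell link header")
    off = HEADER_SIZE
    idlist = b""
    if flags & HAS_LINK_TARGET_ID_LIST:
        (size,) = struct.unpack_from("<H", data, off)
        idlist = data[off + 2:off + 2 + size]
        off += 2 + size
    if flags & HAS_LINK_INFO:
        # LinkInfo begins with its own total size; the scanner skips its contents.
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    strings = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, off)  # CountCharacters, not bytes
        off += 2
        if flags & IS_UNICODE:
            strings[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            strings[name] = data[off:off + count].decode("latin-1")
            off += count
    return {"flags": flags, "idlist": idlist, "strings": strings}


def assess_lnk(data: bytes) -> dict:
    """Flag a shortcut whose resolution would hand a .dll to the shell."""
    info = parse_lnk(data)
    evidence = []
    rel = info["strings"].get("relative_path", "")
    if rel.lower().endswith(".dll"):
        evidence.append(f"relative path targets a DLL: {rel}")
    idl = info["idlist"].lower()  # bytes.lower() folds ASCII only, which is all we need
    if b".dll" in idl or ".dll".encode("utf-16-le") in idl:
        evidence.append("LinkTargetIDList embeds a .dll path")
    # IconLocation is deliberately ignored: legitimate shortcuts routinely take their
    # icon from shell32.dll and similar, so it would generate false positives.
    return {"suspicious": bool(evidence), "evidence": evidence, "strings": info["strings"]}


def scan_tree(root: str) -> list:
    """Walk a mounted drive or share and return (path, evidence) for suspicious shortcuts."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    verdict = assess_lnk(fh.read())
            except (OSError, ValueError):
                continue  # unreadable or not a shell link
            if verdict["suspicious"]:
                hits.append((path, verdict["evidence"]))
    return hits


def build_lnk(idlist_items=(), relative_path=None) -> bytes:
    """Assemble a minimal Unicode shell link; used here only to construct samples."""
    flags = IS_UNICODE
    body = b""
    if idlist_items:
        flags |= HAS_LINK_TARGET_ID_LIST
        items = b"".join(struct.pack("<H", len(it) + 2) + it for it in idlist_items) + b"\x00\x00"
        body += struct.pack("<H", len(items)) + items
    if relative_path is not None:
        flags |= HAS_RELATIVE_PATH
        body += struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand = SW_SHOWNORMAL
    return header + body


# Constructed samples (not real malware): a benign shortcut to notepad, and one whose
# ID list carries a UTF-16 path to a DLL on a file share; the share name is invented.
BENIGN_LNK = build_lnk(
    idlist_items=[b"\x1f" + b"\x00" * 19, b"\x31" + "Windows".encode("utf-16-le")],
    relative_path=".\\notepad.exe",
)
SUSPICIOUS_LNK = build_lnk(
    idlist_items=[b"\x1f" + b"\x00" * 19,
                  b"\x00" + "\\\\fileserver\\public\\update.dll".encode("utf-16-le")],
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(label, assess_lnk(blob))
```

Pointing `scan_tree` at a mounted USB stick, optical disc or network share checks every shortcut the way Explorer would encounter it, which matches the spread pattern described above: the scanner looks at what the shortcut resolves to, so a .dll renamed to anything is still caught as long as the shortcut's own data names a .dll. The check is a triage heuristic, not a signature, and a shortcut it flags should be examined before being trusted.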
