Proactive IT Security

Exploits for .LNK vulnerability are growing fast (UPDATED 3 August)

Earlier this month, VirusBlokAda reported on Stuxnet, the first exploit of the .LNK (Windows Shortcut) vulnerability, which affects all Microsoft Windows operating systems.

Malware can compromise any Windows operating system by exploiting the way file managers (including third-party file managers such as Total Commander) display shortcut icons. Specially crafted shortcuts use this vulnerability to execute malware when their icon is displayed.

W32/Stuxnet was the first malware to use this vulnerability; it targets Siemens SCADA (Supervisory Control And Data Acquisition) systems, using a default password to access their SQL-based database. This is clearly a targeted attack.

Updates about this particular vulnerability (29 July)

Microsoft has issued an updated version (1.2) of Microsoft Security Advisory 2286198.

At first the spreading vector was reported to be local USB drives only. As more research has been done by Microsoft and other partners in MAPP (Microsoft Active Protection Program), several other spreading vectors have been identified. Basically, most spreading vectors used by other malware are viable.

In addition to USB drives these would typically be:

Network drives
The malicious shortcut file can, for example, be copied to any network drive along with the malware. Any Windows user accessing this drive can be compromised and may spread the shortcut file to other network drives to which they have access.

WebDAV
Web servers can be used to spread crafted shortcuts to visiting computers, compromising the operating system and potentially leaving them open to further compromise by droppers or downloaders.

Documents
Microsoft's latest advisory also lists Microsoft Office documents as a spreading vector. Basically, any file format that allows other files to be embedded may be used as a spreading vector, e.g. archive formats such as ZIP or RAR.

Known malware exploiting the .LNK vulnerability

W32/Stuxnet
W32/Zbot
W32/Dulkis
W32/Autorun.BJZ
W32/Autorun.BJZJ

All of Norman's antivirus products will detect and remove this malware.

We expect more malware utilizing the .LNK vulnerability to appear very soon. It also seems safe to assume that more advanced variants will follow, combining the .LNK vulnerability with both more targeted and more generalized malware.

Known fixes or workarounds

Disable .LNK and .PIF file functionality manually or automatically by using the “Fix it for me” button at this Microsoft web page: http://support.microsoft.com/kb/2286198#FixItForMe

[Note that in this particular case with the .LNK vulnerability, the usual vendor patching process may not apply: the vulnerability lies in the design of the functionality itself and may not be regarded as a bug. Changing a function may take some time.]

Update 2 August

Microsoft has announced an out-of-band security update that addresses this vulnerability. It will be released on 2 August.

Update 3 August

Microsoft has released its announced out-of-band security update for this vulnerability in Windows Shell. More information and links to the update are available from Microsoft's Security Bulletin MS10-046.

Norman strongly advises affected customers to install this update as soon as possible. Various malware exploiting this vulnerability are in the wild.
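An administrator who has to confirm the state of a fleet needs two answers per host: is the "Fix it" workaround from the "Known fixes or workarounds" section still active, and has the MS10-046 update been installed? The PowerShell script below is an added example for this post, not Norman's or Microsoft's code. It assumes that the workaround clears the (Default) value of the shortcut and PIF IconHandler registry keys (the CLSID shown is the standard shell icon handler, and the key paths are taken from Microsoft's advisory rather than from this post), and that the update is registered as hotfix KB2286198, the KB number appearing in the Fix it URL above.

```powershell
# Added example (not from the original post): audit a host for the .LNK/.PIF
# icon-handler workaround and for the MS10-046 update (KB2286198).
# Assumptions: the workaround removes the (Default) value of the IconHandler
# keys below; the update is recorded as hotfix KB2286198.

function Get-LnkIconHandlerState {
    # Both file types handled by the workaround; the (Default) value normally
    # holds the CLSID of the shell's shortcut icon handler.
    $keys = @{
        'lnkfile' = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
        'piffile' = 'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
    }
    foreach ($name in $keys.Keys) {
        $path  = $keys[$name]
        $clsid = $null
        if (Test-Path -Path $path) {
            # Get-ItemProperty exposes the key's default value as '(default)'.
            $clsid = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            FileType         = $name
            IconHandlerCLSID = $clsid
            WorkaroundActive = [string]::IsNullOrEmpty($clsid)
        }
    }
}

function Test-MS10046Installed {
    # Get-HotFix reads the same Win32_QuickFixEngineering data as "wmic qfe".
    $hotfix = Get-HotFix -Id 'KB2286198' -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

function Get-LnkVulnerabilityStatus {
    $patched  = Test-MS10046Installed
    $handlers = Get-LnkIconHandlerState
    $anyWorkaround = ($handlers | Where-Object { $_.WorkaroundActive }).Count -gt 0

    # Decide what the host still needs, from a defender's point of view.
    $verdict = if ($patched -and -not $anyWorkaround) {
        'Patched; shortcut icons enabled'
    } elseif ($patched -and $anyWorkaround) {
        'Patched; workaround can be reverted'
    } elseif ($anyWorkaround) {
        'Unpatched; workaround active (install MS10-046)'
    } else {
        'Unpatched and no workaround: EXPOSED'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        KB2286198Present  = $patched
        LnkWorkaround     = ($handlers | Where-Object FileType -eq 'lnkfile').WorkaroundActive
        PifWorkaround     = ($handlers | Where-Object FileType -eq 'piffile').WorkaroundActive
        Verdict           = $verdict
    }
}

# Usage: run in an elevated PowerShell session on each host to be checked.
Get-LnkVulnerabilityStatus | Format-List
```

Once the MS10-046 update is installed, the workaround should be reverted (Microsoft's bulletin describes how to undo it) so that shortcut icons display again; the "Patched; workaround can be reverted" verdict flags hosts where that clean-up is still outstanding. Get-HotFix only reports updates recorded in the servicing database, so a host patched through other means may show as unpatched here and should then be checked against the file versions listed in the bulletin.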