New Exploits of LNK vulnerability in the Wild

Rmus · Aug 2, 2010

I've found these descriptions of new exploits of the LNK vulnerability. Please post others as you find them.

ZeuS/ZBOT and SALITY Jump on the LNK Exploit Bandwagon
http://blog.trendmicro.com/zeuszbot-and-sality-jump-on-the-lnk-exploit-bandwagon/

It is also now being used to spread ZBOT variants via malicious attachments to spammed messages...

The message claims to come from Microsoft and suggests that users apply the attached update to protect them from a threat that is currently proliferating in the wild. It even gives the password to the protected .ZIP file attachment as well as instructions for installing the supposed security update.
Click to expand...

This one appears to be a retake on the old fake MS update emails. The difference here is that if the victim chooses to open the ZIP file, the LNK files will execute automatically.

_______________________________________________________________

Downloader-CJX Cashing In on Microsoft .LNK Flaw
http://www.avertlabs.com/research/blog/index.php/category/exploit-research/

our research team found a new variant of Downloader-CJX that extended its previous .LNK propagation strategy using social engineering with the new Exploit-CVE2010-2568 .LNK files.
Downloader-CJX is a malware family that installs .LNK files mimicking current Windows and user folders such as Music, Documents, or New Folder.

The malware changes the attributes of the real folder to hide it from Explorer, and drops the .LNK files with folder icons, so the user is lured into clicking on these malicious links that appear as legitimate folders.
Click to expand...

This one appears to require both malware to install the malicious LNK files, and some social engineering.

_______________________________________________________________

----
rich

dlimanov · Aug 2, 2010

Hitman Pro, build 108 protects against this vulnerability, as described here:
http://hitmanpro.wordpress.com/2010/07/31/how-lnk-exploit-protection-works/
I wish Microsoft would react as fast as Hitman in releasing the patch for this.

Rmus · Aug 2, 2010

I'd prefer to keep this thread about the new exploits.

Protection/detection are discussed in other threads.

thanks,

rich

CloneRanger · Aug 2, 2010

Hi, here's another for you

LNK Vulnerability: Chymine, Vobfus, Sality and Zeus

http://www.f-secure.com/weblog/archives/00001996.html
Click to expand...

Rmus · Aug 2, 2010

CloneRanger said:

Hi, here's another for you
Click to expand...

http://www.f-secure.com/weblog/archives/00001996.html

Thanks - I see it's one of the fake MS update emails:

Fortunately, the exploit used is detected by many and the entire thing relies on socially engineering its victim into opening a password protected zip file and copying the lol.dll to the root of the C: since the path must be known in order for the exploit to work.

We don't really expect great success for this particular variant of Zeus.
Click to expand...

This is funny in a sense, because the PoC that everyone was testing had the user copy the DLL to C: and I said that exploits in the Wild don't work that way.

Well, here is one that does! Do you suppose the creators of this fake MS update were influenced by the PoC?

----
rich

ParadigmShift · Aug 2, 2010

Originally Posted by Rmus
Do you suppose the creators of this fake MS update were influenced by the PoC?
Click to expand...

Probably, but I think they lurk here as well.

Log in or Sign up

New Exploits of LNK vulnerability in the Wild

Rmus Exploit Analyst

dlimanov Registered Member

Rmus Exploit Analyst

CloneRanger Registered Member

Rmus Exploit Analyst

ParadigmShift Registered Member

Log in or Sign up

New Exploits of LNK vulnerability in the Wild

Rmus Exploit Analyst

dlimanov Registered Member

Rmus Exploit Analyst

CloneRanger Registered Member

Rmus Exploit Analyst

ParadigmShift Registered Member

Useful Searches