New malicious LNKs: here we go...

Having implemented generic detection of the CVE-2010-2568 vulnerability used to propagate the now infamous Win32/Stuxnet, ESET has identified not one but two new malware families that exploit the same vulnerability.  This vulnerability allows code execution through malicious LNK (shortcut) files. 

We have identified a new family that exploits this unpatched vulnerability in order to spread, which we have labelled Win32/TrojanDownloader.Chymine.A.  At the time of analysis, this threat downloads and install a key stroke logger which we detect as Win32/Spy.Agent.NSO trojan.  The server used to deliver the components used in this attack is presently located in the US, but the IP is assigned to a customer in China.

Minutes after identifying this new attack, we observed a known threat, Win32/Autorun.VB.RP, which has been updated to include the CVE-2010-2568 exploit as a new propagation vector.  Win32/Autorun.VB.RP seems to download and install additional components on infected machines.

This new development follows a typical path of evolution in malware.  Often there are only days between the initial release of information regarding a critical vulnerability, and the discovery of its exploitation being executed in the wild by malware authors.  It is safe to assume that more malware operators will start using this exploit code in order to infect host systems and increase their revenues.

These new families represent a major transition: Win32/Stuxnet demonstrates a number of novel and interesting features apart from the original 0-day LNK vulnerability, such as its association with the targeting of Siemens control software on SCADA sites and the use of stolen digital certificates, However, the new malware we're seeing is far less sophisticated, and suggests bottom feeders seizing on techniques developed by others. Peter Kosinar comments:

It should be noted that we have NOT observed Win32/TrojanDownloader.Chymine.A or any of the related stuff generating any malicious LNK; we've only seen LNKs exploiting the latest vulnerability, which pointed to it. In other words, Win32/TrojanDownloader.Chymine.A doesn't spread by itself, there must be something (or someone) else "helping" it.

In contrast to that, Win32/Autorun.VB.RP (which looks very much like like an updated version of the malware described at http://isc.sans.edu/diary.html?storyid=9229), DOES actually produce new LNK files exploiting the CVE-2010-2568 vulnerability to facilitate its own spreading.

Special thanks to Richard Baranyi and Peter Kosinar for their contribution to this research.

Pierre-Marc Bureau, Senior Researcher
David Harley, Senior Research Fellow