More LNK-exploiting malware, by Jove!*

*Jove, or Jupiter, was the Roman equivalent of the Greek god Zeus, the king of the gods. Ah, the benefits of a classical education. If GCE O-Level Latin counts as a classical education…

Pierre-Marc and I reported a few days ago that we were seeing both new malware and older families starting to incorporate the same .LNK exploit used by Win32/Stuxnet. We also predicted that "…more malware operators will start using this exploit code in order to infect host systems and increase their revenues." Well, that was a pretty safe bet.

And sure enough, F-Secure's Sean Sullivan has publicised versions of the Zeus botnet and of Win32/Sality making use of the same exploit. Meanwhile, Sophos and GDATA are offering tools that check LNK files for the exploit, which we detect generically as LNK/Exploit.CVE-2010-2568. This approach may be useful for system administrators and anyone who isn't, for whatever reason, using an anti-virus scanner or security suite. However, as Sean also pointed out, a good many AV companies are, by now, also detecting the exploit generically, so this development is a lot less dramatic than it would have been a few days ago.
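The standalone checkers mentioned above look for the structural feature the Stuxnet shortcuts abuse: a LinkTargetIDList in which the Control Panel folder item is followed by an applet item carrying a module path, which the shell loads when it renders the shortcut's icon. As an added illustration of what such a check involves (example code written for this page, not the Sophos, GDATA or ESET tools), the Python below parses the MS-SHLLINK header and ID list, pulls the path out of the item after the Control Panel entry, and grades the result. The CLSIDs and header layout are the documented Windows ones; the path-extraction regex, the "System32 .cpl" allow rule and the byte layout of the constructed sample shortcuts are heuristics and assumptions, not the exact on-disk shape of any real sample.

```python
"""Heuristic check of .LNK files for the CVE-2010-2568 (Stuxnet-style) Control Panel item pattern."""
import re
import struct
import sys
import uuid

# Public constants from MS-SHLLINK and the Windows shell namespace.
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
CLSID_MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CLSID_CONTROL_PANEL = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_IDLIST = 0x00000001

# UTF-16LE drive-letter or UNC path of printable ASCII (heuristic; assumes the applet item stores the path this way).
PATH_RE = re.compile(rb"(?:[A-Za-z]\x00:\x00\\\x00|\\\x00\\\x00)(?:[\x20-\x7e]\x00)+")


def parse_lnk(data):
    """Validate the ShellLinkHeader and return the ItemID payloads of the LinkTargetIDList (size fields stripped)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a Shell Link")
    header_size, = struct.unpack_from("<I", data, 0)
    flags, = struct.unpack_from("<I", data, 20)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or LinkCLSID)")
    items = []
    if flags & HAS_LINK_TARGET_IDLIST:
        if len(data) < HEADER_SIZE + 2:
            raise ValueError("LinkTargetIDList flag set but no IDListSize present")
        idlist_size, = struct.unpack_from("<H", data, HEADER_SIZE)
        pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + idlist_size
        if end > len(data):
            raise ValueError("LinkTargetIDList runs past end of data")
        while pos + 2 <= end:
            item_size, = struct.unpack_from("<H", data, pos)
            if item_size == 0:  # TerminalID closes the list
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError("malformed ItemID at offset %d" % pos)
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
    return items


def extract_utf16_path(item):
    """Return the first UTF-16LE path-like string in an ItemID payload, or None."""
    for m in PATH_RE.finditer(item):
        if m.start() % 2 == 0:  # UTF-16 code units start on even offsets
            return m.group().decode("utf-16-le")
    return None


def check_lnk(data):
    """Classify a shortcut as 'clean', 'review' (Control Panel item naming a System32 .cpl) or 'suspicious'."""
    items = parse_lnk(data)
    result = {"control_panel": False, "target_path": None, "verdict": "clean"}
    for i, item in enumerate(items):
        if CLSID_CONTROL_PANEL.bytes_le in item:
            result["control_panel"] = True
            # The exploit item follows the Control Panel folder item and carries the module path.
            for later in items[i + 1:]:
                path = extract_utf16_path(later)
                if path:
                    result["target_path"] = path
                    break
            break
    path = result["target_path"]
    if result["control_panel"] and path:
        lower = path.lower()
        if lower.endswith(".cpl") and "\\system32\\" in lower:
            result["verdict"] = "review"  # shaped like an ordinary applet shortcut; still worth confirming
        else:
            result["verdict"] = "suspicious"  # .dll, UNC or removable-media path loaded via the applet item
    return result


def build_lnk(items):
    """Construct a minimal Shell Link holding only a LinkTargetIDList (constructed test input, not a real sample)."""
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize, IconIndex, ShowCommand=1, HotKey, Reserved x3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID.bytes_le, HAS_LINK_TARGET_IDLIST,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    idlist = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist


def _cpl_item(path):
    # Constructed shape of a Control Panel applet item: a few flag bytes, then the module path in UTF-16LE.
    return b"\x00" * 8 + path.encode("utf-16-le") + b"\x00\x00"


ROOT_ITEM = b"\x1f\x50" + CLSID_MY_COMPUTER.bytes_le            # root folder item (My Computer)
CONTROL_PANEL_ITEM = b"\x2e\x00" + CLSID_CONTROL_PANEL.bytes_le  # Control Panel folder item

# Constructed samples: a Stuxnet-style DLL on removable media, an ordinary applet shortcut, a plain file shortcut.
MALICIOUS_LNK = build_lnk([ROOT_ITEM, CONTROL_PANEL_ITEM, _cpl_item(r"\\.\STORAGE#Volume#1#\payload.dll")])
BENIGN_LNK = build_lnk([ROOT_ITEM, CONTROL_PANEL_ITEM, _cpl_item(r"C:\Windows\System32\main.cpl")])
CLEAN_LNK = build_lnk([ROOT_ITEM, b"\x31\x00" + b"notes.txt\x00"])


def scan_file(path):
    with open(path, "rb") as f:
        return check_lnk(f.read())


if __name__ == "__main__":
    for name in sys.argv[1:]:
        try:
            print(name, scan_file(name))
        except ValueError as exc:
            print(name, "skipped:", exc)
```

Run it with one or more .lnk paths as arguments. Legitimate shortcuts to applets will come back as "review", and a shortcut whose Control Panel item carries a .dll or a UNC path is the pattern worth pulling for analysis. It is a triage aid for the situations the post describes, an administrator without a scanner on a given host, not a replacement for generic detection of LNK/Exploit.CVE-2010-2568.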

In fairness to other companies, I should reiterate that when a VirusTotal report indicates no detection by other companies listed, that shouldn't be taken as an infallible indication that those companies can't detect it. As I've said many times before, that's not how the VirusTotal service works, or what it's intended for: it runs the vendors' command-line engines, which don't necessarily include everything the shipping products do, and it exists to check a particular sample, not to compare detection rates.

In fact, the aspect of this outbreak that I've found really encouraging is the willingness of most of the major companies to acknowledge the research of others and to give links to competitor sites where appropriate. While linking to competitor sites may not seem good marketing, there are occasions when it's in the interest of the consumer for cooperation to trump competitive marketing.

Author: David Harley, ESET Senior Research Fellow


Copyright © 2017 ESET, All Rights Reserved.