Windows LNK vulnerability attracts more attacks

The unpatched LNK vulnerability in all versions of Windows (from XP onwards) is attracting considerably more attention from malware authors: two further exploits have been detected in the wild. The first .lnk trojan, Stuxnet, was very specific about its payload, targeting Siemens SCADA software. The effectiveness of .lnk attacks, however, lies in the fact that the vulnerability is only the delivery mechanism; the payload can be customised and swapped as required to suit the attack.

Win32/TrojanDownloader.Chymine.A contacts a server in the US and downloads the Win32/Spy.Agent.NSO keylogger from there. The Win32/Autorun.VB.RP worm is also now reported to have discovered the .lnk hole as a suitable means of propagation; it even actively generates further malicious .lnk files so that it can spread faster.

The German Federal Office for Information Security (BSI) has issued a warning (link in German): until the hole has been patched, users should follow the workaround steps described in Microsoft's security advisory. Microsoft's Fix it is indeed the easiest way to protect a system from the impending attacks. It does, however, cost some convenience: once the Fix it has been applied, Windows no longer renders shortcut-specific icons and displays only the generic standard icon for all shortcuts.
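As an added example that is not part of the original article and is not Microsoft's Fix it: the manual workaround from Microsoft Security Advisory 2286198 (back up and delete the default value of the IconHandler keys for lnkfile and piffile, and optionally disable the WebClient service) expressed as a PowerShell script that can apply, verify and revert the change. The function names and the backup directory are my own choices; the script must run from an elevated PowerShell prompt.

```powershell
# Added example: apply, check, or revert the Microsoft Security Advisory 2286198
# workaround for the .lnk icon-handler vulnerability. Not Microsoft's Fix it; the
# function names and the backup directory below are assumptions of this example.
# Run as Administrator.

$IconHandlerKeys = @('lnkfile\shellex\IconHandler', 'piffile\shellex\IconHandler')
$BackupDir       = Join-Path $env:ProgramData 'lnk-workaround-backup'   # assumed location

function Test-LnkWorkaround {
    # Returns $true only if every icon-handler key has an empty default value,
    # i.e. Explorer no longer loads a handler to draw shortcut icons.
    foreach ($sub in $IconHandlerKeys) {
        $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($sub, $false)
        if ($null -eq $key) { continue }                 # piffile may be absent on some systems
        $handler = $key.GetValue('')                     # '' addresses the (Default) value
        $key.Close()
        if (-not [string]::IsNullOrEmpty($handler)) { return $false }
    }
    return $true
}

function Enable-LnkWorkaround {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($sub in $IconHandlerKeys) {
        $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($sub, $true)
        if ($null -eq $key) { continue }
        # Keep a .reg export so the change can be undone once a patch is installed.
        $file = Join-Path $BackupDir (($sub -replace '\\', '_') + '.reg')
        & reg.exe export "HKCR\$sub" $file /y | Out-Null
        # The advisory's step: delete the (Default) value so no handler CLSID remains.
        $key.DeleteValue('', $false)
        $key.Close()
    }
    Write-Host 'Icon handler disabled. Log off and on again (or restart explorer.exe) to apply.'
}

function Disable-LnkWorkaround {
    # Restore the exported keys; only meaningful after Enable-LnkWorkaround has run.
    Get-ChildItem -Path $BackupDir -Filter '*.reg' | ForEach-Object {
        & reg.exe import $_.FullName | Out-Null
    }
    Write-Host 'Icon handler restored. Log off and on again to apply.'
}

function Disable-WebClientService {
    # Second workaround from the same advisory: removes the WebDAV delivery vector.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
}

# Usage: dot-source this file in an elevated prompt, then
#   Enable-LnkWorkaround; Test-LnkWorkaround   # expected to report True afterwards
#   Disable-LnkWorkaround                      # undo once the patch is installed
```

Test-LnkWorkaround is the check a practitioner wants after running either the Fix it or this script: it inspects the registry directly rather than trusting that the tool ran. The .reg export matters because the advisory's workaround is meant to be temporary; without it, shortcut icons stay generic after the patch unless the handler CLSID is typed back in by hand.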

Incidentally, Microsoft has removed the official documentation of the .lnk file format from its server without comment. Critics sneer that this was done to remove the description of the format's security measures on page 48 (see screenshot below).