Malicious Windows shortcut files (LNK extension) used in targeted attacks

Common Tasks

Community

Email Notifications

Personal Links

Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Users should be careful with any unusual or unexpected icons or shortcuts presented to them. So far these attacks are limited and AV protection is emerging

Malicious Windows shortcut files (LNK extension) used in targeted attacks
http://isc.sans.edu/diary.html?storyid=9181
http://www.theregister.co.uk/2010/07/16/windows_shortcut_trojan/
http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/

QUOTE: (ISC) I've tested the exploit and can confirm that it works in Windows XP, Vista and Windows 7. The exploit uses a specially crafted LNK file. This file allows the attacker to execute an arbitrary file by carefully specifying its location – the LNK file in itself does not exploit any vulnerability such as buffer overflows, for example, so it is a legitimate LNK file. Some things that you should be aware of:

* If autorun is disabled, when a USB device with malicious LNK files is inserted, the exploit will not be triggered automatically.

* The exploit is triggered every time a folder containing a malicious LNK files is opened (for example, with Windows Explorer). It does not matter where this folder is – it does not have to be on a USB device, but in order to execute to malicious binary, the attacker has to specify its location correctly.

CORPORATE DANGERS: What makes this vulnerability extremely serious is the fact that it can be opened from any place, including remote shares, for example. The victim just has to browse to the remote share in order to trigger the vulnerability. So double check permissions on any remote shares you use in your companies (you shouldn't allow users to write in root folders, for example).

Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/2286198.mspx

QUOTE: The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.

WHAT IS LNK EXTENSION?
http://filext.com/file-extension/LNK

Posted: Jul 17 2010, 10:33 AM by Harry Waldron | with no comments

Questions? Contact Susan at Susan-at-msmvps.com. Each post's copyright held by the original author. All rights reserved. Blog site is an independent site not sponsored by Microsoft.
Our servers would like to thank www.ownwebnow.com and www.exchangedefender.com. We wouldn't be here without the generosity of Vlad Mazek and his companies.

Powered by Community Server (Commercial Edition), by Telligent Systems

Theme based on the Paperclip Blog Theme included in Community Server.
Enhanced to a Site-Wide Theme by Interscape Technologies.