
Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Zero Day LNK Vulnerability - ESET identifies two new malware attacks

ESET has identified two new attacks that exploit the new, still unpatched Windows Shortcut vulnerability (i.e., malicious LNK files).

Zero Day LNK Vulnerability - ESET identifies two new malware attacks
http://blog.eset.com/2010/07/22/new-malicious-lnks-here-we-go

QUOTE: Having implemented generic detection of the CVE-2010-2568 vulnerability used to propagate the now infamous Win32/Stuxnet, ESET has identified not one but two new malware families that exploit the same vulnerability.  This vulnerability allows code execution through malicious LNK (shortcut) files.

We have identified a new family that exploits this unpatched vulnerability in order to spread, which we have labelled Win32/TrojanDownloader.Chymine.A. At the time of analysis, this threat downloads and installs a keystroke logger which we detect as Win32/Spy.Agent.NSO trojan. The server used to deliver the components used in this attack is presently located in the US, but the IP is assigned to a customer in China.

Minutes after identifying this new attack, we observed a known threat, Win32/Autorun.VB.RP, which has been updated to include the CVE-2010-2568 exploit as a new propagation vector.  Win32/Autorun.VB.RP seems to download and install additional components on infected machines.

This new development follows a typical path of evolution in malware.  Often there are only days between the initial release of information regarding a critical vulnerability, and the discovery of its exploitation being executed in the wild by malware authors.  It is safe to assume that more malware operators will start using this exploit code in order to infect host systems and increase their revenues.
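As an added defender-side example (not code from the ESET post or from this blog), the script below parses the fixed Shell Link header and the LinkTargetIDList of a .lnk file, following the publicly documented MS-SHLLINK layout, and flags shortcuts whose target ID list embeds a path ending in .dll or .cpl. That is one cheap triage heuristic for sweeping removable media or shares for shortcut files of the kind described above; it is not ESET's detection logic. The sample shortcut bytes, the path `E:\lib\sample_payload.dll`, and the `build_lnk`/`suspicious_targets` helpers are all constructed for this demo, and the sample files are deliberately not valid, working shortcuts.

```python
"""Minimal .lnk triage: header check plus a DLL/CPL-path heuristic over the
LinkTargetIDList. Added example; layout per MS-SHLLINK, samples constructed."""
import struct

# Header: HeaderSize (must be 0x4C) and LinkCLSID 00021401-0000-0000-C000-000000000046
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x00000001      # LinkFlags bit 0
SUSPICIOUS_SUFFIXES = (".dll", ".cpl")     # heuristic, assumption for this demo


def is_shell_link(data: bytes) -> bool:
    """True if the first 76 bytes look like a Shell Link header."""
    if len(data) < HEADER_SIZE:
        return False
    size, clsid, _flags = struct.unpack_from("<I16sI", data, 0)
    return size == HEADER_SIZE and clsid == SHELL_LINK_CLSID


def iter_item_ids(data: bytes):
    """Yield each ItemID payload (without its 2-byte size) from the IDList."""
    if not is_shell_link(data):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return
    (id_list_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
    pos = HEADER_SIZE + 2
    end = pos + id_list_size
    if end > len(data):
        raise ValueError("truncated LinkTargetIDList")
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:                 # TerminalID ends the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        yield data[pos + 2 : pos + item_size]
        pos += item_size


def utf16_strings(blob: bytes, min_len: int = 4):
    """Strings-style scan for printable UTF-16LE runs at both byte alignments."""
    found = []
    for start in (0, 1):
        cur = []
        for i in range(start, len(blob) - 1, 2):
            lo, hi = blob[i], blob[i + 1]
            if hi == 0 and 0x20 <= lo < 0x7F:
                cur.append(chr(lo))
                continue
            if len(cur) >= min_len:
                found.append("".join(cur))
            cur = []
        if len(cur) >= min_len:
            found.append("".join(cur))
    return found


def suspicious_targets(data: bytes):
    """Paths inside the IDList that end in a library extension (deduplicated)."""
    hits = []
    for payload in iter_item_ids(data):
        for s in utf16_strings(payload):
            if s.lower().endswith(SUSPICIOUS_SUFFIXES) and s not in hits:
                hits.append(s)
    return hits


def scan_file(path: str):
    """Return (is_lnk, hits) for one file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not is_shell_link(data):
        return False, []
    return True, suspicious_targets(data)


def build_lnk(item_payloads):
    """Constructed test fixture: valid header + IDList only, not a usable shortcut."""
    flags = HAS_LINK_TARGET_ID_LIST if item_payloads else 0
    header = struct.pack("<I16sI", HEADER_SIZE, SHELL_LINK_CLSID, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))
    if not item_payloads:
        return header
    items = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads)
    items += b"\x00\x00"                   # TerminalID
    return header + struct.pack("<H", len(items)) + items


# Constructed samples: a shortcut to a text file, and one embedding a DLL path.
BENIGN_LNK = build_lnk([b"\x1f\x50" + "C:\\Users\\Public\\notes.txt".encode("utf-16-le")])
SUSPECT_LNK = build_lnk([b"\x1f\x50",
                         b"\x00\x01" + "E:\\lib\\sample_payload.dll".encode("utf-16-le") + b"\x00\x00"])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(name, suspicious_targets(blob))
```

The heuristic only inspects the LinkTargetIDList, so it misses a shortcut whose library path lives elsewhere in the file and it will flag legitimate shortcuts that point at control panel items; treat a hit as a reason to pull the file for analysis, not as a verdict.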