<<< NEWS FROM THE LAB - Monday, July 26, 2010 >>>

LNK Vulnerability: Chymine, Vobfus, Sality and Zeus

Posted by Sean @ 15:46 GMT

Here's the bad news: several additional malware families are now attempting to exploit Microsoft's LNK vulnerability (2286198).

But here's the good news: so far, the new exploit samples are detected by us, and by many other vendors. Basically, we're seeing new payloads delivered by the same basic exploit method, which our generic detection already covers, rather than new versions of the exploit itself.

Here's a review of the landscape. The Stuxnet rootkit was the family that first made use of the LNK zero-day. Then, last week, Chymine and Vobfus followed. Our detection names are Trojan-Downloader:W32/Chymine.A and Worm:W32/Vobfus.BK.

Chymine is a new keylogger (as the .A variant name indicates). It uses the LNK vulnerability to infect, but it doesn't create additional .LNK files to spread (so there is no worm vector). The folks at ESET discovered Chymine.

Vobfus is an older family that has always used shortcuts, combined with social engineering. This latest variant is merely adding to its feature set. Microsoft researcher Marian Radu named the Vobfus family.

Today's news involves Sality (a popular polymorphic virus), and Zeus (a popular botnet). We generically detect the Sality sample and the LNK file it uses as a spreading vector.

The Zeus variant was discovered as an e-mail attachment with a message supposedly from "Security@microsoft.com" and the subject "Microsoft Windows Security Advisory."

This is the body:

Zeus is a challenging threat to combat, and not many vendors detect this variant yet. We're adding detection now. Fortunately, the exploit it uses is detected by many vendors, and the entire attack relies on socially engineering the victim into opening a password-protected zip file and copying lol.dll to the root of the C: drive, since the DLL's path must be known in advance for the exploit to work.

We don't really expect great success for this particular variant of Zeus.
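Because the Zeus variant above only works if its DLL sits at a path the shortcut already names (C:\lol.dll), a defender can triage shortcut files for exactly that trait. The script below is an added example, not F-Secure's code: it checks the fixed ShellLink header (size 0x4C and the LinkCLSID) and then applies a simple heuristic, flagging shortcuts that carry an IDList and embed a UTF-16LE path ending in ".dll". It is not a full MS-SHLLINK parser, and the sample blobs built by make_sample are constructed test data, not real shortcuts.

```python
import os
import re
import struct

# Fixed values from the ShellLink header (MS-SHLLINK): HeaderSize and LinkCLSID
# {00021401-0000-0000-C000-000000000046}, stored little-endian.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x1  # LinkFlags bit: the shortcut carries an IDList

# Heuristic: a UTF-16LE path (drive letter or UNC prefix) that ends in ".dll".
# An ordinary document or program shortcut has no reason to point at a DLL.
DLL_PATH_RE = re.compile(
    rb"(?:[A-Za-z]\x00:\x00|\\\x00\\\x00)(?:[^\x00]\x00){1,260}?\.\x00d\x00l\x00l\x00",
    re.IGNORECASE,
)


def triage_lnk(data: bytes) -> dict:
    """Classify one shortcut's raw bytes: is it a real .lnk, and does it name a DLL path?"""
    if len(data) < LNK_HEADER_SIZE:
        return {"is_lnk": False, "dll_paths": [], "suspicious": False}
    header_size, = struct.unpack_from("<I", data, 0)
    is_lnk = header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID
    flags, = struct.unpack_from("<I", data, 0x14)  # LinkFlags sits right after the CLSID
    paths = sorted({m.group(0).decode("utf-16-le") for m in DLL_PATH_RE.finditer(data)})
    suspicious = is_lnk and bool(flags & HAS_LINK_TARGET_ID_LIST) and bool(paths)
    return {"is_lnk": is_lnk, "dll_paths": paths, "suspicious": suspicious}


def make_sample(flags: int, target: str) -> bytes:
    """Constructed test blob: a valid header followed by one UTF-16LE string (not a usable shortcut)."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    return header.ljust(LNK_HEADER_SIZE, b"\x00") + target.encode("utf-16-le") + b"\x00\x00"


def scan_tree(root: str) -> list:
    """Walk a directory (e.g. a removable drive) and return (path, dll_paths) for flagged shortcuts."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".lnk"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                verdict = triage_lnk(fh.read(1 << 20))  # shortcuts are small; cap the read
            if verdict["suspicious"]:
                hits.append((full, verdict["dll_paths"]))
    return hits
```

Running scan_tree over a mounted removable drive lists every shortcut that points at a DLL together with the path it names; a hit on a root-level DLL such as C:\lol.dll is worth a closer look, while shortcuts to executables and documents pass through untouched.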
