NEWS FROM THE LAB - Monday, July 26, 2010

LNK Vulnerability: Chymine, Vobfus, Sality and Zeus Posted by Sean @ 15:46 GMT

Here's the bad news: several additional malware families are now attempting to exploit Microsoft's LNK vulnerability (2286198).

But here's the good news: so far, the new exploit samples are detected by us, and by many other vendors. Basically we're seeing new payloads using the same basic exploit method, which is being detected generically, and not new versions of the exploit.

Here's a review of the landscape. The Stuxnet rootkit was the family that first made use of the LNK zero-day. Then, last week, Chymine and Vobfus followed. Our detection names are Trojan-Downloader:W32/Chymine.A and Worm:W32/Vobfus.BK.

Chymine is a new keylogger (which you can see from the .A variant). It uses the LNK vulnerability to infect, but it doesn't create additional .LNK files to spread (so no worm vector). The folks at ESET discovered Chymine.


Vobfus is an older family that has always used shortcuts, combined with social engineering. This latest variant is merely adding to its feature set. Microsoft researcher, Marian Radu, named the Vobfus family.

Today's news involves Sality (a popular polymorphic virus), and Zeus (a popular botnet). We generically detect the Sality sample and the LNK file it uses as a spreading vector.

The Zeus variant was discovered as an e-mail attachment with a message supposedly from "Security@microsoft.com" and the subject "Microsoft Windows Security Advisory."

This is the body:

Hello, we are writing to you about a new Microsoft security advisory issue for Windows. There is a new potentially dangerous software-worm, attacking Windows users through an old bug when executing .ICO files. Although this is quite an old way of infecting software, which first was used in 1982 with Elk Cloner worm, the new technique the new worm is using is more complicated, thus the speed and number of attacs has strongly increased. Since you are the special Microsoft Windows user, there is a new patch attached to this e-mail, which eliminates the possibility of having you software infected. How to install: open an attached file

Zeus is a challenging threat to combat, and not many vendors detect this variant yet. We're adding detection now. Fortunately, the exploit used is detected by many and the entire thing relies on socially engineering its victim into opening a password protected zip file and copying the lol.dll to the root of the C: since the path must be known in order for the exploit to work.

We don't really expect great success for this particular variant of Zeus.