- USB drive infection. That is, in the same style as the autorun trick without needing autorun.inf. This is the most obvious application of the hole. It is a local attack so it needs to have access to the computer in the form of a USB drive or even a CD/DVD.
- Network shares. The hole can be exploited through the network by copying the malicious shortcut file to a shared network location frequently used by users in a Windows network. If the first infected user has administrator rights, there is another application of the hole. If that infected user can access other people’s hard drives (either by having access rights or by guessing other users’ passwords), the malware can copy the .LNK file into the Windows Start menu folder so that the malicious shortcut is displayed, and executed, when the user clicks the Start button. DOWNAD already used the password-guessing method; this vulnerability helps by taking care of the execution part.
- Malicious website. If the bad .LNK file is placed on a website that displays file icons, it can force Internet Explorer to check which icon to display, thus triggering exploitation. The likely candidates are pages that let users upload and download files, such as a webmail client. This would affect the user as soon as the email with the attached shortcut file is opened, without the user having to actually download the file. It is a real possibility that some Web mail software might run into this if it tries to display the shortcut’s icon. We cannot confirm yet whether this is a real scenario, however.
- Documents. Office productivity suites (including but not limited to Microsoft Office) allow files to be embedded within documents. If a bad shortcut file is packaged into some kind of document, the software accesses the icon file so that it can be displayed. This opens the possibility of an email attack by means of a regular document file with an embedded shortcut. In addition, some email clients might be affected when displaying attached files.
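Each of the vectors above (USB drive, network share, webmail icon preview, embedded document object) delivers the same artifact: a shortcut whose target item list names a DLL instead of a document or program. As an added example, not code from the original post or from Trend Micro, the script below parses the ShellLinkHeader and LinkTargetIDList of a .LNK file according to the MS-SHLLINK binary layout (fixed 0x4C-byte header, LinkFlags at offset 0x14, IDList as length-prefixed ItemIDs ended by a TerminalID) and flags shortcuts whose item list references a .dll, which is a cheap first pass when triaging removable media, shared folders or mail attachments. The `.dll`-in-IDList heuristic, the `build_test_lnk` fixture (which only exercises the parser and is not a functioning shortcut) and the sample paths are my own assumptions; tune the rule against real samples before relying on it.

```python
import os
import re
import struct

# Layout constants from the MS-SHLLINK specification (Shell Link binary format).
LNK_HEADER_SIZE = 0x4C                 # fixed ShellLinkHeader size (also its first DWORD)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
LINK_FLAGS_OFFSET = 0x14               # LinkFlags DWORD inside the header
HAS_LINK_TARGET_ID_LIST = 0x00000001   # LinkFlags bit 0

# Heuristic (assumption): a path-like token ending in .dll inside ItemID data.
DLL_PATTERN = re.compile(r"[\w\\/:.\-]*\.dll", re.IGNORECASE)


def parse_link_target_idlist(data):
    """Return the raw ItemID payloads of a .LNK blob.

    None -> not a shell link header, or the IDList is truncated/inconsistent
    []   -> valid link that carries no LinkTargetIDList
    """
    if len(data) < LNK_HEADER_SIZE:
        return None
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        return None
    (link_flags,) = struct.unpack_from("<I", data, LINK_FLAGS_OFFSET)
    if not link_flags & HAS_LINK_TARGET_ID_LIST:
        return []
    if len(data) < LNK_HEADER_SIZE + 2:
        return None
    (idlist_size,) = struct.unpack_from("<H", data, LNK_HEADER_SIZE)
    pos = LNK_HEADER_SIZE + 2
    end = pos + idlist_size
    if end > len(data):
        return None
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:                    # TerminalID closes the list
            break
        if item_size < 2 or pos + item_size > end:
            return None                       # ItemID length disagrees with IDListSize
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def dll_references(data):
    """DLL paths named anywhere in the LinkTargetIDList (UTF-16LE or ASCII)."""
    items = parse_link_target_idlist(data)
    if not items:
        return []
    found = []
    for payload in items:
        for text in (payload.decode("utf-16-le", errors="ignore"),
                     payload.decode("latin-1")):
            for match in DLL_PATTERN.findall(text):
                if match.lower() not in [f.lower() for f in found]:
                    found.append(match)
    return found


def is_suspicious_lnk(data):
    """Ordinary shortcuts point at documents or programs; one whose target
    item list names a DLL deserves manual review."""
    return bool(dll_references(data))


def scan_directory(root):
    """Yield (path, dll_paths) for every flagged *.lnk below root, e.g. a
    mounted USB stick or a network share."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".lnk"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    dlls = dll_references(fh.read())
                if dlls:
                    yield path, dlls


def build_test_lnk(item_payloads):
    """Constructed test fixture: header plus an IDList wrapping the payloads.
    It only exercises the parser and is not a functioning shortcut."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, LINK_FLAGS_OFFSET, HAS_LINK_TARGET_ID_LIST)
    body = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads)
    body += b"\x00\x00"                       # TerminalID
    return bytes(header) + struct.pack("<H", len(body)) + body


if __name__ == "__main__":
    # Constructed samples: a document shortcut and one naming a DLL on a share.
    benign = build_test_lnk([r"C:\Users\alice\report.docx".encode("utf-16-le")])
    flagged = build_test_lnk([r"\\fileserver\public\icons.dll".encode("utf-16-le")])
    print(is_suspicious_lnk(benign), dll_references(flagged))
```

The parser stops at the first structural inconsistency and returns `None` rather than guessing, so a truncated or hand-mangled file shows up as "unparseable" in a scan instead of silently passing. The heuristic is deliberately broad: any DLL named in the item list is reported, and the analyst decides whether a UNC path or a location outside the system directory is the part that matters.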
Update as of July 24, 2010, 8:06 PM (UTC)
Not only is new malware being created to exploit this vulnerability, old malware is also being updated to employ this new routine. We've been able to obtain three new samples that use crafted .LNK files to spread malware:
We’ve also found other malicious .LNK files, detected as LNK_STUXNET.SMB, that execute a DLL we detect as TROJ_CHYMINE.A. The said Trojan connects to a remote site to download a malicious .EXE file, which is also detected as TROJ_CHYMINE.A.
Lastly, we found a version of the familiar AUTORUN malware that has been updated to spread using the LNK vulnerability, which we detect as WORM_VBNA.IVN.
According to Threat Research Manager Ivan Macalintal, the usage of .LNK files is really more of an abuse of a flaw, rather than a vulnerability. “While most of the industry is still referencing this as being a vulnerability, really, it’s a flaw – an abused flaw in the strictest sense” commented Macalintal, “and this is one of the reasons delivering a patch is proving a challenge for Microsoft.”
Either way, the said technique will surely be more widely abused in the coming days.
Update as of August 3, 2010, 11:30 a.m. (UTC)
Microsoft has issued an out-of-cycle patch to resolve this issue. Details may be found here.