ZeuS/ZBOT and SALITY Take Advantage of LNK Flaw

Written by: Dianne Lagrimas

How do users get this Web threat?

The threat arrives via a spoofed email message purporting to come from Microsoft, with the subject "Microsoft Windows Security Advisory." The message warns users of a "potentially dangerous software worm" targeting Windows users and advises them to download the "patch" attached to the email. The attachment is a .ZIP file containing a .LNK file (EXPL_CPLNK.SM) and a .DLL file (TROJ_ZBOT.BXW).

WORM_SALITY.RL also takes advantage of the vulnerability as part of its routine. This file infector may be downloaded from malicious sites or dropped by other malware.

What happens once it gets into a user's system?

Once the exploit code in the shortcut is triggered (the shortcut only has to be displayed by Windows Explorer; it does not need to be clicked), it loads the malware component, which then downloads and executes the main malware, TROJ_ZBOT.BXW. This particular ZBOT variant bypasses Windows Firewall by creating a registry entry. TROJ_ZBOT.BXW also performs several information theft routines: it hooks specific application programming interfaces (APIs) in order to capture data that the affected system sends and receives, including data to and from Mozilla Firefox, and it steals the private keys of certificates.

It also connects to a remote site to download a configuration file, which contains links to an updated copy of itself, the list of online banking websites it monitors, and its drop zone. It may also take screenshots and log keystrokes.

WORM_SALITY.RL, for its part, uses the .LNK exploit to execute the .DLL file that it drops. Upon execution, this file infector drops a .LNK file (EXPL_CPLNK.SM) onto the system, disguised as a shortcut to adult-themed videos.

How are users affected by this threat?

Users whose systems are not patched or otherwise protected against attacks that exploit vulnerabilities may inadvertently be infected by this .LNK exploit and the other malware that comes with it. With its urgent and alarming tone, the spammed message can effectively persuade users to download the attached file.

What is noteworthy about this attack?

This particular attack signals an evolution in how malware propagates. Compared with the popular method of spreading malware through infected USB drives, malware exploiting this .LNK flaw spreads more easily: it is not limited to removable media and can also spread via other drives such as shared and optical drives, as well as shared folders, since any folder in which the malicious shortcut is displayed triggers the exploit.
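As an added example (not part of the original article and not Trend Micro's own tooling), the following Python script shows the shape of the CPL shortcut exploit as the "What happens" section above describes it, and gives a simple triage check for .LNK files found on shares, optical media or removable drives. It parses the Shell Link header and the LinkTargetIDList and flags a shortcut whose item list contains a Control Panel shell item followed by a path to a .DLL or .CPL module, which is what makes Explorer load that module merely to render the icon. The header layout and the Control Panel folder CLSID come from the public Shell Link format; the two sample files are constructed inline with a simplified item byte layout and are not captures of EXPL_CPLNK.SM.

```python
import re
import struct
import uuid

# Constants from the public Shell Link (.LNK) binary format.
HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001          # LinkFlags bit A
# Shell folder CLSIDs that appear as ItemIDs in the LinkTargetIDList.
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")

# Printable UTF-16LE runs of four or more characters.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_lnk_id_list(data):
    """Return the ItemID payloads (without their 2-byte size prefix) of the
    LinkTargetIDList of a .LNK file, or [] if the file has none.
    Raises ValueError for data that is not a well-formed Shell Link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than a ShellLinkHeader")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    if not link_flags & HAS_LINK_TARGET_ID_LIST:
        return []
    id_list_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
    pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + id_list_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")
    items = []
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", data, pos)[0]
        if item_size == 0:                      # TerminalID ends the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("corrupt ItemID at offset %d" % pos)
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def assess_lnk(data):
    """Heuristic triage: a Control Panel item followed by a path to a .DLL or
    .CPL is the shape of a shortcut that makes Explorer load that module just
    to draw the icon. Returns a dict with the findings."""
    control_panel_seen = False
    modules = []
    for item in parse_lnk_id_list(data):
        if CONTROL_PANEL_CLSID.bytes_le in item:
            control_panel_seen = True
            continue
        if control_panel_seen:
            for run in UTF16_RUN.finditer(item):
                text = run.group().decode("utf-16-le")
                if text.lower().endswith((".dll", ".cpl")):
                    modules.append(text)
    return {
        "control_panel_item": control_panel_seen,
        "modules": modules,
        # A UNC module path is what lets one shortcut on a share reach every
        # client that browses the folder.
        "unc_module": any(m.startswith("\\\\") for m in modules),
        "suspicious": control_panel_seen and bool(modules),
    }


def build_lnk(item_payloads):
    """Constructed test data: a minimal .LNK made of a header plus the given
    ItemID payloads. Not a real-world sample."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I16s", header, 0, HEADER_SIZE, LNK_CLSID.bytes_le)
    struct.pack_into("<I", header, 0x14, HAS_LINK_TARGET_ID_LIST)
    body = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads)
    body += b"\x00\x00"                          # TerminalID
    return bytes(header) + struct.pack("<H", len(body)) + body


# Item byte layouts below are simplified (type byte, sort byte, payload);
# the file names and the share name are made up for this example.
MALICIOUS_SAMPLE = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le,
    b"\x2e\x00" + CONTROL_PANEL_CLSID.bytes_le,
    b"\x00\x00" + "\\\\fileserver\\share\\patch.dll".encode("utf-16-le") + b"\x00\x00",
])
BENIGN_SAMPLE = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le,
    b"\x32\x00" + "C:\\Windows\\notepad.exe".encode("utf-16-le") + b"\x00\x00",
])

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, assess_lnk(sample))
```

To triage a share or a mounted drive, feed every *.lnk it holds to assess_lnk (for example, `pathlib.Path(root).rglob("*.lnk")` with `read_bytes()`), and treat any hit with a UNC or removable-drive module path as worth quarantining, since the icon is rendered, and the module loaded, the moment the folder is viewed. The check is deliberately narrow: a legitimate Control Panel shortcut normally points at an applet by its canonical entry rather than at an arbitrary module path, so a .DLL path under a Control Panel item on a share is a strong signal, but a clean result here does not prove a shortcut safe.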

Are Trend Micro product users protected from this threat?

Trend Micro users are protected from this threat via the Smart Protection Network, which secures users from the different components of this attack. It detects and deletes the files EXPL_CPLNK.SM, TROJ_ZBOT.BXW, WORM_SALITY.RL and PE_SALITY.BA-O. With email reputation technology, spammed messages related to this threat are blocked before they reach users' inboxes.

What can users do to prevent this threat from affecting their computers?

Microsoft has released a patch that addresses the vulnerability. Users are advised to apply it to keep their systems protected, since the exploit needs no more than a folder view to trigger. Users are also advised to be cautious when opening dubious-looking email messages and when downloading email attachments.