LNK Vulnerability: Chymine, Vobfus, Sality and Zeus

Here's the bad news: several additional malware families are now attempting to exploit Microsoft's LNK vulnerability (2286198).

But here's the good news: so far, the new exploit samples are detected by us, and by many other vendors. Basically we're seeing new payloads using the same basic exploit method, which is being detected generically, and not new versions of the exploit.

Here's a review of the landscape. The Stuxnet rootkit was the family that first made use of the LNK zero-day. Then, last week, Chymine and Vobfus followed. Our detection names are Trojan-Downloader:W32/Chymine.A and Worm:W32/Vobfus.BK.

Chymine is a new keylogger (which you can see from the .A variant). It uses the LNK vulnerability to infect, but it doesn't create additional .LNK files to spread (so no worm vector). The folks at ESET discovered Chymine.

Vobfus is an older family that has always used shortcuts, combined with social engineering. This latest variant is merely adding to its feature set. Microsoft researcher, Marian Radu, named the Vobfus family.

Today's news involves Sality (a popular polymorphic virus), and Zeus (a popular botnet). We generically detect the Sality sample and the LNK file it uses as a spreading vector.

The Zeus variant was discovered as an e-mail (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.