Exploits for the .LNK vulnerability are growing fast
Jul 28th, 2010 | Category: Norman
Earlier this month VirusBlokAda reported on Stuxnet, the first malware to exploit the .LNK (Windows shortcut) vulnerability, which affects all Microsoft Windows operating systems.
Malware may compromise any Windows system by exploiting the way file managers (including third-party file managers such as Total Commander) display the icons of shortcut files. A specially crafted shortcut triggers the vulnerability as soon as its icon is rendered; the user does not have to open the shortcut, merely viewing the folder that contains it is enough for the malware to execute.
W32/Stuxnet was the first malware to use this vulnerability, and it used it to attack SCADA (Supervisory Control And Data Acquisition) systems from Siemens, logging in to the system's SQL database with a default password. This was clearly a targeted attack.
Updates about this particular vulnerability
Microsoft has issued an updated version of their advisory, ver.1.2, Microsoft Security Advisory (2286198).
At first the spreading vector was reported to be USB drives only. As more research has been done by Microsoft and by other partners in the MAPP (Microsoft Active Protection Program), it has become clear that there are several other spreading vectors. Basically, most of the spreading vectors that other malware uses are viable.
In addition to USB drives these would typically be:
Network drives
The malicious shortcut file can, for example, be copied to any network share along with the malware. Any Windows user who browses that share can be compromised, and may in turn spread the shortcut file to other network shares they have access to.
WebDAV
Web servers exposing WebDAV shares can be used to deliver crafted shortcuts to visiting computers, compromising the operating system and potentially leaving it open to further compromise by droppers or downloaders.
Documents
Microsoft's latest advisory also lists Microsoft Office documents as a spreading vector. Basically, any file format that allows other files to be embedded can be used as a spreading vector, e.g. archive formats such as ZIP or RAR.
Known malware exploiting the .LNK vulnerability
W32/Stuxnet
W32/Zbot
W32/Dulkis
W32/Autorun.BJZ
W32/Autorun.BJZJ
All of Norman's products detect and remove this malware.
We expect more malware that exploits the .LNK vulnerability to appear very soon. It also seems safe to assume that more advanced variants will follow, combining the .LNK vulnerability with both more targeted and more generic malware.
Known fixes or workarounds
Disable the .LNK and .PIF icon-handler functionality, either manually or automatically by using the "Fix it for me" button on this Microsoft web page: http://support.microsoft.com/kb/2286198#FixItForMe . Note that after the workaround is applied all shortcuts are shown with a generic icon; they still work when double-clicked.
[Note that in the case of the .LNK vulnerability, patching may not proceed as it usually does. The flaw lies in the design of the shortcut icon functionality itself and may not be regarded as an ordinary bug, and changing how a function works can take some time.]
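The workaround above, applied by hand, as an added example (this is not code from the Norman post, nor Microsoft's Fix it): it blanks the default value of the lnkfile and piffile IconHandler registry keys, which is what Microsoft Security Advisory 2286198 describes as the manual workaround, and it also stops the WebClient service to close the WebDAV vector listed earlier. The original handler CLSIDs are saved so the change can be reversed once a patch is installed. The backup path and the `-Restore` switch are assumptions of this script, not part of the advisory.

```powershell
# Added example, not part of the original post or of Microsoft's Fix it.
# Run from an elevated PowerShell prompt. $BackupFile is an assumed location.
param(
    [switch]$Restore,
    [string]$BackupFile = "$env:ProgramData\lnk-workaround-backup.xml"
)

# The two icon handlers the crafted shortcuts abuse (advisory 2286198 workaround)
$handlerKeys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)

function Get-DefaultValue([string]$Key) {
    # '(default)' is how PowerShell addresses the unnamed value of a key
    (Get-ItemProperty -Path $Key -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
}

if (-not $Restore) {
    # 1. Save the current handler CLSIDs so the workaround can be undone later
    $backup = @{}
    foreach ($k in $handlerKeys) { $backup[$k] = Get-DefaultValue $k }
    $backup | Export-Clixml -Path $BackupFile

    # 2. Blank the (default) value. With no handler registered, Explorer and
    #    other shells no longer load an icon source for shortcuts, which is the
    #    code path the crafted .LNK files trigger. Shortcuts keep working but
    #    are shown with a generic icon.
    foreach ($k in $handlerKeys) {
        if (Test-Path $k) { Set-ItemProperty -Path $k -Name '(default)' -Value '' }
    }

    # 3. Stop and disable WebClient to close the WebDAV spreading vector
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
}
else {
    # Put the saved handler CLSIDs back and let WebClient start on demand again
    $backup = Import-Clixml -Path $BackupFile
    foreach ($k in $handlerKeys) {
        if ($backup[$k]) { Set-ItemProperty -Path $k -Name '(default)' -Value $backup[$k] }
    }
    Set-Service -Name WebClient -StartupType Manual
}

# Explorer caches the icon handler; restart it so the change takes effect
Stop-Process -Name explorer -Force
Start-Process explorer.exe

# Show the resulting state so the change can be verified
foreach ($k in $handlerKeys) { "{0} -> '{1}'" -f $k, (Get-DefaultValue $k) }
```

After running it without `-Restore`, both keys should print an empty value; after `-Restore`, the lnkfile key should once again show the shell's icon handler CLSID that was backed up. Stopping WebClient also breaks legitimate WebDAV access from that machine, so weigh that against the exposure before rolling it out.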