Researchers have found two distinct new malware families that are exploiting the newly discovered Windows shell LNK vulnerability, leading to concerns that the development of a worm could be in the offing.
One of the new pieces of malware, dubbed Chymine by researchers at Eset, exploits the LNK vulnerability to infect new machines and then tries to connect to a remote server and download another piece of malicious code. That piece of malware is a keylogger, designed to monitor an infected PC’s input and look for high-value data such as online banking passwords. Chymine does not create new, malicious LNK files on its own, however.
Another piece of malware, known as Autorun.VB.RP, does have the ability to produce malicious LNK files that contain an exploit for the Windows shell vulnerability. That means that the malware has the ability to spread on its own and could become a more serious problem.
The appearance of Chymine and the adaptation of Autorun.VB.RP to exploit the LNK flaw follow the emergence of Stuxnet, the worm that was first seen last month and has been making headlines for exploiting the previously unknown LNK vulnerability. Microsoft has said that it is working on a patch for the flaw, which can be exploited via infected USB drives, via WebDAV or possibly through drive-by downloads, experts say.
“These new families represent a major transition: Win32/Stuxnet
demonstrates a number of novel and interesting features apart from the
original 0-day LNK vulnerability, such as its association with the
targeting of Siemens control software on SCADA sites and the use of
stolen digital certificates, However, the new malware we’re seeing is
far less sophisticated, and suggests bottom feeders seizing on
techniques developed by others,” the Eset researchers said.