MS10-046 .lnk vulnerability? We have that...
Posted by John Kuhn on August 19, 2010 at 10:33 AM EDT.
Yes, we are picking up the MS10-046 issue being actively exploited in the wild in the form of a few resilient worms. Stuxnet was the first worm to adopt the technique and got plenty of press because of its unique attack vector against Siemens WinCC and PCS7 devices.
Sality, however, is the bigger threat to the general public because of the numerous methods it uses to spread. The most troublesome of those vectors is .lnk files being copied to every file share and subdirectory the infected computer has access to (the MS10-046 issue). The .lnk files typically take on the name of an original file on the infected computer, such as “important.lnk”. The double extension causes the Windows shell to display the icon of a .htm file, masking what the file truly is. Once the directory is viewed, the .lnk file causes the Windows shell to execute another file located at \\someshare\somedir\important.tmp. The .tmp file is a dropper that ultimately downloads and executes the Sality malware, which in turn places more .lnk files on file shares.
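As an added illustration (not part of the original post or an IBM tool), the script below triages .lnk files found on a share using the three traits described above: a double extension, a name that mimics a real file sitting next to it, and a target that is a .tmp file on a UNC path. The directory listing and resolved shortcut targets are constructed sample data; resolving a shortcut's target is assumed to be done by a separate step and is not parsed here.

```python
import ntpath
import re

# Target on a UNC share ending in .tmp, like \\someshare\somedir\important.tmp above.
UNC_TMP_TARGET = re.compile(r"^\\\\[^\\]+\\.+\.tmp$", re.IGNORECASE)

def lnk_reasons(lnk_name, siblings, target=None):
    """Return the heuristics that fire for one shortcut.
    lnk_name: the .lnk file name; siblings: other names in the same directory;
    target: resolved target path if known (assumed supplied by another tool)."""
    reasons = []
    if not lnk_name.lower().endswith(".lnk"):
        return reasons
    base = lnk_name[:-4]                        # strip the trailing '.lnk'
    stem, inner_ext = ntpath.splitext(base)
    if inner_ext:
        reasons.append("double-extension")      # e.g. name.htm.lnk shows a .htm icon
    non_lnk = [s for s in siblings if not s.lower().endswith(".lnk")]
    sibling_names = {s.lower() for s in non_lnk}
    sibling_stems = {ntpath.splitext(s)[0].lower() for s in non_lnk}
    if base.lower() in sibling_names or stem.lower() in sibling_stems:
        reasons.append("mimics-sibling")        # named after a real file beside it
    if target and UNC_TMP_TARGET.match(target):
        reasons.append("unc-tmp-target")        # launches a .tmp dropper from a share
    return reasons

def is_suspicious(reasons):
    """A .tmp-on-share target alone is enough; otherwise require both name traits."""
    return "unc-tmp-target" in reasons or \
        {"double-extension", "mimics-sibling"} <= set(reasons)

def triage_share(listing, targets):
    """listing: {directory: [names]}; targets: {full lnk path: resolved target}.
    Returns {full lnk path: reasons} for shortcuts matching the Sality pattern."""
    hits = {}
    for directory, names in listing.items():
        for name in names:
            if not name.lower().endswith(".lnk"):
                continue
            path = ntpath.join(directory, name)
            reasons = lnk_reasons(name, [n for n in names if n != name], targets.get(path))
            if is_suspicious(reasons):
                hits[path] = reasons
    return hits

# Constructed sample share listing and resolved targets (not real data).
SAMPLE_LISTING = {
    r"\\someshare\somedir": ["important.doc", "important.htm.lnk", "important.tmp", "readme.txt"],
    r"\\someshare\tools": ["notepad.lnk", "budget.xlsx", "budget.xlsx.lnk"],
}
SAMPLE_TARGETS = {
    r"\\someshare\somedir\important.htm.lnk": r"\\someshare\somedir\important.tmp",
    r"\\someshare\tools\notepad.lnk": r"C:\Windows\System32\notepad.exe",
}
```

Running `triage_share(SAMPLE_LISTING, SAMPLE_TARGETS)` flags the two mimicking shortcuts and leaves the ordinary notepad.lnk alone.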
Coverage in the IBM Proventia products comes in the form of LNK_MsWin_Code_execution, which can protect systems from drive-by downloads and from malware spreading internally. It’s of the utmost importance that users patch this vulnerability as well as keep their AV updated.

