Miscreants behind the Zeus cybercrime toolkit and other strains of malware have begun taking advantage of an unpatched shortcut-handling flaw in Windows. The flaw was first used by a sophisticated worm to target SCADA-based industrial control and power plant systems.
Isolated strains of mainstream malware that took advantage of the zero-day Windows flaw first exploited by the sophisticated Stuxnet worm began appearing late last week. The same approach has since been applied by the dodgy sorts behind Zeus, a family of sophisticated toolkits frequently used to steal bank login credentials and the like from compromised systems.
Security firm F-Secure reports the appearance of strains of Zeus that take advantage of the same security hole exploited by the Stuxnet worm. Zeus-contaminated emails pose as security messages from Microsoft, containing contaminated ZIP file attachments laced with a malicious payload that utilises the lnk flaw to infect targeted systems.
Several additional malware families have also latched onto the same Windows shortcut trick, including Sality, a popular polymorphic virus. Trend Micro confirms the appearance of the exploit vector in variants of Zeus and Sality, while McAfee adds that the VXers behind the Downloader-CJX Trojan have also begun feasting off the shortcut security bug.
A greater volume of malware targeting the same Windows security hole is almost inevitable.
Fortunately, virus writers are, thus far at least, using the same basic exploit method, a factor that makes it easier for security firms to block attacks.
Microsoft is advising users to apply temporary workarounds while its security researchers investigate the shortcut flaw, a process likely to eventually result in a patch.
In the meantime, security firm Sophos has developed a Windows shortcut exploit protection tool, which is available at no cost to sys admins, whatever variant of anti-virus they utilise. ®