Worm Poses as a Font File, Uses LNK Vulnerability to Propagate
We recently encountered a malware posing as a legitimate font file. Detected as WORM_OTORUN.ASH, the worm is a .DLL file that uses .FON as extension name. To propagate, it drops copies of itself into shared folders in the infected system. While these routines are not entirely new, the occurrence of both instances in a single malware fits the exploit scenario described in the Microsoft OpenType Font Driver Vulnerability (MS10-091).
However, after further analysis, we found that the malware does not contain any exploit code for MS10-091. Instead, it exploits the Windows LNK vulnerability (MS10-046) using shortcut files as its autostart component. Let’s not forget that that particular vulnerability works on any .DLL file. In this case, even though WORM_OTORUN.ASH is disguised as a font file, it still functions as a .DLL file.
WORM_OTORUN.ASH creates two types of .LNK files—shortcut files that point to files saved in local folders (LNK_OTORUN.SM) and shortcut files that point to files saved in shared folders (EXPL_CPLNK.SM). The dropped .LNK files bear enticing file names such as myporno.avi.lnk and pornmovs.lnk to trick users into clicking them.
 |
Successful exploits for MS10-091 and MS10-046 both result in remote code execution so users are strongly advised to patch their systems if they haven’t yet.
Trend Micro product users are protected from this threat through security solutions powered by the Trend Micro™ Smart Protection Network™, which detects and blocks all related malware and malicious URLs. Enterprise users are also protected from possible exploits via Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in.
Additional analysis provided by Alden Baleva and Kathleen Notario
Post from: TrendLabs | Malware Blog – by Trend Micro
Worm Poses as a Font File, Uses LNK Vulnerability to Propagate
Spotlight
Cloud Computing
- US makes large investment in cyber weaponry
- Wall Street has data security concerns over Bloomberg reporting
- Security in backups means more than just encryption
- Employees must buy into the company policy for better cloud security
Virtualization
- Virtualization-specific challenges could threaten data security
- Evolving threats put security skills in high demand
- Virtualization security requires education, access control management
- Tips for launching effective virtual security tools
Internet Safety
- Virtualization-specific challenges could threaten data security
- Evolving threats put security skills in high demand
- Virtualization security requires education, access control management
- Tips for launching effective virtual security tools
Vulnerabilities & Exploits
CTO Insights
First Line of Defense
Newsletter
Stay up to date with the latest news and information on online threats.
Recent News
- Cloud security group develops third-party certification program
- US makes large investment in cyber weaponry
- SEC may ask for more information after cyberattacks
- FBI trying to train financial execs on cyber threats
Tag Cloud
cloud cloud computing cloud computing security Cloud Security Compliance & Regulations Consumerization Current News cybercrime Data Privacy data security Encryption Government Policy Internet Protection Internet Safety Internet Safety - DO NOT USE Internet Security Malware Mobile Security Mobility Policy Policy - DO NOT USE Privacy Privacy & Policy Private Cloud Public Cloud Reports Research Spotlight threat intelligence threat research Trend Labs Underground Economy virtualization Vulnerabilities Vulnerabilities - DO NOT USE web security web threats
Comments
No comments yet