Windows Zero-Day Installs Rootkits from Infected USB Drives

Posted by Scott Jarkoff in Shorts


A recently discovered flaw in how Windows handles shortcut (LNK) files is being exploited to install malicious software, which is then used to gain administrator-level access by covertly installing a rootkit.

Microsoft has already warned users, in Microsoft Security Advisory (2286198), that hackers are exploiting an unpatched vulnerability in the Windows Shell component, which incorrectly parses shortcuts. Since the warning, Microsoft has confirmed what researchers had found: the exploitation hinges on shortcut (.LNK) files. The vulnerability allows malicious code to be executed, most likely via removable drives. Once executed, the malware drops a Trojan horse that downloads a rootkit, which then stays hidden while running.

Several versions of Windows are affected by the shortcut flaw, including Windows 7 and the now-unsupported Windows XP SP2 (Service Pack 2; as of July 13, 2010, Microsoft no longer provides security updates or support for Windows XP SP2). Researchers have observed that malware exploiting the shortcut flaw mostly arrives on infected USB drives.

There is a strong chance anti-virus software would not have caught this malware, mainly because it is a 0day but also because it is becoming exceedingly difficult to adequately detect rootkit installations. There is strong evidence suggesting attackers will take advantage of this vulnerability to spread malware through Windows XP SP2 installations, since Microsoft is opting not to offer a patch for that version of the operating system. A lot of SP2 installs are still floating around the internets, for some reason completely ignoring the fact that Microsoft released XP SP3 well over 18 months ago.
