New Microsoft Windows LNK exploit the most dangerous of all

A new malicious attack has been spreading through the internet in the last few weeks, initially using USB memory sticks to propagate. Called the LNK vulnerability, the attack uses specially crafted shortcut (.lnk) files, which trick Windows into running code of an attacker’s choosing. Any Windows application that tries to display the shortcut’s icon—including Explorer—will trigger the exploit, so the mere act of browsing a directory containing a malicious shortcut is sufficient for a system to be compromised.

The exploit has now been tested as working from SMB network shares as well as the Windows WebClient service. The nature of this attack is very serious, as noted by the ISC raising its Infocon level to Yellow. Even Microsoft is worried enough about this vulnerability that the guys from Redmond said, “Anyone believed to have been affected by this issue … should contact the national law enforcement agency in their country.”

The malware payload appears to be designed specifically to compromise the databases used by Siemens’ SIMATIC WinCC software. WinCC is SCADA software, used to control and monitor industrial systems, found in manufacturing plants, power generation facilities, oil and gas refineries, and so on. Siemens’ software uses hardcoded passwords, making the attack particularly simple and potentially dangerous. (Question: why would anyone use Windows software for controlling industrial equipment?)

Recommended temporary solutions are to turn off icons for shortcuts and to disable the WebClient service, but these are fairly intrusive and confusing for the average user. The recent protections for the AutoRun capability are useless in this case. All versions of Windows from XP/2000 onward are affected, and anti-virus vendors have so far been unable to halt the spread of this attack.
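As an added example (not code from the article or from Siemens/Microsoft), the PowerShell below applies the two temporary workarounds the paragraph lists and reports whether each is in place on a host. The registry key it clears is the shortcut icon handler named in Microsoft's published workaround; the backup file location is an assumption.

```powershell
# Added example, not code from the original post. Applies and verifies the
# two temporary workarounds the article mentions. Run from an elevated
# PowerShell prompt; restore the saved value once a vendor patch is installed.
$iconKey    = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$backupFile = Join-Path $env:ProgramData 'lnk-iconhandler-backup.txt'  # assumed location

function Disable-ShortcutIcons {
    # Clearing the (Default) value of this key stops Explorer from loading the
    # shortcut icon handler, i.e. the "turn off icons for shortcuts" step.
    $current = (Get-ItemProperty -Path $iconKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrEmpty($current)) {
        Write-Output 'Shortcut icon handler is already disabled.'
        return
    }
    Set-Content -Path $backupFile -Value $current   # keep the handler CLSID so it can be restored
    Set-ItemProperty -Path $iconKey -Name '(default)' -Value ''
    Write-Output "Icon handler cleared; previous value saved to $backupFile"
}

function Disable-WebClientService {
    # WebClient (the WebDAV redirector) is the remote vector the article says
    # the exploit works over in addition to USB sticks and SMB shares.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Output 'WebClient service not present.'; return }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    Write-Output 'WebClient service stopped and set to Disabled.'
}

function Test-LnkWorkarounds {
    # Report both settings so the state can be checked on each host.
    $handler = (Get-ItemProperty -Path $iconKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    $svc     = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $cim     = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    [pscustomobject]@{
        IconHandlerDisabled = [string]::IsNullOrEmpty($handler)
        WebClientStopped    = (-not $svc) -or ($svc.Status -eq 'Stopped')
        WebClientStartMode  = if ($cim) { $cim.StartMode } else { 'NotInstalled' }
    }
}

Disable-ShortcutIcons
Disable-WebClientService
Test-LnkWorkarounds
```

Shortcut icons only stop rendering once Explorer is restarted or the user logs off and back on, so check the reported state after that.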

Robby Pedrica

Robby Pedrica is a storage and security specialist providing IT and ITSM consulting services in Southern Africa to SME and Enterprise clients. With 20 years of experience, and numerous certifications, Robby excels in niche areas such as systems monitoring, load balancing, advanced storage functions like virtualisation, backup and replication, virtual security appliances, and FOSS software infrastructure such as web, email and application servers. He also runs 'Robby Pedrica's Tech Blog' expounding the mantra of security, security, security.
