Tuesday July 27, 2010
Wiretapp has reported the discovery of a malicious email that tries to capitalise on the .LNK exploit news by claiming to be a Microsoft security patch for the vulnerability. It is not a very clever trick, and the email is so poorly worded that one hopes few would fall for the ruse. Those who do won't be getting a Microsoft security patch as the email alleges; instead they'll be infecting their systems with a variant of the Zeus trojan.
The malicious email reads as follows:
Hello, we are writing to you about a new Microsoft security advisory issue for Windows.
There is a new potentially dangerous software-worm, attacking Windows users
through an old bug when executing .ICO files. Although this is quite an old
way of infecting software, which first was used in 1982 with Elk Cloner
worm, the new technique the new worm is using is more complicated, thus the
speed and number of attacs has strongly increased.
Since you are the special Microsoft Windows user, there is a new patch
attached to this e-mail, which eliminates the possibility of having you
software infected.
The email then tells recipients to open the email's attached zip file using the password "security" and copy the enclosed "lol.dll" to the root of drive C:/. Detection by antivirus vendors is fairly low, as seen in this VirusTotal report. Remember: Microsoft never sends security patches by email; any claims that an attached file is a Microsoft patch will be patently false.
Tuesday July 27, 2010
The recently discovered .LNK vulnerability in Windows is apparently far more severe than originally reported. Research conducted by HD Moore, CSO of Rapid7 and Chief Architect of Metasploit, reveals that the flaw is also exploitable via the Web and via malformed Word doc files. Unfortunately, there are few options available to users until Microsoft releases a patch.
Currently, two options are available. The first is to disable the rendering of shortcut icons altogether, either with the Microsoft FixIt tool or by manually editing the registry. The second is a free tool, compliments of Sophos: the Sophos Windows Shortcut Exploit Protection Tool intercepts shortcut files that contain the exploit and issues a warning.
Neither method is perfect but, if you're a Windows user, either is better than doing nothing.
Monday July 19, 2010
It turns out that the Realtek-signed rootkit really was digitally signed. It's not clear how the attackers got their hands on a Realtek signing certificate, but it looks like they have one from JMicron as well. The problem, of course, is that digitally signed programs from trusted sources are often automatically trusted by the operating system and by much security software, which in the case of a rootkit-enabled data theft trojan is a very bad thing indeed.
At least one of these trojans (dubbed Stuxnet by antivirus vendors) was exploiting a zero day vulnerability in Windows Shell. The vulnerability has to do with specially crafted .LNK (shortcut) files and how they get rendered in Windows Explorer. It seems just browsing to a folder with one of these .LNK files can cause it to load. Of course, that means that attackers also have to get the .LNK file and the target trojan file onto the system first, or trick the victim into inserting a pre-infected USB drive. In other words, the exploit doesn't get them inside, it just helps them once they've already gotten in.
There's some disagreement among researchers regarding the .LNK exploit and just how distributable it really is. According to H-Online:
"Andreas Marx of AV-Test says that every .lnk file is linked to the ID of the newly infected USB Flash drive. This means that the sample trojans found so far can't simply be started on an arbitrary Windows system - the malware will only start in the OllyDbg debugger after some modifications to the code."
Others do claim success in getting the .LNK exploit to work, though in many of those cases reading between the lines reveals that a debugger was in use at the time. Either way, proof of concept code built on the original exploit has since been released, increasing the odds that this exploit will soon become a real threat. And if the .LNK exploit does end up working as effectively as some claim, it would be far worse than even autorun has proven to be.
By the way, if you haven't yet disabled autorun, you should do so now as it will also help mitigate the .LNK exploit (as well as stop the tens of thousands of autorun worms). Microsoft has listed some other workarounds to help reduce the risk of the .LNK exploit until a patch is made available. For details, see Microsoft Security Advisory 2286198.
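As an added example (not from the original post, Microsoft or Sophos), the following read-only PowerShell audit checks whether the interim mitigations discussed above are in place on a machine: the shortcut icon handler cleared in the registry (the manual-registry-edit workaround from Advisory 2286198), the WebClient service disabled (the advisory's WebDAV workaround), and AutoRun turned off. The registry paths and value names are the standard Windows ones; the expected-state logic is my own.

```powershell
# Audit of .LNK interim mitigations (added example, not the post's own script).
# Reads registry and service state only; it changes nothing.
$findings = @()

# 1. Shortcut icon handler. The registry workaround in Advisory 2286198 clears the
#    default value of these keys so Explorer no longer loads a handler when it
#    renders the icon of a .lnk or .pif file.
foreach ($cls in 'lnkfile', 'piffile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$cls\shellex\IconHandler"
    $handler = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrEmpty($handler)) {
        $findings += "[OK]   $cls icon handler is cleared"
    } else {
        $findings += "[RISK] $cls icon handler still set to $handler (shortcut icons are rendered)"
    }
}

# 2. WebClient service. The advisory also recommends disabling it, because the
#    flaw is reachable through WebDAV shares, not only local folders and USB drives.
#    Win32_Service is used so the check works on Windows PowerShell 2.0 as well.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
if ($null -eq $svc) {
    $findings += "[OK]   WebClient service is not installed"
} elseif ($svc.State -ne 'Stopped' -or $svc.StartMode -ne 'Disabled') {
    $findings += "[RISK] WebClient service is $($svc.State), start mode $($svc.StartMode)"
} else {
    $findings += "[OK]   WebClient service is stopped and disabled"
}

# 3. AutoRun. NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type,
#    which the post recommends against USB-borne worms and the .LNK exploit alike.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ar = (Get-ItemProperty -Path $pol -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($ar -eq 0xFF) {
    $findings += "[OK]   AutoRun disabled for all drive types (NoDriveTypeAutoRun = 0xFF)"
} else {
    $findings += "[RISK] NoDriveTypeAutoRun is '$ar' (expected 0xFF)"
}

$findings | ForEach-Object { Write-Output $_ }
```

Any line marked [RISK] identifies a mitigation that is not applied; the script reports but does not remediate, so the corresponding change from the advisory still has to be made deliberately.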
Thursday July 15, 2010
Via Kaspersky Lab's Threatpost:
Security researchers have identified a new suspicious program that is copying itself to PCs via USB mass storage devices and is digitally signed with the certificate of Realtek Semiconductor, a major manufacturer of computer products based in Taiwan.
The million dollar question, of course, is whether this rootkit is indeed new malware or if it's some legitimate app using a rootkit to hide itself (anyone remember the Sony rootkit debacle, circa 2005?). According to Kaspersky, "Realtek did not respond to a request for comment".