What is lnkget?

TrojanDownloader:Win32/Lnkget.* is a malicious Windows shortcut. Once executed, it is able to carry out actions like downloading new files (in this case malware).

To be successful, it must use only executables that exist by default on any given system. However, the only executable that is really required is cmd.exe. All others can be carried by the shortcut itself. The executables must of course also be command-line executable only and must not have any user interface. One executable that is available on all Windows (non-server) operating systems versions previous to Vista is ftp.exe.

The shortcut uses cmd.exe as its root process, with which it creates files and executes other processes. The file that is created is a data input file (stdin) containing the parameters and commands used by the next process to be launched. The next process to be launched is ftp.exe (see detailed example at the end).

Then, the shortcut uses the ‘start’ command to run the file downloaded by the ftp.exe process. For some malware shortcuts, the downloaded file is itself another script, normally a Visual Basic script, instead of an executable. The Visual Basic script, which is obfuscated, will then connect out to another ftp server and download the actual malware. Some malware shortcuts also open up Internet Explorer to certain websites that contain messages in Chinese.
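A defender-side check for the process chain described above (cmd.exe spawning ftp.exe with a script file, then launching whatever was downloaded), as an added example that is not from the original post. It walks constructed Sysmon-style process-creation events; the field names and sample values are assumptions made for the example.

```python
import re

# Constructed Sysmon-style process-creation events (pid, parent pid, image, command line).
# Sample values are made up for this example, not taken from the post.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",     "cmdline": "explorer.exe"},
    # the shortcut's chain: cmd.exe writes a script, runs ftp.exe -s:<script>, then starts the download
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ftp -s:s.txt & start x.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\ftp.exe", "cmdline": "ftp -s:s.txt"},
    {"pid": 202, "ppid": 200, "image": r"C:\Users\u\x.exe",            "cmdline": "x.exe"},
    # benign noise: an ordinary cmd.exe, an interactive ftp session, and a scripted ftp run by a service
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"pid": 301, "ppid": 100, "image": r"C:\Windows\System32\ftp.exe", "cmdline": "ftp ftp.corp.invalid"},
    {"pid": 400, "ppid": 7,   "image": r"C:\Windows\System32\ftp.exe", "cmdline": "ftp -s:backup.txt"},
]

# ftp.exe reads its commands from a file only when given -s:<file>; that is the
# non-interactive mode the shortcut depends on.
SCRIPT_FLAG = re.compile(r"(?:^|\s)-s:", re.IGNORECASE)
WINDOWS_DIR = "c:\\windows\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_lnkget_chains(events: list[dict]) -> list[dict]:
    """Flag ftp.exe run with a script file under cmd.exe, and list what that cmd.exe launched afterwards."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) != "ftp.exe" or not SCRIPT_FLAG.search(e["cmdline"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) != "cmd.exe":
            continue  # scripted ftp without a cmd.exe parent is left to other rules
        # anything the same cmd.exe starts after the transfer from outside the Windows
        # directory is the likely 'start' of the downloaded file
        launched = [basename(s["image"]) for s in events
                    if s["ppid"] == parent["pid"] and s["pid"] > e["pid"]
                    and not s["image"].lower().startswith(WINDOWS_DIR)]
        alerts.append({"cmd_pid": parent["pid"], "ftp_pid": e["pid"], "launched": launched})
    return alerts


if __name__ == "__main__":
    for a in find_lnkget_chains(EVENTS):
        print(f"cmd.exe pid {a['cmd_pid']} ran ftp.exe -s (pid {a['ftp_pid']}), then launched {a['launched']}")
```

On the sample events only the shortcut's chain is reported; the interactive ftp session and the service-run scripted ftp are left alone.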

This completes the life of the shortcut, with the malware downloaded and now executed. Interestingly, I haven’t seen any of the malware shortcuts try to delete itself. In recent variants of the LnkGet malware family, the malware authors have implemented rudimentary obfuscation techniques. Many of the malicious shortcuts do try to masquerade themselves by using common icons for the shortcut file.

Here are some examples:

Is it new?
The method of using Windows shortcuts to run malicious code isn’t new. However, the TrojanDownloader:Win32/Lnkget threat is new and very active. Since the end of December and the beginning of January, we have been seeing a surge of these types of samples coming in. I have investigated where/why these samples are coming in, if they are associated with other threats, and why their prevalence is increasing.

Prevalence Trend?
In this graph, you can see the trend of prevalence of this malware threat since December.

Spreading Vector
The main spreading vector of this threat is through email. These emails are spreading between email addresses with Chinese or East Asian domains like .cn or .tw.

Messages used in the email messages include:

1. take the last picture of 2008
2. feel very bad
3. please mail me ASAP

Related Threats?
This malware threat is specifically related to the OnlineGames malware genre. The malware downloaded by this TrojanDownloader has been detected as some type of OnlineGames malware. Some examples of downloaded malware are Trojan:Win32/Helpud.A and PWS:Win32/Lineage.gen!A. The downloaded malware gives us insight into the intended geographical effect of this attack, namely East Asia and China. Most of the OnlineGames malware (like Lineage) is specific to games played in East Asia.

In the wild?
Clearly, this threat is in the wild affecting customers. This threat is spreading via email in the China/East Asia region with custom email messages to social-engineer the user into downloading the file. We have had many customer submissions with these malicious shortcut files.

Malware Download Sources?
What is also interesting is the set of sources from which the malicious shortcuts download the malicious samples. At the time of this writing there are about 65 domain names distributing these threats, all located within the .cn or .tw top-level domains. By resolving these domain names we can see the number of unique ‘servers’ behind them: the 65 domains resolve to only 20 unique IP addresses.

FTP Servers?
The majority of the FTP servers used were Serv-U FTP Servers. Some were properly configured, allowing files to be downloaded but not allowing directory listings. Others were not configured properly.

It seems that the individuals who are doing this are few and perhaps belong to the same group, because many of the domains come back to the same IP addresses. What is interesting, though, is that even for domains that resolve to the same IP address, the username/password combinations distributed with those domains are different and lead to different FTP directories on login. So there is a small chance that the IP addresses belong to a hosting company selling different domain names and username/password combinations to customers, but it is unlikely. Also, many of the username/password combinations are simplistic and very similar to one another.

--Huzefa Mogri