Today, Microsoft announced plans to release an out-of-band update to address CVE-2010-2568 (described in Microsoft Knowledge Base Article 2286198). As mentioned earlier this month, the Microsoft Malware Protection Center (MMPC), along with other Microsoft Active Protection Program partners, has been keeping a close watch on the use of .LNK files exploiting this vulnerability. As with many new attack techniques, copycat attackers can act quickly to integrate new techniques. Although multiple families have picked up this vector, one in particular caught our attention this week: a family named Sality, and specifically Sality.AT. Sality is a highly virulent strain. It is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security software, and then download other malware. It is also a very large family, one of the most prevalent families this year. After the inclusion of the .LNK vector, the number of machines seeing attack attempts combining malicious .LNKs and Sality.AT soon surpassed the number we saw with Stuxnet. We know that it is only a matter of time before more families pick up the technique.

The following *chart shows this trend:

Malware Infection Attempts Most Frequently Detected Same Day as CVE-2010-2568

These numbers show infection attempts upon systems we protect (Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform).  Even though they do not represent the number of actual infections, these attack attempts indicate when threats are becoming more widespread.

Another indicator that other families are picking up this exploit is the change in the geolocation of the attack attempts.  Brazil had seen very little attack attempt activity when Stuxnet was initially discovered, but an analysis of the change in geolocation for CVE-2010-2568 attack attempts shows how Brazil and other countries are now seeing much more activity.  Sality, in particular, has historically had a heavy presence in Brazil.

Geolocation of Computers Reporting CVE-2010-2568 Attack Attempts
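The two charts above rest on two simple analytics over endpoint telemetry: which families are detected on the same machine on the same day as a CplLnk exploit detection, and how the country distribution of machines reporting the exploit shifts between two periods. The following is an added illustration of both, not MMPC code or data; the telemetry records are constructed, and the signature names are taken from the list further down this post. It also handles two cases a practitioner has to get right: a family seen on a machine without a same-day exploit detection must not be counted, and a machine that reports two variants of one family should count once.

```python
"""Co-detection and geolocation-shift analytics over constructed telemetry.

Added example (not MMPC code). Records are (machine_id, day, signature, country);
signatures follow the Type:Platform/Family.Variant naming used in this post.
"""
from collections import Counter, defaultdict
from datetime import date

# Detections that indicate a malicious .LNK exploiting CVE-2010-2568.
EXPLOIT_SIGS = {"Exploit:Win32/CplLnk.A", "Exploit:Win32/CplLnk.B"}

# Constructed sample telemetry: early reports from Stuxnet-heavy regions,
# later reports dominated by Sality in Brazil.
TELEMETRY = [
    ("m1", date(2010, 7, 16), "Exploit:Win32/CplLnk.A", "IR"),
    ("m1", date(2010, 7, 16), "Worm:Win32/Stuxnet.A", "IR"),
    ("m2", date(2010, 7, 17), "Exploit:Win32/CplLnk.A", "ID"),
    ("m2", date(2010, 7, 17), "Worm:Win32/Stuxnet.B", "ID"),
    ("m3", date(2010, 7, 18), "Exploit:Win32/CplLnk.B", "IN"),
    ("m3", date(2010, 7, 18), "Trojan:WinNT/Stuxnet.A", "IN"),
    ("m4", date(2010, 7, 27), "Exploit:Win32/CplLnk.A", "BR"),
    ("m4", date(2010, 7, 27), "Virus:Win32/Sality.AT", "BR"),
    ("m5", date(2010, 7, 20), "Worm:Win32/Vobfus.P", "BR"),  # no exploit that day
    ("m5", date(2010, 7, 28), "Exploit:Win32/CplLnk.A", "BR"),
    ("m5", date(2010, 7, 28), "Virus:Win32/Sality.AT", "BR"),
    ("m6", date(2010, 7, 28), "Exploit:Win32/CplLnk.B", "BR"),
    ("m6", date(2010, 7, 28), "Virus:Win32/Sality.AU", "BR"),
    ("m7", date(2010, 7, 29), "Exploit:Win32/CplLnk.A", "IR"),
    ("m7", date(2010, 7, 29), "Worm:Win32/Stuxnet.A", "IR"),
    ("m8", date(2010, 7, 29), "Exploit:Win32/CplLnk.A", "BR"),
    ("m8", date(2010, 7, 29), "Worm:Win32/Vobfus.H", "BR"),
    ("m9", date(2010, 7, 29), "Virus:Win32/Sality.AT", "BR"),  # no exploit at all
]


def family_of(signature):
    """'Worm:Win32/Stuxnet.A' -> 'Stuxnet' (drop type, platform and variant)."""
    name = signature.split("/", 1)[1]
    return name.rsplit(".", 1)[0]


def same_day_families(records):
    """Machines per family where the family and a CplLnk exploit were detected
    on the same machine on the same day. A machine counts once per family."""
    exploit_days = {(m, d) for m, d, s, _ in records if s in EXPLOIT_SIGS}
    seen = set()
    for m, d, s, _ in records:
        if s in EXPLOIT_SIGS or (m, d) not in exploit_days:
            continue
        seen.add((m, family_of(s)))
    return Counter(fam for _, fam in seen)


def country_share(records, start, end):
    """Fraction of exploit-reporting machines per country within [start, end]."""
    machines = defaultdict(set)
    for m, d, s, c in records:
        if s in EXPLOIT_SIGS and start <= d <= end:
            machines[c].add(m)
    total = sum(len(v) for v in machines.values())
    return {c: len(v) / total for c, v in machines.items()} if total else {}


def geolocation_shift(records, before, after):
    """Change in each country's share between two (start, end) periods."""
    b = country_share(records, *before)
    a = country_share(records, *after)
    return {c: round(a.get(c, 0.0) - b.get(c, 0.0), 3) for c in set(a) | set(b)}


if __name__ == "__main__":
    print(same_day_families(TELEMETRY).most_common())
    early = (date(2010, 7, 15), date(2010, 7, 21))
    late = (date(2010, 7, 26), date(2010, 7, 29))
    print(geolocation_shift(TELEMETRY, early, late))
```

Because counts are keyed on distinct machines rather than raw detection events, a single noisy machine reporting the same file repeatedly does not inflate a family's figure, which is the same caveat the post makes about attack attempts versus actual infections.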

Although there are likely other threats that have integrated this technique, many of the samples we have seen so far are detected by our existing family signatures.  Signatures covering related threats we have confirmed are listed below.  These signatures are available for customers of Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform.

Malicious links exploiting CVE-2010-2568
Exploit:Win32/CplLnk.A
Exploit:Win32/CplLnk.B

Stuxnet
TrojanDropper:Win32/Stuxnet.A
Trojan:WinNT/Stuxnet.A
Trojan:WinNT/Stuxnet.B (initially called VirTool:WinNT/Rootkitdrv.HK)
Trojan:Win32/Stuxnet.A
Worm:Win32/Stuxnet.A
Worm:Win32/Stuxnet.B

Sality
Virus:Win32/Sality.AU (initial detection provided by generic signature Virus:Win32/Sality.AT)

Vobfus
Worm:Win32/Vobfus.H
Worm:Win32/Vobfus.P

Chymine
Trojan:Win32/Chymine.A
TrojanSpy:Win32/Chymine.A
TrojanDownloader:Win32/Chymine.A


* Charts above were updated to indicate data since July 28, 2010 and through midnight July 29, 2010.

-- Holly Stewart, MMPC