Lỗi này được phát hiện từ ngày 10/7/2010 và đến nay vẫn chưa có bản vá (lỗ hổng zero-day).
Theo đó, chỉ cần người dùng mở USB có chứa file Shortcut bị lỗ hổng, virus sẽ tự động thâm nhập vào máy tính ngay cả khi chức năng Autorun đã bị vô hiệu hóa. Từ đó, hacker có thể chiếm toàn quyền điều khiển máy tính để thực hiện hành vi ăn cắp thông tin, phá hủy dữ liệu... 

The security community was buzzing today about a potential new zero-day vulnerability in Windows. The attack that exploits the vulnerability was originally discovered by VirusBlokAda in Belarus. It contains several components and is still being analyzed by SophosLabs.

It starts with a yet unexplained flaw in Windows that allows a Windows shortcut file (.lnk) placed on a USB device to run a DLL simply by being viewed. This means that, even with AutoRun and AutoPlay disabled, you can open a removable media device (USB) and execute malicious code without user interaction. The danger associated with this attack is large considering how many computers were infected through USB devices by Conficker using the AutoPlay functionality. If you can execute malware even when AutoPlay is disabled, the risk is very high. Sophos detects these malicious .lnk files as W32/Stuxnet-B.

Although analysis is not complete, it would appear that the flaw is in how Windows Explorer loads the image to display when showing a shortcut. This feature is being used to exploit a vulnerability and execute a DLL to load the malware on the system.

The DLL that is loaded in this case is a rootkit dressed up as a device driver. It is able to load undetected into the system because it is digitally signed by RealTek Semiconductors, a legitimate hardware vendor. Why RealTek would digitally sign a driver that is in fact a rootkit, or whether their systems were compromised has yet to be determined. The rootkit, once loaded, disguises the malicious files on the USB device, making further investigation difficult.

The .lnk files used to spread the infection via USB are specific to each USB key infected. The malware dynamically generates the .lnk file for each device it infects. At this time it is unclear whether this is necessary for the exploit to work, or whether it is a control mechanism for the perpetrators of this attack.

Brian Krebs reported on his blog that the payload appears to be looking for content specific to Siemens SCADA software. SCADA systems control much of our nations' critical infrastructure. If this is the case, it's a disturbing turn of events. The implication would be that the samples that we are looking at are part of a true "Advanced Persistent Threat" attack against specific targets. Knowledge of this exploit could also lead to widespread adoption by opportunistic malware writers similar to what happened in the Google Aurora attacks.

This is why we need to be careful not to call every data-stealing piece of malware an Advanced Persistent Threat. We need to be sure that when a wolf really does come along -- when our adversaries target critical infrastructure providers with malware designed to steal information or disrupt their operations -- our cries don't go unheeded. 

According to Threat Research Manager Ivan Macalintal, the usage of .LNK files is really more of an abuse of a flaw, rather than a vulnerability. “While most of the industry is still referencing this as being a vulnerability, really, it’s a flaw – an abused flaw in the strictest sense” commented Macalintal, “and this is one of the reasons delivering a patch is proving a challenge for Microsoft.”