A Long and Winding Road: Tracking Down the LINKOPTIM Attack
Description:

It starts from several Italian Web pages. From there, the whole LINKOPTIM attack branches out to countless possibilities, putting the Italian computing population in a sticky security situation.

After numerous redirections, obfuscations, different techniques for different Web browsers, and ever-changing download URLs and files to download, there is no definite indication of a LINKOPTIM infection. Two users who visit the same Italian Web page can end up with completely different infections, and thus would require different solutions.

The eventual effect of the LINKOPTIM event is that systems in Italy become hosts to countless downloaders, which drop and endlessly download still more downloaders and rootkits that are harder to remove than the usual malware. But more than the finish line, it is the journey that caused a stir in the antivirus industry. The whole attack is so palpably complex and coordinated that it does not seem aimed at a particular group of users. It reads more like a statement to the antivirus industry itself.

The starting line: Italian Web pages that contain links spark the event

The starting line for the long journey of a LINKOPTIM infection is a number of Italian Web pages that were created, or reportedly in some cases hacked, to contain links to JavaScript hosted on a different server. When a user clicks on a link, the browser is redirected numerous times. If this were a regular security threat, it would have been easy for Trend Micro to block the sites to which the browser is redirected and stop the infection at this point.

The race: Multiple redirections to obfuscated URLs

But this is not a regular security threat. The JavaScript is obfuscated, so determining the URL to which it redirects is no simple task. And there are many redirections. While antivirus outfits work to deobfuscate the URLs, LINKOPTIM gains ground with each redirection.

It has been found that numerous servers host the related URLs and files to be downloaded, and that the URLs are randomly generated. A specific URL is generated for each redirection, and the URL becomes available for only about an hour, just enough time for more redirection or file download. This makes URL blocking a difficult task, and affords LINKOPTIM even more advantage in its race against antivirus companies.

At the very last redirection before finally infiltrating the system, infection schemes vary for different browsers.

Trend Micro has identified at least five ways in which a malicious file finally infiltrates the system:

  1. File download – The last Web page to which the user is redirected attempts to download a file. Like any other file download, this prompts the user to confirm the download. This is the social engineering technique of the LINKOPTIM attack: the file it attempts to download is named www.google.com. To some users, that does not look like a malicious file at all. It looks like a legit Web page – of the most powerful search engine the computing world has known. Unbeknownst to the unsuspecting user, it is a .COM file, an executable file. By confirming the download, the user agrees to install the malware on the system.
  2. Installing an ActiveX dropper
  3. Using a malicious WMF downloader
  4. Exploiting Internet Explorer vulnerabilities (MS05-014)
  5. Exploiting the Java Byte.Verify vulnerability

The long jump: LINKOPTIM installs an army in the compromised machine, then protects it

When a component has infiltrated the system through any of the five ways, the whole process of numerous redirections has done its job. But the LINKOPTIM attack has just begun. It has more up its sleeve.

The malicious file that ends up on the system could be a downloader that drops and downloads rootkits and even more downloaders. The download URLs and files to download constantly change, making the detection of downloaded files difficult.

Rootkits are among the most menacing security threats and have recently been adopted by more and more malware, because they hide malicious files and processes and are difficult to remove. The LINKOPTIM rootkits are even harder to detect and remove than other known rootkits because they use reserved DOS device names such as "CON", "COM1", "COM2", "LPT1", "LPT2", etc.

Windows does not allow these device names to be used for file names. Using a special operation, however, LINKOPTIM gives its rootkits exactly these names. Part of the Windows restriction on these device names is that such files cannot be deleted with normal file operations either; they can only be deleted using the same special operation that LINKOPTIM uses.
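The special operation Windows leaves open is the Win32 extended-length path prefix (`\\?\`), which hands the name straight to the file system without the parsing that maps CON, COM1 and the rest to devices; a cleanup tool has to use the same prefix to remove such files. As an added example, not Trend Micro's code, the Python below flags directory entries that carry a reserved device name and builds the prefixed path that `os.remove()` can act on. The directory listing and paths are constructed placeholders.

```python
"""Triage helper for files named after reserved DOS device names.

Added example for this write-up, not Trend Micro's tool. The directory
listing below is constructed; the paths are placeholders.
"""
import re

# Names Windows reserves for devices. The check is case-insensitive and
# ignores anything after the first dot, so "COM1.dll" counts as well.
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)

# Literal \\?\ : tells the Win32 layer to pass the path to NTFS without
# the normal name parsing that turns "CON" into the console device.
EXTENDED_PREFIX = "\\\\?\\"


def is_reserved_device_name(name: str) -> bool:
    """True if a file or directory name collides with a DOS device name."""
    base = name.split(".", 1)[0].strip()
    return base.upper() in RESERVED_DEVICE_NAMES


def extended_length_path(path: str) -> str:
    """Return the Win32 extended-length form of an absolute drive or UNC path."""
    path = path.replace("/", "\\")
    if path.startswith(EXTENDED_PREFIX):
        return path
    if path.startswith("\\\\"):                      # \\server\share\...
        return EXTENDED_PREFIX + "UNC\\" + path[2:]
    if re.match(r"^[A-Za-z]:\\", path):             # C:\...
        return EXTENDED_PREFIX + path
    raise ValueError(f"not an absolute Windows path: {path!r}")


def scan_listing(directory: str, names) -> list:
    """Flag reserved-name entries and give the path that can remove them.

    `names` is what os.listdir(directory) returns on the suspect host.
    Ordinary file APIs fail on these entries; on Windows, os.remove() on
    the returned 'delete_path' succeeds because of the extended-length prefix.
    """
    hits = []
    for name in names:
        if is_reserved_device_name(name):
            full = directory.rstrip("\\") + "\\" + name
            hits.append({"name": name, "delete_path": extended_length_path(full)})
    return hits


# Constructed listing of a suspect directory (placeholder names).
SAMPLE_LISTING = ["CON", "COM1.dll", "readme.txt", "lpt2.sys", "console.exe", "NUL.tmp"]

if __name__ == "__main__":
    for hit in scan_listing("C:\\Windows\\Temp", SAMPLE_LISTING):
        print(f"{hit['name']:<12} -> {hit['delete_path']}")
```

Note that `console.exe` is not flagged: only the part before the first dot is compared, which is exactly why `COM1.dll` and `NUL.tmp` are. The same prefixed path form also works with `dir` and `del` from a command prompt.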

As another means to evade detection and removal, LINKOPTIM rootkits also use the Alternate Data Stream (ADS) feature of the NTFS file system. ADS provides a hidden stream that programs can write to during execution. By copying rootkit code into these data streams, which are usually hidden from file browsers, and even antivirus software, LINKOPTIM makes its rootkit even more evasive.
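Defenders can still enumerate streams from the command line: `dir /R` (Windows Vista and later) lists each `file:stream:$DATA` entry beneath its file. As an added example, not code from the post, the Python below parses that listing, constructed here in the en-US layout with placeholder names, and flags every stream other than the browser-written Zone.Identifier mark-of-the-web.

```python
"""Parse `dir /R` output and flag alternate data streams worth a look.

Added example for this write-up, not Trend Micro's tool. SAMPLE_DIR_R is a
constructed listing in the en-US `dir /R` layout; file and stream names are
placeholders.
"""
import re

# Stream lines carry no date, only a right-aligned size and "file:stream:$DATA".
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+):\$DATA\s*$")

# Zone.Identifier is the mark-of-the-web that browsers add to downloads;
# any other named stream on a user file is unusual and worth inspecting.
BENIGN_STREAMS = frozenset(["Zone.Identifier"])


def parse_dir_r(text: str) -> dict:
    """Map each file name to a list of (stream_name, size_in_bytes)."""
    streams = {}
    for line in text.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        file_name, stream_name = m.group(2).rsplit(":", 1)
        streams.setdefault(file_name, []).append((stream_name, size))
    return streams


def suspicious_streams(streams: dict, benign=BENIGN_STREAMS) -> list:
    """Return (file, stream, size) for every stream not on the benign list."""
    return [
        (file_name, stream_name, size)
        for file_name, entries in streams.items()
        for stream_name, size in entries
        if stream_name not in benign
    ]


# Constructed `dir /R` output; the loader and payload streams are placeholders.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\\Users\\analyst\\Downloads

03/14/2006  10:21 AM    <DIR>          .
03/14/2006  10:21 AM    <DIR>          ..
03/14/2006  10:22 AM            12,288 report.pdf
                                   26 report.pdf:Zone.Identifier:$DATA
03/14/2006  10:25 AM             4,096 notes.txt
                               56,832 notes.txt:loader:$DATA
03/14/2006  10:30 AM            81,920 image.jpg
                                   26 image.jpg:Zone.Identifier:$DATA
                               24,576 image.jpg:payload:$DATA
               3 File(s)         98,304 bytes
               2 Dir(s)  12,345,678,912 bytes free
"""

if __name__ == "__main__":
    for file_name, stream_name, size in suspicious_streams(parse_dir_r(SAMPLE_DIR_R)):
        print(f"{file_name}:{stream_name}  {size} bytes")
```

A 56 KB stream hanging off a 4 KB text file is the kind of mismatch the report is meant to surface. The `dir` layout is locale-dependent, so adjust the date handling outside en-US; on hosts without `dir /R`, Sysinternals `streams` or PowerShell `Get-Item -Stream *` produce the same information.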

But the true surprise of LINKOPTIM is in the downloaders, which create a randomly named user account and then encrypt their downloaded files using EFS, providing steel-strong protection for their files without exploiting any vulnerability. Being encrypted, the downloaded files are accessible only to the LINKOPTIM-generated account, which makes it almost impossible to create detection patterns for them.

Only a Recovery Agent account can decrypt, and therefore detect, the files. This brought to light the fact that the Administrator account is not a member of the Recovery Agent security group by default. What this means to the customer is that unless the Administrator or some other account has been configured as a member of the Recovery Agent security group, there is no way to detect the encrypted downloaded files. The files are run using the Run As feature of Windows, furthering LINKOPTIM's ability to protect its files using exactly the design of Windows.

Eventually, the system becomes a host of countless rootkits and downloaders that download more malicious files and even more downloaders, full to the brim, until the system’s resources cannot handle them and the system crashes.

The gold cup: What is LINKOPTIM really after?

Surely an attack as huge, complex, and coordinated as this is not staged by a few malicious authors who just want to wreak havoc. In all likelihood, it is an organized attack that is fueled by the greatest motivator of all: money. As different as it is from the malware attacks in recent months, ultimately it seems to be profit-driven.

Some components are DLLs that are injected into Internet Explorer. Once registered, these DLLs have the capability to alter Google search results, so that the displayed results effectively serve as advertisements for certain sites.

As the most widely used search engine, Google's search results could make or break a business. LINKOPTIM's ability to tamper with these search results makes it a powerful advertising tool.

Catching up: The Trend Micro solution

Overall, LINKOPTIM is a concerted effort of multiple components that attempt to make the vicious infection an endless cycle. One component was even found to spam the URLs of the Italian Web pages where it all starts.

As the LINKOPTIM attack had a head start, antivirus outfits, including Trend Micro, had catching up to do. To prevent infection, detection had to catch up with the seemingly endless number of files involved in the whole scheme. Trend Micro created specific detections for as many related files as possible, but since this is a race against a coordinated attack involving countless files, Trend Micro also resorted to generic detections. Trend Micro likewise caught up with the URLs to be blocked.

For infected systems, Trend Micro continually created generic DCT patterns to clean computers based on files that are already known. This solution is coupled with SysClean, a technology that terminates processes and cleans the registry to help ensure successful system cleanup.

In addition, Trend Micro released Rootkit Buster to remove LINKOPTIM rootkits, which have characteristics that have made them even more difficult to remove than regular rootkits.

To address the downloaded files that are protected by EFS, detection is done by characteristic checking. Since the LINKOPTIM-created account is randomly generated, there is no available way to accurately identify LINKOPTIM-downloaded files. Instead, the user is provided a list of all possible encrypted files related to LINKOPTIM, and their corresponding owners (user accounts). The user can then decide which files to delete.
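The characteristic check described here and the EFS behaviour described earlier come down to one inventory: which files carry the encrypted attribute, and which account owns each of them. As an added example, not Trend Micro's cleanup tool, the Python below builds that report from constructed records (account and file names are placeholders); on a live Windows host, `collect_records()` reads the real attribute bits through `os.stat()` and takes the owner from a caller-supplied lookup such as `dir /Q` or PowerShell `Get-Acl`.

```python
"""Inventory EFS-encrypted files and the accounts that own them.

Added example for this write-up, not Trend Micro's cleanup tool. The
records below are constructed; account and file names are placeholders.
"""
import os
import stat
from collections import Counter
from dataclasses import dataclass

# Attribute bit that marks a file as EFS-encrypted (stat module constant).
FILE_ATTRIBUTE_ENCRYPTED = getattr(stat, "FILE_ATTRIBUTE_ENCRYPTED", 0x4000)


@dataclass(frozen=True)
class FileRecord:
    path: str
    attributes: int   # st_file_attributes on Windows
    owner: str        # "MACHINE\\account", as dir /Q or Get-Acl reports it


def is_efs_encrypted(attributes: int) -> bool:
    return bool(attributes & FILE_ATTRIBUTE_ENCRYPTED)


def encrypted_file_report(records, known_accounts) -> list:
    """List encrypted files with owners; flag owners outside known_accounts.

    A scanner that is not a recovery agent cannot read these files, so the
    owner account is the one signal it still has. Owners missing from the
    host's expected account list deserve a closer look.
    """
    known = {a.lower() for a in known_accounts}
    return [
        {"path": r.path, "owner": r.owner,
         "unknown_owner": r.owner.lower() not in known}
        for r in records
        if is_efs_encrypted(r.attributes)
    ]


def unknown_owner_counts(report) -> Counter:
    """How many encrypted files each unexpected account owns."""
    return Counter(row["owner"] for row in report if row["unknown_owner"])


def collect_records(root: str, owner_lookup):
    """Walk a tree on Windows and build FileRecords from real attribute bits."""
    if os.name != "nt":
        raise RuntimeError("st_file_attributes is only available on Windows")
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                attrs = os.stat(path).st_file_attributes
            except OSError:
                continue          # unreadable entry: skip rather than abort
            yield FileRecord(path, attrs, owner_lookup(path))


# Constructed inventory. Attribute values are the real Win32 bits:
# 0x20 ARCHIVE, 0x02 HIDDEN, 0x04 SYSTEM, 0x2000 NOT_CONTENT_INDEXED,
# 0x4000 ENCRYPTED. "qz7h2k1" stands in for a randomly named account.
KNOWN_ACCOUNTS = ["WORKSTATION\\Administrator", "WORKSTATION\\mario"]
SAMPLE_RECORDS = [
    FileRecord("C:\\Users\\mario\\letter.doc", 0x0020, "WORKSTATION\\mario"),
    FileRecord("C:\\Users\\mario\\taxes.xls", 0x4020, "WORKSTATION\\mario"),
    FileRecord("C:\\Windows\\Temp\\a1.tmp", 0x4020, "WORKSTATION\\qz7h2k1"),
    FileRecord("C:\\Windows\\Temp\\a2.tmp", 0x4026, "WORKSTATION\\qz7h2k1"),
    FileRecord("C:\\Windows\\Temp\\b.log", 0x2006, "WORKSTATION\\Administrator"),
]

if __name__ == "__main__":
    report = encrypted_file_report(SAMPLE_RECORDS, KNOWN_ACCOUNTS)
    for row in report:
        flag = "UNKNOWN OWNER" if row["unknown_owner"] else ""
        print(f"{row['path']:<36} {row['owner']:<26} {flag}")
    print(unknown_owner_counts(report))
```

The report deliberately keeps the user's legitimate encrypted files (the `mario` entries) in view rather than hiding them, matching the post's approach of listing every candidate with its owner and letting the user decide what to delete. `cipher /c <file>` shows which accounts and recovery certificates can decrypt a given file if a closer look is needed.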

The Finish Line: Lessons from the LINKOPTIM event

The race against the LINKOPTIM attack is over. Even though it seemed the number of URLs to block and files to detect would never end, Trend Micro caught up. But over the course of the journey, lessons were learned.

For customers, the lesson is, as always, to be intelligent Internet browsers who understand the true danger of reckless browsing, and who cannot be easily tricked into downloading files onto their systems, even if they look as harmless as www.google.com, and to patch their systems.

For Trend Micro, the lesson is to always be guided by the great responsibility it holds in providing security for the computing world, to be vigilant, and to be even more proactive in order to stop an attack while it is still a spark and prevent it from becoming a huge fire.

 