An unpatched shortcut-handling flaw in Windows is now being exploited by the infamous Zeusbot. The flaw was first used by the sophisticated Stuxnet worm to target SCADA-based industrial control and power plant systems.
Attacks began appearing last week, and now the criminals behind the Zeusbot toolkit have joined in. The toolkit is frequently used to steal banking login details from compromised systems.
The appearance of Zeus strains taking advantage of the flaw was first reported by F-Secure. E-mails posing as security messages from Microsoft carry the Zeusbot: each contains a Zip attachment that drops the malicious payload onto the system once it is unzipped.
Other malware has also joined in the exploitation, including the polymorphic Sality virus. Trend Micro have picked up variant strains of Zeus and Sality, while McAfee report that the Downloader-CJX Trojan has begun to exploit the bug too. So it seems inevitable that even more malware will start targeting the Windows hole.
The good news is that all attackers are currently using the same exploit method, which makes it easier to block for now; that advantage will shrink as more malware families adopt the flaw and vary their approach. Microsoft has provided a temporary workaround until a full patch is released. Sophos have also released a free Shortcut exploit protection tool, which sysadmins can obtain regardless of which AV product they are using.
You can read more about the exploit in a previous blog post here.
