Vulnerability in Windows "LNK" files?
We've received plenty of information over the past couple of days about this alleged vulnerability in Windows "LNK" (shortcut) files, and its use against "SCADA" networks.
http://www.theregister.co.uk/2010/07/16/windows_shortcut_trojan/
http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/
UPDATE: Two of our Handlers have copies of it now on their analysis systems. Thank you, we will analyze it.
UPDATE 2: We have been notified via our comments that Symantec has definitions for this malware as well now.
-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
UPDATE 3 (from Bojan):
Microsoft posted the advisory about the vulnerability in Windows Shell that has been exploited in some targeted attacks (the advisory is at http://www.microsoft.com/technet/security/advisory/2286198.mspx).
I've tested the exploit and can confirm that it works in Windows XP, Vista and Windows 7. The exploit uses a specially crafted LNK file. This file allows the attacker to execute an arbitrary file by carefully specifying its location; the LNK file in itself does not exploit any vulnerability such as a buffer overflow, for example, so it is a legitimate LNK file. The LNK file used in targeted attacks was manually crafted, as some fields that are normally present, such as CreationTime, AccessTime or WriteTime, are all set to 0.
I will not be posting details about how the exploit works, but here are some things that you should be aware of:
- If autorun is disabled, the exploit will not be triggered automatically when a USB device with malicious LNK files is inserted.
- The exploit is triggered every time a folder containing malicious LNK files is opened (for example, with Windows Explorer). It does not matter where this folder is; it does not have to be on a USB device, but in order to execute the malicious binary, the attacker has to specify its location correctly.
What makes this vulnerability extremely serious is the fact that the malicious LNK file can be opened from any place, including remote shares, for example. The victim just has to browse to the remote share in order to trigger the vulnerability. So double check permissions on any remote shares you use in your companies (you shouldn't allow users to write in root folders, for example).
Some AV vendors have started adding detection for these LNK files, although coverage is still very, very bad.
We will, of course, keep an eye on the development of this.
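As an added example (not part of this ISC diary, and not a tool from Microsoft's advisory), the following Python script parses the fixed 76-byte ShellLinkHeader that begins every .lnk file and flags files whose CreationTime, AccessTime and WriteTime are all 0, the hand-crafted pattern noted above. The field layout follows the published MS-SHLLINK specification; the two sample headers are constructed inline for the demonstration and do not come from any real sample.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader layout from MS-SHLLINK section 2.1: a fixed 76-byte (0x4C)
# little-endian structure at the start of every .lnk file.
HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046}, stored in on-disk GUID byte order.
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime,
# WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1, Reserved2, Reserved3.
HEADER_FMT = "<I16sIIQQQIiIH2sII"
assert struct.calcsize(HEADER_FMT) == HEADER_SIZE

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIMESTAMP_FIELDS = ("CreationTime", "AccessTime", "WriteTime")


def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime, or None when unset (0)."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the constructed samples below."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_lnk_header(data):
    """Parse the fixed header of a .lnk blob; raises ValueError if it is not a shell link."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to contain a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime, file_size,
     icon_index, show_cmd, hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    if size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("HeaderSize/LinkCLSID mismatch: not a shell link")
    return {
        "LinkFlags": flags,
        "FileAttributes": attrs,
        "CreationTime": filetime_to_datetime(ctime),
        "AccessTime": filetime_to_datetime(atime),
        "WriteTime": filetime_to_datetime(wtime),
        "FileSize": file_size,
        "IconIndex": icon_index,
        "ShowCommand": show_cmd,
        "HotKey": hotkey,
    }


def zeroed_timestamps(header):
    """Names of the timestamp fields left at 0. All three zeroed is the hand-crafted
    pattern the diary describes and is worth a closer look in triage."""
    return [name for name in TIMESTAMP_FIELDS if header[name] is None]


def triage_lnk(data):
    """One-word verdict for a blob: 'not-lnk', 'suspicious' (all timestamps zero) or 'ok'."""
    try:
        header = parse_lnk_header(data)
    except ValueError:
        return "not-lnk"
    return "suspicious" if len(zeroed_timestamps(header)) == len(TIMESTAMP_FIELDS) else "ok"


def build_sample_header(ctime, atime, wtime):
    """Constructed 76-byte header (test data, not from any real sample):
    LinkFlags 0x81 = HasLinkTargetIDList | IsUnicode, FileAttributes 0x20 = ARCHIVE,
    ShowCommand 1 = SW_SHOWNORMAL, no hotkey, reserved fields zero."""
    return struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, 0x81, 0x20,
                       ctime, atime, wtime, 0, 0, 1, 0, b"\0\0", 0, 0)


# Constructed samples: one with timestamps a normal tool would write, one with all three zeroed.
SOME_DATE = datetime_to_filetime(datetime(2010, 7, 16, tzinfo=timezone.utc))
NORMAL_SAMPLE = build_sample_header(SOME_DATE, SOME_DATE, SOME_DATE)
CRAFTED_SAMPLE = build_sample_header(0, 0, 0)
NOT_A_LNK = b"MZ" + b"\0" * 80  # constructed non-LNK blob to exercise the header check

if __name__ == "__main__":
    for label, blob in (("normal", NORMAL_SAMPLE), ("crafted", CRAFTED_SAMPLE), ("exe", NOT_A_LNK)):
        print(label, triage_lnk(blob))
```

Zeroed timestamps are a triage heuristic, not a signature for the exploit: some legitimate tools also write 0 into these fields, and a malicious shortcut can carry plausible timestamps, so treat a "suspicious" verdict as a reason to inspect the file on an isolated analysis system, not as proof on its own. To scan a directory, pass the first 76 bytes of each file to `triage_lnk()`.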
UPDATE 4 (from Bojan):
A PoC that exploits this vulnerability has been posted today. I would recommend everyone to take a look at Microsoft's advisory that is available at http://www.microsoft.com/technet/security/advisory/2286198.mspx, especially the workarounds section ("Disable the displaying of icons for shortcuts").
--
Bojan
Bind 9.7.1-P2 is now available
This is a notification just to let you know that ISC.org has released a new version of BIND, 9.7.1-P2. This reverses a change made in 9.7.1.
"The change attempted to correct the behavior of a validating recursive resolver when explicitly queried for records of the type 'RRSIG'. These queries do not occur in normal DNSSEC operation, because RRSIG records are ordinarily returned along with the records they cover. However, a type 'RRSIG' query can be used for manual testing purposes. As a result of the change in 9.7.1, if the cache did not contain any RRSIG records for the name, such a query would trigger an endless loop of recursive queries to the authoritative server."
This patch backs out that change; the underlying issue will be fixed in a future release. So, if you upgraded to 9.7.1-P1, you'll need to apply this patch.
It can be downloaded from
ftp://ftp.isc.org/isc/bind9/9.7.1-P2/bind-9.7.1-P2.tar.gz
-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler