Wilders Security Forums  

Wilders Security Forums > Other Security Topics > malware problems & news

#201
July 29th, 2010, 07:37 AM
syk69 (Regular Poster; Join Date: Feb 2010; Posts: 170)
Re: Rootkit.TmpHider

Surfright just posted that they have a fix to protect against the LNK vulnerability.

http://www.wilderssecurity.com/showp...postcount=1928
#202
July 29th, 2010, 11:02 PM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,849)
Re: Rootkit.TmpHider

Quote:
W32.Stuxnet Variants

As we have mentioned in a previous blog W32.Stuxnet contains a complex nested structure of files and components inside. We were interested to discover if the different samples we have seen in the wild were different variants or just modifications to the wrapper with the same components embedded. To determine if there are different variants of W32.Stuxnet we unraveled each sample in order to determine what the payload of each sample consisted of. Here we present the results of that analysis.

From the samples we have reviewed (we have only reviewed a subset of the total samples to date) we observed 4 distinct file sizes for the installer component, as shown below. As you can see, although there are 4 different types of installers, the first 3 types are actually the same, just with added junk or nulls. However, the fourth type is significantly different from the other 3 types.

http://www.symantec.com/connect/fr/b...uxnet-variants

Quote:
Product Information dated July 28, 2010:

* Latest news on the infected computers:
Currently we are only aware of the two customer cases worldwide mentioned on July 23, 2010. A production plant has so far not been affected.

http://support.automation.siemens.co...83&caller=view


*

@syk69

Thanks for the info. From what I've read it only appears to be partially successful, but still useful.
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
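The Symantec observation quoted in the post above (four installer sizes, three of which are the same component with junk or nulls appended) suggests a simple triage step before deciding whether files are "variants": normalise away appended padding and compare the remaining bytes, so padded copies collapse into one group. The Python below is an added example, not Symantec's tooling or anything posted in this thread. It assumes the junk is appended after the real content (true for trailing padding, not for junk inserted in the middle), and the byte strings at the bottom are constructed stand-ins, not real sample data.

```python
import hashlib


def strip_trailing_nulls(data: bytes) -> bytes:
    """Drop NUL padding appended to the end of a sample."""
    return data.rstrip(b"\x00")


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes the two blobs share."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return n


def core_digest(data: bytes) -> str:
    """SHA-256 of a sample after trailing NUL padding is removed."""
    return hashlib.sha256(strip_trailing_nulls(data)).hexdigest()


def group_samples(samples: dict) -> dict:
    """Group samples that are identical up to appended padding or junk.

    Samples are visited shortest first. A sample joins an existing group when
    that group's core (its shortest member, NUL-stripped) is a byte-for-byte
    prefix of the sample; otherwise it starts a new group.
    Returns {sha256 of group core: [sample names]}.
    """
    groups = []  # list of (core_bytes, [names])
    for name, data in sorted(samples.items(), key=lambda kv: len(kv[1])):
        core = strip_trailing_nulls(data)
        for group_core, names in groups:
            if common_prefix_len(group_core, core) == len(group_core):
                names.append(name)
                break
        else:
            groups.append((core, [name]))
    return {hashlib.sha256(c).hexdigest(): names for c, names in groups}


# Constructed stand-ins for installer samples (assumption: not real malware).
CORE_A = b"MZ\x90\x00" + b"installer-A-body" * 8
CORE_B = b"MZ\x90\x00" + b"installer-B-body" * 8
SAMPLES = {
    "a1": CORE_A,
    "a2": CORE_A + b"\x00" * 512,                 # same body, NUL padded
    "a3": CORE_A + b"\x00" * 64 + b"JUNK" * 32,   # same body, nulls then junk
    "b1": CORE_B,                                 # genuinely different body
}

if __name__ == "__main__":
    for digest, names in group_samples(SAMPLES).items():
        print(digest[:12], sorted(names))
```

A prefix match is a weak signal on its own (two different builds can share the same PE stub), so a hit here only says "worth diffing", not "identical"; the point is that the plain file hash or size, which is what made the four sizes look like four variants, is the wrong unit of comparison when the wrapper pads.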
#203
July 30th, 2010, 07:09 AM
subratam (Spyware Fighter; Join Date: Nov 2003; Location: Issaquah, WA; Posts: 1,310)
Re: Rootkit.TmpHider

A few more related pieces of information, with some of the latest follow-ups: http://blog.emsisoft.com/2010/07/28/windows7isnotsafe/ , and any latest development is being watched.
#204
July 30th, 2010, 07:57 AM
AvinashR (Very Frequent Poster; Join Date: Dec 2009; Location: New Delhi Metallo β-Lactamase 1; Posts: 2,060)
Re: Rootkit.TmpHider

Hitman Pro has also posted some updated information. Their updated version (beta) provides rock-solid protection against the .LNK vulnerability.

Here is the more information on it:- http://www.surfright.nl/en/support/fix-2286198
__________________
∆√♪ηάکђ
ℓєтک υηcσммpℓιcαтє
http://www.adminus.net
http://technonxt.wordpress.com
#205
July 30th, 2010, 06:59 PM
MrBrian (Very Frequent Poster; Join Date: Feb 2008; Posts: 2,925)
Re: Rootkit.TmpHider

Microsoft LNK vulnerability fix from Microsoft coming on August 2
(Already mentioned at http://www.wilderssecurity.com/showthread.php?t=278390)
#206
July 30th, 2010, 07:16 PM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,849)
Re: Rootkit.TmpHider

@AvinashR Hitman Pro

Another 2 cases reported

Quote:
Product Information dated July 29, 2010:

* Latest news on the infected computers:
Currently we are aware of four customer cases worldwide in total. A production plant has so far not been affected.

http://support.automation.siemens.co...83&caller=view

@MrBrian Also,

Quote:
Stuxnet, malicious .LNKs, ...and then there was Sality

Today, Microsoft announced plans to release an out-of-band update to address CVE-2010-2568 (described in Microsoft Knowledge Base Article 2286198). As mentioned earlier this month, the Microsoft Malware Protection Center (MMPC), along with other Microsoft Active Protection Program partners, has been keeping a close watch on the use of .LNK files exploiting this vulnerability. As with many new attack techniques, copycat attackers can act quickly to integrate new techniques. Although there have been multiple families that have picked up this vector, one in particular caught our attention this week: a family named Sality, and specifically Sality.AT. Sality is a highly virulent strain. It is known to infect other files (making full removal after infection challenging), copy itself to removable media, disable security, and then download other malware. It is also a very large family, one of the most prevalent families this year. After the inclusion of the .LNK vector, the number of machines seeing attack attempts combining malicious .LNKs and Sality.AT soon surpassed the numbers we saw with Stuxnet. We know that it is only a matter of time before more families pick up the technique.

The following chart shows this trend:

http://blogs.technet.com/b/mmpc/arch...as-sality.aspx
#207
July 30th, 2010, 07:44 PM
fsr (Regular Poster; Join Date: Jul 2010; Posts: 190)
Re: Rootkit.TmpHider

This Sality.AT nukes a bunch of popular home user defenses, no wonder they did that :P

Last edited by fsr : July 30th, 2010 at 08:14 PM. Reason: fixed link
#208
July 30th, 2010, 07:47 PM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,849)
Re: Rootkit.TmpHider

@ fsr

Hi, your link doesn't work?
#209
July 31st, 2010, 04:40 AM
erikloman (Developer; Join Date: Jun 2009; Location: Hengelo, The Netherlands; Posts: 1,128)
How Hitman Pro LNK Exploit Protection works

We have just posted on our blog the inner workings on how Hitman Pro LNK Exploit Protection works:
http://hitmanpro.wordpress.com
#210
July 31st, 2010, 02:44 PM
EraserHW (Prevx Moderator; Join Date: Oct 2005; Location: Italy / UK; Posts: 584)
Re: How Hitman Pro LNK Exploit Protection works

Quote:
Originally Posted by erikloman
We have just posted on our blog the inner workings on how Hitman Pro LNK Exploit Protection works:
http://hitmanpro.wordpress.com

And I can assure you it does work, actually. That's one of two methods I used in my SafeLink patch.
__________________
Before you criticize someone, you should walk a mile in their shoes. That way when you criticize them, you are a mile away from them and you have their shoes
Check your PC in about a minute
#211
July 31st, 2010, 10:45 PM
xxJackxx (Very Frequent Poster; Join Date: Oct 2008; Location: USA; Posts: 2,533)
Re: Rootkit.TmpHider

Looks like within 48 hours it won't matter. http://www.informationweek.com/news/...Sfeed_IWK_News
#212
August 1st, 2010, 11:25 AM
Czerno (Infrequent Poster; Join Date: May 2005; Posts: 37)
Re: Rootkit.TmpHider

Quote:
Originally Posted by xxJackxx
Looks like within 48 hours it won't matter.

Ahem? What about the millions who still run "older" Windows 2000 or Windows XP (pre-SP3), for instance?

Microsoft, in their usual hypocritical ways, said they're oh! so concerned about the effect of this stupid flaw on the, quote, internet ecosystem, unquote!

If there was a grain of truth in such statements, then they would release exceptional patches for Win 2k and XP. It wouldn't really cost them much more work, as ALL Windows systems have had the same blunder made in shell32.dll. They could apply the exact same correction to the sources and recompile the lot in one batch...


What they are really concerned about however is their fat, uh, wallets. Disgusting pigs! How can anybody dare defend them is beyond me.

--
Czerno

Last edited by Czerno : August 1st, 2010 at 12:50 PM.
#213
August 2nd, 2010, 01:02 PM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,849)
Re: Rootkit.TmpHider

Wireless angle to the .lnk exploit

Quote:
Windows ‘LNK’ Exploit Demonstration

Anyway, there are a number of ways this could be used effectively in the field, but it requires a bit of creativity on the part of the attacker (I’m mainly talking about wireless networks). Is this effective? Definitely. Does it warrant raising infocon? Not in my opinion. I mean, look at all of the other exploits that target Windows that are totally remote, IE: enter an IP address and hit “exploit”. Those, in my opinion, are far more threatening than this.

All that said, though, I think this is going to be around for awhile and is going to definitely be a popular attack vector. I know I’m going to be using it

http://www.attackvector.org/lnk-exploit-demonstration

I know the fix is imminent, but just for the record, here's a patch I wasn't aware of before.

Quote:
Patch for 0day .LNK file handling vulnerability update - more versions of shell32.dll are supported

Patch.exe is now updated to add support for Windows XP SP1/SP1a. For more information, license and disclaimer, read Patch for 0day .LNK file handling vulnerability.
Supported operating systems:

* Windows 2000 SP1
* Windows 2000 SP4
* Windows XP - no service pack
* Windows XP SP1
* Windows XP SP1a
* Windows XP SP2
* Windows XP SP3

http://nemesis.te-home.net/News/2010...bility_up.html

Quote:
Search Results for lnk

http://www.thesecurityblog.com/?s=lnk

SALITY

Quote:
Top 10 of Infected Files (Last 24 Hours)

http://www.virustotal.com/estadisticas.html
#214
August 2nd, 2010, 02:19 PM
xxJackxx (Very Frequent Poster; Join Date: Oct 2008; Location: USA; Posts: 2,533)
Re: Rootkit.TmpHider

The fix is out now. Run Windows Update.
#215
August 3rd, 2010, 04:21 AM
Czerno (Infrequent Poster; Join Date: May 2005; Posts: 37)
Re: Rootkit.TmpHider

Quote:
Originally Posted by CloneRanger

I know the fix is imminent, but just for the record, here's a patch i wasn't aware of before.

Patch for 0day .LNK file handling vulnerability update - more versions of shell32.dll are supported
...

http://nemesis.te-home.net/News/2010...bility_up.html

Unfortunately, his patcher/replacer combo is fragile at best. Tried it on my Windows SP4 (French), it faulted :-(

What we need is MS releasing the fix for newly unsupported versions of Windows, like they did in 2001 on a similar occasion. After all, they care for the "internet ecosystem", don't they? And this mess is entirely their blunder/fault, isn't it?

In addition I'm certain (you just have to examine the inf files in the official update) MS has compiled the revised shell32.dll for "unsupported" systems, only they must be reserving them for enterprise customers paying big$$$ support contracts. Can't they be pressured to release the fix for free, either through Windows Update or as a standalone?

--
Czerno
#216
August 3rd, 2010, 10:22 PM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,849)
Re: Rootkit.TmpHider

Quote:
Product Information dated August 03, 2010:

* Important note on the Microsoft Patch

The Microsoft Patch just prevents the trojan from being installed automatically on the system. If a user with admin rights (Microsoft Patch installed) opens an infected LNK file by mouse click, the computer will be infected - if no virus scanner has been installed. In order to avoid such an infection it is strongly recommended that users work only with power user rights. Power users don't have the necessary rights to start code from another drive. Additional security is provided by the use of an up-to-date virus scanner.

* Latest news on the infected computers:
Currently we are aware of five customer cases worldwide in total. A production plant has so far not been affected.

http://support.automation.siemens.co...83&caller=view

Re RED

Do they mean pre the latest official patch, or even with it ? If it's the latter

*

Quote:
Originally Posted by Czerno

Unfortunately, his patcher/relacer combo is fragile at best. Tried it on my Windows SP4 (French), it faulted

Oh dear, at least the official fix is out now, though I've read even that has messed up some people's comps.

Quote:
In addition I'm certain (you just have to examine the inf files in the official update) MS has compiled the revised shell32.dll for "unsupported" systems, only they must be reserving them for enterprise customers paying big$$$ support contracts.

Interesting, so they can do it, if they want to !
#217
August 4th, 2010, 06:26 AM
erikloman (Developer; Join Date: Jun 2009; Location: Hengelo, The Netherlands; Posts: 1,128)
Re: Rootkit.TmpHider

I wrote a little article on our blog about LNK exploit protection on Windows 2000, XP RTM, SP1 and SP2:
http://hitmanpro.wordpress.com/2010/...m-sp1-and-sp2/
#218
August 4th, 2010, 09:48 AM
Czerno (Infrequent Poster; Join Date: May 2005; Posts: 37)
Re: Rootkit.TmpHider

Quote:
Originally Posted by CloneRanger

Do they mean pre the latest official patch, or even with it ? If it's the latter

It's with the official MS update applied. Yes, not good, MS did it once again. There'll still be fellows to excuse/defend Microsoft, like drug addicts defend their dealers, I fear.
#219
August 4th, 2010, 10:04 AM
fsr (Regular Poster; Join Date: Jul 2010; Posts: 190)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Czerno
It's with the official MS update applied. Yes, not good, MS did it once again. There'll still be fellows to excuse/defend Microsoft, like drug addicts defend their dealers, I fear.

Quote:
A: Microsoft cannot conclusively comment on the behavior of all possible malware families that use this vulnerability. However, this vulnerability cannot be exploited without user interaction, and cannot be used to spread in an environment without the user actually using an infected USB stick, or browsing a malicious network location. User interaction is required for this vulnerability to be exploited.

Read on
#220
August 4th, 2010, 01:47 PM
Czerno (Infrequent Poster; Join Date: May 2005; Posts: 37)
Re: Rootkit.TmpHider

Quote:
Originally Posted by fsr
this vulnerability cannot be exploited .... without the user actually using an infected USB stick, or browsing a malicious network location. User interaction is required for this vulnerability to be exploited.

Now it's the user's fault, is it? What kind of mitigation/excuse is that? ANY web page, including the one you are now displaying, any FTP, WebDAV etc. site, any local folder or remote share which you open in Explorer (or a similar file browser) could contain a malicious link or pif which will lead to execution of code on affected (unpatched or unpatchable) systems. Safe usability of older unpatched systems is therefore almost reduced to nil. By refusing to patch older systems (XP SP2 still has a 15% usage share according to some stats!), MS is clearly putting users at risk. Could they be sued/forced into preventing/repairing the damage they are making possible? -IANAL-
#221
August 4th, 2010, 04:37 PM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,849)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Czerno

It's with the official MS update applied.

Thanks, that's what I feared. Looks like it's a "feature" not a bug, and will remain on ALL versions of OS's.

@ fsr

Thanks for the link

*

Here's an idea

Quote:
Originally Posted by OZO

To those who can't install that critical fix on their XP SP2 computers - here is my story.

Yesterday I've replaced shell32.dll manually:
old: v.6.0.2900.3402 8,460,800 bytes
new: v.6.0.2900.6018 8,462,336 bytes

There is no problem at all, as expected. If I notice anything "unexpected", I'll let you know, of course.

http://www.broadbandreports.com/foru...-2010~start=40

But please see my RED info and the corresponding info/links by Czerno and fsr
#222
August 4th, 2010, 04:37 PM
Windchild (Frequent Poster; Join Date: Jun 2009; Posts: 563)
Re: Rootkit.TmpHider

This thread is starting to get out of hand with the silliness... There is a patch out. It fixes the vulnerability. Patch your system, and you're set. If you're using an unsupported version of Windows, update to a supported version. End of trouble.

Quote:
Originally Posted by CloneRanger
Do they mean pre the latest official patch, or even with it ? If it's the latter

What's there to about? Let's stop and think for a moment. LNK files are shortcuts that point to executables. If a user opens - that's to say double-clicks, for example - a malicious LNK file, the computer may be infected because the user just executed whatever malicious file the LNK points to. Nothing strange about that. That's how LNK files are intended to work: you click on them, and then some program that the LNK file points to is executed. Anything else would make LNK files utterly useless. If the LNK points to a malicious program, and you click on the LNK, then the malicious program obviously runs. The actual LNK vulnerability discussed in this thread is a different situation: even if you don't click on a LNK, code gets executed when Windows tries to load the icon for the LNK file. That vulnerability should now be fixed.

This aside, the Siemens link reads like nonsense, with odd claims like "Power user don´t have the necessary rights in order to start code from another drive."


Quote:
Originally Posted by CloneRanger
Oh dear, at least the official fix is out now, though i've read even that has messed up some people comps

Well, to be fair, the only cases of this patch messing up comps that I've heard of are cases where security software like ESET's AV screwed up the system as this patch was installed. I haven't seen anyone who didn't have stuff like that installed have any trouble with the patch.

Quote:
Originally Posted by CloneRanger
Interesting, so they can do it, if they want to !

Obviously they can do it, if they want to. They made the entire OS. They can surely make a few changes to a single component of said OS. Thing is, they're not making those changes for unsupported versions. If you want the patch, install SP3. SP3 will not cause you any harm, unless your hardware and/or software positively sucks and is unsupported for up-to-date versions of XP.


Quote:
Originally Posted by Czerno
By refusing to patch older systems (still XP SP2 has a 15% usage share according to some stats!), MS is clearly putting users at risk. Could they be sued/forced into preventing/repairing the damage they are making possible ?

It's not MS putting the SP2 users at risk. It's the SP2 users putting themselves at risk, by stubbornly refusing to update to newer and still completely free-of-charge versions of their software that would fix the issue and remove the risk. Software is not supported for eternity - that's quite clearly stated everywhere. If you want fixes, you update to the supported versions. Anything else would make the entire software business mostly impossible.

As for any chance of lawsuit against MS on this subject, my forecast is no sane judge or jury would ever punish Microsoft for no longer supporting a service pack originally released in 2004, especially because a supported service pack is available for free. It's ok to hate MS, but it's not ok to be irrational.


I could go on, but it wouldn't do much good.
__________________
Save your tears, for your tears will not save you :: Shameless LUA troll
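Windchild's distinction above (the bug is that shell32 ran code while merely rendering the icon of an unclicked .LNK, whereas a clicked shortcut running its target is by design) also says what a file-level check can look for. The Python below is an added example, not code from this thread, Microsoft, SurfRight or any other vendor mentioned: it parses the MS-SHLLINK header and LinkTargetIDList and flags files whose IDList walks into the Control Panel shell folder and then supplies a file path or a .dll name, which is the publicly described shape of the CVE-2010-2568 files. The My Computer and Control Panel CLSIDs are the standard shell folder CLSIDs; the three .lnk byte strings at the bottom are constructed fixtures with a placeholder UNC path, not real samples; and the rule is a heuristic, so a hit is something to look at, not proof of infection. It does nothing to protect an unpatched machine; it is a hunting aid for scanning a USB stick or a share.

```python
import struct
import uuid

# Fixed values from the MS-SHLLINK shell link format.
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x00000001

# Standard shell folder CLSIDs that appear inside a LinkTargetIDList.
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")


def parse_id_list(blob, offset):
    """Parse the LinkTargetIDList at offset: a u16 IDListSize, then ItemIDs
    (u16 size including itself, then data) ended by a 0x0000 TerminalID.
    Returns the list of ItemID payloads."""
    (id_list_size,) = struct.unpack_from("<H", blob, offset)
    offset += 2
    end = offset + id_list_size
    if end > len(blob):
        raise ValueError("IDListSize runs past end of file")
    items = []
    while offset < end:
        (item_size,) = struct.unpack_from("<H", blob, offset)
        if item_size == 0:            # TerminalID
            break
        if item_size < 2 or offset + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(bytes(blob[offset + 2:offset + item_size]))
        offset += item_size
    return items


def parse_lnk(blob):
    """Validate the 76-byte ShellLinkHeader; return LinkFlags and ItemIDs."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("file shorter than a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", blob, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != SHELL_LINK_CLSID:
        raise ValueError("not a shell link file")
    items = parse_id_list(blob, HEADER_SIZE) if flags & HAS_LINK_TARGET_ID_LIST else []
    return {"flags": flags, "items": items}


def utf16_strings(data, min_len=4):
    """Extract printable-ASCII UTF-16LE runs, trying both byte alignments,
    since the string inside an ItemID need not start on an even offset."""
    found = []
    for start in (0, 1):
        run = []
        for i in range(start, len(data) - 1, 2):
            lo, hi = data[i], data[i + 1]
            if hi == 0 and 0x20 <= lo < 0x7F:
                run.append(chr(lo))
                continue
            if len(run) >= min_len:
                found.append("".join(run))
            run = []
        if len(run) >= min_len:
            found.append("".join(run))
    return found


def is_control_panel_dll_chain(items):
    """Heuristic: a Control Panel folder ItemID followed by an ItemID that
    carries a file path or a .dll name. Genuine Control Panel shortcuts are
    addressed by CLSIDs, not by a path to a DLL the shell should load."""
    seen_control_panel = False
    for data in items:
        if CONTROL_PANEL_CLSID.bytes_le in data:
            seen_control_panel = True
            continue
        if not seen_control_panel:
            continue
        for s in utf16_strings(data):
            s = s.lower()
            if "\\" in s or ".dll" in s:
                return True
    return False


def classify(blob):
    """'suspicious' if the IDList matches the exploit shape, else 'ok'."""
    return "suspicious" if is_control_panel_dll_chain(parse_lnk(blob)["items"]) else "ok"


# --- constructed fixtures (assumption: placeholder data, not real samples) ---

def _item(data):
    return struct.pack("<H", len(data) + 2) + data

def build_lnk(items):
    header = struct.pack("<I16sI", HEADER_SIZE, SHELL_LINK_CLSID.bytes_le,
                         HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))
    id_list = b"".join(_item(d) for d in items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list

MY_COMPUTER_ITEM = b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le
CONTROL_PANEL_ITEM = b"\x2e\x80" + CONTROL_PANEL_CLSID.bytes_le

# Exploit shape: Control Panel item, then a path to a DLL (placeholder path).
SUSPICIOUS_LNK = build_lnk([
    MY_COMPUTER_ITEM,
    CONTROL_PANEL_ITEM,
    b"\x00\x00" + "\\\\fileserver\\share\\loader.dll".encode("utf-16-le") + b"\x00\x00",
])
# Ordinary file shortcut: drive and file items, no Control Panel item.
FILE_LNK = build_lnk([
    MY_COMPUTER_ITEM,
    b"\x2f" + b"C:\\" + b"\x00" * 19,
    b"\x31\x00\x00\x00" + b"notepad.exe\x00" + "notepad.exe".encode("utf-16-le") + b"\x00\x00",
])
# Control Panel applet shortcut addressed by CLSID only: not flagged.
APPLET_LNK = build_lnk([
    MY_COMPUTER_ITEM,
    CONTROL_PANEL_ITEM,
    b"\x71\x00" + uuid.UUID("00000000-0000-0000-0000-000000000000").bytes_le,
])

if __name__ == "__main__":
    for name, blob in (("exploit-shape", SUSPICIOUS_LNK), ("file", FILE_LNK), ("applet", APPLET_LNK)):
        print(name, classify(blob))
```

To sweep a mounted stick or share, walk it for `*.lnk`, read each file in binary and pass the bytes to `classify`, treating `ValueError` (non-LNK or truncated data) as its own category worth a look. Note that the check inspects the file without asking the shell to render it, which is exactly the step the unpatched shell32 got wrong.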
#223
August 4th, 2010, 04:45 PM
wat0114 (Posts: n/a)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Windchild
This thread is starting to get out of hand with the silliness...

For this and everything else you posted, thank you! This vulnerability is being made to appear as some cryptic, Babylonian black magic that conjures up spirits from the underworld
#224
August 4th, 2010, 04:56 PM
Pliskin (Regular Poster; Join Date: Feb 2009; Posts: 182)
Re: Rootkit.TmpHider

For XP SP2 users, according to http://nemesis.te-home.net/News/2010...bility_up.html:
Quote:
If you have Windows XP, you can use the patch released by Microsoft for Windows XP Service Pack 3 with other disallowed service packs.
Download the patch from here
Extract all files to a directory called "Patch": execute this command in the directory where the patch is located: WindowsXP-KB2286198-x86-ENU.exe /q /x:Patch
Download Replacer from here
Use replacer to replace %windir%\system32\shell32.dll with Patch\SP3QFE\shell32.dll .
#225
August 5th, 2010, 09:34 AM
Revo59ndx (Infrequent Poster; Join Date: Aug 2010; Posts: 1)
Re: Rootkit.TmpHider

Hello.

Glad to join the forum. After some efforts to register, I finally succeeded.

I would like to share my opinion and give my advice to:

Those who still run Windows SP2 Pro to upgrade to SP3. Just consider this:

List of fixes that are included in Windows XP Service Pack 3

Even if there was a LNK vulnerability patch for XP Service Pack 2, how about that endless list of fixes, let alone the earlier versions? Is it worthwhile?

Those who are going to use other LNK vulnerability patches:

1. Those patches were only a temporary and partial solution. They blocked some regular LNKs and did not block the dangerous LNKs from every possible location.

2. Those patches were not coordinated with the Windows Messages system which, for example, with the Hitman Pro LNK Exploit Protection, led to numerous error messages popping up when opening Control Panel, causing explorer.exe to freeze:

[attachment: pic_20.jpg]

The Microsoft LNK vulnerability fix modifies not only the Windows Shell but also the Windows Messages System; actually, two files are modified:

C:\WINDOWS\system32\shell32.dll * Windows Shell Common Dll *
C:\WINDOWS\system32\spmsg.dll * Service Pack Messages *

After installing the Microsoft LNK vulnerability fix, the dangerous LNK file treatment is as follows:

[attachments: pic_22.jpg, pic_23.jpg]

Windows Shell is looking for the shortcut icon in the target file but expects it to be in the system32 folder; otherwise it does nothing.


Last edited by Revo59ndx : August 5th, 2010 at 02:07 PM.
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums