Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. syk69

    syk69 Registered Member

  2. CloneRanger

    CloneRanger Registered Member


    *

    @syk69

    Thanks for the info :thumb: From what I've read it only appears to be partially successful :( but still useful.
  3. subratam

    subratam Registered Member

  4. AvinashR

    AvinashR Registered Member

  5. MrBrian

    MrBrian Registered Member

  6. CloneRanger

    CloneRanger Registered Member

    @AvinashR Hitman Pro :thumb:

    Another 2 cases reported :eek:

    @MrBrian :thumb: Also,

  7. fsr

    fsr Registered Member

    Last edited: Jul 30, 2010
  8. CloneRanger

    CloneRanger Registered Member

    @ fsr

    Hi, your link doesn't work?
  9. erikloman

    erikloman Developer

    How Hitman Pro LNK Exploit Protection works

    We have just posted on our blog the inner workings on how Hitman Pro LNK Exploit Protection works:
    http://hitmanpro.wordpress.com
  10. EraserHW

    EraserHW Prevx Moderator

    Re: How Hitman Pro LNK Exploit Protection works

    And I can assure it does work actually :D That's one of two methods I used in my SafeLink patch ;)
  11. xxJackxx

    xxJackxx Registered Member

  12. Czerno

    Czerno Registered Member

    Ahem? What about the millions who still run "older" Windows 2000 or Windows XP (pre-SP3), for instance?

    Microsoft in their usual hypocritical ways said they're oh! so concerned about the effect of this stupid flaw on the, quote, internet ecosystem, unquote!

    If there was a grain of truth in such statements, then they would release exceptional patches for Win 2k and XP. It wouldn't really cost them much more work, as ALL windows systems have had the same blunder made in shell32.dll. They could apply the exact same correction to the sources and recompile the lot in one batch...


    What they are really concerned about however is their fat, uh, wallets. Disgusting pigs! How can anybody dare defend them is beyond me.

    --
    Czerno
    Last edited: Aug 1, 2010
  13. CloneRanger

    CloneRanger Registered Member

    Wireless angle to the .lnk exploit

    I know the fix is imminent, but just for the record, here's a patch I wasn't aware of before.

    SALITY

  14. xxJackxx

    xxJackxx Registered Member

    The fix is out now. Run Windows Update.
  15. Czerno

    Czerno Registered Member

    Unfortunately, his patcher/replacer combo is fragile at best. Tried it on my Windows SP4 (French), it faulted :-(

    What we need is MS releasing the fix for newly unsupported versions of Windows, like they did in 2001 on a similar occasion. After all, they care for the "internet ecosystem", don't they? And this mess is entirely their blunder/fault, isn't it?

    In addition I'm certain (you just have to examine the inf files in the official update) MS has compiled the revised shell32.dll for "unsupported" systems, only they must be reserving them for enterprise customers paying big$$$ support contracts. Can't they be pressured to release the fix for free, either through Windows Update or as a standalone?

    --
    Czerno
  16. CloneRanger

    CloneRanger Registered Member

    Re RED

    Do they mean pre the latest official patch, or even with it? If it's the latter :eek:

    *

    Oh dear, at least the official fix is out now, though I've read even that has messed up some people's comps :D

    Interesting, so they can do it, if they want to!
  17. erikloman

    erikloman Developer

  18. Czerno

    Czerno Registered Member

    It's with the official MS update applied. Yes, not good, MS did it once again. There'll still be fellows to excuse/defend Microsoft, like drug addicts defend their dealers, I fear.
  19. fsr

    fsr Registered Member

    Read on
  20. Czerno

    Czerno Registered Member

    Now it's the user's fault, is it? What kind of a mitigation/excuse is that? ANY web page, including the one you are now displaying, any FTP, WebDAV etc. site, any local folder or remote share which you open in Explorer (or a similar file browser) could contain a malicious link or pif which will lead to execution of code on affected (unpatched or unpatchable) systems. Safe usability of older unpatched systems is therefore almost reduced to nil. By refusing to patch older systems (XP SP2 still has a 15% usage share according to some stats!), MS is clearly putting users at risk. Could they be sued/forced into preventing/repairing the damage they are making possible? -IANAL-
  21. CloneRanger

    CloneRanger Registered Member

    Thanks, that's what I feared. Looks like it's a "feature", not a bug :D And will remain on ALL versions of OS's :eek:

    @ fsr

    Thanks for the link :thumb:

    *

    Here's an idea

    But please see my RED info and the corresponding info/links by Czerno and fsr
  22. Windchild

    Windchild Registered Member

    This thread is starting to get out of hand with the silliness... There is a patch out. It fixes the vulnerability. Patch your system, and you're set. If you're using an unsupported version of Windows, update to a supported version. End of trouble.

    What's there to :eek: about? Let's stop and think for a moment. LNK files are shortcuts that point to executables. If a user opens - that's to say double-clicks, for example - a malicious LNK file, the computer may be infected because the user just executed whatever malicious file the LNK points to. Nothing strange about that. That's how LNK files are intended to work: you click on them, and then some program that the LNK file points to is executed. Anything else would make LNK files utterly useless. If the LNK points to a malicious program, and you click on the LNK, then the malicious program obviously runs. The actual LNK vulnerability discussed in this thread is a different situation: even if you don't click on a LNK, code gets executed when Windows tries to load the icon for the LNK file. That vulnerability should now be fixed.

    This aside, the Siemens link reads like nonsense, with odd claims like "Power user don´t have the necessary rights in order to start code from another drive."


    Well, to be fair, the only cases of this patch messing up comps that I've heard of are cases where security software like ESET's AV screwed up the system as this patch was installed. I haven't seen anyone who didn't have stuff like that installed have any trouble with the patch.

    Obviously they can do it, if they want to. They made the entire OS. They can surely make a few changes to a single component of said OS. Thing is, they're not making those changes for unsupported versions. If you want the patch, install SP3. SP3 will not cause you any harm, unless your hardware and/or software positively sucks and is unsupported for up-to-date versions of XP.


    It's not MS putting the SP2 users at risk. It's the SP2 users putting themselves at risk, by stubbornly refusing to update to newer and still completely free-of-charge versions of their software that would fix the issue and remove the risk. Software is not supported for eternity - that's quite clearly stated everywhere. If you want fixes, you update to the supported versions. Anything else would make the entire software business mostly impossible.

    As for any chance of lawsuit against MS on this subject, my forecast is no sane judge or jury would ever punish Microsoft for no longer supporting a service pack originally released in 2004, especially because a supported service pack is available for free. It's ok to hate MS, but it's not ok to be irrational.


    I could go on, but it wouldn't do much good.
  23. wat0114

    wat0114 Guest

    For this and everything else you posted, thank you! This vulnerability is being made to appear as some cryptic, Babylonian black magic that conjures up spirits from the underworld :rolleyes:
  24. Pliskin

    Pliskin Registered Member

    For XP SP2 users, according to http://nemesis.te-home.net/News/20100723_Patch_for_0day__LNK_file_handling_vulnerability_up.html:
  25. Revo59ndx

    Revo59ndx Registered Member

    Hello.

    Glad to join the forum. After some efforts to register, finally succeeded.

    I would like to share my opinion and give my advice to:

    Those who still run Windows SP2 Pro to upgrade to SP3. Just consider this:

    List of fixes that are included in Windows XP Service Pack 3

    Even if there was an LNK vulnerability patch for XP Service Pack 2, how about that endless list of fixes, let alone the earlier versions? Is it worthwhile?

    Those who are going to use other LNK vulnerability patches:

    1. Those patches were only a temporary and partial solution. They blocked some regular LNKs and did not block the dangerous LNKs from every possible location.

    2. Those patches were not coordinated with the Windows Messages system which, for example, with the Hitman Pro LNK Exploit Protection, led to numerous error messages popping up when opening Control Panel, causing explorer.exe to freeze:

    pic_20.jpg

    The Microsoft LNK vulnerability fix modifies not only the Windows Shell but also the Windows Messages System; actually, two files are modified:

    C:\WINDOWS\system32\shell32.dll * Windows Shell Common Dll *
    C:\WINDOWS\system32\spmsg.dll * Service Pack Messages *

    After installing the Microsoft LNK vulnerability fix, the dangerous LNK file treatment is as follows:

    pic_22.jpg

    pic_23.jpg

    Windows Shell looks for the shortcut icon in the target file but expects it to be in the system32 folder; otherwise it does nothing.

    :doubt:
    Last edited: Aug 5, 2010
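
    A defender-side triage helper, added here as an example and not code from the thread, from Hitman Pro or from Microsoft: it parses the fixed-size ShellLinkHeader and the StringData fields of a .lnk file following Microsoft's public [MS-SHLLINK] layout, pulls out the ICON_LOCATION string (the icon the shell resolves before any click, which Windchild's post above identifies as the path the vulnerability abused), and applies the post-fix rule Revo59ndx describes (icon resources are only honoured from system32) as a review flag for shortcuts found on shares or removable media. The three shortcut blobs are constructed inline for the demo; the fileserver name and the E: drive path are made up, and the single-line builder writes only a header plus an icon string, far less than a real shortcut carries.

```python
"""Triage .lnk files: flag shortcuts whose icon location lies outside system32.

Added example (not the thread's, Hitman Pro's or Microsoft's code).  Field
offsets follow the public [MS-SHLLINK] specification: a 0x4C-byte
ShellLinkHeader, optional LinkTargetIDList and LinkInfo, then StringData,
of which ICON_LOCATION is the last field.
"""
import ntpath
import struct

# LinkFlags bits used here (from [MS-SHLLINK] 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Assumed install location; a real scanner would read %SystemRoot%.
SYSTEM32 = r"c:\windows\system32"

STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, IconIndex and whichever StringData fields are present."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLinkHeader")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags, = struct.unpack_from("<I", data, 0x14)
    icon_index, = struct.unpack_from("<i", data, 0x38)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:              # CountCharacters (2) + chars
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            pos += count * width
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return {"flags": flags, "icon_index": icon_index, **fields}


def icon_outside_system32(lnk: dict) -> bool:
    """Review flag mirroring the post-fix shell rule described in the thread:
    an explicit icon location is only honoured if it points into system32."""
    loc = lnk.get("icon_location")
    if not loc:
        return False  # no explicit icon location: icon comes from the target
    expanded = loc.lower()
    for var in ("%systemroot%", "%windir%"):
        expanded = expanded.replace(var, r"c:\windows")
    return ntpath.dirname(ntpath.normpath(expanded)) != SYSTEM32


def build_lnk(icon_location: str, icon_index: int = 0) -> bytes:
    """Constructed minimal shortcut: header + ICON_LOCATION only, enough for
    the parser above.  Real shortcuts also carry a target ID list etc."""
    flags = HAS_ICON_LOCATION | IS_UNICODE
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
              + struct.pack("<I", 0)          # FileAttributes
              + b"\x00" * 24                  # Creation/Access/Write time
              + struct.pack("<I", 0)          # FileSize
              + struct.pack("<i", icon_index)
              + struct.pack("<I", 1)          # ShowCommand = SW_SHOWNORMAL
              + struct.pack("<H", 0)          # HotKey
              + b"\x00" * 10)                 # Reserved1..3
    return header + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")


# Constructed samples; hostnames and drive letters are invented.
SAMPLES = {
    "benign_system_icon.lnk": build_lnk(r"%SystemRoot%\system32\shell32.dll", 4),
    "share_icon.lnk": build_lnk(r"\\fileserver\public\icons.dll"),
    "removable_icon.lnk": build_lnk(r"E:\icons\thing.dll"),
}


def triage(samples: dict) -> dict:
    """Map each sample name to True when its icon location needs review."""
    return {name: icon_outside_system32(parse_lnk(blob)) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, flagged in triage(SAMPLES).items():
        print(f"{name}: {'REVIEW' if flagged else 'ok'}")
```

    The flag is a triage heuristic, not proof of anything: shortcuts with icons on shares are common in corporate environments, so the useful signal is a cluster of such files appearing on removable media or in a share you did not expect, which is exactly where the thread says the unpatched shell would resolve them without a click.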