New .lnk type vulnerability

Discussion in 'other security issues & news' started by CloneRanger, Aug 19, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi aigle,

    I attempted to read your thread on that forum but guests cannot read (unless I did something wrong)!

    Can you summarize what you posted?

    thanks,

    -rich
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Nothing much Rmus. Actually the Comodo developers have removed the ability to intercept DLL loading in CIS v5 (v5 is in RC now). I just posted a link to this thread and asked them how they are going to intercept these exploits with version 5, but no response from the developers so far.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks.

    As you know, Faronics removed DLLs from the list of white listed file types in Anti-Executable version 3, at least in the first build that I tested.

    I just contacted them to see if anything has changed in the newer builds, and reminded them that if not, those with AE3 are not protected against these DLL vulnerabilities, which have been exploited in the wild for several days now.

    ----
    rich
     
  4. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
  5. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    Since KB2264107 is classified as an "Important" update, I don't understand why MS don't release it as a Windows out-of-band update, rather than users having to wait until "Patch Tuesday", when they aren't aware of the update's availability, or the vulnerability itself perhaps.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I just heard back from the AE product manager at Faronics, and evidently I wasn't the only one who complained about removing DLL control in version 3. They plan to put DLL control back in the next release, targeted for the end of the year.

    Aigle, you should get as many Comodo users as possible to write in and complain as you did!

    Not only are users of their new version not protected against this DLL exploit, but the conficker worm (which uses a DLL) is still floating around. And the rootkit hider exploit uses DLLs disguised as TMP files.

    ----
    rich
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I agree! Maybe make your voice known at this wishlist item that I created, or in aigle's thread.

    Update: according to a developer's response in aigle's thread, the ability to block DLLs will reappear at some point in CIS v5.x.
     
    Last edited: Aug 27, 2010
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    This is the response from egemen, the lead CIS developer.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    And, you make good questions. At first, looking at the way some subjects on the links are, I thought that, just by using avast!, one could become infected!!!!

    An infected/infect-able file won't appear out of nowhere. It needs to get in the system somehow.
    I've read all the links provided in this thread regarding this vulnerability, but in none of them have I actually read any info regarding how the infection occurs in the first place.
    Only in one I saw a mention that hackers could trick users to visit malicious/hacked websites.

    OK. Fine. Then what? What is required for the infection to be successful? What does it take for the system to become infected? Is it done through social engineering, tricking users to download and install a fake flash player? Perhaps, also quicktime, etc? Fake pdf file, as well, perhaps? The possibilities are endless. But, what is required for the infection to be successful (I'm excluding user's stupidity on this one!)?

    Does it require, say, javascript? OK, not running javascript.
    Fake videos requiring fake Adobe Player? OK, not viewing any unknown videos.
    Tampered PDF files? OK. Then, what is needed? Javascript? OK, disabled. Some other settings also disabled.

    Everything running in LUA + sandboxed.

    What happens? How does a system become infected in the first place?

    I see FUD, and nothing explaining what millions of users can do to actually protect themselves, besides a patch that will cause more trouble than good.
     
  10. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    The problem is search path.
    I gather that you can get infected by opening an innocuous file if there is a malicious DLL in the directory housing a legit file, eg in
    --a USB key
    --a zip archive
    --network share
     
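    The search-path mechanism wearetheborg describes, as an added illustration that is not code from this thread or from any of the vendors discussed: a small Python model of the Windows DLL search order. The file layout, the application, the share path and the DLL names are constructed test data, and the loader is simulated, not invoked. It also shows the two mitigations the thread touches on: a DLL that already exists in the application or system directory (or is a KnownDLL) is never taken from the document's folder, and a policy that removes the current directory from the search (as the CWDIllegalInDllSearch setting shipped with KB2264107 allows) makes the planted copy unreachable.

```python
"""Simulation of the Windows DLL search order behind 'binary planting'.

Added example: the paths, file names and the vulnerable application are
constructed; nothing here touches the real loader or the registry.
"""

SYSTEM32 = r"C:\Windows\System32"
WINDOWS = r"C:\Windows"
PATH_DIRS = [SYSTEM32, WINDOWS]          # constructed PATH, searched last

# Constructed file layout: directory -> names present there.
FS = {
    r"C:\Program Files\Player": {"player.exe", "helper.dll"},
    SYSTEM32: {"kernel32.dll", "user32.dll"},
    WINDOWS: set(),
    # A share (or USB key, or unpacked zip) that an attacker could write to:
    # an innocuous media file next to a planted DLL and a decoy kernel32.dll.
    r"\\fileserver\quarterly": {"report.mp3", "codec.dll", "kernel32.dll"},
}

# DLLs the loader always maps from System32 (simplified KnownDLLs list).
KNOWN_DLLS = {"kernel32.dll", "user32.dll"}

APP_DIR = r"C:\Program Files\Player"


def search_order(app_dir, cwd, cwd_in_search=True):
    """Default order with SafeDllSearchMode on: application directory,
    System32, (16-bit system dir, omitted here), Windows, current directory,
    PATH.  cwd_in_search=False models removing the current directory from
    the search, which is the effect of the CWDIllegalInDllSearch policy."""
    order = [app_dir, SYSTEM32, WINDOWS]
    if cwd_in_search:
        order.append(cwd)
    return order + PATH_DIRS


def resolve(dll, app_dir, cwd, cwd_in_search=True, fs=FS):
    """Return the path the loader would map for LoadLibrary(dll), or None."""
    dll = dll.lower()
    if dll in KNOWN_DLLS:
        return SYSTEM32 + "\\" + dll
    for directory in search_order(app_dir, cwd, cwd_in_search):
        present = {name.lower() for name in fs.get(directory, set())}
        if dll in present:
            return directory + "\\" + dll
    return None


def loads_from_document_dir(dll, app_dir, document_dir, cwd_in_search=True):
    """True when opening a document in document_dir (which becomes the
    process's current directory when Explorer launches the handler) would
    make the application load `dll` from that same folder."""
    found = resolve(dll, app_dir, document_dir, cwd_in_search)
    return found is not None and found.lower().startswith(document_dir.lower() + "\\")


if __name__ == "__main__":
    share = r"\\fileserver\quarterly"
    # The player opens report.mp3, then asks for an optional codec.dll that
    # ships neither with it nor with Windows: the planted copy is what it gets.
    print(resolve("codec.dll", APP_DIR, share))
    print(resolve("codec.dll", APP_DIR, share, cwd_in_search=False))
    # A DLL found in the app dir, or a KnownDLL, is not reachable this way.
    print(resolve("helper.dll", APP_DIR, share))
    print(resolve("kernel32.dll", APP_DIR, share))
```

    The model is deliberately limited to the default search order; per-application manifests and SetDllDirectory change the list, and the only DLLs exposed are those an application asks for by bare name without shipping them itself.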
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, but the infected/infect-able file needs to get into the system somehow, right?

    And, to get in the system, be it USB key, etc, it needs to have come from the Internet, so... How about, actually, starting to let those millions of users know how to protect themselves? All these articles do is to cause FUD and to shout out: "Hey, we are very smart people."

    If the system is protected not to let any infection pass, then how can any bad thing happen?
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Be careful, m00nbl00d, you are becoming too inquisitively logical!

    Actually, without being so, without challenging the hype, one may cower in fear that the system can be compromised at any moment!

    I share your frustration, in that no working exploit has shown the steps to infection, that is, where were the files located (except in one case, µTorrent, below)?

    There have been premises, such as in this early article:

    New code-execution bug found in Windows and 40 apps
    http://www.theregister.co.uk/2010/08/18/windows_code_execution_vuln/
    18th August 2010 20:28 GMT
    ASPR #2010-08-18-1: Remote Binary Planting in Apple iTunes for Windows
    http://www.securityfocus.com/archive/1/513190
    It would seem to be easier to exploit this attack vector in a targeted, corporate environment, where enticing users to open files is usually not very difficult.

    For home users, the question for one to ask is, What determines when I choose to open/play an iTunes file? Do I click on any suggested ploy? Most likely the "minimal social engineering trick" would be a message on a blog, social networking site, possibly email: "Hey, listen to this!" It probably would work in many cases, and one can argue that it's no one's business to dictate what should or shouldn't be listened to/viewed.

    Fair enough. So, from Register article:

    While that offers protection against this particular attack vector, taking your comment about not letting any infection pass, one can proactively prevent any unauthorized executable file from running from any location, with a variety of available solutions.

    A later article expands the attack vectors:

    DLL hijacking vulnerabilities
    http://isc.sans.edu/diary.html?storyid=9445
    2010-08-23
    Now, we've reduced this vulnerability to the level of many others, where a legitimate file type along with a malicious executable coexist in the same location: many of the USB exploits, for example.

    The only difference here is that many applications can be used to trigger the exploit, where in other exploits, a particular application is targeted, such as a PDF reader, Flash plugin, media application (WMF exploit), and so forth.

    In all cases, either or both social engineering and remote code execution are the starting points, and the preventative measures are the same.

    That is to say, even though vendors will patch their particular application -- µTorrent has already:

    µTorrent 2.0.4 released
    http://forum.utorrent.com/viewtopic.php?id=82840
    -- nonetheless, users are protected against all 'binary planting' exploits who have proactive security measures in place, thus putting this 'exploit with binary payload' in the box with "the same old stuff."


    ----
    rich
     
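    The pattern Rmus reduces the issue to, a legitimate data file beside an executable in the same folder, can be checked for before a share, USB key or unpacked archive is browsed. The audit below is an added example, not the thread's or any vendor's code: the file-type lists are assumptions, and the sample tree is constructed in a temporary directory. It flags every folder holding both an "innocuous" document type and a DLL/EXE, which yields a review list, not proof of malice (installers legitimately sit next to readmes).

```python
"""Audit a directory tree for data files sitting next to DLL/EXE files.

Added example with constructed data: the extension lists are assumptions
and the sample tree is built in a temporary directory at run time.
"""
import os
import tempfile
from pathlib import Path

# Assumed file classes; extend to match the formats your users open.
BINARY_EXT = {".dll", ".exe", ".ocx", ".scr", ".cpl"}
DOCUMENT_EXT = {".mp3", ".wav", ".avi", ".pdf", ".doc", ".docx", ".ppt", ".txt", ".jpg"}


def find_colocated_binaries(root):
    """Return one finding per folder that contains both document-type files
    and loadable binaries, sorted by folder (forward slashes for portability)."""
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        binaries = sorted(f for f in files if Path(f).suffix.lower() in BINARY_EXT)
        documents = sorted(f for f in files if Path(f).suffix.lower() in DOCUMENT_EXT)
        if binaries and documents:
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            findings.append({"dir": rel, "documents": documents, "binaries": binaries})
    return sorted(findings, key=lambda f: f["dir"])


def build_sample_tree(base):
    """Constructed share contents: one planted-DLL folder, one clean folder,
    one folder an installer legitimately shares with its readme."""
    layout = {
        "quarterly": ["report.mp3", "codec.dll"],
        "photos": ["beach.jpg", "dinner.jpg"],
        "tools/installer": ["setup.exe", "readme.txt"],
    }
    for folder, names in layout.items():
        d = Path(base, *folder.split("/"))
        d.mkdir(parents=True, exist_ok=True)
        for name in names:
            (d / name).write_bytes(b"")   # contents are irrelevant to this check


def demo():
    """Build the constructed tree, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_colocated_binaries(tmp)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['dir']}: {', '.join(hit['documents'])} next to {', '.join(hit['binaries'])}")
```

    Run against a real mount point by calling find_colocated_binaries(path) instead of demo(); a finding means "open these documents from a copy in a folder without the binaries, or not at all", which is the same rule the thread applies to USB autorun-style co-location.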
  13. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    These protection measures, be it AV/AM or Microsoft updates...they are for systems assuming the outside world is hostile. There are millions of compromised computers, and there will always be. MS can try as much as they want, but still there will always be millions of people, millions of reasonably intelligent people who will have no interest in securing their computers, guaranteeing the existence of malware. Websites can be compromised, my USB key can be compromised when I use it on my friend's computer, etc. If I work with a group of people I may have to do remote sharing, opening common files etc.

    Of course, SRP+LUA shoots down this attack without breaking a sweat, but that's another story :D
     
  14. wat0114

    wat0114 Guest

    M00nBl00d, I agree. The amount of hype some of these exploits get astounds me, including a recent x64 exploit that in these forums is practically being hailed as the impending doomsday wrath sent by the Antichrist :rolleyes:
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thank you Rmus, wearetheborg and wat0114.

    Within an enterprise environment, infections do happen a lot, but, why? Unconscious users? Or, simply stupid system Administrators?

    A decent Administrator will deny execution of anything else of what isn't already strictly allowed. There may be exceptions, but not blind exceptions. These exceptions may be the use of some software that some user may need to perform a certain task, but the Administrator needs to know more about the software, if he/she doesn't know already, and if not entirely trusting it, but if it still will do the job, then deploy it in an isolated environment.
    This will be one less vector of any possible infection that could damage the main system.

    What about the rest? Say, web browsing. Even by simply opening a known and deemed to be safe website, there's still, at least, 1% of probability that that website may have been hacked to attack systems, when a visitor enters it.
    An Administrator could force the users to browse in an isolated environment. Another option, if some user simply doesn't get the hang of it, is to restrict what the web browser will actually let the websites make use of: javascript, plugins, java, etc.

    I'll give you an example. And, this one sure can be taken into account by home users.

    My web browser is Chromium.
    I have different profiles for what I want to do.

    Unknown browsing: Pretty much everything is denied, from javascript to plugins. Chromium has its own sandbox, so together with such restrictions, pretty much nullifies any possible attack. Sure, perhaps, there's still 1% of probability of an infection occurring. Something that is beyond blocking what is already being blocked.

    Known browsing: Javascript, Java and plugins are allowed, but only for websites that I consider to be safe, and that I know, obviously, beforehand, that I'll visit them. (I have other ways to protect this profile, as with any other, so I'm covered.)

    Webmail access: Everything blocked, except for the email service. Even in the remote chance of some accident by clicking on something I shouldn't, say like being redirected to a malicious web site, what happens is the following: It simply won't connect to that website! All allowed website access in this profile is for the email service itself. Nothing else. There goes any trick down the drain!

    Youtube access: Same as Webmail access, but in this case, only for Youtube. Were I stupidly tricked into a fake video, well, nothing would be downloaded, at all. Main reason? As above, no access to any other website but Youtube. There goes social engineering down the drain!

    I've got one other profile, but it's like the second one I mentioned above, the only difference is that I've got cookies blocked. I'm lazy, so I'd rather have two different profiles to work with websites demanding cookies.

    For myself, to protect these other profiles even further, just in case! (I like to play with the odds! I can't help myself!), I make use of Sandboxie.

    I'll deploy (Well, actually already is done) the same for two of my relatives, but since I don't know if they'll handle Sandboxie just fine, I advise the following:

    * AVG LinkScanner, which will prevent a lot of exploits. (I'm looking into other solutions to complement it, but not the likes of WOT which may not be 100% accurate, but I'll see what's out there.)

    Obviously, running in a LUA and with UAC on. UAC is on to make things easier to work with, and also - a lot of people don't know it - to force Internet Explorer to execute with Low IL, which would otherwise run with Medium IL. IE is not in use by me, but still in use by any application requesting it to work, so it needs to be covered as well.

    That's just to cover the web browsing, and in my case, also web-mail.

    There are certain things that I can't advise them or make them do, like SRP or AppLocker. I'd love to, considering they have the Ultimate version. :(

    But, that covers a lot! And, my profiles are what does most of the actual job.
    And, I've also found a great way to block access to all domains but just one!

    Imagine you'd like to allow access to www.wilderssecurity.com and block access to everything else. You can set Chromium (or any browser based on it) with the following command:

    There are a few other tweaks to use with these options, though. ;) Say, like natively blocking ads, many of which contain malware!


    Cheers

    Edit: The reason why I'm not running with SRP/AppLocker is that this system I'm working with belongs to my relatives. I borrowed it, while I still don't have mine. The security was so poor that I changed a lot, but wanted to do it in a way they could also make use of it and be a lot safer, without compromising the usability of the system by them.
     
    Last edited: Aug 29, 2010
  16. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Typically, in a windows environment, users are given root access; because some things may not run properly, users may wish to install their own crap etc when they take their laptops on the road, interact with people from other companies etc.

    And most management people are not willing to learn using different profiles etc; their comprehension stops at 2x2 matrices; and that's why they are not in engineering :p
     
  17. wat0114

    wat0114 Guest

    The computers in the enterprise environ where I work are administered quite well. Most employees run as LUA and warnings pop up whenever anyone attempts to visit sites deemed inappropriate according to the policy. Users are warned if they venture further they will be flagged and monitored. However, this does not deter everyone, because, after all, there are stupid people. Users are also able to install single file executables into their user space, so the boxes (XP Pro) are not locked down as well as they could be using, say, SRP or another anti-executable platform such as, for example, Faronics. The Acceptable Use Policies are readily available for anyone to read, and they are written unequivocally, warning of action, which could include dismissal, against those who violate the policy. Again, however, this does not necessarily stop stupidness.
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, sadly, but true. That was one of Microsoft's biggest mistakes. Hopefully when XP SP3 is no longer supported by Microsoft, perhaps most users will move towards Windows 7, or even Windows 8. Some, unfortunately, won't ever realize a new version is out and that the one they have no longer has updates available.

    Most also aren't aware of the dangers, especially because when they buy their computers, those folks themselves aren't aware of such dangers, like in those malls, etc.

    But, for them, the least of their concerns is to get infected when visiting some website, e-mail or social engineering. Most likely, they're already running some pirated software, which bundles with certain dangers.
    These are hopeless users, until the day something bad happens. Maybe nothing bad happened so far, to them, because they don't access their bank account using the Internet.

    Very true. But, then again, those hiring them are far more stupid than them! :D
    The sad fact is that some enterprises don't actually have an IT member or staff. They hire outside companies to do such a job, and obviously, their main concern is to get as much money as they can from those unaware enterprises, and come with something like: "We're sorry, but the thing is that danger still exists for an infection, so the best we can do is to try to do everything (right! to make their pockets full!) we can (read: selling more crap!)"
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is true, but I've always argued that the responsibility for security in Enterprise environments lies with management. Directives to Administrators should originate with Management. For example:

    http://www.faronics.com/whitepapers/CaseStudy_LAPD.pdf
    Nine years earlier, Microsoft provided a way to achieve the same result:

    http://msdn.microsoft.com/en-us/library/ms974604.aspx
    October 8, 2001
    In discussions with those in IT, I've learned that there is a reluctance to be so restrictive to employees. One went so far as to say that disgruntled employees would leave. Translation: if they can't use the company computer as their own, they will find some place where they can.

    Only Management can intervene in these cases to set things right.

    It's true that locking down the computer is restrictive. But once the software necessary to perform their tasks is installed, why should employees be permitted to install anything else?

    As Peter2150 has mentioned before, you can't have a "don't open unknown attachments" rule, since company employees often receive MSOffice documents from solicitors and other people inquiring about something in the company. In his office, he chooses to use a Sandbox that would prevent accidents/infections resulting from targeted emails which his employees might open, such as this one I wrote about sometime ago:

    http://www.urs2.net/rsj/computing/tests/rtf/

    You can discuss forever the problems in the corporate and business world, but all of the exploits I've seen reported against this environment could have been prevented by any of the above security measures. One such exploit:

    Attackers Employed IE Zero-Day Against Google, Others
    http://www.darkreading.com/vulnerab...attacks/showArticle.jhtml?articleID=222301050
    Preventative measures are available. It's just a matter of implementing them!

    ----
    rich
     
  20. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    How about just run Sandboxie, allow only what is NEEDED to run and access the Internet in the sandbox, and test files/software downloaded over the internet in a separate sandbox created just for such purposes, and then, delete the contents of the sandboxes when done? Sure sounds a HELL of a lot easier than screwing around with other security software and worrying about if such and such alerts to a particular malware and yada, yada, yada. No, I didn't pop in to preach about my or anyone else's "comfort zone" ability or lack of ability to understand or even want to bother with all the stuff you guys are talking about. I simply think that this and the .DLL situation are the perfect examples where the simplicity and effectiveness of Sandboxie and others shine.

    Think about it, if the malware executes in the sandbox, who cares? Wipe the sandbox. If the malware knows it is inside a sandbox and won't run, well that's just beautiful, isn't it? Problem solved, wipe the sandbox. It doesn't require knowing a thing about deep OS functions, it doesn't require you to log in and out of accounts to do this and that, it's 100 times simpler to configure for ultimate safety AND usability than HIPS, SRP, and on and on. Unless Sandboxie itself is vulnerable, I don't see where even the free version wouldn't stop all this nonsense dead in its tracks. Please correct me if I am mistaken, Rmus or anyone?
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, I mentioned in my post that Peter2150 uses Sandbox in his office with several employees. Last year he tested a number of exploits for me, including the RTF email I cited above: nothing infected from the Sandbox.

    ----
    rich
     
  22. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Would you say the same applies generally on 64bit systems as well, taking in consideration the known limitations of Sandboxie on that platform?
     
  23. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I would suspect it is. It is known for 64 bit it is. For 32 bit I'm sure there are malware that can bypass it.

    Companies would care, if confidential info is leaked out by malware.

    And you can be SURE that in a company people will neglect to use the sandbox.


    Proper security requires care on part of the employees. All of them. And that is impossible to achieve.


    Rmus, regarding your previous post, I suspect its because there simply are not that many admins to teach/be on call for users. Locking down the system means having admins available in case something new needs to be installed. And usually admins are short staffed.
     
  24. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    What do you mean it is "known in 64bit"? A known vulnerability that allows this attack to occur? I'm sure that risk is killed off by downloading Sandboxie from its website and not elsewhere. And, my question was actually answered at the website. On 64, Sandboxie uses DropRights, so, malware that needs admin to run/install won't be able to, and malware that doesn't isn't LIKELY to escape the sandbox. So again, wipe the box and you're fine.

    That isn't to say it's impossible for malware to escape, it's going to eventually happen, we know that. Tzuk does too, and I'm sure he already has gone over these scenes in his head. In the meantime, I'd say Sandboxie, even with its limitations in a 64bit environment, provides an extremely easy, very effective solution to this issue. Couple that with what is going on here: https://www.wilderssecurity.com/showthread.php?t=278657, and, I believe, only true stupidity and a lack of care would allow malware an easy shot at a user's system.
     
  25. wat0114

    wat0114 Guest

    Yep, I agree an excellent solution :thumb:

    SB can be configured to allow only specific programs network access, as well as force specific programs into the sandbox. However, I doubt it is currently used in a typical enterprise environment, nor may it ever catch on in this type of scenario, though one never knows what the future holds.
     