New .lnk type vulnerability

Rmus · Sep 2, 2010

Yes - any executable file can be packed within another file. Easy to do with MS Office documents.

See:

Microsoft Office Security, part one
http://www.symantec.com/connect/articles/microsoft-office-security-part-one

Different MS Office files are structured similarly. Different objects can be embedded into the document and are accessed and updated from their respective stream/storage components...

3. Sample mechanism of an attack

In a common attack scenario, the vulnerability is exploited via a simple insertion of a malformed or malicious object into the document structure.
Click to expand...

Dangerous document formats and social engineering
http://isc.sans.org/diary.html?storyid=2528

As you all know, complexity and security don’t go good together. Nevertheless, lately we can see a trend of embedding everything in anything which leads to increased complexity as well. Microsoft Word documents that carry images and videos are completely normal now.
While RTF is a more human readable format (it is a plain, ASCII file at the end), this does not prevent it from embedding objects that can be very dangerous, as we will see.
Click to expand...

DLLs haven't been used (that I know of) because it seems easier to use other types of executables.

----
rich

PunchsucKr · Sep 2, 2010

Rmus said:

Yes - any executable file can be packed within another file. Easy to do with MS Office documents.

See:

Microsoft Office Security, part one
http://www.symantec.com/connect/articles/microsoft-office-security-part-one
Dangerous document formats and social engineering
http://isc.sans.org/diary.html?storyid=2528
DLLs haven't been used (that I know of) because it seems easier to use other types of executables.

----
rich
Click to expand...

Thanks for that info Rmus... and would applocker stop the dll/executable (i haven't implemented dll rules)?
More importantly, do avtivirus software identify rogue dlls (such as those used in this sort of attack) as viruses?

Rmus · Sep 2, 2010

PunchsucKr said:

Thanks for that info Rmus... and would applocker stop the dll/executable (i haven't implemented dll rules)?
Click to expand...

I don't use Applocker, so I can not answer. There is an Applocker thread somewhere...

More importantly, do avtivirus software identify rogue dlls (such as those used in this sort of attack) as viruses?
Click to expand...

There has been just one report of this exploit in the wild last week, but nothing was said about the DLL:

Microsoft unpatched DLL load hijacking exploit is in wild
http://news.techworld.com/security/...ll-load-hijacking-exploit-is-in-wild/?olo=rss

----
rich

Searching_ _ _ · Sep 3, 2010

Alert: MS Fixit for New .lnk type vulnerability

Microsoft has released a Fix-It tool to help mitigate the latest DLL load hijacking issue that exposes Windows users to remote code execution attacks.

Microsoft says it will fix its own affected products either via security bulletins or defense-in-depth operating system changes.
Click to expand...

Microsoft ships 'Fix-It' for DLL load hijacking attack vector
Knowledge Base Article

MrBrian · Sep 3, 2010

PunchsucKr said:

would applocker stop the dll/executable (i haven't implemented dll rules)?
More importantly, do avtivirus software identify rogue dlls (such as those used in this sort of attack) as viruses?
Click to expand...

Yes and yes.

PunchsucKr · Sep 4, 2010

MrBrian said:

Yes and yes.
Click to expand...

Even if i haven't implemented dll rules?? That has to be great..

MrBrian · Sep 4, 2010

PunchsucKr said:

Even if i haven't implemented dll rules?? That has to be great..
Click to expand...

One has to implement the DLL rules to potentially block DLLs.

JRViejo · Sep 9, 2010

Apple yesterday patched three vulnerabilities in Safari, including one in the Windows version that quashed a bug Microsoft said individual developers had to fix themselves.

Apple and Mozilla are the only major browser makers who have patched what most researchers have called "DLL load hijacking."

In the updates to Safari 5.0.2 and Safari 4.1.2, Apple addressed a problem shared by scores of Windows applications that can be exploited by duping users into downloading innocent files.
Click to expand...

Apple matches Mozilla, patches DLL hijacking bug in Safari by Gregg Keizer.

MrBrian · Sep 9, 2010

DLL Hijacking expands to EXE files
Clearing up Some Misconceptions About Binary Planting
Online Binary Planting Exposure Test

vasa1 · Sep 30, 2010

Is this of any use?
http://www.computerworld.com/s/arti..._hijacking_attacks?taxonomyId=17&pageNumber=1

Lucy · Sep 30, 2010

MrBrian said:

Yes and yes.
Click to expand...

It's interresting to know that this scenario of a dll or exe embedded in office format would be a fail for SRP which can't separate office from the embedded objects.

AppLocker can, as it works at kernel level and correctly identifies the different processes.

m00nbl00d · Sep 30, 2010

It's quite annoying to see that most developers aren't minimally interested in solving such.

http://secunia.com/advisories/windows_insecure_library_loading/

I wonder when laws will start to exist forcing software developers, first to put in the market not so buggy applications, and then, according to the difficulty of fixing security bugs, penalise them accordingly, if they don't fixed them within a given time.

Unfortunately, all it takes is for software developers to introduce an EULA, where you pretty much agree that if problems do happen, it's your own problem.

CloneRanger · Sep 30, 2010

Originally Posted by vasa1

Is this of any use?
Click to expand...

Indeed it is, thanks

MrBrian · Sep 30, 2010

Binary Planting Attack Vectors

Opening a Can of Binary Planting Worms: Binary Planting as Worm Propagation Method

Rmus · Sep 30, 2010

MrBrian said:

Binary Planting Attack Vectors
Click to expand...

Clicking a link to a remote shared folder on a web page will open this share in Windows Explorer without a warning for 67% of all Internet Explorer users.
Click to expand...

Evidently, a properly configured application firewall will alert at the attempted connection to a remote shared folder:

wat0114 · Sep 30, 2010

Rmus said:

Evidently, a properly configured application firewall will alert at the attempted connection to a remote shared folder:
Click to expand...

Sure, but people keep chiming in saying personal firewalls are useless and/or easily bypassed by most malware , even though you seem to prove over and over again that's not necessarily true.

CloneRanger · Sep 30, 2010

@ MrBrian

Thanks for the links

@ Rmus

So you are vulnerable but your setup blocked it

I got various errors and realised because i either don't have some of those things and/or i have disabled them i'm not vulnerable And that's running XP/SP2 with less than half a dozen updates

Good test though for others to try

trismegistos · Oct 2, 2010

http://www.physorg.com/news205050403.html or http://economictimes.indiatimes.com...rweapon-attacks-China/articleshow/6658468.cms

World's first 'cyber superweapon' attacks China

Agence France-Presse
First Posted 07:51:00 10/01/2010

Filed Under: Infotech, Computer viruses and malware, Internet

BEIJING—A computer virus dubbed the world's "first cyber superweapon" by experts and which may have been designed to attack Iran's nuclear facilities has found a new target – China.

The Stuxnet computer worm has wreaked havoc in China, infecting millions of computers around the country, state media reported this week.

Stuxnet is feared by experts around the globe as it can break into computers that control machinery at the heart of industry, allowing an attacker to assume control of critical systems like pumps, motors, alarms and valves.

It could, technically, make factory boilers explode, destroy gas pipelines or even cause a nuclear plant to malfunction.

The virus targets control systems made by German industrial giant Siemens commonly used to manage water supplies, oil rigs, power plants and other industrial facilities.

"This malware is specially designed to sabotage plants and damage industrial systems, instead of stealing personal data," an engineer surnamed Wang at antivirus service provider Rising International Software told the Global Times.

"Once Stuxnet successfully penetrates factory computers in China, those industries may collapse, which would damage China's national security," he added.

Another unnamed expert at Rising International said the attacks had so far infected more than six million individual accounts and nearly 1,000 corporate accounts around the country, the official Xinhua news agency reported.

The Stuxnet computer worm – a piece of malicious software (malware) which copies itself and sends itself on to other computers in a network – was first publicly identified in June.

It was found lurking on Siemens systems in India, Indonesia, Pakistan and elsewhere, but the heaviest infiltration appears to be in Iran, according to software security researchers.

A Beijing-based spokesman for Siemens declined to comment when contacted by AFP on Thursday.

Yu Xiaoqiu, an analyst with the China Information Technology Security Evaluation Center, downplayed the malware threat.

"So far we don't see any severe damage done by the virus," Yu was quoted by the Global Times as saying.

"New viruses are common nowadays. Both personal Internet surfers and Chinese pillar companies don't need to worry about it at all. They should be alert but not too afraid of it."

A top US cybersecurity official said last week that the country was analyzing the computer worm but did not know who was behind it or its purpose.

"One of our hardest jobs is attribution and intent," Sean McGurk, director of the National Cybersecurity and Communications Integration Center (NCCIC), told reporters in Washington.

"It's very difficult to say 'This is what it was targeted to do,'" he said of Stuxnet, which some computer security experts have said may be intended to sabotage a nuclear facility in Iran.

A cyber superweapon is a term used by experts to describe a piece of malware designed specifically to hit computer networks that run industrial plants.

"The Stuxnet worm is a wake-up call to governments around the world," Derek Reveron, a cyber expert at the US Naval War School, was quoted as saying Thursday by the South China Morning Post.

"It is the first known worm to target industrial control systems."
Click to expand...

MrBrian · Oct 30, 2010

Breaking The SetDllDirectory Protection Against Binary Planting: The curious case of Windows environment variables or how to re-hack fixed iTunes and Safari

Log in or Sign up

New .lnk type vulnerability

Rmus Exploit Analyst

PunchsucKr Registered Member

Rmus Exploit Analyst

Searching_ _ _ Registered Member

MrBrian Registered Member

PunchsucKr Registered Member

MrBrian Registered Member

JRViejo Super Moderator

MrBrian Registered Member

vasa1 Registered Member

Lucy Registered Member

m00nbl00d Registered Member

CloneRanger Registered Member

MrBrian Registered Member

Rmus Exploit Analyst

wat0114 Guest

CloneRanger Registered Member

trismegistos Registered Member

MrBrian Registered Member

Log in or Sign up

New .lnk type vulnerability

Rmus Exploit Analyst

PunchsucKr Registered Member

Rmus Exploit Analyst

Searching_ _ _ Registered Member

MrBrian Registered Member

PunchsucKr Registered Member

MrBrian Registered Member

JRViejo Super Moderator

MrBrian Registered Member

vasa1 Registered Member

Lucy Registered Member

m00nbl00d Registered Member

CloneRanger Registered Member

MrBrian Registered Member

Rmus Exploit Analyst

wat0114 Guest

CloneRanger Registered Member

trismegistos Registered Member

MrBrian Registered Member

Useful Searches