Developing Situation!!! - Windows LNK exploit.

Unread postby Sludge3000 » July 16th, 2010, 7:21 am

I should have posted this yesterday after I had read the analysis on the Securelist blog (linked at the bottom) but wasn't sure if it was newsworthy or just a write-up on the malware :roll:. It's a previously unknown security weakness and is now being investigated by multiple security researchers as well as Microsoft.

Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows' handling of shortcut files.

Malware targeting the security weakness in the handling of .lnk shortcut files has been spotted in the wild by Belarus-based security firm VirusBlokAda. The malware uses rootkit-style functionality to mask its presence on infected systems. These rootkit drivers come digitally signed by legitimate software developer Realtek Semiconductor, a further mark of the sophistication of the attack.


Story @ the Register
VirusBlokAda advisory

The write-up by Kaspersky can be found below and is in three parts under the title of Myrtus and Guava.
Securelist Blog
Last edited by Sludge3000 on July 27th, 2010, 8:46 am, edited 1 time in total.

Re: USB stick worms, disabling autorun won't save you anymor

Unread postby Wingman » July 16th, 2010, 8:54 am

Some additional info...

VirusBlokAda Anti-virus
Identifies Rootkit.TmpHider (Trojan-Spy.0485 and Malware-Cryptor.Win32.Inject.gen.2) that uses digitally signed signatures and has the ability to infect 64-bit systems.

The infection installs two drivers (signed with digital signature of Realtek Semiconductor Corp): mrxnet.sys and mrxcls.sys, which are used to inject code into systems processes and hide itself.

Rootkit.TmpHider: Trojan-Spy.0485 and Malware-Cryptor.Win32.Inject.gen.2 Review

Re: USB stick worms, disabling autorun won't save you anymor

Unread postby Sludge3000 » July 19th, 2010, 8:09 am

Microsoft have now released a zero day advisory regarding this issue and have suggested possible workarounds until the vulnerability has been patched.

Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.


Story @ The Register
Microsoft Security Advisory
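Added example, not code from this thread or from Microsoft, VirusBlokAda or any other vendor named in it: a minimal parser for the Windows shell link (.lnk) format the advisory above is about, with a triage heuristic that flags shortcuts whose icon is sourced from a DLL or Control Panel module. The heuristic, the sample shortcuts and the `build_lnk` helper are assumptions constructed for illustration; this is not a signature for the Stuxnet shortcut itself, whose crafted structure the thread does not describe.

```python
import struct

# Constructed example: minimal MS-SHLLINK parser plus an assumed triage heuristic.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-...-0046
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 1 << 0, 1 << 1, 1 << 7
# StringData fields appear in this fixed order, each gated by its LinkFlags bit.
STRING_FIELDS = [(1 << 2, "name"), (1 << 3, "relative_path"), (1 << 4, "working_dir"),
                 (1 << 5, "arguments"), (1 << 6, "icon_location")]
SUSPECT_EXT = (".dll", ".cpl")

def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields of a .lnk blob."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, = struct.unpack_from("<I", data, 20)
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return out

def is_suspicious(lnk: dict) -> bool:
    """Triage heuristic (an assumption here, not a signature): icon sourced from a DLL/CPL."""
    return lnk.get("icon_location", "").lower().endswith(SUSPECT_EXT)

def build_lnk(icon_location: str, relative_path: str = "") -> bytes:
    """Construct a minimal Unicode shell link for testing (not a real-world sample)."""
    flags = IS_UNICODE | (1 << 6) | ((1 << 3) if relative_path else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    def sdata(text):  # CountCharacters followed by UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    body = (sdata(relative_path) if relative_path else b"") + sdata(icon_location)
    return header + body + b"\x00\x00\x00\x00"     # ExtraData: TerminalBlock only

if __name__ == "__main__":
    for blob in (build_lnk("E:\\sample-payload.dll"), build_lnk("%SystemRoot%\\notepad.exe", "notepad.exe")):
        info = parse_lnk(blob)
        print(info["icon_location"], "SUSPICIOUS" if is_suspicious(info) else "ok")
```

Run it over the .lnk files at the root of a removable drive (read the bytes, call `parse_lnk`, then `is_suspicious`) to get a shortlist for manual review; the header check rejects files that merely carry a .lnk extension.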

Re: USB stick worms, disabling autorun won't save you anymor

Unread postby Sludge3000 » July 20th, 2010, 6:36 am

This vulnerability has now been escalated at the SANS Internet Storm Center to Yellow alert status, the first time a yellow alert has been in action for years!

Internet Storm Center
Story @ The Register

Re: USB stick worms, disabling autorun won't save you anymor

Unread postby Sludge3000 » July 22nd, 2010, 3:53 am

UPDATE:
Microsoft has published an automated workaround for the newly discovered Windows vulnerability that criminals are exploiting to seize control of computers, including some used to manage sensitive equipment at power plants and other industrial facilities.

The software giant began distributing the Fix It on Tuesday evening, five days after the vulnerability in every supported version of Windows became widely known. It automatically changes operating-system settings to protect users until a permanent patch is available. Previously, users had to make the changes manually, a process that risked bricking a PC in the event it wasn't carried out correctly.


Story @ The Register
Microsoft 'Fix It'

Re: USB stick worms, disabling autorun won't save you anymor

Unread postby Sludge3000 » July 23rd, 2010, 6:49 am

UPDATE:
Siemens are distributing SysClean by Trend Micro to their business customers who use their SCADA systems in an attempt to remove the Stuxnet rootkit.
Siemens has made a program available for detecting and disinfecting malware attacking its software used to control power grids, gas refineries, and factories but warned customers who use it could disrupt sensitive plant operations.

The Munich-based engineering company on Thursday began distributing Sysclean, a malware scanner made by Trend Micro. It has been updated to remove Stuxnet, a worm that spreads by exploiting two separate vulnerabilities in Siemens's SCADA, or supervisory control and data acquisition, software and every supported version of Microsoft Windows.


Story @ The Register


UPDATE:
The Chymine-A Trojan and the Autorun-VB-RP worm have been found to be exploiting this vulnerability ITW.
Virus writers have begun using the unpatched shortcut flaw in Windows first exploited by the Stuxnet worm, which targets power plant control systems, to create malware that infects the general population of vulnerable Windows machines.

Slovakian security firm Eset reports the appearance of two malware strains that exploit security vulnerabilities in the way Windows handles .lnk (shortcut) files, first used by Stuxnet to swipe information from Windows-based SCADA systems from Siemens.


Story @ The Register
Blog Post @ ESET

FOR INFO:
Check out the Kaspersky blog linked below. They currently have a couple of articles up regarding the Realtek certificates now being revoked; however, a new variant is using a certificate assigned to JMicron Technology Corp.

Kaspersky Blog

Re: USB stick worms, disabling autorun won't save you anymor

Unread postby Sludge3000 » July 25th, 2010, 3:44 am

UPDATE:
An exploit can also be included in specific document types that support embedded shortcuts.
As such we are likely to see infected documents being sent out by spam in an aim to maximise the contact with this vulnerability.

Blogpost @ F-Secure

Re: USB stick worms, disabling autorun won't save you anymor

Unread postby Sludge3000 » July 27th, 2010, 8:45 am

Miscreants behind the Zeus cybercrime toolkit and other strains of malware have begun taking advantage of an unpatched shortcut-handling flaw in Windows. It was first used by a sophisticated worm to target SCADA-based industrial control and power plant systems.

Isolated strains of mainstream malware that took advantage of the zero-day Windows flaw first exploited by the sophisticated Stuxnet worm began appearing late last week. The same approach has since been applied by the dodgy sorts behind Zeus, a family of sophisticated toolkits frequently used to steal bank login credentials and the like from compromised systems.


Zeus and Sality have both been confirmed as exploiting this vulnerability as well as other malware. Keep your eyes out guys. Sophos have released a free vendor-neutral tool for preventing exploitation.

Story @ The Register
Windows Shortcut Exploit Protection Tool by Sophos

EDIT: Renamed topic to better reflect the content and ongoing development of the issue.

Re: Developing Situation!!! - Windows LNK exploit.

Unread postby Gary R » August 2nd, 2010, 6:19 pm
