Latest critical Windows Shell vulnerability

jimbell · July 19, 2010, 11:37am

Is CIS able to protect against the latest Windows Shell vulnerability?

More information about it can be found at:

The danger with this one is that it is so easy to get a machine infected. Hopefully Microsoft will not wait until the next patch Tuesday before this one gets fixed.

BlackList · July 19, 2010, 11:50am

Please checkout:
https://forums.comodo.com/leak-testingattacksvulnerability-research/comodo-bypassed-t43061.30.html

Regards
BlackList

Citizen_K · July 19, 2010, 12:52pm

Please check out https://forums.comodo.com/virusmalware-removal-assistance/rootkittmphider-t59193.0.html .

salmon · July 19, 2010, 8:37pm

Does anyone know how long this has been around?

salmonela · July 19, 2010, 10:46pm

VirusBlokada specialists are detected malware which uses this particularly exploit to propagate itself at 17th of June, 2010, you can try to search for “Stuxnet”, I guess all worms from “stuxnet” family uses that technique but I am not sure

Victor_Popescu · July 20, 2010, 1:46pm

Yeah, saw this on the news today ! They say this has been arround for at least a month and it targets companies that deal in energy mostly ! They say that this malware is rare among home users !

Also in what I’ve read from different articles online, they say that this infection is most spread in U.S. with some 50+ percentage and then Iran with a 30+ percentage !
Could this be a connection with the fact that Iran wants to have nuclear energy and some say that they want to develop a nuclear weapon even ?! U.S. promptly stated that Iran shouldn’t have this tech !
I think this malware was developed by an espionage agency to monitor Iran but it got out in the public somehow ! It doesn’t seem likely that a mere programmer developed this malware !
This seems very well thought up ! But hey… maybe it’s just my paranoia kickin’ in !!

knk2006 · July 20, 2010, 5:16pm

so guys , to sum up , are we protected from that ? ???

as far as I can see if that’s temp file got executed and it drops this rootkit , sandbox will catch it , however , since this is a vulnerability , only those who got a hand on this malware can tell whether it does protect or not …

regards

Soothsayer · July 20, 2010, 7:51pm

I wouldn’t count on the sandbox catching this. The rootkit is reported to have a valid digital signature from Realtek. Therefore on default settings CIS will let it run, access the Internet etc.

knk2006 · July 20, 2010, 8:30pm

so all what we need to do is to remove it from the list of trusted vendors ?

brucine · July 20, 2010, 9:09pm

No.

I have myself no trusted vendors list, and i am (like everybody) vulnerable to the POC for default cis settings and even for default defense+ paranoid mode.
The only cis setting seeming able to intercept it at the time speaking is setting defense+ image execution to agressive.

But try but yourself, please follow this thread:
https://forums.comodo.com/virusmalware-removal-assistance/rootkittmphider-t59193.0.html