Is CIS able to protect against the latest Windows Shell vulnerability?
More information about it can be found at:
The danger with this one is that it is so easy to get a machine infected. Hopefully Microsoft will not wait until the next patch Tuesday before this one gets fixed.
Does anyone know how long this has been around?
VirusBlokada specialists detected malware which uses this particular exploit to propagate itself on the 17th of June, 2010; you can try to search for “Stuxnet”. I guess all worms from the “Stuxnet” family use that technique, but I am not sure.
Yeah, saw this on the news today! They say this has been around for at least a month and it targets companies that deal in energy mostly! They say that this malware is rare among home users!
Also, in what I’ve read from different articles online, they say that this infection is most spread in the U.S. with some 50+ percent and then Iran with 30+ percent!
Could this be a connection with the fact that Iran wants to have nuclear energy and some say that they want to develop a nuclear weapon even?! The U.S. promptly stated that Iran shouldn’t have this tech!
I think this malware was developed by an espionage agency to monitor Iran but it got out in the public somehow! It doesn’t seem likely that a mere programmer developed this malware!
This seems very well thought out! But hey… maybe it’s just my paranoia kickin’ in!!
So guys, to sum up, are we protected from that???
As far as I can see, if that temp file got executed and it dropped this rootkit, the sandbox would catch it. However, since this is a vulnerability, only those who got a hand on this malware can tell whether it protects or not…
I wouldn’t count on the sandbox catching this. The rootkit is reported to have a valid digital signature from Realtek. Therefore on default settings CIS will let it run, access the Internet etc.
So all we need to do is remove it from the list of trusted vendors?
I myself have no trusted vendors list, and I am (like everybody) vulnerable to the PoC on default CIS settings and even on default Defense+ paranoid mode.
The only CIS setting that seems able to intercept it at the time of speaking is setting Defense+ image execution to aggressive.
But try it yourself; please follow this thread: