Rootkit.TmpHider

Looks fresh and nasty.

You should take into consideration that [b]the virus infects the Operating System in an unusual way, through a vulnerability in the processing of lnk-files (without usage of an autorun.inf file)[/b]. So [b]you just have to open the infected USB storage device using Microsoft Explorer[/b] or any other file manager which can display icons (e.g. Total Commander) [b]to infect your Operating System and allow execution of the malware[/b].
Note that [b]both drivers are signed with the digital signature of Realtek Semiconductor Corp[/b].
So those bold quotes worry me. It is digitally signed :o and infects the OS through a vulnerability (they don't say what OS though). I'm very curious how CIS handles it.

Me too. Still, I’m not sure how the malicious drivers can be digitally signed by Realtek.

If someone can explain that to me I’d really appreciate it.

On Wilders they released a detailed pdf about this rootkit.

Kind of curious about this one. ??? Can I please get a response about how it could be digitally signed?

The subject is documented
http://www.sophos.com/blogs/sophoslabs/?p=10078
http://www.win.tue.nl/hashclash/rogue-ca/
(…)

What seems relevant today is not the digital signature (one must be nuts to run the infected executables if given the choice) but the way an infected USB device autoruns lnk files, which seems to be a large Windows security hole.

Source: Trojan spreads via new Windows hole - The H Security: News and Features

Trojan spreads via new Windows hole

The trojan carries a valid digital signature from “Realtek”. Anti-virus specialists report that a new trojan is spreading via USB flash drives, apparently exploiting a previously unknown hole in Windows. According to analyses by Belarusian AV vendor VirusBlokAda, a copy of the trojan managed to infect a fully patched Windows 7 system (32-bit) without having to resort to such common auto-start tools as autorun.inf when a Flash drive carrying the trojan was plugged in. Instead of spreading through auto-start, the malware exploits a flaw in the code for processing short-cuts (.lnk files): Once the relevant icon is displayed in Windows Explorer, malicious code is launched without any further user interaction.

The trojan exploits this to install two drivers with rootkit functions designed to hide its subsequent activities within the system. Interestingly, both drivers are signed with a code-signing key by vendor RealTek and can, therefore, be installed on a system without triggering an alert. Only recently, AV vendor F-Secure pointed out that the amount of signed malware for Windows is increasing. In some cases, digital keys have even been stolen from developers.

An investigation by malware analyst Frank Boldewin has shown that this is not just any old trojan designed to harvest passwords from unsuspecting users. It appears that the malware specifically targets process control systems and their visualisation components. The trojan is, therefore, unlikely to spread on a large scale.

During his investigation, Boldewin came across some database queries the trojan made that point towards the WinCC SCADA system by Siemens. As Boldewin explained in an email to The H’s associates at heise Security, a “normal” malware programmer wouldn’t have managed to do that. Boldewin continued “As this Siemens SCADA system is used by many governments and industrial enterprises worldwide, we must assume that the attackers’ intention was industrial espionage or even espionage in the government area”. Frank Boldewin is the author of the feature article “Episode 2: The image of death” in our “CSI:Internet” series.

Microsoft has been informed about the vulnerability, but appears to have problems with reproducing it. Andreas Marx of AV-Test says that every .lnk file is linked to the ID of the newly infected USB Flash drive. This means that the sample trojans found so far can’t simply be started on an arbitrary Windows system – the malware will only start in the OllyDbg debugger after some modifications to the code.

(crve)

Three part analysis from Kaspersky: one, two, three.

Very interesting analysis by Aleks the Kaspersky guy.

Great thread guys, short, sweet, polite, brimming with pertinent info. :-TU

Bad

That there is malware that is digitally signed (and for sure the problem will worsen in the future) is a very serious problem and will affect all security products. It is a weakness of every security suite that will surely benefit those involved …
I think in terms of Comodo, due to the Defense+ module it is possible to warn about the installation of these rootkits (even if they are digitally signed), the problem being that the user will be notified that a program which is digitally signed has malicious behavior and the user must decide… This will primarily affect those who do not know much about computer security.

I’m curious as to how Comodo will prevent the spreading of these digitally signed viruses.

Again, the rootkit installs itself through tmp files, considered as executables:
Defense+ does not by default protect lnk or tmp, so I am therefore very dubious about your assertion that Defense+ would intercept the rootkit.

In default mode Defense+ will not detect these rootkits, but there is the option of adding these extensions to Image Execution Control Settings (Files to check). But as I said, there will be alerts for the user to answer, and certainly these alerts will be quite many.

What would be interesting to find out is how Comodo, in default mode, will prevent the spreading of digitally signed viruses.

Greetings all,

Well… have fun! :smiley:

I will not search & post the old & very old links here … where I was talking about digital signing insanity - do that please if you want

At first (loooong ago) Melih agreed with me that the procedure is not perfect at all…

… later I was expressing my (softly speaking) surprise about the thread “please include this & that” as trusted & signed into the list … weird stuff really

… then it was a discussion about wrongly integrated sandbox … & further in conjunction with signatures / math & vulnerabilities of those again;

… then it was another post regarding the matter, where I was mainly told “move over” … I’m fine with that , don’t worry

So, basically - Yes - we all will have fun now ;D … many things like this to come (trust me) in addition to what Chris posted recently

Cheers!

As far as I am concerned, I have no sandbox (CIS v3) and no trusted vendors (excepting Comodo, no way to delete).

I agree that wanting to trust everything, including games and p2p software, is quite foolish.

Answering myself to what I wrote before, I installed yesterday a new Firefox plugin: the tmp files are intercepted by Defense+, but I also added tmp and lnk files yesterday to the executable files to protect, so I don’t remember if it is the default behaviour.

But that does not explicitly mean it would be enough to intercept rootkit.tmphider and similar malware to come.

Although, like every security suite, Comodo is not rootkit-aimed, it would be nice to have some feedback from Comodo representatives telling us if Defense+ intercepts Rootkit.TmpHider or not.

PoC available (please PM User for details)

LE: Yep, the PoC works, but only if I click Properties for that lnk file from Windows Explorer. If I open the stick with Filezilla it works again without doing anything else. No alert from CIS.
I don’t have any other file explorers installed so only Windows Explorer and Filezilla tested.
XP SP3 all updates, CIS Proactive, D+ and FW in Safe Mode, AV Stateful, Sandbox Enabled/Disabled.

Edit:
Live link to Poc removed, please don’t post these live on the public boards.
Either post in Malware Research Group or use PM.


Good & correct choice in a first place !
but even if you just disable Comodo’s “sandbox” it mainly will not help
Cheers!

p.s. as far as I remember there was a very old & similar MS flaw / vulnerability - as soon as the user hovers over the link you get a tool-tip - that is actually code being executed - and there you go! - you could get malware just by hovering over the link… this one is different but has a resemblance :wink:

Do you get any alert if you add the extension *.lnk to Image Execution Control Settings?

Edit:
Removed Poc link from Quote also

Nope.
I’m at home now and testing on Seven x64 and Windows Explorer. Now I must double-click that shortcut to see that message in the debugger. Only browsing the stick or right-click Properties does nothing.

The exploit uses a different Windows executable if you double click it instead of just browsing to it:

  1. When just browsing to it, the shortcut exploit appears to call “explorer.exe” to load “dll.dll”

  2. When manually double clicking the shortcut file, the exploit appears to call “rundll32.exe” to load “dll.dll”

More information and screenshots here (under “GeSWall 2.9 Professional”):
http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1303

As linked, I’ve so far tested SRP, Faronics Anti-Executable 2, COMODO Internet Security 4.1.150349.920, Online Armor Premium Personal Firewall v4.0.0.45, Malware Defender 2.7.1, Sandboxie 3.46, DefenseWall 3.04, GeSWall 2.9 Professional, Returnil System Safe 2011 RC (anti-executable component), AppGuard 1.4.7.

I’m trying to think of more applications to test. This is a good example of a ZERO-DAY malware/exploit. As you can see, many programs fail against it. All HIPS programs tested so far (including CIS) fail against it in default configuration (even Malware Defender). In saying that, each HIPS program can be configured easily to block the exploit - you just need to configure the HIPS to monitor DLL file loading (which means that it will pop-up a lot haha).

Microsoft confirms USB trojan hole

In a security advisory, Microsoft confirms the security flaw in the code for processing short-cuts (.lnk files), which can be exploited to infect Windows systems simply when a USB stick is opened. A few days ago, it was discovered that a worm is apparently already exploiting this hole to spy on computers.

All Windows versions still supported since Windows XP are affected. The flaw occurs when the Windows shell tries to read an .lnk file’s icon. In the process, the shell does not sufficiently check a parameter, allowing attackers to execute arbitrary code – for instance, when the user opens a USB stick in Explorer. However, Microsoft’s Security Response Center (MSRC) writes that the hole can also be exploited remotely via WebDAV and network shares.

A patch for the hole is not yet available, nor has Microsoft said when one will be made available. For the time being, workarounds provide the only protection. Microsoft’s security team recommends switching off the display of icons for .lnk files by changing the registry value HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler.

But first, you should backup your current settings. Furthermore, the Web Client service can be switched off to prevent attacks via WebDAV.

The currently known attacks are highly professional. Among other things, they contain a rootkit which embeds itself in the system as a digitally signed Realtek driver and spies on controllers of large, distributed systems (SCADA, Supervisory Control and Data Acquisition). Security experts speculate that the attacks may be organised by as yet unidentified secret services.

The good thing is that the attacks are apparently still quite targeted, so that the malicious software has not gone into wide circulation. But now that the problem is known, others can be expected to jump on the bandwagon and exploit the flaw to install bot network clients and spyware. In other words, you should batten down the hatches on your Windows systems quickly. And hope that Microsoft will provide a quick fix soon.

Exploit demonstrates critical Windows .lnk vulnerability

A proof of concept exploit for the unpatched vulnerability in the code for processing short-cuts (.lnk files) has been circulating since yesterday (Sunday). Source code for the exploit also appears to be in circulation. As soon as the Windows shell attempts to load the icon from the specially crafted .lnk file, the exploit sends the message "SUCKM3 FROM EXPLORER.EXE MOTH4F UCKA #[at]!" to the Windows debugger to demonstrate the success of the exploit.

Attackers could use this vulnerability to execute arbitrary code without requiring a user to execute a suspicious-looking .exe file. The malicious code could also be executed via WebDAV or via a shared network drive – it does not need to be located on a local drive.

Publication of the exploit increases the pressure on Microsoft to fix the security vulnerability, which was first disclosed a week ago. Reportedly, all versions of Windows since XP that are still supported by Microsoft are affected. Attacks to date have had all the hallmarks of sophisticated industrial espionage, but criminals are likely to be setting up much larger scale attacks aimed at a less select group of victims.

To protect against the attack, Microsoft is advising users to disable icon display for .lnk files by changing the registry value HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler. Users should backup their previous settings before making the change. Additionally, it’s possible to disable the web client service in order to prevent attacks via WebDAV.
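The workaround quoted in both articles above (back up the IconHandler value, blank it, and switch off the Web Client service), written out as an added PowerShell example; it is not from the thread or from Microsoft's advisory, and the backup file name and the assumption that the advisory's change is an empty (Default) value are mine.

```powershell
# Added example: apply the .lnk icon-handler workaround described in the quoted
# articles and cut off the WebDAV vector. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

# HKCR: is not a built-in PowerShell drive, so map HKEY_CLASSES_ROOT first.
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null

$key    = 'HKCR:\lnkfile\shellex\IconHandler'
# Backup location is an assumption; any writable path works.
$backup = Join-Path $env:USERPROFILE 'lnkfile-IconHandler-backup.reg'

# 1. Back up the key first (the articles stress this) so the change can be reverted
#    later with:  reg.exe import $backup
reg.exe export 'HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler' $backup /y | Out-Null

# 2. Record the current handler and blank the (Default) value. Shortcuts keep
#    working; they only lose their icons, because the shell no longer loads the
#    icon handler that the vulnerable code path goes through.
$current = (Get-ItemProperty -Path $key).'(default)'
Write-Host "Current IconHandler: $current  (backed up to $backup)"
Set-ItemProperty -Path $key -Name '(default)' -Value ''

# 3. Restart Explorer so the running shell picks up the change.
Stop-Process -Name explorer -Force
Start-Process -FilePath explorer.exe

# 4. Stop and disable the Web Client service to block the WebDAV vector.
#    Revert later with:  Set-Service -Name WebClient -StartupType Manual
Stop-Service -Name WebClient -Force
Set-Service -Name WebClient -StartupType Disabled
```

Network shares are a third vector the articles mention; this script does nothing about them, so the workaround is a stopgap until the patch ships, not a substitute for it.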

I tested it in CIS v5 and it seems to block it just fine: when I double-click it, it shows an error and it sandboxes a process. I can’t tell you more, but v5 seems fine against it.