Rootkit.TmpHider

Things start to look ugly: Siemens: German customer hit by industrial worm.

Hmm, I’ve done the test at least 20 or 30 times over though haha (I’ve tested over 10 different security products against this exploit). After removing the “_” to enable the shortcut file, the exploit executes spontaneously (no clicking is required). Did you do the test in a freshly installed Windows?

I don’t know what you mean by “fresh installation”: no, I did not install XP from scratch this morning; the last re-installation (changing the install hard disk) must be some 6 months old but, as I said, has nothing specific outside of some disabled services and built-in software.

Making the experiment again (image execution set to normal; if aggressive, everything is definitely intercepted), both of us are right and wrong: curiously enough, the test fails the first time it is made after opening a session, but then passes every next time.

I haven’t tested, for the time being, whether launching the session but waiting some time for all the drivers and services to be loaded would change this situation.

Tests are best done when nothing else is installed. This is a Windows “exploit”, and therefore we should (initially) be testing it against Windows. With a freshly installed (with no third party programs installed and everything in default out-of-the-box settings) Windows XP, I was able to easily reproduce the exploit.

Didier Stevens has also been able to reproduce the exploit with the same set of POC files:

In fact, like me, he’s also confirmed that SRP blocks it:

.lnk vulnerability: Microsoft fix causes icon chaos Earlier today (Wednesday), Microsoft started offering a fix-it button on its support page that allows users to enable (or disable) a workaround which protects their systems from the effects of the unpatched vulnerability in the code for processing short-cuts (.lnk files) in all versions of Windows. Once the workaround is installed, Windows ignores program short-cut icons, which turns navigating the start menu, desktop and task bar into something of a guessing game. Previously, users who wanted to protect their systems had to manually change a registry value, which requires at least a basic level of computer skills.

http://img80.imageshack.us/img80/5109/iconfixf5980fb2b257469e.png

Guessing game: implementing Microsoft’s workaround for the .lnk flaw soon causes confusion. Various proposed solutions to close the hole while preserving the short-cut icons have since been circulated. For instance, the LinkIconShim shell extension latches on in front of the .lnk handler to intercept potentially suspicious icon short-cuts to the control panel. However, installing the extension on one of our test systems produced an error message saying that the DLL couldn’t be registered. The Ariad filter software by Didier Stevens is also said to prevent .lnk files from executing malicious code on 32-bit Windows systems. However, the author explicitly points out that this software is still in beta state, and that it’s not suitable for production use.

As Stevens writes in his blog, in corporate environments, software restriction policies can reduce the attack surface to some degree. Such policies can ensure that program code can only be executed from specific hard disks – if the malicious code is located on a removable storage medium or on a network volume, it can be blocked. However, if a ZIP archive with infected files is unpacked on the system disk after it has been downloaded, the policies won’t work.

While the Internet Storm Center (ISC) had increased the threat warning for the .lnk hole from green to yellow yesterday (Tuesday), they have now lowered it back to green level. The ISC commented that the purpose of increasing the threat level, which was to increase people’s awareness of this vulnerability, has been achieved and that the level may be increased again if a major attack is observed.

SRP, in the state in which it is used today, is a lousy idea as it only involves removable media and network shares: one could of course not use it to block any installation from the C: partition.

Why not Ariad… the day when it is advised for use on a production computer: until then, it is useless.

Note that, as of today, Avira intercepts both suckme.lnk and dll.dll, and I suppose that most AVs also do.

I didn’t have the time to check if deleting the files, as suggested by Avira, would be enough to block the DbgView report.

Sorry, but I don’t think you understand how SRP works (either that, or I’ve completely mis-interpreted what you’ve written). Have a read here:
http://www.mechbgon.com/srp/

SRP/AppLocker is NOT a lousy idea, especially if it’s already built into your system - it’s free, doesn’t cause conflicts, doesn’t cause any slow-downs, doesn’t require you to make a decision, and it’s incredibly effective. I’ve not come across any real-world malware that can bypass it.

Anyway, back on topic haha.

Well, should we start ditching our computers? It looks like CIS ain’t as bullet-proof as once thought, according to members far more enlightened than me! Maybe I can configure it to stop such attacks myself, though I intend to spend more time in the pub.

.lnk vulnerability in Windows: Attack wave approaches The critical vulnerability in the code for processing short-cuts (.lnk files) in all versions of Windows remains unpatched, attracting a growing number of exploits. At least two further malicious programs are now targeting the vulnerability, and the number of undetected cases is likely to be much higher. While the first .lnk trojan, Stuxnet, appeared to be the result of professional industrial espionage, new worms are not as selective in terms of their targets.

Security firm ESET has observed the Win32/TrojanDownloader.Chymine.A malware in the wild. This malware contacts a server in the US and downloads the Win32/Spy.Agent.NSO key logger from there. The Win32/Autorun.VB.RP worm is now also said to have discovered the .lnk hole as a suitable means for propagation. The worm even actively produces further compromised .lnk files so it can spread faster.

The full scope of the problem is yet unknown. What is known is that all versions of Windows from XP onwards are affected. A few days ago, Microsoft added that specially crafted short-cuts for executing malicious code can also be embedded in Office documents. Furthermore, .lnk files are not the only file type affected: According to Microsoft’s updated advisory, PIFs (Program Information Files) are also vulnerable. Core Security said it had found a way of exploiting the hole via emails, although the security firm hasn’t provided any details.

Even the German Federal Office for Security in Information Technology (BSI) has issued a warning (German language link): until the hole has been patched, users are to follow the steps for the workaround described in Microsoft’s security advisory. Microsoft’s fix-it is indeed the easiest way to protect a system from impending attacks. However, it does cause a loss of convenience, as Windows will only display standard icons for all short-cuts once the fix-it has been applied.

Incidentally, Microsoft has removed the official documentation for the .lnk file format (“[MS-SHLLINK]: Shell Link (.lnk) Binary File Format”) from its server without comment. Critics sneer that this was done to remove the description of the format’s security measures on page 48

It requires a lot of investigation of programs you want to start using. IIRC you stated in the past that you were testing new programs in a VM first… etc… Time for such diligent enquiries may not be on everybody’s side… 88) :wink:

Anyway, back on topic haha.
Copy that. :-TU

Sorry for off topic again, but I feel that you are mis-leading those who may be keen to use SRP as a form of defence (either that, or I am mis-interpreting your statements). If I am mis-interpreting, please correct me as I blabber on below haha.

In fact, this isn’t off topic at all, since SRP is a very good way of blocking the exploit/vulnerability discussed in this very thread.

Regardless, using SRP does NOT require a lot of investigation on programs you want to start using. In my opinion (and sorry if it comes across a bit harsh), by even writing this, you also show that you don’t understand how SRP works or how to set it up (for the home computer). SRP (and AppLocker) work (best) by a white-listing approach. Now it may sound like you need to investigate each program you want to white-list, but that is not the case. Simply white-listing according to Path rules will work perfectly for ~99% of users out there. Why? Well, it’s simply because ~99% of all programs out there execute from C:\Program Files and C:\Windows. So all you need to do is white-list those 2 paths and you’re set.

In your statements, you mentioned that I test new programs in a VM. I don’t quite understand why you mentioned that “such diligence” is required and implied a disadvantage? What are the alternatives for testing new (dodgy) programs? Well, you can simply test it on your REAL system or use a rollback program (like Rollback Rx or CTM), and risk getting infected (yes, CTM and Rollback Rx are still bypassed by certain rootkits out there). And even using technology like Comodo’s Sandbox, Sandboxie, Shadow Defender, Returnil etc., you can’t test programs that require a reboot. With a VM, you can.

Perhaps you are talking about actually testing and analysing new programs? If so, what does SRP have to do with this?

Anyway, those who are fortunate enough to have a Pro version (or above) of Windows should at least try using SRP/AppLocker, if just to mitigate the serious exploit discussed in this thread.
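The path-whitelisting SRP setup the post above describes, written out as an added example (it is not from the thread, Comodo or mechbgon’s guide): it writes the policy registry keys that Windows’ own SRP editor uses, and assumes an elevated PowerShell on a Windows edition that ships SRP. It goes slightly beyond the post in two places, both commented: enforcement is extended to DLLs, because the .lnk flaw loads a DLL rather than an .exe, and the user-writable %SystemRoot%\Temp is carved out of the %SystemRoot% whitelist.

```powershell
# Default-deny Software Restriction Policy with path whitelists.
# Key layout and value names are those of the built-in SRP editor
# (secpol.msc / gpedit.msc); a reboot or "gpupdate /force" applies them.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $base -Force | Out-Null

# Default security level: 0 = Disallowed. Anything not matched by an
# Unrestricted rule below cannot run, so an unpacked ZIP on C: or a DLL
# on a USB stick is blocked regardless of where it sits.
Set-ItemProperty -Path $base -Name 'DefaultLevel'       -Value 0 -Type DWord
# Enforcement scope: 2 = all software files including libraries.
# The default (1) exempts DLLs, which is exactly what the .lnk flaw loads.
Set-ItemProperty -Path $base -Name 'TransparentEnabled' -Value 2 -Type DWord
# 0 = apply to all users, administrators included (1 would skip admins).
Set-ItemProperty -Path $base -Name 'PolicyScope'        -Value 0 -Type DWord

# Helper: one path rule under the given level (0 = Disallowed,
# 262144 = 0x40000 = Unrestricted). Each rule lives in its own GUID subkey.
function Add-SrpPathRule([int]$Level, [string]$Path, [string]$Note) {
    $rule = Join-Path "$base\$Level\Paths" ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $rule -Force | Out-Null
    New-ItemProperty -Path $rule -Name 'ItemData'    -Value $Path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $rule -Name 'SaferFlags'  -Value 0     -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $rule -Name 'Description' -Value $Note -PropertyType String       -Force | Out-Null
}

# The two trees the post names; ~99% of legitimate software runs from here.
# %ProgramFiles(x86)% only exists on 64-bit Windows; on 32-bit it simply
# never matches, so listing it is harmless.
foreach ($p in '%SystemRoot%', '%ProgramFiles%', '%ProgramFiles(x86)%') {
    Add-SrpPathRule -Level 262144 -Path $p -Note "Whitelist $p"
}

# Carve-out beyond the post: %SystemRoot%\Temp is writable by standard users,
# and the more specific path rule wins, so this stays Disallowed.
Add-SrpPathRule -Level 0 -Path '%SystemRoot%\Temp' -Note 'User-writable, keep denied'

# Sanity check: what was written (Get-ChildItem over the rule keys).
Get-ChildItem -Path "$base\262144\Paths", "$base\0\Paths" |
    ForEach-Object { '{0}  {1}' -f $_.PSChildName, (Get-ItemProperty $_.PSPath).ItemData }
```

Programs installed outside those trees (portable apps, per-user installers) need their own Unrestricted rule; test with a standard user account first, since a too-narrow policy shows up as a “blocked by policy” message rather than an infection.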

A nice prevention tool from Sophos.

Hi burebista,
Below I will practically quote what I wrote in another place.
Mainly I would not use any 3rd-party “workarounds” … there are a few others already
====== here we go
Well, 1st - many if not all security are “effected & affected”, we may say
That is a system flaw
We have such & similar flaws being alive for 17 years (!!!) as you know
The “workaround” by MS is an ugly one indeed , softly speaking :slight_smile:
But I personally would prefer to wait for a real patch from my “Little & Soft”, rather than installing any 3rd-party … workaround(s) (again & anyway)
since you (we) may have different problems regarding applied 3rd party patches & their un-installation , especially when you have the “auto-” set for MS updates.
I don’t - I have “Notification Only”, but many users prefer the auto-
====== end of here we go

In addition you have to consider a few other things:

  • some security are very quickly blacklisting specific already found “digital signatures fraud(s)” anyway;

  • in addition to the above … as usual … MS patches in many cases are ruining set permissions. I found 3 of those already after the 2 latest big updates. Usual stuff - your software stops working all of a sudden ???

So, in combination, applying anything that MS will “fix” later may cause huge problems

We are better off just waiting and do not panic (Hi Ewen! :slight_smile: )

Cheers!

Yeah, on XP x32 SP3 with all updates, that Sophos tool fails.
But I just saw a very nice surprise from CIS. ;D

http://i29.tinypic.com/2epse4w.png

hehe!
Well, as I said, I would never use those 3rd-party workarounds

… another funny thing is that … hmmm 88) most likely dll.dll is residing in the right place according to its name ;D

Cheers!

Nope, I’ve put it in C root and I saw those messages in DbgView. :slight_smile:
That is the temporary path where I extracted the PoC archive. I gave it a suggestive name. ;D

Sure! Who had doubts that you are creative ;D What other folder name could it possibly be?
Cheers!

Another, easy, possibly more elegant protection, for the time being.

https://forums.comodo.com/other-security-products/protection-against-lnk-vulnerability-kb-2286198-t59788.0.html;msg419681#msg419681

Bad

I am not sure, Bad Frogger, that your moderator status entitles you to do what no one ever should do:
crossposting.

Would it be better if I merged all the related threads into a huge unreadable mess?

Bad