Rootkit.TmpHider

It should have been done from the beginning: it now is a huge unreadable mess.

Microsoft to release LNK patch on Monday

Microsoft has announced that it will be distributing an out-of-band update on Monday August 2nd at 10:00 PDT (18:00 UK Time); this will address the LNK vulnerability that was recently discovered, exploited and used in attacks. The advisory for the vulnerability explains that it involves the incorrect parsing of icons in shortcut files and can be exploited locally with USB flash drives or remotely through network shares and WebDAV.

Microsoft says that it has completed testing of the fix for the issue, which affects Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7. A previously released “Fix It” from Microsoft prevented the display of icons for the shortcut files, which made the Windows desktop quite confusing. Third-party manufacturers also provided antivirus tools which attempted to fix the issue but which had their own problems.

Microsoft also confirms that the company has seen an increase in attempts to exploit the vulnerability and that releasing the update out of band “is the best thing to do to help protect our customers”. The update will be distributed through the automatic update mechanism of Windows.

Sure it is a mess, & there are many (well… to be fair - just several) threads dedicated to the problem.
The only thing we all can say: dear users, please “search” & read the forum.

This forum is not easy to read even for advanced users.

… at the same time we cannot DEMAND (deliberately written in all capital letters & bold … bad style :slight_smile: ) splitting & merging cases by the volunteer moderators here.
Repeating (EricJH will not like this, heheh! … Hi Eric! ) my point posted in one of the threads regarding the issue:
although I am very sick of MS handling cases like this - I would never install either any 3rd party “workarounds” or MS's ugly “workaround”
… eventually you will suffer because of this, when MS issues “the real one”.

Cheers!

I can confirm this in my testing as well. I set ‘Files To Check’ to * so that DLLs with any extension are dealt with. Checking DLLs doesn’t result in “prompt fatigue” when using CIS as an anti-executable, as detailed at https://forums.comodo.com/defense-sandbox-help-cis/using-comodo-internet-security-as-an-antiexecutable-t60303.0.html.

Comment from egemen - https://forums.comodo.com/leak-testingattacksvulnerability-research/serious-security-flaws-please-respond-t38737.0.html;msg280592#msg280592:

You mean loading a DLL into memory? CIS is not supposed to or even designed to detect if you load a DLL into the process space of an application normally (without hooking or memory injection), except for rundll32.exe (even this is going to change in the future versions).

By setting image execution control to aggressive and adding *.dll to execution list, you can receive alerts for DLLs but this is not really recommended/intended to be used and we will discontinue this ability in the future versions.

To the developers: please reconsider your position on “discontinuing this ability in the future versions.”

For some reason, I am not able to reply in the thread you link, but I am not sure I get your point.

First, of course, most people do not run XP under a low privileged account, precisely because they don’t want to be bothered when they modify or install whatsoever.

Next, one of course cannot agree to disabling Defense+ for setting purposes: if doing so, the network cable should be unplugged.

But your approach somehow makes the assumption that threats should always come from online malware penetration.

Curiously enough, a lot of people want to use CIS against some potentially very dangerous behaviors, including online gaming, instant messaging, and p2p networks.

In this last event, people don’t usually download the pictures of their grandmother, but non-legit media or software materials.
They then deliberately install the said files and, speaking of software, most often to the default Program Files location: I see no instance where the said location should be made trusted, and as a consequence, no way to make Defense+ a “quiet” software for the only benefit of fewer alerts.

I answered in that thread.

Oh boy, never-ending story. :frowning: “40 Windows apps contain critical bug”

The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a 'safe' file type from a network share [either on the local network or the Internet] … "It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content."

A major threat (like “was” the .lnk story itself) for corporate users outside of vpn.

But (I know it is enabled by default in some Windows versions, including XP Pro), why should an individual user allow network shares, definitely a major security risk even before the emergence of the related flaw?
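The pattern described in the quoted article (a planted .dll loaded from the same share or folder as the "safe" file the user opened) is something a defender can look for in image-load telemetry. The script below is an added example, not code from this thread or from Comodo; the log records and their field names are constructed for illustration and do not follow any real product's schema.

```python
import ntpath

# Directories from which a DLL load is expected; anything matching the
# "beside the opened document" or "from a UNC share" pattern outside these
# is flagged for review.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")


def is_unc(path: str) -> bool:
    """True for UNC paths such as \\\\server\\share\\file.dll (a network share)."""
    return path.startswith("\\\\")


def is_in_system_dir(path: str) -> bool:
    lowered = path.lower()
    return any(lowered.startswith(d + "\\") for d in SYSTEM_DIRS)


def flag_suspicious_loads(records):
    """Return (process, dll_path, reasons) for each image load that looks like
    a planted-DLL load. Each record is a constructed dict with the keys
    'process', 'document' (the file the user opened) and 'image' (the module
    that was loaded)."""
    findings = []
    for rec in records:
        dll = rec["image"]
        if not dll.lower().endswith(".dll"):
            continue
        dll_dir = ntpath.dirname(dll).lower()
        doc_dir = ntpath.dirname(rec["document"]).lower()
        reasons = []
        if is_unc(dll):
            reasons.append("dll loaded from network share")
        if dll_dir == doc_dir and not is_in_system_dir(dll):
            reasons.append("dll loaded from the opened document's directory")
        if reasons:
            findings.append((rec["process"], dll, reasons))
    return findings


# Constructed sample telemetry: two benign loads and two that match the pattern.
SAMPLE_RECORDS = [
    {"process": "winword.exe", "document": r"\\fileserver\share\report.docx",
     "image": r"\\fileserver\share\helper.dll"},
    {"process": "winword.exe", "document": r"\\fileserver\share\report.docx",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"process": "wmplayer.exe", "document": r"C:\Users\alice\Downloads\song.mp3",
     "image": r"C:\Users\alice\Downloads\codec.dll"},
    {"process": "notepad.exe", "document": r"C:\Users\alice\Downloads\notes.txt",
     "image": r"C:\Program Files\App\app.dll"},
]

if __name__ == "__main__":
    for proc, dll, why in flag_suspicious_loads(SAMPLE_RECORDS):
        print(f"{proc}: {dll} -> {', '.join(why)}")
```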