
SANS ISC: Vulnerability in Windows "LNK" files? - SANS Internet Storm Center SANS ISC InfoSec Forums


Vulnerability in Windows "LNK" files?

We've received plenty of information over the past couple of days about this alleged vulnerability in Windows' "lnk" file, and its use against "SCADA" networks.

http://www.theregister.co.uk/2010/07/16/windows_shortcut_trojan/

http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/

We tend to be cautious when we see these types of things announced by a security company (yes, I work for a security company -- Sourcefire), and it just so happens that they are the only ones that sell a fix for it.  (BTW -- this is called "Research" and "Marketing" and there is nothing wrong with it.)

This has happened recently with a couple of those "OSX" Virii/Trojan types of malware that are allegedly out there: we never see them in the wild, we never get a copy, and only (Anti-Virus-vendor-that-sells-OSX-Anti-Virus-name-here) has a fix for them, or a copy of them.

We are DEFINITELY NOT saying that this company doesn't have a fix for it, and we are DEFINITELY NOT saying that the malware doesn't exist.  We haven't seen a copy of it (and we'd like to, thanks).

Apparently this malware does not use the autorun or autoplay feature.  Since, allegedly, it's a vulnerability in the LNK file, I would assume that when you plug in a USB device and use Windows Explorer to browse the USB drive, it triggers that way.  Again, we haven't seen the code, and I am just guessing, so take that for what it's worth.  I'll update this again if someone sends the malware in to us.

please?

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

 

Joel

454 Posts
ISC Handler
Don't know if it'll help, but I saw this on F-Secure's blog a couple days ago.

http://www.f-secure.com/weblog/archives/00001986.html

http://www.f-secure.com/weblog/archives/00001987.html

Anonymous
Symantec has definitions
http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99
Anonymous
Does anyone have an md5 for this, that they wouldn't mind sharing?
Anonymous
Jamal, the F-Secure item above (http://www.f-secure.com/weblog/archives/00001986.html) points to an analysis by VirusBlokAda. It points at VirusTotal, which has hashes.
Anonymous
Microsoft have released an advisory for this:

* Microsoft Security Advisory (2286198)
- Title: Vulnerability in Windows Shell Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2286198.mspx
- Revision Note: V1.0 (July 16, 2010) Advisory published.

W60

14 Posts
MS suggests disabling the WebClient service. Wonder what applications that breaks?
Michael

32 Posts
Michael, this is good news. According to http://support.microsoft.com/kb/832161:
'Note You can disable the WebClient service as long as you do not have to modify or write files on Web Distributed Authoring and Versioning (WebDAV) servers.'

For a few years now, I have routinely disabled this service on every Windows PC I use since I learned that it speeds up browsing/using network shares.
Michael
3 Posts
I released a new version of my tool Ariad to mitigate this .LNK exploitation.
blog.didierstevens.com/2010/07/18/mitigating-lnk-exploitation-with-ariad/

As Ariad is a system driver and works in the Kernel, be sure to test this first on machines you can trash.
DidierStevens

338 Posts
ISC Handler
I'm curious about how long this exploit has been known about, and the timing of it becoming public. I suspect that it's been known about for at least a while, and just now released to the public because security updates for Windows XP SP 2 have been discontinued.
DidierStevens
4 Posts
Update: besides Windows XP SP2, Ariad works on Windows 2000 too. I tested on Windows 2000 Professional SP4 with Update Rollup 1 installed.
This rollup is required as it installs support for minifilters.
DidierStevens

338 Posts
ISC Handler
I've created a little shell extension fixing this issue. It inserts itself in front of the shell link icon handler, and calls the original one only when it's safe.

Should work on XP+, downloadable x86 and AMD64 builds.

Get binaries (and source) on http://code.google.com/p/linkiconshim/
DidierStevens
2 Posts
MS Advisory 2286198 has been updated to ver 1.2

Block the download of LNK and PIF files from the Internet

Blocking the download of LNK and PIF files on the Internet gateway provides protection against remote exploitation of these attacks. Note that the files can be transferred over WebDAV, so any blocking solution should take this protocol into account.
Michael

32 Posts
I do not know if this problem is tied to the LNK problem, but something managed to get on my machine and change all of the group policy. Now the Documents and Settings file is called a "junction" type file and was set as a system file, so it became hidden. It also became inaccessible.

Any comments would be appreciated if this relates to the LNK problem.
Michael
1 Posts
I have something similar to this described virus, but it is way more advanced than this and I believe it infects the BIOS. It totally takes over Linux and Vista. It changes permissions and edits the registry like nothing I have ever seen. It rewrites the registry and points keys to text documents that contain the real keys. It puts the user in a sort of virtual world, and it allows someone else to access your PC using interactive. It also communicates with the virus that spawned it, as I accidentally discovered. It uses programming software built into your OS to build and modify itself and other things. It also takes over administrative tools. It operates in the root, and nothing, not even anti-rootkits, detects it. I have 4 machines down from it right now and I have been fighting it for 5 to 6 weeks now and it is still winning. Someone please help; it is driving me nuts and I am starting to become obsessed over it. I spend all my waking hours when not at work fighting and learning from it. When I am at work all I do is think about it and what I could do next. It seems to be spreading quickly.
I have seen it on every system I look at and nobody is doing or even realizing it is there. If you want to find it, look at Environment Variables: if the bottom System box buttons like New, Edit, and Delete are grayed out and you scroll down in the box, you will see USERNAME SYSTEM.
Michael
1 Posts
Not a vulnerability of the file per se, but related. 3+ years later...

A .lnk file used to call cmd.exe and feed it a .exe that is named .pdf.

http://techhelplist.com/index.php/spam-list/543-fw-account-statements-multi-malware-attachments
techhelplist.com

9 Posts
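Two posts in this thread point at the same defensive gap: the advisory's advice to block LNK and PIF downloads at the gateway (which, if done by extension alone, misses a shell link renamed to something harmless), and the later report of a .lnk that launches cmd.exe against a ".pdf"-named executable. The following Python is an added example written for this page; it is not code from the thread, from Microsoft or from techhelplist.com. It identifies a shell link by its on-disk header (the 0x4C HeaderSize and the 00021401-0000-0000-C000-000000000046 LinkCLSID, per the public MS-SHLLINK layout) rather than by name, walks the optional IDList and LinkInfo structures to reach the StringData section, and flags the cmd.exe-with-arguments and double-extension patterns. The `assess`/`should_block` heuristics, the double-extension list and the `build_sample_lnk` helper are assumptions made for this example; the sample link it builds is constructed test input, not a captured file.

```python
import re
import struct
from dataclasses import dataclass, field

# Fixed values from the shell link header (MS-SHLLINK): HeaderSize and the
# LinkCLSID 00021401-0000-0000-C000-000000000046 as it is laid out on disk.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that say which optional structures follow the header.
FLAG_HAS_ID_LIST = 0x01
FLAG_HAS_LINK_INFO = 0x02
FLAG_HAS_NAME = 0x04
FLAG_HAS_RELATIVE_PATH = 0x08
FLAG_HAS_WORKING_DIR = 0x10
FLAG_HAS_ARGUMENTS = 0x20
FLAG_HAS_ICON_LOCATION = 0x40
FLAG_IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each only if its flag is set.
STRING_FIELDS = (
    (FLAG_HAS_NAME, "name"),
    (FLAG_HAS_RELATIVE_PATH, "relative_path"),
    (FLAG_HAS_WORKING_DIR, "working_dir"),
    (FLAG_HAS_ARGUMENTS, "arguments"),
    (FLAG_HAS_ICON_LOCATION, "icon_location"),
)

# Heuristic (assumption for this example): document extension hiding an executable one.
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|txt|jpg)\.(exe|scr|com|bat|cmd)\b", re.I)


@dataclass
class LnkSummary:
    is_lnk: bool
    flags: int = 0
    truncated: bool = False
    strings: dict = field(default_factory=dict)


def is_lnk(data: bytes) -> bool:
    """Identify a shell link by its header, not by the file name."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def _read_string(data: bytes, offset: int, unicode: bool):
    """StringData entry: 2-byte character count, then the characters, no terminator."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    width = 2 if unicode else 1
    raw = data[offset:offset + count * width]
    if len(raw) != count * width:
        raise ValueError("truncated StringData")
    text = raw.decode("utf-16-le" if unicode else "latin-1", errors="replace")
    return text, offset + count * width


def parse_lnk(data: bytes) -> LnkSummary:
    """Walk header, optional IDList and LinkInfo, then the StringData section."""
    if not is_lnk(data):
        return LnkSummary(is_lnk=False)
    (flags,) = struct.unpack_from("<I", data, 20)
    summary = LnkSummary(is_lnk=True, flags=flags)
    offset = LNK_HEADER_SIZE
    try:
        if flags & FLAG_HAS_ID_LIST:          # IDListSize (2 bytes) + IDList bytes
            (size,) = struct.unpack_from("<H", data, offset)
            offset += 2 + size
        if flags & FLAG_HAS_LINK_INFO:        # LinkInfoSize counts itself
            (size,) = struct.unpack_from("<I", data, offset)
            offset += size
        for flag, name in STRING_FIELDS:
            if flags & flag:
                summary.strings[name], offset = _read_string(
                    data, offset, bool(flags & FLAG_IS_UNICODE))
    except (struct.error, ValueError):
        summary.truncated = True              # malformed links are worth a finding, not a crash
    return summary


def assess(filename: str, data: bytes) -> list:
    """Return the reasons a gateway filter would flag this download (empty list = allow)."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in ("lnk", "pif"):
        findings.append(f"blocked extension .{ext}")
    summary = parse_lnk(data)
    if not summary.is_lnk:
        return findings
    if ext != "lnk":
        findings.append("shell link content behind a non-.lnk name")
    if summary.truncated:
        findings.append("malformed shell link (truncated structures)")
    target = summary.strings.get("relative_path", "").lower()
    args = summary.strings.get("arguments", "")
    if target.endswith("cmd.exe") and args:
        findings.append("link runs cmd.exe with arguments: " + args)
    if DOUBLE_EXT.search(args):
        findings.append("double-extension executable in arguments")
    return findings


def should_block(filename: str, data: bytes) -> bool:
    return bool(assess(filename, data))


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test input: minimal Unicode shell link with only RelativePath and Arguments."""
    flags = FLAG_HAS_RELATIVE_PATH | FLAG_HAS_ARGUMENTS | FLAG_IS_UNICODE
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", flags)
              + struct.pack("<I", 0)                # FileAttributes
              + bytes(24)                           # Creation/Access/Write FILETIMEs
              + struct.pack("<III", 0, 0, 1)        # FileSize, IconIndex, ShowCommand
              + struct.pack("<HHII", 0, 0, 0, 0))   # HotKey, Reserved1..3
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


if __name__ == "__main__":
    sample = build_sample_lnk(r"..\..\Windows\System32\cmd.exe", "/c statement.pdf.exe")
    for name in ("statement.pdf", "shortcut.lnk"):
        print(name, "->", assess(name, sample))
    print("readme.txt ->", assess("readme.txt", b"just text"))
```

Content-based identification is the point: a gateway that only matches `*.lnk` and `*.pif` lets a renamed link through, while the header check catches it whatever the name; and because WebDAV transfers are plain HTTP bodies, the same check applies to that path too. The parser stops at StringData and reports truncation instead of raising, so a deliberately malformed link still produces a finding.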
