  1. #1 Resident Smart Ass (Verified LEO; joined 06-05-06; location: Once a New Yawker, Always a New Yawker; 5,456 posts)

    COMPUTER VIRUS ALERT!!!

    RECEIVED THIS FROM OUR IT PEOPLE TODAY!

    Until further notice please refrain from using ANY DATA HOLDING USB Data Sticks or MMC/SD cards with ECPO-assigned computers.

    If the SD/MMC cards are only used with digital cameras they ARE OK (with pics only, no data files).

    For Home Users – READ BELOW

    Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability

    Risk: High

    Date Discovered: July 15, 2010

    Description

    Microsoft Windows is prone to a vulnerability that may allow a file to automatically run because the software fails to handle 'LNK' files properly. An attacker may exploit this issue to execute arbitrary code. The attacker must entice a victim into viewing a specially crafted shortcut. NOTE: This issue is being exploited in the wild as malware W32.Temphid. This issue affects Microsoft Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008.
    Technologies Affected

    • Microsoft Windows 7 Home Premium
    • Microsoft Windows 7 Professional
    • Microsoft Windows 7 Starter
    • Microsoft Windows 7 Ultimate
    • Microsoft Windows 7 for 32-bit Systems
    • Microsoft Windows 7 for x64-based Systems
    • Microsoft Windows Server 2003 Datacenter x64 Edition SP2
    • Microsoft Windows Server 2003 Enterprise x64 Edition SP2
    • Microsoft Windows Server 2003 Itanium SP2
    • Microsoft Windows Server 2003 SP2
    • Microsoft Windows Server 2003 Standard Edition SP2
    • Microsoft Windows Server 2003 Web Edition SP2
    • Microsoft Windows Server 2003 x64 SP2
    • Microsoft Windows Server 2008 Datacenter Edition SP2
    • Microsoft Windows Server 2008 Enterprise Edition SP2
    • Microsoft Windows Server 2008 Standard Edition SP2
    • Microsoft Windows Server 2008 for 32-bit Systems SP2
    • Microsoft Windows Server 2008 for Itanium-based Systems SP2
    • Microsoft Windows Server 2008 for x64-based Systems SP2
    • Microsoft Windows Vista Business 64-bit edition SP1
    • Microsoft Windows Vista Business 64-bit edition SP2
    • Microsoft Windows Vista Business SP1
    • Microsoft Windows Vista Business SP2
    • Microsoft Windows Vista Enterprise 64-bit edition SP1
    • Microsoft Windows Vista Enterprise 64-bit edition SP2
    • Microsoft Windows Vista Enterprise SP1
    • Microsoft Windows Vista Enterprise SP2
    • Microsoft Windows Vista Home Basic 64-bit edition SP1
    • Microsoft Windows Vista Home Basic 64-bit edition SP2
    • Microsoft Windows Vista Home Basic SP1
    • Microsoft Windows Vista Home Basic SP2
    • Microsoft Windows Vista Home Premium 64-bit edition SP1
    • Microsoft Windows Vista Home Premium 64-bit edition SP2
    • Microsoft Windows Vista Home Premium SP1
    • Microsoft Windows Vista Home Premium SP2
    • Microsoft Windows Vista SP1
    • Microsoft Windows Vista SP2
    • Microsoft Windows Vista Ultimate 64-bit edition SP1
    • Microsoft Windows Vista Ultimate 64-bit edition SP2
    • Microsoft Windows Vista Ultimate SP1
    • Microsoft Windows Vista Ultimate SP2
    • Microsoft Windows Vista x64 Edition SP1
    • Microsoft Windows Vista x64 Edition SP2
    • Microsoft Windows XP
    • Microsoft Windows XP 64-bit Edition
    • Microsoft Windows XP 64-bit Edition SP1
    • Microsoft Windows XP 64-bit Edition Version 2003
    • Microsoft Windows XP 64-bit Edition Version 2003 SP1
    • Microsoft Windows XP Embedded
    • Microsoft Windows XP Embedded SP1
    • Microsoft Windows XP Embedded SP2
    • Microsoft Windows XP Embedded SP2 Feature Pack 2007
    • Microsoft Windows XP Embedded SP3
    • Microsoft Windows XP Embedded Update Rollup 1.0
    • Microsoft Windows XP Gold
    • Microsoft Windows XP Home
    • Microsoft Windows XP Home SP1
    • Microsoft Windows XP Home SP2
    • Microsoft Windows XP Home SP3
    • Microsoft Windows XP Media Center Edition
    • Microsoft Windows XP Media Center Edition SP1
    • Microsoft Windows XP Media Center Edition SP2
    • Microsoft Windows XP Media Center Edition SP3
    • Microsoft Windows XP Professional
    • Microsoft Windows XP Professional SP1
    • Microsoft Windows XP Professional SP2
    • Microsoft Windows XP Professional SP3
    • Microsoft Windows XP Professional x64 Edition
    • Microsoft Windows XP Professional x64 Edition SP2
    • Microsoft Windows XP Professional x64 Edition SP3
    • Microsoft Windows XP Tablet PC Edition
    • Microsoft Windows XP Tablet PC Edition SP1
    • Microsoft Windows XP Tablet PC Edition SP2
    • Microsoft Windows XP Tablet PC Edition SP3
    Recommendations

    • Block external access at the network boundary, unless external parties require service. If global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.

    • Deploy network intrusion detection systems to monitor network traffic for malicious activity. Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This may indicate exploit attempts or activity that results from successful exploits.

    • Do not accept or execute files from untrusted or unknown sources. To reduce the likelihood of successful exploits, never handle files that originate from unfamiliar or untrusted sources.

    • Do not follow links provided by unknown or untrusted sources. To reduce the likelihood of successful exploits, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.

    • When possible, limit the privileges granted to users to the least amount required. To reduce the impact of latent vulnerabilities, limit user privileges to the least amount possible. This can reduce the likelihood of privileged functions being executed.

    • Limit access to sensitive data and removable media. Users should exercise caution when attaching media provided by an unknown or untrusted source.

    Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.
    Credits: VirusBlokAda

    Copyright (c) 2010 Symantec Corporation

    Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.
    Don't you just hate it when someone's balls are hidden so well, they can't seem to find it themselves ~ RSA

    You can't avoid gossip & rude words from
    people. You can't please everybody. But remember, they wouldn't bother if you meant nothing.


    FOLLOW RSA ON TWITTER (IF YOU'RE GOING TO FOLLOW ME, PLEASE SEND ME A MESSAGE ON HERE WITH YOUR O/R USERNAME AND TWEET USERNAME SO I'LL KNOW WHO I'M ACCEPTING OTHERWISE YOU WILL NOT BE ACCEPTED!)
    https://twitter.com/RESIDENTSMARTAS



    A PINT OF SWEAT SAVES A GALLON OF BLOOD ~ PATTON
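    Added example, not from the thread or from the Symantec advisory reproduced above: the IT notice allows camera cards that hold only pictures, and the advisory's point is that Windows acts on a shortcut's contents as soon as the shortcut is displayed, so a defender checking a stick or card before a user browses it should not trust file extensions. The script below inventories shortcut files by their fixed ShellLinkHeader rather than by name, using the header layout from Microsoft's published MS-SHLLINK format (a 0x4C header size, the ShellLink CLSID, then the LinkFlags field), and flags shortcuts hiding under another extension. The "USB contents" are constructed in a temporary directory and the file names are invented for the demo.

```python
"""Inventory shortcut (.lnk) files on removable media by header, not extension.

Added example for the thread above; not part of the forum post or the
Symantec advisory. Header layout follows Microsoft's MS-SHLLINK format.
"""
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import Optional

# Fixed ShellLinkHeader: HeaderSize (0x4C), LinkCLSID, LinkFlags, then 52 more bytes.
LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in little-endian GUID byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_LINK_TARGET_ID_LIST = 0x00000001  # shortcut carries an item ID list
FLAG_HAS_ICON_LOCATION = 0x00000040        # shortcut names its own icon source


@dataclass
class LnkFinding:
    path: str
    link_flags: int
    has_id_list: bool
    has_icon_location: bool
    extension_mismatch: bool  # looks like a shortcut but is not named *.lnk


def parse_lnk_header(data: bytes) -> Optional[int]:
    """Return the LinkFlags value if data starts with a ShellLinkHeader, else None."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    header_size, clsid, link_flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return None
    return link_flags


def scan_directory(root: str) -> list:
    """Walk a mounted volume and report every file carrying a shortcut header."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(LNK_HEADER_SIZE)
            flags = parse_lnk_header(head)
            if flags is None:
                continue
            findings.append(LnkFinding(
                path=path,
                link_flags=flags,
                has_id_list=bool(flags & FLAG_HAS_LINK_TARGET_ID_LIST),
                has_icon_location=bool(flags & FLAG_HAS_ICON_LOCATION),
                extension_mismatch=not name.lower().endswith(".lnk"),
            ))
    return findings


def build_sample_header(link_flags: int) -> bytes:
    """Constructed minimal ShellLinkHeader (header only, no body) for the demo."""
    fixed = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, link_flags)
    return fixed + bytes(LNK_HEADER_SIZE - len(fixed))


def demo() -> dict:
    """Build a fake camera card in a temp dir and summarise what the scan finds."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "photos"))
        files = {  # constructed sample contents
            "photos/IMG_0001.jpg": b"\xff\xd8\xff\xe0" + bytes(100),
            "notes.txt": b"shopping list\n",
            "Copy of report.lnk": build_sample_header(FLAG_HAS_LINK_TARGET_ID_LIST),
            # a shortcut disguised under a name most users would never open
            "photos/thumbs.db": build_sample_header(
                FLAG_HAS_LINK_TARGET_ID_LIST | FLAG_HAS_ICON_LOCATION),
        }
        for rel, content in files.items():
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(content)
        findings = scan_directory(tmp)
        return {
            "total_shortcuts": len(findings),
            "extension_mismatches": sum(f.extension_mismatch for f in findings),
            "with_id_list": sum(f.has_id_list for f in findings),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Run it against the mount point of a stick before anyone opens the folder in Explorer; any hit on a card that is supposed to hold only pictures is reason to hand the card to IT rather than browse it.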



  2. #2 Resident Smart Ass (Verified LEO; joined 06-05-06; location: Once a New Yawker, Always a New Yawker; 5,456 posts)
    Published on NetworkWorld.com Community (http://www.networkworld.com/community)
    Highly Dangerous Zero-day Windows Trojan Targets Espionage

    By Ms. Smith

    Created Jul 19 2010 - 12:29pm

    [1] There is a new vicious rootkit-level malware infection targeting critical infrastructure and aimed at corporate or government espionage. It often enters the enterprise through USB sticks. Finnish security company F-Secure advised [2] that the current malware is very dangerous and poses "a risk of virus epidemic at the current moment." F-Secure further warns [3] that this is an espionage attack using LNK (*.LNK) shortcut files. All Windows operating systems are vulnerable, even Windows 7, though F-Secure says it has added detection modules for these rootkits to its own anti-malware products. Problem is, once it added the detection module, it started discovering infections all over the world, and the hole that the virus exploits remains unfixed. Because this is a rootkit infection, the virus bypasses security mechanisms [4]. From regular Joes to enterprises, this spy rootkit is in the wild and spreading infection.
    Like hackers sniffing out sweets and set loose in a candy store, the very dangerous threat may prove too juicy of a target not to be widely exploited. The data stealing malware in the wild is meant to infiltrate systems, weaponized software aimed at critical infrastructure systems, perhaps with the magnitude of destruction that security researchers have warned is coming for years.
    VirusBlokAda [2], an anti-virus company based in Belarus, discovered the malicious software that piggybacks on USB storage devices and exploits the way Windows processes shortcut files. Although it's mainly being distributed by USB drives, it can also be transferred over shared networks when a user browses affected shortcuts on removable media or a WebDAV share. It doesn't require administrative privilege to run. In an enterprise environment, users often execute files from network shares as standard operations and many organizations rely on SharePoint.
    Sophos senior technology consultant Graham Cluley said [5], "This waltzes around autorun disable. Simply viewing the icon will run the malware." Windows Explorer executes the malicious file, a rootkit and a dropper, even if the location of the shortcut is simply browsed to, allowing the process to execute as if retrieving an icon. The malware hides itself immediately after the system has been infected by using drivers digitally signed by Realtek Semiconductor Corporation.
    Microsoft released a security advisory [6], publicly addressing this Windows Shell vulnerability. It's a serious enough threat that Microsoft urges [7] anyone who believes to have been affected "to contact the national law enforcement agency in their country." Microsoft Malware Protection Center wrote [8], "Specifically, it takes advantage of specially-crafted shortcut files (also known as .lnk files) placed on USB drives to automatically execute malware as soon as the .lnk file is read by the operating system. In other words, simply browsing to the removable media drive using an application that displays shortcut icons (like Windows Explorer) runs the malware without any additional user interaction. We anticipate other malware authors taking advantage of this technique."
    Microsoft has offered suggested workarounds. Though some security experts believe that the workarounds, which require disabling certain services [9], may cause an enterprise a lot of trouble, particularly for SharePoint users.
    Independent researcher Frank Boldewin discovered that the malware targets SCADA control systems used to control industrial machinery in power plants and factories, and specifically Siemens WinCC SCADA systems. Boldewin wrote [10], "Looks like this malware was made for espionage."
    Why would someone want to infiltrate a SCADA system? According to Wesley McGrew [11], "There may be money in it. Maybe you take over a SCADA system and you hold it hostage for money."
    According to Krebs on Security [12], Jerry Bryant, a group manager of response communications at Microsoft stated that "When we have completed our investigations we will take appropriate action to protect users and the Internet ecosystem."
    Although right now the attacks seem targeted, the attempt to infect new machines has increased. MMPC blogged [8], "In addition to these attack attempts, about 13% of the detections we've witnessed appear to be email exchange or downloads of sample files from hacker sites. Some of these detections have been picked up in packages that supposedly contain game cheats (judging by the name of the file)."
    While security researchers are making educated guesses that this trojan was made for espionage, worms that use USB propagation vector may be best suited to attack isolated or air-gapped systems. If you recall, the DoD found this out [13] in late 2008 before banning thumb drives, CDs, flash media cards, and all other removable data storage devices to prevent a worm assault from spreading any further in its network.
    Although NSA spokeswoman Judith Emmel denied [14] there are any monitoring activities on utility companies [15] and called on the public to trust the NSA's adherence to the law, will this new vicious malware aimed at utilities and factories and power plants issue broader allowances for NSA's Perfect Citizen?
    MMPC writes [8], "We have multiple signatures that detect this threat for customers using Microsoft Security Essentials, Microsoft Forefront Client Security, Windows Live OneCare, the Forefront Threat Management Gateway, and the Windows Live Safety Platform. In addition to using antimalware technology, MSRC has released an advisory [6] with work-around details."
    Additional Guidance

    By Custom Computers on Mon, 07/19/2010 - 2:25pm.

    Though Microsoft now states users of their security products are protected with adequate signatures.
    Further understanding of the issue can be found through Chet's blog at Sophos who provides more detail and a video.
    LINK: Windows zero-day attack works on all Windows systems | Chester Wisniewski's Blog


    secure your company

    By shoe (not verified) on Mon, 07/19/2010 - 4:05pm.

    For years I've said a company should epoxy the USB ports, remove floppy drives (remember those), and remove any removable media devices (CD, DVD drives) from any computer that doesn't need them for the business.



  3. #3 TXCharlie (Former & Future Reserve Officer; joined 12-29-05; location: Dallas Area; 5,528 posts)
    A year or so ago, there was an outbreak of viruses contained in those little electronic "picture frames" from China, as well as some no-name MP3 players that had USB interfaces. Apparently someone in the factory or the distribution chain sabotaged a few batches with a virus that would auto-run when the device was plugged in.

    (\__/)
    (='.'=) This is Bunny. Copy and paste Bunny into your
    (")_(") signature to help him gain world domination.

  4. #4 Odd (Cosmonaut Trainer, Supporting Member Lvl 3; joined 10-08-08; 2,056 posts)
    Turns out this one is a major frakin deal. See that little badge icon up to the left of http://apbweb?

    Just loading a site and having that image rendered is enough to get you infected through that favicon. And now you know what a favicon is, so that's kinda cool.

    Since Microsoft stopped support for Windows 2000 and Win XP prior to Service Pack 3 earlier this month, this is potentially a threat to all sorts of machines. I can't imagine MS won't break their own policy and throw out one more patch over this since it's such an easy infection vector. That is the policy to date though. Even if they do the responsible thing in the upcoming weeks we're all (WinNT-Win7....this means you) vulnerable right now.

    Microsoft does have a "Fix it" in place. It's ugly, but for the time being may be the smarter choice:
    Microsoft Security Advisory: Vulnerability in Windows Shell could allow remote code execution

    Or you could use Oracle's VirtualBox virtual machine manager (free), install Ubuntu 10 and have fun nerding out while going anywhere without worry until MS plugs this Horizon-sized hole. You'd still be vulnerable to USB drives, email, etc. network stuff, but you could surf without worry.

    Thanks RSA for pointing this out. I wondered if this was really all this important since we hear about malware all the time and usually it doesn't amount to much - this one is an exception. Exception, not armageddon. It's really easy to exploit and expanding rapidly.

    Hey TXC - hear about those Dell motherboards infected with malware? Bad week to be a big target.

    We PC users even got an alert from the Department of Homeland Security's US-CERT about Energizer battery chargers a couple months back.

    Make you want to buy a Macbook yet?

    Me either. I want one of those Energizer Bunnies to go with my Cue Cat.

    For all the cautionary advice...I'm not changing much. The favicon bit will keep me from exploring new sites just now, and it's summer anyway so baby oil twister is a better choice than exploring new websites. Go outside and play hard may be the best way I can advise to combat this computer worm - though stop in and check out O/R!

  5. #5 Odd (Cosmonaut Trainer, Supporting Member Lvl 3; joined 10-08-08; 2,056 posts)
    Microsoft has issued an out-of-cycle patch for this security hole (link to USA Today writeup for details).

    Run your Windows Update to get it. It does nag you for a reboot, and requires the reboot before you're safe.
