I went through the steps of disabling shortcut icons on my own machine to see what the impact would be. The result is literally not pretty since it obscures the icons for running programs and programs pinned to the taskbar. I dare say it would be difficult for most users to work this way, at least on Windows 7. [image: taskbar.PNG]
It's not quite as bad on XP because the taskbar buttons for running programs do show a recognizable icon. [image: taskbar.PNG]

On Sun, Jul 18, 2010 at 8:42 PM, James Hill <[email protected]> wrote:

> It really is a nasty one. It doesn't need admin privs either. Until
> Microsoft patch it if your AV doesn't catch it you're pretty much screwed.
> Disabling shortcuts is obviously not an option for most.
>
> Nice vid of it in action
> http://www.youtube.com/watch?v=1UxN7WJFTVg&feature=player_embedded
>
> Interesting timing considering XP SP2 is now unsupported.
>
> -----Original Message-----
> From: Ben Scott [mailto:[email protected]]
> Sent: Sunday, 18 July 2010 2:43 AM
> To: NT System Admin Issues
> Subject: Signed malware on folder view using shortcut LNK files
>
> MS Advisory 2286198
> NVE CVE-2010-2568
>
> Reports are surfacing of malicious software compromises with .LNK
> (shortcut) files as the initial vector. All current versions of Windows.
>
> Apparently, a crafted LNK file can cause Windows to load and run an
> arbitrary file as soon as the system attempts to render the icon on screen.
> So all you need to do is *browse to the folder* and the malware launches.
> That's right, simply *looking* at a directory is enough.
>
> One report states this is not a buffer overflow or something like that. I
> don't know if that means it's a design flaw in the LNK format, or
> technically-valid code that does something dumb, or what.
>
> It apparently affects file browsers other than Windows Explorer -- Total
> Commander was mentioned. I guess that means the bug is in a shell library.
>
> One report indicates that the payload which is executed by the LNK file
> does not have to be an obvious executable -- it shows the malware
> executables with names like "~wtr4141.tmp".
>
> Microsoft has acknowledged the LNK vulnerability in their Advisory
> 2286198. NVE ID is CVE-2010-2568. Too early for a real fix. As a
> workaround, Microsoft says that disabling the display of icons for
> shortcuts will block exploitation. I'm not sure that's viable, as
> many users won't be able to use their computers without the pretty icon
> pictures. As a mitigation, Microsoft suggests disabling the WebClient
> service, as a malicious LNK could reference software on the web using
> WebDAV. (And block SMB at the firewall, but I assume everyone is already
> doing that.)
>
> The identified malware payload is also interesting because it's signed
> using a valid software-signing certificate. Proof by example of what many
> security researchers have been saying for years: Code signing is *not* a
> great defense against malware, despite Microsoft's claims.
>
> Even better, one source reports that the certificate is expired, but
> "Authenticode" apparently has a mechanism where an expired and/or revoked
> certificate can still approve software signed with that certificate.
>
> The identified payload seems to target a "Siemens SIMATIC WinCC Database",
> which is apparently some kind of industrial automation package. Reportedly,
> the software uses a SQL database backend, and hardcodes the authentication
> password, so every single customer using that Siemens software is using the
> same password.
>
> As the kids say these days, "epic fail" all around.
>
> While the currently identified payload is obviously highly targeted, now
> that the LNK vulnerability is known to exist, it seems reasonable to expect
> other attackers will soon figure it out and start exploiting it.
>
> Sources:
>
> http://isc.sans.edu/diary.html?n&storyid=9181
> http://www.microsoft.com/technet/security/advisory/2286198.mspx
> http://www.f-secure.com/weblog/archives/00001986.html
> http://www.f-secure.com/weblog/archives/00001987.html
> http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/
> http://it.slashdot.org/comments.pl?sid=1721020&cid=32920758
> http://www.f-secure.com/weblog/archives/new_rootkit_en.pdf
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
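The quoted advisory summary notes that a malicious shortcut can reference software on a remote host over WebDAV or SMB, which is why the WebClient and SMB mitigations are suggested. An administrator auditing a file share or a user's profile wants to know which .LNK files already carry such remote references. The following is an added example written for this thread, not code from the list or from Microsoft: it parses the public Shell Link (MS-SHLLINK) layout far enough to read the StringData fields and flags any shortcut whose icon location or working directory is a UNC path. The field offsets and flag values are those of the published format; the sample shortcuts, host names and paths are constructed in code by `build_lnk` purely so the parser can be exercised offline.

```python
"""Audit Windows .LNK (Shell Link) files for shortcuts whose icon location or
working directory points at a remote UNC path.  Layout follows the public
MS-SHLLINK format; build_lnk constructs well-formed test samples in code."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HEADER_SIZE = 0x4C
# Shell link CLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that govern which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


@dataclass
class LnkInfo:
    flags: int
    name: Optional[str] = None
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def _read_string(data: bytes, off: int, unicode: bool) -> Tuple[str, int]:
    """StringData entry: CountCharacters (u16) followed by that many characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return data[off:off + count].decode("cp1252", errors="replace"), off + count


def audit(info: LnkInfo) -> List[str]:
    """Defender heuristics: shortcut references that leave the local disk."""
    findings = []
    for label, value in (("icon location", info.icon_location),
                         ("working directory", info.working_dir)):
        if value and value.startswith("\\\\"):
            findings.append(f"{label} is a UNC path (reachable over SMB/WebDAV)")
    return findings


def parse_lnk(data: bytes) -> LnkInfo:
    """Validate the header, skip the IDList/LinkInfo blobs, read the StringData."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    (flags,) = struct.unpack_from("<I", data, 20)
    info = LnkInfo(flags=flags)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize excludes its own 2 bytes
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes itself
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    for flag, attr in STRING_FIELDS:         # fixed order defined by the format
        if flags & flag:
            value, off = _read_string(data, off, bool(flags & IS_UNICODE))
            setattr(info, attr, value)
    info.findings = audit(info)
    return info


def build_lnk(icon_location: str, name: str = "Example", arguments: str = "",
              working_dir: str = "C:\\Windows", relative_path: str = ".\\example.exe") -> bytes:
    """Serialise a minimal, well-formed shortcut (a constructed test sample)."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_NAME | HAS_RELATIVE_PATH | HAS_WORKING_DIR
             | HAS_ICON_LOCATION | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0))
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    item_id = struct.pack("<H", 4) + b"\x1f\x50"        # one dummy 4-byte ItemID
    id_list = item_id + b"\x00\x00"                    # plus the 2-byte TerminalID
    body = struct.pack("<H", len(id_list)) + id_list

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body += s(name) + s(relative_path) + s(working_dir)
    if arguments:
        body += s(arguments)
    return header + body + s(icon_location)
```

To use it on real files, read each .lnk from a share or profile directory in binary mode and pass the bytes to `parse_lnk`; a non-empty `findings` list marks a shortcut worth a closer look, and a `ValueError` marks a file that carries the .lnk extension without a valid shell link header, which is itself worth noting. The heuristic is deliberately narrow (UNC references only), so treat it as a triage aid alongside the advisory's mitigations rather than a detector for every malformed shortcut.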
