And I attached the wrong link :-) http://community.ca.com/blogs/securityadvisor/archive/2010/07/17/catching-up-with-win32-stuxnet-a.aspx

On 20 July 2010 15:32, James Rankin <[email protected]> wrote:
> You have to craft them with the code inside them first to make them execute when viewed. There are some good write-ups about it on the internet.
>
> http://community.ca.com/blogs/securityadvisor/archive/2009/05/27/windows-shortcut-lnk-another-misused-file-format.aspx
>
> On 20 July 2010 15:16, Ken Schaefer <[email protected]> wrote:
>> IE favourites are .lnk files (you can open them in edit.com). Just viewing your Favourites folder in Explorer doesn’t cause a bunch of IE pages to open. Or does the .lnk file need to point to an exe (or .com / .bat / .pif etc?)
>>
>> Cheers
>> Ken
>>
>> *From:* James Rankin [mailto:[email protected]]
>> *Sent:* Tuesday, 20 July 2010 10:02 PM
>> *To:* NT System Admin Issues
>> *Subject:* Re: Signed malware on folder view using shortcut LNK files
>>
>> As far as I was aware, just displaying the icon of the .lnk file in your file browser of choice launches the code. No interaction is required besides this.
>>
>> On 20 July 2010 14:33, Ken Schaefer <[email protected]> wrote:
>>
>> Isn’t the issue that Windows automatically loads the lnk file? (e.g. off a USB thumb drive?)
>>
>> Just connecting to an FTP site using an FTP program isn’t going to do anything. If there’s an .lnk file there, and you download it, and then you double-click on it, then “yes” you might infect yourself.
>>
>> Cheers
>> Ken
>>
>> *From:* Steven M. Caesare [mailto:[email protected]]
>> *Sent:* Tuesday, 20 July 2010 9:18 PM
>> *To:* NT System Admin Issues
>> *Subject:* RE: Signed malware on folder view using shortcut LNK files
>>
>> .lnk is the infection vector for the local system. Any file copy methodology merely facilitates this infection vector, so yes to all of the above.
>>
>> In addition:
>>
>> Local HDD’s
>> File shares
>> USB drives
>> Web site Trojan droppers
>> USB MASS storage consumer devices (digital cameras, MP3 players, etc… anything that can be mounted)
>> Malware infected legit S/W installers
>> Floppy discs
>> Email
>> IM file xfers
>> Contents of infected .zip files
>> Removable optical media
>> Etc…
>>
>> -sc
>>
>> *From:* James Rankin [mailto:[email protected]]
>> *Sent:* Tuesday, July 20, 2010 8:13 AM
>> *To:* NT System Admin Issues
>> *Subject:* Re: Signed malware on folder view using shortcut LNK files
>>
>> Am I right in thinking FTP sites, torrent sites and maybe even download sites like RapidShare are vulnerable to this .lnk file problem?
>>
>> On 20 July 2010 00:37, Carl Houseman <[email protected]> wrote:
>>
>> The process of scanning .lnk files for icons to display results in execution of code that is embedded in the specially crafted .lnk file. Some developer at MS responsible for that icon-fetching code (if still employed there) is likely not having a good week.
>>
>> That's why this is such a serious malware: simply viewing the folder in Explorer will infect. The only mitigating factor is, direct folder access to the .lnk file is needed. An E-mail attachment would have to be saved and then the containing folder viewed. A web site would have to coerce a user to save it locally and then open the folder. But as with the autorun problem, a picture frame or pre-loaded flash drive with one of these .lnk files could make a lot of trouble.
>>
>> Carl
>>
>> -----Original Message-----
>> From: Mike Gill [mailto:[email protected]]
>> Sent: Monday, July 19, 2010 6:18 PM
>> To: NT System Admin Issues
>> Subject: RE: Signed malware on folder view using shortcut LNK files
>>
>> Windows 7 doesn't support autorun on flash drives. When he gets to the part where he's not running AV, he doesn't indicate that he's actually clicking on anything, yet the malware runs. He sort of implies that it's happening automatically when he mentions the video is slowed to allow us to view what happens. How is the malware getting executed?
>>
>> --
>> Mike Gill
>>
>> -----Original Message-----
>> From: James Hill [mailto:[email protected]]
>> Sent: Sunday, July 18, 2010 5:43 PM
>> To: NT System Admin Issues
>> Subject: RE: Signed malware on folder view using shortcut LNK files
>>
>> It really is a nasty one. It doesn't need admin privs either. Until Microsoft patch it, if your AV doesn't catch it you're pretty much screwed. Disabling shortcuts is obviously not an option for most.
>>
>> Nice vid of it in action
>> http://www.youtube.com/watch?v=1UxN7WJFTVg&feature=player_embedded
>>
>> Interesting timing considering XP SP2 is now unsupported.
>>
>> --
>> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."

--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
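Several posters make the point that Explorer runs the embedded code while merely drawing a shortcut's icon, and Ken suggests reading .lnk files in edit.com instead. As an added example (not from the list or any poster), here is a small Python parser for the public MS-SHLLINK layout that reads a shortcut's header flags and string fields, including the IconLocation the shell would consult, so shortcuts collected from a share or USB stick can be reviewed without the folder ever being rendered; `build_lnk` constructs a sample shortcut for testing, and the cp1252 decoding of non-Unicode strings is an assumption.

```python
"""Offline inspection of Windows shortcut (.lnk) files per the public MS-SHLLINK layout."""
import struct
import uuid

SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08),   # StringData order is fixed;
                 ("working_dir", 0x10), ("arguments", 0x20),  # each present only if its
                 ("icon_location", 0x40))                     # LinkFlags bit is set

def parse_lnk(data):
    """Return LinkFlags, IconIndex and every StringData field (None if absent)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != SHELL_LINK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"flags": flags, "icon_index": struct.unpack_from("<i", data, 0x38)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:     # skip LinkTargetIDList: u16 size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:   # skip LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for field, bit in STRING_FIELDS:  # u16 CountCharacters + chars, no terminator
        info[field] = None
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            # cp1252 for ANSI strings is an assumption; the real code page is the host's
            info[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return info

def icon_source(info):
    """File the shell reads for the icon: IconLocation if set, else the target."""
    return info["icon_location"] or info["relative_path"]

def build_lnk(**fields):
    """Constructed minimal Unicode shortcut for testing (IDList holds only a TerminalID)."""
    flags, body = IS_UNICODE | HAS_ID_LIST, struct.pack("<H", 2) + b"\x00\x00"
    for field, bit in STRING_FIELDS:
        if field in fields:
            flags |= bit
            body += struct.pack("<H", len(fields[field])) + fields[field].encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + SHELL_LINK_CLSID.bytes_le
    header += struct.pack("<II", flags, 0x20) + b"\x00" * 24   # FileAttributes, 3 FILETIMEs
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)     # FileSize .. Reserved3
    return header + body
```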
