Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

Unpatched shortcut vuln exploited by mainstream malware
the register ^

Posted on 07/23/2010 4:04:04 AM PDT by Gomez

Virus writers have begun using the unpatched shortcut flaw in Windows first exploited by the Stuxnet worm, which targets power plant control systems, to create malware that infects the general population of vulnerable Windows machines.

Slovakian security firm Eset reports the appearance of two malware strains that exploit security vulnerabilities in the way Windows handles .lnk (shortcut) files, first used by Stuxnet to swipe information from Windows-based SCADA systems from Siemens.

The Chymine-A Trojan uses the same security hole to install a keystroke logger while the Autorun-VB-RP worm has been updated to use the shortcut vulnerability as an infection method. The original hackers developed a technique to embed malicious code in shortcut files in such a way that this code is run when an icon is viewed, an approach now followed by less skilled VXers.

Stuxnet featured rootlet functionality and digitally signed malware, techniques that mark it out as highly sophisticated. The latest malware to use the shortcut vulnerability is, by contrast, much more basic.

"The new malware we're seeing is far less sophisticated, and suggests bottom feeders seizing on techniques developed by others," writes Pierre-Marc Bureau, a senior researcher at Eset, in a blog post.

The shortcut vulnerability is likely to become a mainstay of malware distribution techniques, Bureau warns.

"This new development follows a typical path of evolution in malware.  Often there are only days between the initial release of information regarding a critical vulnerability, and the discovery of its exploitation being executed in the wild by malware authors.  It is safe to assume that more malware operators will start using this exploit code in order to infect host systems and increase their revenues," he concludes.

Trend Micro warns that the hole can be exploited by a wide variety of techniques including network shares, malicious websites and booby-trapped Office documents, as well as USB drive infection, the technique associated with the Stuxnet worm.

"File formats that support embedded shortcuts (eg Microsoft Office documents) can now be used to spread exploits as well," writes Trend Micro threat researcher David Sancho. "This means that users who download and open such files could find themselves the latest victim of this vulnerability. It has also been reported that this attack could be used in drive-by attack scenarios, further increasing risks."

Microsoft has issued temporary workarounds and security advice to customers as a stop-gap measure while its security researchers work on developing a fix. The vulnerability involves a security hole in core Windows functionality, so developing and testing a patch by the next scheduled Patch Tuesday, 10 August, will be tricky but not out of the question. Redmond's security team will have had a month by this point to go through a process that more typically takes two months or longer.


TOPICS: Computers/Internet
KEYWORDS: malware; microsofttax; stuxnet

1 posted on 07/23/2010 4:04:06 AM PDT by Gomez
[ Post Reply | Private Reply | View Replies]

To: ShadowAce

ping


2 posted on 07/23/2010 4:05:18 AM PDT by Gomez (killer of threads)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Gomez

So why are power plant control systems using Windows? That would seem like a perfect application for Linux, you wouldn’t even need a GUI.


3 posted on 07/23/2010 4:25:37 AM PDT by proxy_user
[ Post Reply | Private Reply | To 1 | View Replies]

To: Gomez
Microsoft has issued temporary workarounds and security advice to customers as a stop-gap measure while its security researchers work on developing a fix.

*nix, The permanent workaround.
4 posted on 07/23/2010 4:26:36 AM PDT by ct_libertarian (Movie with a story or another Hollywood Marxist sermon? Find out at http://www.HollywoodSTFU.com)
[ Post Reply | Private Reply | To 1 | View Replies]

To: proxy_user

I think Virginia Power uses Linux, not sure tho..


5 posted on 07/23/2010 5:11:42 AM PDT by herewego ( Got .45?)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Gomez
Virus writers...

Summary execution is too good for them.

6 posted on 07/23/2010 5:50:15 AM PDT by JimRed (To water the Tree of Liberty is to excise a cancer before it kills us. TERM LIMITS, NOW AND FOREVER!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Gomez; rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

7 posted on 07/23/2010 5:52:02 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: proxy_user

A lot of power plant control systems are about like a lot of industrial control and monitoring s/w: they have a lot of graphical information sdo the operators can see at a glance fron across the room whether the system is operating w/in parameters.


8 posted on 07/23/2010 6:01:15 AM PDT by NVDave
[ Post Reply | Private Reply | To 3 | View Replies]

To: proxy_user
So why are power plant control systems using Windows? That would seem like a perfect application for Linux, you wouldn’t even need a GUI.

Because Windows is used for just about everything else and has open sourced the code to control systems manufacturers so the can sell more Windows. Also, 95% of the power plant workers understand and recognize Windows.

It's all about marketing.

9 posted on 07/23/2010 6:17:14 AM PDT by raybbr (Someone who invades another country is NOT an immigrant - illegal or otherwise.)
[ Post Reply | Private Reply | To 3 | View Replies]

To: raybbr

I remember a while back when switching from UNIX to Windows caused some serious problems for air traffic control.


10 posted on 07/23/2010 7:28:01 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 9 | View Replies]

To: raybbr; proxy_user; Gomez; ShadowAce
> Because Windows is used for just about everything else and has open sourced the code to control systems manufacturers so the can sell more Windows.

Microsoft has not "open-sourced the code" of Windows to anyone, anywhere. Windows is proprietary. Open source means it is not only publicly readable, but also, anyone may modify it.

I think you must mean, "made the code available under Non-Disclosure Agreement (NDA)". Yes?

The distinction is huge, and profound. Proprietary code, under NDA, is the opposite of open source.

11 posted on 07/23/2010 1:14:11 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 9 | View Replies]

To: dayglored

Microsoft turns over all Win7 and server source code to Russia's new KGB ^

12 posted on 07/23/2010 1:25:03 PM PDT by raybbr (Someone who invades another country is NOT an immigrant - illegal or otherwise.)
[ Post Reply | Private Reply | To 11 | View Replies]

To: JimRed
For the first offense, cut off their thumbs
13 posted on 07/23/2010 4:43:56 PM PDT by beef (Who Killed Kennewick Man?)
[ Post Reply | Private Reply | To 6 | View Replies]

To: raybbr
Geez. Please read carefully.

What Microsoft did for the Russian secret service was make the Windows source code available under a special NDA. Read the article you linked to, don't just post the headline.

Look up the term "open source" (generally an adjective, sometimes used as a noun), and specifically the verb usage "open source" (to make a body of software available as open source).

Open source software — software whose source code is published and made available to the public, enabling anyone to copy, modify and redistribute the source code without paying royalties or fees. (Wikipedia)
Maybe instead of "has open sourced the code", you meant to say, "has made the source code available under NDA", which would be correct.

In no way whatsoever has Microsoft ever made the body of code known as "Windows" available as "open source", nor do they have any intention of ever doing so. They have made the source code available under NDA to various governments and agencies, including the Red Chinese and the Russians. They have made tiny portions of it publicly readable for the sake of encouraging compatible use of Windows APIs, but not for modification.

14 posted on 07/23/2010 5:32:40 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 12 | View Replies]

To: dayglored
Maybe instead of "has open sourced the code", you meant to say, "has made the source code available under NDA", which would be correct.

Yeah, that IS what I meant. Sorry for using the wrong terminology.

In any case, MS "made the source code available" so companies could interface with Windows for industrial control. That, coupled with the average user that is used to seeing Windows, is why the GUI is needed and line commands will never replace Windows as an interface with PLC's and the Unix computers that run machines.

15 posted on 07/23/2010 7:30:20 PM PDT by raybbr (Someone who invades another country is NOT an immigrant - illegal or otherwise.)
[ Post Reply | Private Reply | To 14 | View Replies]

To: raybbr
Ah, glad we cleared that up. :)

> In any case, MS "made the source code available" so companies could interface with Windows for industrial control.

Do you have any links or other references, to explain that better? I'm not aware of Microsoft making Windows source code available to industrial control companies. They may have done so, and if so I'd be interested to know more -- I designed industrial control computers in the 1980's and still have some interest in them, even though I've moved on since then.

Thanks in advance for the references...

16 posted on 07/23/2010 8:16:10 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 15 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson