ugh since when did this .lnk start needing an .exe ?
Most attacks first use an application or OS vulnerability to gain access to the machine... then upload the exe and/or other crap... that's my understanding anyway.
I have seen a lot of infections lately where machines are becoming infected through the browsers because of plugins... Acrobat Reader and Flash and all the other shite...
MLF
Agree somewhat, but from the "PoCs" I've seen played with over the time of this thread it's just been via .js etc.
The person visits the site with the <script> </script> tags and the site then places a "Desktop Shortcut", i.e. somesite.lnk, onto the desktop. The victim then double clicks, loads up the browser, and then the .js throws the malware onto the machine once the script has run behind the scenes.
Anyone got an example of a malformed .lnk pulling an .exe once loaded? I would be very keen to take a look. :)
Sorry if I'm making little or no sense, had a few to drink and only planned to reply to an e-mail but spotted a new reply and figured heeey why not. ;)
you don't need to double click the .lnk, simply viewing it executes the code crafted in it.
I think the stuxnet/Win32, the one that targeted the power plants not the less elegant version that is flying around, uploads a system driver called jmidebs.sys and some .exes. The other clunkier strain probably has some payload of .exes. You can probably find the binaries floating around some security researcher's blog >.<
OK, did you mean this as in "over the network" logins? Or physically sitting there? There's a bit of a difference there, because the "Guest Account" on Windows may not allow that, but what I was saying about clicking cancel and it working, you don't really need an account at all. And over a network, who'd allow logins for the nobody account? The reason user nobody can do anything is that it's how you start all the forks and things for Apache. You need to allow that account to write to SOME things, otherwise it wouldn't work right.
Also, I think you're missing the fun that can be had by doing this:
chsh -s /bin/rm nobody
"chsh" doesn't actually require that the shell you change for a user be an actual shell. That's how those admins write those little interfaces where everything, when a user logs in, shows up in one of those custom menus. They couldn't do that if it HAD to be an actual shell. So technically, you could change the nobody account to have a command for a login shell, and on top of that.... Between Linux and BSD, I know user nobody doesn't get to have actual logins on MY machines. And in BSD I think by default user nobody can't log in.
This stuff is just as easy to change as "Turn off Automatic Login" would be in Windows, so it's not like it's any more of an issue. Besides, I've never seen someone actually use the nobody account to try much of anything since it doesn't have access to much. And of course you COULD put that thing in a sandbox or a jail.
Sophos have a free tool that is supposed to temporarily fix this issue?
http://www.sophos.com/security/topic/shortcut.html
WARNING:
I have yet to personally test this, so take the usual precautions ;)
From the Internet Storm Center:
Cheers
Quote:
Update 1: This tool currently only protects against LNK files and does not protect against PIF based exploits. It also does not protect against LNK files or targets stored on the local disk. Thanks to ISC reader Gerrit for the additional information.
Looks like MS is issuing an out of band patch. Though they aren't saying specifically what vulnerability it addresses.
http://threatpost.com/en_us/blogs/mi...ws-flaw-073110
Quote:
Microsoft will issue an out-of-band patch on Monday for a critical vulnerability in all of the current versions of Windows. The company didn't identify which flaw it will be patching, but the description of the vulnerability is a close match to the LNK flaw that attackers have been exploiting for several weeks now, most notably with the Stuxnet malware.