July 27th, 2010, 04:39 AM
Ugh, since when did this .lnk start needing an .exe?
July 27th, 2010, 02:09 PM
Most attacks first use an application or OS vulnerability to gain access to the machine... then upload the exe and/or other crap... that's my understanding anyway.
I have seen a lot of infections lately where machines are becoming infected through the browsers because of plugins... Acrobat Reader and Flash and all the other shite...
How people treat you is their karma; how you react is yours. - Wayne Dyer
July 27th, 2010, 03:12 PM
Agree somewhat, but from the "PoCs" I've seen played with over the time of this thread it's just been via .js etc.
The person visits the site with the <script></script> tags and the site then places a "Desktop Shortcut", i.e. somesite.lnk, onto the desktop. The victim then double-clicks, which loads up the browser, and then the .js throws the malware onto the machine once the script has run behind the scenes.
Anyone got an example of a malformed .lnk pulling an .exe once loaded? I would be very keen to take a look.
Sorry if I'm making little or no sense; had a few to drink and only planned to reply to an e-mail, but spotted a new reply and figured, heeey, why not.
July 27th, 2010, 03:47 PM
You don't need to double-click the .lnk; simply viewing it executes the code crafted in it.
Originally Posted by HYBR|D
I think the Stuxnet/Win32 one, the one that targeted the power plants, not the less elegant version that is flying around, uploads a system driver called jmidebs.sys and some .exes. The other clunkier strain probably has some payload of .exes. You can probably find the binaries floating around some security researcher's blog >.<
Originally Posted by HYBR|D
July 27th, 2010, 05:43 PM
OK, did you mean this as in "over the network" logins, or physically sitting there? There's a bit of a difference, because the "Guest Account" on Windows may not allow that, but with what I was saying about clicking cancel and it working, you don't really need an account at all. And over a network, who'd allow logins for the nobody account? The reason user nobody can do anything is that it's how you start all the forks and things for Apache. You need to allow that account to write to SOME things, otherwise it wouldn't work right.
Originally Posted by The-Spec
Also, I think you're missing the fun that can be had by doing this:
chsh nobody /bin/rm
"chsh" doesn't actually require that the shell you change for a user be an actual shell. That's how those admins write those little interfaces where everything, when a user logs in, shows up in one of those custom menus. They couldn't do that if it HAD to be an actual shell. So technically, you could change the nobody account to have a command for a login shell, and on top of that.... Between Linux and BSD, I know user nobody doesn't get to have actual logins on MY machines. And in BSD I think by default user nobody can't log in.
This stuff is just as easy to change as "Turn off Automatic Login" would be in Windows, so it's not like it's any more of an issue. Besides, I've never seen someone actually use the nobody account to try much of anything, since it doesn't have access to much. And of course you COULD put that thing in a sandbox or a jail.
July 28th, 2010, 08:35 PM
Sophos have a free tool that is supposed to temporarily fix this issue?
I have yet to personally test this, so take the usual precautions.
July 28th, 2010, 08:42 PM
From the Internet Storm Center:
Originally Posted by nihil
This tool currently only protects against LNK files and does not protect against PIF based exploits. It also does not protect against LNK files or targets stored on the local disk. Thanks to ISC reader Gerrit for the additional information.
July 31st, 2010, 05:09 PM
Looks like MS is issuing an out of band patch. Though they aren't saying specifically what vulnerability it addresses.
Microsoft will issue an out-of-band patch on Monday for a critical vulnerability in all of the current versions of Windows. The company didn't identify which flaw it will be patching, but the description of the vulnerability is a close match to the LNK flaw that attackers have been exploiting for several weeks now, most notably with the Stuxnet malware.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
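Since the point made earlier in the thread is that Explorer parses a .lnk's target list just to display it, a defender triaging shortcuts (say, from a USB stick) can parse that same structure offline and flag shortcuts whose target is not a plain file on disk. The following is an added example, not code from any poster here or from Sophos or ISC; it follows the MS-SHLLINK header and ID-list layout, the sample shortcuts are constructed inline, and the shell item class types named in the comments are assumptions from public documentation of the shell item format.

```python
import struct
import uuid

# Shell Link (.lnk) header constants per MS-SHLLINK (assumed from the public spec).
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_IDLIST = 0x01   # LinkFlags bit: a LinkTargetIDList follows the header
# Shell item class types (assumed): 0x31/0x32 (and 0x35/0x36 Unicode variants) are
# directory/file entries; 0x1F is a CLSID root folder and 0x71 a control panel item,
# both resolved by loading a handler rather than by opening a path on disk.
FILE_SYSTEM_ITEM_TYPES = {0x31, 0x32, 0x35, 0x36}

def parse_lnk(data):
    """Parse the 76-byte header and the LinkTargetIDList Explorer walks on display."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("unexpected LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    items, pos = [], 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos, end = pos + 2, pos + 2 + idlist_size
        while pos + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, pos)
            if item_size == 0:          # TerminalID ends the list
                break
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
    return flags, items

def needs_review(data):
    """True when no shell item in the target list is a file-system entry, i.e. the
    shortcut resolves through a CLSID/handler instead of a path on disk."""
    flags, items = parse_lnk(data)
    if not flags & HAS_LINK_TARGET_IDLIST or not items:
        return True
    return not any(item and item[0] in FILE_SYSTEM_ITEM_TYPES for item in items)

def build_lnk(items, flags=HAS_LINK_TARGET_IDLIST):
    """Construct a minimal .lnk (header + ID list) so the check can run offline."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist

# Constructed samples: one whose list ends in a file entry, one whose only item is a
# CLSID root folder (type 0x1F) carrying a GUID instead of a path.
FILE_LNK = build_lnk([b"\x1f" + uuid.UUID(int=0).bytes_le, b"\x32notes.txt\x00"])
CLSID_LNK = build_lnk([b"\x1f" + uuid.UUID(int=0).bytes_le])

if __name__ == "__main__":
    for name, blob in (("file-target", FILE_LNK), ("clsid-only", CLSID_LNK)):
        print(name, "review" if needs_review(blob) else "ok")
```

This only separates path-backed shortcuts from handler-backed ones; a flagged file still needs a look at the embedded GUID and any LinkInfo or string data before deciding it is hostile.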