TDL4 – Top Bot

July 24, 2011 by admin  
Filed under Security News

TDSS variants

 

The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today. TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.

 

Its creator calls this program TDL. Since it first appeared in 2008, malware writers have been perfecting their creation little by little. By 2010, the latest version was TDL-3, which was discussed in depth in an article published in August 2010.

 

The creators of TDSS did not sell their program until the end of 2010. In December, when analyzing a TDSS sample, we discovered something odd: a TDL-3 encrypted disk contained modules of another malicious program, SHIZ.

 

Figure: TDL-3 encrypted disk with SHIZ modules

 

At that time, a new affiliate program specializing in search engine redirects had just emerged on the Internet; it belonged to the creators of SHIZ, but used TDL-3.

 

The changes that had been made to the TDL-3 configuration and the emergence of a new affiliate marketing program point to the sale of TDL-3 source code to cybercriminals who had previously been engaged in the development of SHIZ malware.

 

Why did the creators of TDL decide to sell source code of the third version of their program? The fact is that by this time, TDL-4 had already come out. The cybercriminals most likely considered the changes in version 4 to be significant enough that they wouldn’t have to worry about competition from those who bought TDL-3.

 

In late 2010, Vyacheslav Rusakov wrote a piece on the latest version of the TDSS rootkit focusing on how it works within the operating system. This article will take a closer look at how TDL-4 communicates with the network and uploads data to the botnet, which numbered over 4.5 million infected computers at the time of writing.

 

Yet another affiliate program

 

The way in which the new version of TDL is spread has changed little: as before, it is distributed via affiliates. Affiliate programs offer a TDL distribution client that checks the version of the operating system on a victim machine and then downloads TDL-4 to the computer.

 

Figure: Affiliates spreading TDL

 

Affiliates receive between $20 and $200 for every 1,000 installations of TDL, depending on the location of the victim computer. Affiliates can use any installation method they choose. Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.

 

The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other. The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.

 

The ‘indestructible’ botnet

 

Encrypted network connections

 

One of the key changes in TDL-4 compared to previous versions is an updated algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers. The cybercriminals replaced RC4 with their own encryption algorithm built from XOR operations and byte swaps. The domain names to which connections are made and the bsh parameter from the cfg.ini file are used as encryption keys.

 

Readers may recall that one of the distinguishing features of malware from the TDSS family is a configuration file containing descriptions of the key parameters used by various modules to maintain activity logs and communications with command and control servers.

 

Figure: Example of configuration file content

 

Compared to version 3, there are only negligible changes to the format of the configuration file. The main addition is the bsh parameter, an identifier for the individual copy of the malware, which is provided by the command and control server the first time the bot connects. This identifier acts as one of the encryption keys for subsequent connections to the command and control server.

 

Figure: Part of the code modified to work with the TDL-4 protocol

 

Upon protocol initialization, a swap table is created for the bot’s outgoing HTTP requests. This table is initialized from two keys: the domain name of the botnet command and control server, and the bsh parameter. The source request is encrypted with it and then converted to base64, and random base64 strings are prepended and appended to the result. Once ready, the request is sent to the server using HTTPS.

 

The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet runs smoothly, shields the bots’ traffic from network analysis, and blocks attempts by other cybercriminals to take control of the botnet.

 

An antivirus of its own

Just like Sinowal, TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.

 

TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.

 

Figure: TDSS module code which searches the system registry for other malicious programs

 

TDSS contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc. TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them.

 

This ‘antivirus’ actually helps TDSS; on the one hand, it fights cybercrime competition, while on the other hand it protects TDSS and associated malware against undesirable interactions that could be caused by other malware on the infected machine.

 

Which malicious programs does TDL-4 itself download? Since the beginning of this year, the botnet has installed nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot.

 

Figure: TDSS downloads

 

Notably, TDL-4 doesn’t delete itself following installation of other malware, and can at any time use the r.dll module to delete malware it has downloaded.

 

Botnet access to the Kad network

 

One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?

 

We have known about botnets controlled via P2P for some time now, although until now these used closed protocols created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below:

  1. The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS.
  2. Computers infected with TDSS receive the command to download and install the kad.dll module.
  3. Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients.
  4. The kad.dll module then sends a request to the Kad network to search for the ktzerules file.
  5. Once the ktzerules file has been downloaded and decrypted, kad.dll runs the commands which ktzerules contains.

 

Figure: Encrypted kad.dll updates found on the Kad network

 

Below is the list of commands contained in a ktzerules file (after decryption).

 

  • SearchCfg – search Kad for a new ktzerules file
  • LoadExe – download and run the executable file
  • ConfigWrite – write to cfg.ini
  • Search – search Kad for a file
  • Publish – publish a file on Kad
  • Knock – upload a new nodes.dat file to the C&C containing a list of IP addresses of Kad servers and clients, including those infected with TDSS.

 

The most interesting command is Knock. This command allows the cybercriminals to build their own Kad-based P2P network, whose clients are exclusively TDSS-infected computers.

 

Figure: How the publicly accessible and closed Kad networks overlap

 

Essentially, the TDSS botnet’s kad.dll module is more or less equivalent to cmd.dll in terms of control function. By distributing nodes.dat files containing the IP addresses of Kad clients, together with a ktzerules file that carries a command to download a new nodes.dat from the cybercriminals’ servers, the owners of the botnet can both include their infected computers in the publicly accessible Kad network and remove them from it. The publicly accessible Kad network contains no more than 10 TDSS-infected computers, which makes replacing the ktzerules file there about as ineffective as possible and so prevents other cybercriminals from taking control of the botnet. The total number of TDSS-infected computers on the closed network is in the tens of thousands.

 

Figure: Kad.dll code responsible for sending commands from the TDL-4 cybercriminals

 

Furthermore, access to Kad makes it possible for the cybercriminals to download any files to botnet machines and make them accessible to P2P users. This includes adult content files and stolen databases.

 

The key threat that such a botnet poses is that even when its command and control centers are shut down, the botnet owners will not lose control over infected machines. However, the system does face two major obstacles:

  1. By using the publicly accessible Kad network, the cybercriminals still run the risk of fake botnet commands.
  2. When developing the kad.dll module for maintaining communication with the Kad network, code with a GPL license was used — this means that the authors are in violation of a licensing agreement.

 

Extended functionality

 

In addition to its known adware function, TDL-4 has added some new modules to its arsenal. This article has already touched on the ‘antivirus’ function and the P2P module. The owners of TDSS have also added several other modules to their malware, and now offer services such as anonymous network access via infected machines and 64-bit support.

 

The proxy server module

 

A file called Socks.dll has been added to TDSS’s svchost.exe; it is used to establish a proxy server on an infected computer. This module facilitates the anonymous viewing of Internet resources via infected machines.

 

Having control over such a large number of computers with this function, the cybercriminals have started offering anonymous Internet access as a service, at a cost of roughly $100 per month. For the sake of convenience, the cybercriminals have also developed a Firefox add-on that makes it easy to toggle between proxy servers within the browser.

 

Figure: Firefox add-on for anonymous Internet use via the TDSS botnet

64-bit support

 

The appearance of a 64-bit malicious driver in TDSS was another innovation in malware in 2010. In order to support operations with 64-bit systems in user mode, TDL-4 contains a module called cmd64.dll, a version of cmd.dll for 64-bit systems. However, due to the limitations of working with 64-bit programs, cmd64.dll code only provides communication with the botnet command and control servers.

 

Figure: List of botnet command and control center commands

Working with search engines

 

The cmd.dll module remains almost completely unchanged. This module facilitates communication with the botnet command and control servers and substitutes search results, i.e. it fraudulently manipulates advertising systems and search engines. The newest innovation in the list of commands for TDSS is the SetName command, which assigns a number to each infected computer. For search engines and banner networks, TDSS uses the same fake click and traffic technologies as similar malicious programs. However, TDSS has the longest list of search engines for which it substitutes search results.

 

Figure: List of search engines supported by TDSS

Botnet command and control servers

When running, TDSS uses several sources to obtain lists of command and control server addresses. The default list is taken from cmd.dll; if these addresses are inaccessible, then TDSS gets a list from cfg.ini. If for some reason no command and control server listed is accessible, then a list is created from an encrypted file called bckfg.tmp, which the bot receives from the command and control server on first connection. Since the beginning of the year, around 60 command and control centers have been identified across the globe.

 

Control server address | Address at the beginning of February | Address at the beginning of March | Share of mentions in C&C lists
("noip" means the name did not resolve at that time.)

01n02n4cx00.cc | noip | noip | 0.05%
01n02n4cx00.com | 91.212.226.5 | noip | 0.43%
01n20n4cx00.com | 91.212.226.5 | 91.193.194.9 | 0.21%
0imh17agcla.com | 77.79.13.28 | 91.207.192.22 | 0.80%
10n02n4cx00.com | 194.28.113.20 | 194.28.113.20 | 0.22%
1il1il1il.com | 91.212.158.72 | 91.212.158.72 | 6.89%
1l1i16b0.com | 91.193.194.11 | 91.193.194.11 | 0.43%
34jh7alm94.asia | 205.209.148.232 | noip | 0.03%
4gat16ag100.com | noip | noip | 2.07%
4tag16ag100.com | 178.17.164.129 | 91.216.122.250 | 6.69%
68b6b6b6.com | noip | noip | 0.03%
69b69b6b96b.com | 91.212.158.75 | noip | 6.89%
7gaur15eb71.com | 195.234.124.66 | 195.234.124.66 | 6.85%
7uagr15eb71.com | noip | noip | 2.07%
86b6b6b6.com | 193.27.232.75 | 193.27.232.75 | 0.14%
86b6b96b.com | noip | noip | 0.24%
9669b6b96b.com | 193.27.232.75 | 193.27.232.75 | 0.22%
cap01tchaa.com | noip | noip | 2.19%
cap0itchaa.com | noip | noip | 0.58%
countri1l.com | 91.212.226.6 | 91.212.158.72 | 6.89%
dg6a51ja813.com | 91.216.122.250 | 93.114.40.221 | 6.85%
gd6a15ja813.com | 91.212.226.5 | 91.212.226.5 | 2.07%
i0m71gmak01.com | noip | noip | 0.80%
ikaturi11.com | 91.212.158.75 | noip | 6.89%
jna0-0akq8x.com | 77.79.13.28 | 77.79.13.28 | 0.80%
ka18i7gah10.com | 93.114.40.221 | 93.114.40.221 | 6.85%
kai817hag10.com | noip | noip | 2.07%
kangojim1.com | noip | noip | 0.14%
kangojjm1.com | noip | noip | 0.24%
kur1k0nona.com | 68.168.212.21 | 68.168.212.21 | 2.19%
l04undreyk.com | noip | noip | 0.58%
li1i16b0.com | noip | noip | 0.05%
lj1i16b0.com | noip | noip | 0.05%
lkaturi71.com | noip | noip | 0.14%
lkaturl11.com | 193.27.232.72 | 193.27.232.72 | 0.22%
lkaturl71.com | 91.212.226.6 | 91.212.158.72 | 7.13%
lo4undreyk.com | 68.168.212.18 | 93.114.40.221 | 2.19%
n16fa53.com | 91.193.194.9 | noip | 0.05%
neywrika.in | noip | noip | 0.14%
nichtadden.in | noip | noip | 0.02%
nl6fa53.com | noip | noip | 0.03%
nyewrika.in | noip | noip | 0.03%
rukkeianno.com | noip | noip | 0.08%
rukkeianno.in | noip | noip | 0.08%
rukkieanno.in | noip | noip | 0.03%
sh01cilewk.com | 91.212.158.75 | noip | 2.19%
sho1cilewk.com | noip | noip | 0.58%
u101mnay2k.com | noip | noip | 2.19%
u101mnuy2k.com | noip | noip | 0.58%
xx87lhfda88.com | 91.193.194.8 | noip | 0.21%
zna61udha01.com | 195.234.124.66 | 195.234.124.66 | 6.85%
zna81udha01.com | noip | noip | 2.07%
zz87ihfda88.com | noip | noip | 0.43%
zz87jhfda88.com | 205.209.148.232 | 205.209.148.233 | 0.05%
zz87lhfda88.com | noip | noip | 0.22%

 

A careful examination of this list reveals that the IP addresses of command and control centers are constantly changing, while some command and control centers are phased out altogether. These changes are due to the use of proxy servers, which hide the true location of the command and control centers.

 

Command and control server statistics

 

Despite the steps taken by cybercriminals to protect the command and control centers, knowing the protocol TDL-4 uses to communicate with servers makes it possible to create specially crafted requests and obtain statistics on the number of infected computers. Kaspersky Lab’s analysis of the data identified three different MySQL databases, located in Moldova, Lithuania and the USA, all of which sat behind the proxy servers used to support the botnet.

 

According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.

 

Figure: Distribution of TDL-4 infected computers by country

 

Nearly one-third of all infected computers are in the United States. Going on the prices quoted by affiliate programs, this number of infected computers in the US is worth $250,000, a sum which presumably made its way to the creators of TDSS. Remarkably, there are no Russian users in the statistics. This may be explained by the fact that affiliate marketing programs do not offer payment for infecting computers located in Russia.

 

To be continued…

 

The heading of this last section has become traditional in our articles on TDSS. In this case, we have reason to believe that TDSS will continue to evolve. The signs of active development in the TDL-4 code, a rootkit for 64-bit systems, malware that runs before the operating system starts, the use of exploits from Stuxnet’s arsenal, P2P technology, its own ‘antivirus’ and a lot more, place TDSS firmly in the ranks of the most technologically sophisticated, and most complex to analyze, malware. The botnet, with more than 4.5 million infected computers, is used by cybercriminals to manipulate adware and search engines, provide anonymous Internet access, and act as a launch pad for other malware.

 

TDSS and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike. The decentralized, server-less botnet is practically indestructible, as the Kido epidemic showed.

 

Source:  Securelist.com


New Windows zero-day flaw bypasses UAC

November 26, 2010 by admin  
Filed under Security News

A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to “system,” and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed.

 


 

The exploit takes advantage of a bug in win32k.sys, which is part of the Windows kernel. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.

 

The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems. On its own, this bug does not allow remote code execution (RCE), but does enable non-administrator accounts to execute code as if they were an administrator.

 

There is one mitigation I discovered while researching this exploit. Unfortunately it is somewhat complicated. To prevent the flaw from being exploited you can perform the following actions:

  1. As an Administrator open Regedit and browse to HKEY_USERS\[SID of each user account]\EUDC
  2. Right-click EUDC and choose permissions
  3. Choose the user whose account you are modifying and select Advanced
  4. Select Add and then type in the user’s name and click OK
  5. Click the Deny checkbox for Delete and Create Subkey
  6. Click all the OKs and Apply buttons to exit
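The six-step Regedit procedure above, applied to every user hive currently loaded under HKEY_USERS, as an added PowerShell example that is not part of the original post. It assumes it is run from an elevated PowerShell session; the variable names are mine, and only hives of users who are (or have recently been) logged on are visible under HKEY_USERS, so profiles that are not loaded are skipped.

```powershell
# Added example, not from the original post: apply a Deny ACE for Delete and
# CreateSubKey on HKEY_USERS\<SID>\EUDC for each loaded user hive, as the
# manual Regedit steps above do. Assumes an elevated session.
#Requires -RunAsAdministrator

# Rights, inheritance and ACE type matching the GUI steps ("Deny" on
# "Delete" and "Create Subkey", applied to this key and subkeys).
$rights    = [System.Security.AccessControl.RegistryRights]'Delete, CreateSubKey'
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$deny      = [System.Security.AccessControl.AccessControlType]::Deny

# Real user hives are S-1-5-21-...; the regex excludes the *_Classes hives
# and the well-known service SIDs (S-1-5-18/19/20).
$userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

foreach ($hive in $userHives) {
    $sid     = $hive.PSChildName
    $keyPath = "Registry::HKEY_USERS\$sid\EUDC"
    if (-not (Test-Path -Path $keyPath)) {
        Write-Warning "$sid has no EUDC key, skipping"
        continue
    }

    # Resolve the SID to DOMAIN\user so the ACE names the account, as in step 4.
    $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
        [System.Security.Principal.NTAccount])

    $acl  = Get-Acl -Path $keyPath
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $account, $rights, $inherit, $propagate, $deny
    $acl.AddAccessRule($rule)          # Deny ACEs are placed first in the DACL
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Output "Denied Delete/CreateSubKey on $keyPath for $account"

    # Caveat: the owner of a registry key can always rewrite its DACL, so if the
    # user owns EUDC, code running as that user could remove this Deny ACE again.
    if ($acl.Owner -eq $account.Value) {
        Write-Warning "$account owns $keyPath and could remove the Deny ACE"
    }
}
```

Run it once per machine after the users in question have logged on (or load an offline hive with reg.exe load first), and keep the note from the post in mind that these keys relate to Windows code page settings, so check multilingual installations after applying it. The owner check at the end is my addition: a Deny entry on a key the user owns is a speed bump against code that simply reuses the public proof of concept, not a barrier against code written to undo the ACL change first.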

 


 

The registry keys being changed by this mitigation should not impact a user’s ability to use the system, but changing permissions related to Windows code page settings may cause problems with multilingual installations. In my testing it appears problem-free, but I have only had an hour or two to test. Use at your discretion.

 

The good news? For this to be exploited, malicious code that uses the exploit needs to be introduced. This means your email, web, and anti-virus filters can prevent malicious payloads from being downloaded. Keep an eye on the Naked Security blog for more information as we learn more about this flaw.

 

Update: Sophos detects the proof of concept as Troj/EUDPoC-A. Stay tuned for further details as they become available.

 

I’ve also created this video showing how it works and what you can do.

 

 

 

by Chester Wisniewski @ nakedsecurity.sophos.com


Internet Explorer users warned of new zero-day attacks

November 5, 2010 by admin  
Filed under Security News


 

Microsoft has warned users of all supported versions of the Internet Explorer browser that an unpatched vulnerability exists in the product that is being actively exploited by malicious hackers in targeted attacks.

 

The zero-day vulnerability, described in Microsoft’s security advisory, allows cybercriminals to execute code on remote users’ computers without their permission.

 

In other words, simply clicking on a link in an email could take you to a webpage which would silently install malicious code (such as a backdoor Trojan horse) onto your computer. In short, you could be one click away from having a hacker access your computer or commandeer it into being part of a botnet.

 

Sophos is adding detection of the malicious webpages as Mal/20103962-A, and the Trojan horse that we have seen being downloaded as Troj/GIFDldr-A.

 

According to Microsoft’s advisory, Data Execution Prevention (DEP) – which is enabled by default in Internet Explorer 8 on Windows XP SP3, Windows Vista SP1, Windows Vista SP2, and Windows 7 – helps to protect against the attacks.

 

All eyes will now be on Microsoft to see how quickly they can issue a fix for this vulnerability – it would certainly be impressive if they managed to roll-out a patch in time for next Tuesday’s “Patch Tuesday”, but that may be a little optimistic.

 

By Graham Cluley, nakedsecurity.sophos.com

 

Adobe races to patch zero-day vulnerability in Flash Player

September 26, 2010 by admin  
Filed under Security News

Adobe has issued a security advisory about an as-yet unpatched vulnerability in its popular Flash Player software, affecting users of Windows, Mac, Linux, Solaris and even Google Android.

 

The critical security hole could allow an attacker to take control of your computer and run malicious code.

 

The firm also confirmed that the vulnerability also affects Adobe Reader 9.3.4 for Windows, Mac and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Mac. The reason that Acrobat and Reader are also affected is that the programs support Flash content inside PDF files.

 

The new warnings follow closely after news last week of another vulnerability in Reader and Acrobat that was being exploited by malware authors.

 

Adobe has announced that an update for Flash Player tackling the latest vulnerability is expected to be available during the week of September 27, and an update for Acrobat and Reader will be available the following week.

 

Last month, Sophos blogger Chet Wisniewski interviewed Brad Arkin, Adobe’s Senior Director of Product Security and Privacy, about the firm’s security strategy and their upcoming sandboxing technology.

 

You can also download the interview directly in MP3 format.

 

 

Read More…

 

Critical patches for Windows and Flash Player

August 11, 2010 by admin  
Filed under Security News

If you’re a user of Windows or Flash (and I would imagine that covers the vast majority of you) then it’s time to roll out the latest critical security patches, as Microsoft and Adobe have released updates to their software.

 

First up is Microsoft, who have released a bumper bundle of fixes as part of their regular “Patch Tuesday” cycle, issuing 14 bulletins to remedy 34 security holes in Windows, Internet Explorer, Microsoft Office, Silverlight, Microsoft XML Core Services and Server Message Block.

 

Eight of the bulletins have been given Microsoft’s highest severity rating of “critical”, with the rest being labelled “important”.

 

The good news, as Chet Wisniewski explains, is that we haven’t yet seen any malware spreading by exploiting these vulnerabilities – but that may only be a matter of time.

 

Separately, Microsoft has also issued an advisory about a zero-day vulnerability, which could allow untrusted code to run on a user’s machine by exploiting a weakness in the Windows Service Isolation feature.

 

Meanwhile, another platform commonly targeted by malicious hackers has been updated to defend against security vulnerabilities.

 

Adobe has identified critical vulnerabilities in Adobe Flash Player version 10.1.53.64 and earlier, and urged users to update their installations of Flash and Adobe Air.

 

If you’re not sure which version of the Adobe Flash Player you have installed, visit the About Flash Player page. Remember that if you use more than one browser on your computer you should check the version number on each.

 

Read More…

 

 

 

Apple Security Breach Gives Complete Access to Your iPhone

August 7, 2010 by admin  
Filed under Security News

 

 


 

Right now, if you visit a web page and load a simple PDF file, you may give total control of your iPhone, iPod touch, or iPad to a hacker. The security bug affects all devices running iOS 3.1.2 and higher.

 

Update: Initially we thought that this exploit only affected iOS 4 devices, but it turns out all iPhones, iPod Touches and iPads running 3.1.2 and higher are susceptible.

 

The vulnerability is easily exploitable. In fact, the latest one-click, no-computer-required Jailbreak solution for iOS 4 devices uses this same method to break Apple’s own security (although in a completely benign way for the user).

 

How it works

It just requires the user to visit a web address using Safari. The web site can automatically load a simple PDF document that contains a font hiding a special program. When your iOS device tries to display the PDF file, that font triggers a stack-based buffer overflow, a memory-corruption condition that lets the code hidden inside the font gain complete control of your device.

 

The result is that, without any user intervention whatsoever, that program can do whatever it wants inside your iPhone, iPod touch or iPad. Anything you can imagine: Delete files, transmit files, install programs running on the background that can monitor your actions… anything can be done.

 

This is not the first time that something similar has happened. At the beginning of the iPhone’s life there was a problem with TIFF files that also caused the same security breach. Apple patched the bug after a while, but back then there were very few iPhones compared to the current installed base. Apple says that there are 100 million iPhones, iPod touches, and iPads in the world. Obviously, malicious hackers are racing to get a slice of that market.

 

How can you avoid it?

Right now, the easiest way to avoid this problem is by not going to any PDF links directly and not loading any PDF from any non-trusted source.

 

You can also jailbreak your iPhone and install a program that will ask for authorization every time your browser encounters a PDF (just look for “PDF loading warner” in Cydia).

 


While this doesn’t solve the security problem at all, at least it will remind you every single time.

 

 

Source :  http://gizmodo.com


JailbreakMe: Security warning for iPhone and iPad owners

August 5, 2010 by admin  
Filed under Security News

A website that has made it simple for iPhone and iPad users to jailbreak their devices may not just be a headache for Apple, but also a portent for future malicious attacks.

 

Owners of Apple gadgets who visit the JailbreakMe website in Safari have found that all they need to jailbreak their device is slide a button to give permission, opening up the possibility of installing apps that have not been approved by the official AppStore.

 

Previously, jailbreaking has required users to connect their device to a computer before they can start to tamper with the set-up of their iPhone or iPad and gain access to the Cydia underground app store.

 


 

The drive-by jailbreak is possible because the website exploits a vulnerability in the way that the mobile edition of Safari (the default browser used in the iOS operating system) handles PDF files – specifically its handling of fonts.

 

As a number of YouTube videos have demonstrated, it’s a pretty slick process:

 

What concerns me, and others in the security community, however, is this: if simply visiting a website with your iPhone can cause it to be jailbroken, just imagine what else hackers could do by exploiting this vulnerability. Cybercriminals would be able to create booby-trapped webpages that could, if visited by an unsuspecting iPhone, iPod Touch or iPad owner, run code on visiting devices without the user’s permission.

 

Read More…

 

 

Microsoft readies emergency patch for Shortcut zero-day flaw

August 5, 2010 by admin  
Filed under Security News

Updated: Good news from Microsoft. It has announced that it plans to release an emergency out-of-band update to patch a critical Windows security vulnerability that is being actively exploited by malware.

 

The so-called Shortcut vulnerability is exploited by specially crafted shortcut (.LNK) files that point to malicious code and trick Windows into executing it without user interaction.

 

Malware exploiting the vulnerability has included Stuxnet, Chymin and Dulkis, Zbot and, most recently, Sality.

 

“In the past few days, we’ve seen an increase in attempts to exploit the vulnerability. We firmly believe that releasing the update out of band is the best thing to do to help protect our customers,” Christopher Budd, Senior Security Response Communications Manager at Microsoft, wrote on the MSRC blog.

 

Microsoft normally publishes its security patches on the second Tuesday of each month, but this one is scheduled to be released today (Monday, August 2 2010) at 10am PST (1800 BST).

 

Whenever Microsoft releases an out-of-band patch it’s a big deal – they clearly think it’s an important enough issue to break their regular cycle and you should pay attention too. We would recommend that computer users apply the patch as soon as possible.

 

As Microsoft is issuing a permanent patch for the shortcut vulnerability, we would recommend that users uninstall the Sophos Windows Shortcut Exploit Protection Tool before applying the Microsoft fix.

 

 

Read More…

 

 

Free Windows Shortcut Exploit Protection Tool From SOPHOS

July 27, 2010 by admin  
Filed under Protection Tools


 

 

 

What is the Windows Shortcut Exploit?

The Windows Shortcut Exploit, also known as CPLINK, is a zero-day vulnerability in all versions of Windows that allows a Windows shortcut link, known as an .lnk file, to run a malicious DLL file. The dangerous shortcut links can also be embedded on a website or hidden within documents.

 

Read more

More malware exploiting Windows shortcut vulnerability

July 26, 2010 by admin  
Filed under Security News

It probably won’t come as a surprise to anyone, but more evidence has come to light that cybercriminals are actively exploiting the Windows shortcut vulnerability (also known as CVE-2010-2568).

 

Like the earlier Stuxnet attack, more examples of specially crafted shortcut (.LNK) files that point to malicious code and trick Windows into executing it without user interaction have been analysed in our labs.

 

Overnight Sophos saw two malware samples that were being spread by the .LNK vulnerability. Customers of Sophos products were already protected as we detect the .LNK shortcuts generically as Exp/Cplink-A or Troj/Cplink – however, here is more information on the specific malware:

 

Troj/Chymin-A:
Also known as Chymine, this keylogging Trojan horse is designed to steal information from infected computers.

 

Troj/Chymin-A may be downloaded by exploited Windows Shortcut (.LNK) files.

 

W32/Dulkis-A:
W32/Dulkis-A is the more interesting of the two examples of malware we saw related to the exploit overnight, as it drops .LNK shortcut files that exploit the vulnerability to removable drives such as USB sticks. Sophos products detect these .LNK files as Exp/Cplink-A.

 

W32/Dulkis-A is a Windows worm, written in obfuscated Visual Basic, which copies itself to any attached removable storage device using the files 9.tmp (detected as Mal/TDSSPack-Z), xxx.dll (detected as W32/Dulkis-A) and <randomname>.tmp (detected as Troj/Nebule-Gen).

 

 

Read More…

 
