Subscribe to Virus Experts – We Make Your Digital Life Secured RSS FeedSubscribe to Virus Experts – We Make Your Digital Life SecuredComments FEED

Browse > Home /

More malware exploiting Windows shortcut vulnerability

July 26, 2010 by admin  
Filed under Security News

Leave a Comment

It probably won’t come as a surprise to anyone, but more evidence has come to light that cybercriminals are actively exploiting the Windows shortcut vulnerability (also known as CVE-2010-2568).

 

Like the earlier Stuxnet attack, more examples of specially crafted shortcut (.LNK) files that point to malicious code and trick Windows into executing it without user interaction have been analysed in our labs.

 

Overnight Sophos saw two malware samples that were being spread by the .LNK vulnerability. Customers of Sophos products were already protected as we detect the .LNK shortcuts generically as Exp/Cplink-A or Troj/Cplink – however, here is more information on the specific malware:

 

Troj/Chymin-A:
Also known as Chymine, this keylogging Trojan horse is designed to steal information from infected computers.

 

Troj/Chymin-A may be downloaded by exploited Windows Shortcut (.LNK) files.

 

W32/Dulkis-A:
W32/Dulkis-A is the more interesting of the two examples of malware we saw related to the exploit overnight, as it drops .LNK shortcut files that exploit the vulnerability to removable drives such as USB sticks. Sophos products detect these .LNK files as Exp/Cplink-A.

 

W32/Dulkis-A is a Windows worm, written in obfuscated Visual Basic, which copies itself to any attached removable storage device using the files 9.tmp (detected as Mal/TDSSPack-Z), xxx.dll (detected as W32/Dulkis-A) and <randomname>.tmp (detected as Troj/Nebule-Gen).

 

 

Read More…

 

Tags: , , , , , , , ,

How to Maximize the Malware Protection of Your Removable Drives (Manually)

September 27, 2009 by admin  
Filed under Protection Tools

Leave a Comment

Removable drives are one of the most common infection vectors for malware today. Worms propagate via these vectors to proliferate their payload and ultimately, infect more users.

 

Users need to perform some countermeasures to secure their systems. One way of doing this is to protect removable drives against worms using the Autorun feature.

 

One popular way of protecting removable drives is by creating a folder or file and renaming it as AUTORUN.INF. It could enable the malware to automatically run on the system even without the users executing it. By creating this file beforehand, ideally, worms would not be able to run in this way.

 

However, this method is not perfect. Worms can delete the existing AUTORUN.INF file or folder, and then replace it with a malicious version. This would negate any protection placed by the user on the said file. However, by using file permissions to restrict changes, the AUTORUN.INF file can be protected more effectively.

 

Note: Make sure that your external drive is formatted using NTFS, as this procedure uses a specific feature of NTFS. If your removable drive is formatted using either FAT or FAT32, back up any data on the said drive first and reformat using NTFS. This may require Windows Vista or Windows 7.

 

  • Create a new folder in the root directory of the removable disk and rename it as “AUTORUN.INF.”
  • Create four more folders in the same location and named it as “recycle,” “recycler,” “recycled,” and “setup” respectively.

Note: The folders recycle, recycler, recycled and setup are optional but it is recommended for users to create these as malware often use these names/titles.

 

  • Open a command prompt (cmd.exe) and go to the root directory of your removable drive.

 

  • Set the folder attributes using the following DOS command:

attrib autorun.inf /s /d –a +s +r


attribthumbnail How to Maximize the Malware Protection of Your Removable Drives (Manually)
Figure 1. Setting the folder attributes


  • Set the privilege level of the folder using the following DOS command:

cacls autorun.inf /c /d administrators


caclsthumbnail How to Maximize the Malware Protection of Your Removable Drives (Manually)
Figure 2. Setting the privilege level of the folder


  • Select ‘Y’ and press enter when the message, “Are you sure (Y/N)?” is prompted.


  • To test it, try to delete, modify, rename, copy, or open the created folder. If you cannot perform any of these functions, then the procedure is successful.


delete.cpgif How to Maximize the Malware Protection of Your Removable Drives (Manually)
Figure 3. When the user deletes the created folder, the system displays this message prompt.


In addition to the above procedure, users may also choose to use hardware means of protection. Certain removable drives have an external switch that prevents the device from being written to. This would prevent malware from making any modifications to the drive, including the AUTORUN.INF file. However, as this may prove to be somewhat inconvenient, it is still a good idea to use the procedure shown above.



by Christian Potencia (Threat Response Engineer) at trendmicro.com


Tags: , , , ,