Microsoft readies emergency patch for Shortcut zero-day flaw
August 5, 2010 by admin
Filed under Security News
Updated: Good news from Microsoft. It has announced that it plans to release an emergency out-of-band update to patch a critical Windows security vulnerability that is being actively exploited by malware.
The so-called Shortcut exploit uses specially crafted shortcut (.LNK) files that point to malicious code and trick Windows into executing it without user interaction.
Malware exploiting the vulnerability has included Stuxnet, Chymin and Dulkis, Zbot, and – most recently – Sality.
“In the past few days, we’ve seen an increase in attempts to exploit the vulnerability. We firmly believe that releasing the update out of band is the best thing to do to help protect our customers,” Christopher Budd, Senior Security Response Communications Manager at Microsoft, wrote on the MSRC blog.
Microsoft normally publishes its security patches on the second Tuesday of each month, but this one is scheduled to be released today (Monday, August 2 2010) at 10am PST (1800 BST).
Whenever Microsoft releases an out-of-band patch it’s a big deal – they clearly think it’s an important enough issue to break their regular cycle and you should pay attention too. We would recommend that computer users apply the patch as soon as possible.
As Microsoft is issuing a permanent patch for the shortcut vulnerability, we would recommend that users uninstall the Sophos Windows Shortcut Exploit Protection Tool before applying the Microsoft fix.
SophosLabs – What is Fake Anti-Virus?
August 1, 2010 by admin
Filed under Security Channel
Free Windows Shortcut Exploit Protection Tool From SOPHOS
July 27, 2010 by admin
Filed under Protection Tools
What is the Windows Shortcut Exploit?
The Windows Shortcut Exploit, also known as CPLINK, is a zero-day vulnerability in all versions of Windows that allows a Windows shortcut link, known as an .lnk file, to run a malicious DLL file. The dangerous shortcut links can also be embedded on a website or hidden within documents.
Shortcut zero-day attack code goes public
July 20, 2010 by admin
Filed under Security News
If you’ve been following Chet Wisniewski’s blog over the last few days you will already know about the serious zero-day vulnerability that has been found in versions of Windows.
Since confirmed by Microsoft, there exists a vulnerability in versions of Windows which allows a maliciously-crafted Windows shortcut file (.lnk) to run a malicious DLL file, simply by being viewed on a USB stick.
Furthermore, the attack can be initiated automatically by viewing an affected USB storage device via Windows Explorer, even when AutoRun and AutoPlay are disabled. The Microsoft Security Response Center (MSRC) says that the security hole can also be remotely exploited via WebDAV and network shares.
You can watch the following YouTube video where Chet shows the attack in action:
In this case, the DLL executed carries a rootkit – helping hide the infection from prying eyes.
What is of particular concern, of course, is that other malicious hackers might try to exploit the vulnerability – as it would certainly be a useful tool in any malware’s arsenal. The chances of that occurring have increased over the weekend, as a hacker called Ivanlef0u published proof-of-concept code on the internet.
In the past we’ve seen worms (Conficker is perhaps the most famous example) spread successfully via USB devices, which prompted many firms to disable AutoPlay.
There is a real risk that more malware will take advantage of the zero-day exploit now the code is “out there”, taking things to a whole new level.
So far, Microsoft has not made a patch available for the problem and has given no timeline as to when a proper fix will be available. However, I’m sure they are feverishly working on a security update for this critical vulnerability.
Sophos detects the malware we’ve seen so far using the exploit as W32/Stuxnet-B and Troj/Cplink-A.
Google ‘malware’ sponsored advert delivers fake anti-virus
July 15, 2010 by admin
Filed under Security News
“Be careful what you ask for – you might get it.”
That’s the thought running through my head today after I searched for the word “malware” on Google.
As you’ll see in the following short YouTube video I made, a sponsored link right at the top of the Google search results points to a fake anti-virus website posing as a legitimate security company:
If you download the fake anti-virus program promoted on the website you risk infection by malware identified by Sophos as Troj/FakeAV-AOV.
Contract_05_07_2010.zip – all you’ll contract is a malware infection
July 8, 2010 by admin
Filed under Security News
SophosLabs is seeing another widespread malicious spam attack being sent to email addresses around the world. The emails, which have a malware-infected attachment called Contract_05_07_2010.zip, pretend to be a legal contract – however, opening the contents of the file could infect your Windows computer.

A typical email reads:
Subject: Permit for retirement
Message body:
Good day,
We have prepared a contract and added the paragraphs that you wanted to see in it.
Our lawyers made alterations on the last page. If you agree with all the provisions we are ready to make the payment on Friday for the first consignment.
We are enclosing the file with the prepared contract.
If necessary, we can send it by fax.
Looking forward to your decision.
<name>
Attached file: Contract_05_07_2010.zip
Guest blog: Adobe, make my day. Disable JavaScript by default
July 5, 2010 by admin
Filed under Security News
Users around the world will be pleased to learn that Adobe has managed to release an accelerated security update for Adobe Reader and Acrobat (APSB10-15) before the planned release date (13th July). The latest version of Adobe Acrobat and Reader for Windows is now 9.3.3.
The security update includes fixes for 17 vulnerabilities, which means that the guys from Adobe PSIRT have been working very hard in the last month or so.
From the malware protection point of view the most important vulnerability patched with the latest update is CVE-2010-1297 which has been actively exploited since its discovery on June 5th.
Although the vulnerability affected Adobe Flash, PDF files were the main vehicle for delivering malicious payloads. A booby-trapped PDF file would contain a Flash animation which would trigger the vulnerability, JavaScript code which would be used to create a memory layout that allows the exploit to successfully launch shellcode and, ultimately, an encrypted executable payload which would deliver the final functionality. This exploit is more complex than the usual exploits we have become used to in the last few years and it may mark a new trend in the direction of writing exploits and shellcode.
The common thread in most, if not all, Adobe exploits is the requirement for JavaScript as exploits will work correctly only if JavaScript is enabled. This is why we recommend all users disable JavaScript in Adobe Acrobat and Reader.
90 Second Security Roundup (Video)
June 22, 2010 by admin
Filed under Security Channel
Sophos iPhone app – free download now available
June 14, 2010 by admin
Filed under Security News
Sophos has launched its first application for the Apple iPhone – designed to give you a better view of the security threats that are out there, with live hourly updates direct from SophosLabs.
The app, which also runs on the iPod Touch and the iPad, allows you to access Sophos information when you’re on the move or away from your desk, and includes the following supa-dupa features:
Threat Spotlight: Experts from our labs detail some of the most interesting threats that they have analysed in the last week, explaining who is at risk, details of the attack and how to avoid becoming a victim.
Latest threats: A dynamic list of the latest top ten threats analysed by the experts in SophosLabs, providing detailed information on their prevalence and a helpful link to further details on the Sophos website.
Stats: Sexy graphs to bamboozle your boss with – showing in technicolour pie charts the latest stats for top email attachment malware attacks, spam and web-based threats.
Maps: Now this is funky. Your iPhone will show you a world map, allowing you to view not just the latest email, spam and web attacks – but where they have been spotted around the world. You can even zoom in on particular countries, and view the subject lines of spams being sent around the globe.
Info: Links to our blogs, our latest threat report, and loads of other good stuff.
So, what are you waiting for? Grab it from the Apple App Store now, or search for “Sophos” in the iTunes App Store.
We’re very interested in getting feedback as to what you think of this Sophos app. So please do leave us a rating and a review on iTunes, as it will help us decide if we should develop it further.
Also, if you have the time, why not quickly fill in the following survey to tell us what you’d like to see next from the Sophos Security Threat Monitor app?
Bad tidings as Greeting_Card.zip spam spreads malware
June 2, 2010 by admin
Filed under Security News
SophosLabs are intercepting a major new malicious spam campaign which is disguising itself as a greeting card from “someone who cares about you”.

The messages, which have been sent to email addresses around the globe, typically read similar to the following:
Good afternoon,
You have just received a postcard Greeting from someone who cares about you..Please find zip file with your Greeting Card attached to this mail!
Thank you for using www.Greetings.com services !!!
Please take this opportunity to let your friends hear about us by sending them a postcard from our collection !
The messages come complete with an attached ZIP file (Greeting_Card.zip) which contains a malicious payload, designed to infect Windows computers.














