Mark Minasi's Reader Forum
 Microsoft Zero Day Exploit
JSCLMEDAVE
Administrator

USA
4816 Posts
Status: offline

Posted - 07/23/2010 :  3:44:34 PM
Doug Spindler of Pacific IT Professionals posted a really good write up on the latest Microsoft Zero Day Exploit...

Thanks Doug!



Black Hat and Defcon are a few weeks away, but there's a Windows 0-day vulnerability that I'm just getting news of that should be of interest to all of you. This 0-day exploit has been out there for at least 10 years and may go all the way back to NT. It turns out there is a subtle error in the way the Windows shell (which displays icons, Start Bars, menus, shortcuts, etc.) parses the icons of .LNK files or shortcuts.

A researcher in Belarus found in the wild code that makes use of this exploit and is targeting Siemens SCADA (supervisory control and data acquisition) systems. While most of you do not have SCADA systems, you are indirectly affected as these systems are used to control the power grids, oil production, nuclear power plants, wastewater treatment, fabrication and many other industrial processes.

Siemens programmers made it very easy for the malware creators to install a root kit and take control of the SCADA systems as, (you ready for this) they only used one hard coded password for all customers. In Vista Microsoft did something that was supposed to make it more difficult for malware creators to install altered drivers: they required driver signing. (Remember all those Apple ads making fun of Windows for requiring approval before continuing?) Along those same lines Microsoft required driver signing, something I'm sure you've no doubt complained about with Vista and Windows 7. Well that was a good thing as it prevents non-signed driver (.sys) files from being installed.

This would have prevented this root kit from being installed had it not been for the fact the drivers were signed. (This is the James Bond part.) Turns out these malware writers are not dumb. They used signed drivers using a stolen PRIVATE key from RealTek. (Ooops) Once this was discovered Microsoft and RealTek contacted Verisign (signer of RealTek's certificates) and revoked them immediately. Microsoft has added one or more certifications to Microsoft's Certificate Revocation List, (CRL). If you've done Windows Update in the past week or so you should find a new CRL file has been installed.

THIS IS WHY YOU WANT TO KEEP ALL OF YOUR MACHINES PATCHED AND UP TO DATE. YOU ALWAYS WANT THE LATEST UP TO DATE CRL FILE.

But wait there's more - Someone recently found almost the same exploit using a cert from JMicron Technology Group. But an ESET researcher realized that JMicron and RealTek are both in the same building complex in Hsinchu, Taiwan. It has now been found that both companies' private keys have been used to sign malware carrying an exploit. Coincidence?

This is a true zero-day exploit. (For more info Metasploit.) The cyber-criminals know how to use this exploit and are. (Microsoft's security report is acknowledging this exploit.)

But wait I have even more for you.

This exploit is being propagated by USB thumb drives, in a way reminiscent of the early Mac floppy disk viruses which spread the virus just by inserting the floppy disk. Well these guys have found they can do the same with the USB thumb drives even if autorun is disabled. You can't see the files because the files are masked and will not be presented to the Windows Shell. (You would be able to see the code with a disk sector editor as Sam and I showed you last meeting.) Just the act of displaying the icon of the USB key executes the malicious code and spreads the malware. This malware (worm) is spreading on the order of 9,000 machines per day or over a quarter of a million machines per month.

Microsoft also acknowledges the spread/infection of the malware can happen by displaying .LNK files, but also in Office documents. That's ANY Office document including Outlook. So receiving infected email containing one of these can compromise your system. And they also acknowledge websites can do it too. You can now have a malicious website that will display and leverage the vulnerability in the shell. It might be ALL browsers, (don't know yet) but IE has been confirmed by Microsoft. We will know more in the weeks to come.

For now there is NOT a fix. Microsoft has posted a Fix it which makes some changes to the registry and shows some manual changes that can be made. The problem is the "FIX" will no longer display your icons and instead will display generic white rectangles leaving you iconless. There are some registry changes and other "fixes" that can be applied, but nothing that's a real fix.

What OSs are affected? Looks like every version of Windows going back to NT, but Microsoft is not saying; they are only commenting on supported versions, XP-SP3 and newer. (Remember Windows XP-SP2 is no longer a supported product, same with Windows 2000 and older.)

I'll try to keep you posted as I get more information. If you have any additional information or corrections please post for all to read on Pac IT Pros news site.

www.pacitnews.org

I will close in saying have a nice weekend.

Doug

Tim-

"Will the woman who left her 9 kids at Wrigley field please come and claim them? - they're beating the Cubs 5-0"
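An added example, not part of Doug's write-up or anything posted in this thread: a PowerShell script that applies, and later reverts, the "disable shortcut icon display" workaround from Microsoft advisory 2286198, which is what the Fix it automates and why shortcuts turn into blank white icons. It assumes the workaround is clearing the (Default) value of HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler, a key the thread itself does not quote, and that it is run from an elevated prompt.

```powershell
# Added example (not from the thread). Assumption: the advisory workaround
# clears the (Default) value of HKCR\lnkfile\shellex\IconHandler.
# Run from an elevated PowerShell prompt; revert once MS10-046 is deployed.

$IconHandlerKey = 'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'
$BackupFile     = Join-Path $env:ProgramData 'lnk-iconhandler-backup.txt'

function Backup-LnkIconHandler {
    # Save the current handler CLSID so the change can be undone later.
    $current = (Get-ItemProperty -Path $IconHandlerKey).'(default)'
    if ([string]::IsNullOrEmpty($current)) {
        Write-Warning 'IconHandler default value is already empty; nothing to back up.'
        return
    }
    Set-Content -Path $BackupFile -Value $current
    Write-Host "Backed up IconHandler CLSID $current to $BackupFile"
}

function Disable-LnkIconHandler {
    # An empty default value stops the shell from loading the shortcut icon
    # handler, so .LNK icons are no longer parsed (and show as blank rectangles).
    Backup-LnkIconHandler
    Set-ItemProperty -Path $IconHandlerKey -Name '(default)' -Value ''
    Write-Host 'Shortcut icon handler disabled. Log off or restart Explorer to apply.'
}

function Restore-LnkIconHandler {
    # Put the saved CLSID back once the real patch has been installed.
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    $saved = (Get-Content -Path $BackupFile -Raw).Trim()
    Set-ItemProperty -Path $IconHandlerKey -Name '(default)' -Value $saved
    Write-Host "Restored IconHandler CLSID $saved"
}

function Test-LnkIconHandlerDisabled {
    # Quick check for an inventory script: $true when the workaround is in place.
    $current = (Get-ItemProperty -Path $IconHandlerKey).'(default)'
    return [string]::IsNullOrEmpty($current)
}
```

Test-LnkIconHandlerDisabled can be run across machines to confirm the workaround is actually in place before the patch lands, and that it has been reverted afterwards.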

MrEclipseguy
Honorable But Hopeless Addict

USA
1271 Posts
Status: offline

Posted - 07/23/2010 :  3:49:49 PM
Good thing we got our SUS server up and running. Very good info. Thanks Tim.

Mike

Even though WDS is the spawn of Satan he ain't that Scary!!

dmarelia
Moderator

USA
2833 Posts
Status: offline

Posted - 07/23/2010 :  6:26:29 PM
I just posted a blog entry on how you can also use GP Preferences to apply this "FixIt" to all your machines: http://bit.ly/9VCQXN

Darren Mar-Elia
Group Policy Resource Site: http://www.gpoguy.com
Group Policy Blog: http://www.sdmsoftware.com/blog
Group Policy on Twitter:
http://www.twitter.com/grouppolicyguy

aval
Honorable But Hopeless Addict

USA
2204 Posts
Status: offline

Posted - 07/24/2010 :  09:13:31 AM
quote:
Good thing we got our SUS server up and running.

Does the latest CRL resolve the problem or not?

quote:
The problem is the "FIX" will no longer display your icons and instead will display generic white rectangles leaving you iconless.

quote:
I just posted a blog entry on how you can also use GP Preferences to apply this "FixIt" to all your machines: http://bit.ly/9VCQXN

My phone would be ringing off the hook, as they say.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

http://www.microsoft.com/technet/security/advisory/2286198.mspx

Yet another reason to not allow end users to log on as admin


sreeraj
Here To Stay

India
203 Posts
Status: offline

Posted - 08/04/2010 :  05:00:47 AM
So, MS has finally come out with a Patch http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx


Sreeraj
http://www.sreerajnair.com

daemonroot
Seasoned But Casual Onlooker

Costa Rica
46 Posts
Status: offline

Posted - 08/23/2010 :  12:28:15 PM
Hats off to Darren (just as usual).

~D~
http://telnet25.blogspot.com/
Mark Minasi's Reader Forum © 2002-2009 Mark Minasi