First and foremost: if you want to cut to the chase, just download the torrent. If you want the full story, please read on…
Background
Way back when I worked at Symantec, my friend Nick wrote a blog that caused a little bit of trouble for us: Attack of the Facebook Snatchers. I was blog editor at the time, and I went through the usual sign off process and, eventually, published it. Facebook was none too happy, but we fought for it and, in the end, we got to leave the blog up in its original form.
IT security and data protection firm Sophos has today released a free tool to protect against a Windows zero-day vulnerability that is being actively exploited to infect computers.
The Sophos Windows Shortcut Exploit Protection Tool protects against a high-profile vulnerability that allows malicious hackers to exploit a bug in the way that all versions of Windows handle .LNK shortcut files. If Windows merely displays the icon of a malicious shortcut file, malicious code can be executed, without requiring any interaction by the user.
But Sophos’s free tool, available for download from www.sophos.com/shortcut, intercepts shortcut files that contain the exploit, warning the user about the executable code that was attempting to run. That means it will stop threats that use the vulnerability if they are on non-local disks, such as a USB stick.
A newly discovered hole allows man-in-the-middle-style exploits, in which one Wi-Fi user captures data from others and injects malicious traffic into the network.
Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows’ handling of shortcut files.
Malware targeting the security weakness in the handling of .lnk shortcut files has been spotted in the wild by Belarus-based security firm VirusBlokAda. The malware uses rootkit-style functionality to mask its presence on infected systems. These rootkit drivers come digitally signed by legitimate software developer Realtek Semiconductor, a further mark of the sophistication of the attack.
In an advisory, VirusBlokAda says it has seen numerous incidents of the Trojan spy payloads dropped by the malware since adding detection for the malign code last month.
Even fully patched Windows 7 systems are vulnerable to attack in cases where a user views files on an infected USB drive using Windows Explorer, security blogger Brian Krebs reports. Instead of relying on Windows AutoPlay to spread, the malware takes advantage of security weaknesses in the handling of shortcut files. Malicious shortcuts on the USB drive are reportedly capable of executing automatically when users open an infected storage device in Windows Explorer. Normally users would have to click on the link for anything to happen.
Independent researcher Frank Boldewin has uncovered evidence that the malware is targeting SCADA control systems, used to control industrial machinery in power plants and factories, and specifically Siemens WinCC SCADA systems.
“Looks like this malware was made for espionage,” Boldewin writes.
Firms faced with a spate of Windows autorun worms have responded by disabling autorun, but this advice may no longer be enough with the appearance of a new attack vector, Finnish security firm F-Secure warns. “Our initial analysis of the samples appears to indicate that the shortcuts somehow take advantage of the way in which Windows handles Control Panel shortcut files,” it adds.
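As an added example (not Sophos’s tool and not code from any of the reports above), here is a Python triage check for the shortcut pattern those reports describe: a .LNK whose link-target ID list walks into the Control Panel folder and names a .dll or .cpl that Explorer would load while rendering the icon. It parses the ShellLinkHeader and LinkTargetIDList as laid out in Microsoft’s MS-SHLLINK specification and flags the combination of the Control Panel folder CLSID and a library path. The two sample shortcuts are constructed inside the script (the `E:\payload.dll` name is invented), and the exact item layout of the in-the-wild samples is not reproduced, so treat this as a first-pass filter for a pile of shortcuts pulled off USB sticks, not a signature.

```python
import re
import struct

# Constants from the MS-SHLLINK specification (not assumptions).
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST = 0x00000001  # LinkFlags bit 0
# Control Panel virtual folder {21EC2020-3AEA-1069-A2DD-08002B30309D},
# in the mixed-endian byte order a GUID has when serialised in a shell item.
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")
# Runs of at least four printable UTF-16LE characters inside an ItemID.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_idlist(data):
    """Return the ItemID payloads from a .LNK's LinkTargetIDList,
    or None when the LinkFlags say the file carries no ID list."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    if not flags & HAS_LINK_TARGET_IDLIST:
        return None
    idlist_size, = struct.unpack_from("<H", data, HEADER_SIZE)
    pos = HEADER_SIZE + 2
    end = pos + idlist_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")
    items = []
    while pos + 2 <= end:
        item_size, = struct.unpack_from("<H", data, pos)
        if item_size == 0:          # TerminalID closes the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])   # payload after the size field
        pos += item_size
    return items


def classify_lnk(data):
    """('suspicious', [paths]) when the ID list enters the Control Panel
    folder and names a .dll/.cpl; ('benign', []) otherwise."""
    items = parse_idlist(data)
    if items is None:
        return ("benign", [])
    in_control_panel = any(CONTROL_PANEL_CLSID in item for item in items)
    libraries = []
    for item in items:
        for match in UTF16_RUN.finditer(item):
            text = match.group().decode("utf-16-le")
            if text.lower().endswith((".dll", ".cpl")):
                libraries.append(text)
    if in_control_panel and libraries:
        return ("suspicious", libraries)
    return ("benign", [])


def build_lnk(items):
    """Assemble a minimal .LNK around the given ItemID payloads.
    Used only to construct test input here; real shortcuts carry more."""
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_LINK_TARGET_IDLIST)
    return bytes(header) + struct.pack("<H", len(idlist)) + idlist


# Constructed samples: a plain file shortcut, and one that walks into the
# Control Panel folder and points at an invented library on a removable drive.
BENIGN_LNK = build_lnk([b"\x32" + b"notepad.exe\x00"])
SUSPICIOUS_LNK = build_lnk([
    b"\x1f" + CONTROL_PANEL_CLSID,
    b"\x00" + "E:\\payload.dll".encode("utf-16-le"),
])

if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, *classify_lnk(fh.read()))
    else:
        print("benign sample:", classify_lnk(BENIGN_LNK))
        print("suspicious sample:", classify_lnk(SUSPICIOUS_LNK))
```

Run it with one or more .LNK paths to classify real files, or with no arguments to see the two constructed samples. Scan a mounted USB image from a non-Windows analysis box, since opening the folder in Explorer is exactly the action the reports say triggers the payload.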
The Metasploit Project is proud to announce the release of the Metasploit Framework version 3.4.1. As always, you can get it from our downloads page, for Windows, Linux or as an OS-independent tarball. This release sees the first official non-Windows Meterpreter payload, in PHP as discussed last month (http://blog.metasploit.com/2010/06/meterpreter-for-pwned-home-pages.html).
Rest assured that more is in store for Meterpreter on other platforms. A new extension called Railgun is now integrated into Meterpreter courtesy of Patrick HVE, giving you scriptable access to Windows APIs and an unprecedented amount of control over post-exploitation. For those of you wishing to contribute to the framework, a new file called HACKING has been introduced that lays out a few guidelines for making it easier.
This release has 16 new exploits, 22 new auxiliary modules and 11 new Meterpreter scripts for your pwning enjoyment. For more in-depth information about this release, see the 3.4.1 release notes at
REMnux: A Linux Distribution for Reverse-Engineering Malware
REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser.
About REMnux
REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that’s listening on the appropriate ports. REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab. You can learn about malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking my course on Reverse-Engineering Malware (REM) at SANS Institute.
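As an added example (not part of REMnux and not code from this page), here is the kind of fake service that workflow depends on: a minimal DNS responder that answers every A query with the analysis box’s own address, so the infected lab VM’s connections land on whatever listener is waiting on REMnux, and logs each name the sample tries to resolve. Everything is built with the standard library; the `c2.example.test` name and the `10.0.0.2` address in the usage are made up, and `serve`, `build_query` and the other names are mine.

```python
import socket
import struct

QTYPE_A = 1


def parse_query(packet):
    """Split a DNS query into (txid, qname, qtype, raw question section)."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, _flags, qdcount = struct.unpack_from("!HHH", packet, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels = []
    pos = 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:            # compression pointers are not valid in a query name
            raise ValueError("compressed label in question")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    qtype, _qclass = struct.unpack_from("!HH", packet, pos)
    pos += 4
    return txid, ".".join(labels), qtype, packet[12:pos]


def build_response(query, lab_ip, ttl=60):
    """Answer every A query with lab_ip; answer anything else with an
    empty NOERROR reply so the client moves on instead of timing out."""
    txid, _qname, qtype, question = parse_query(query)
    if qtype == QTYPE_A:
        # QR=1, RD=1, RA=1; one question, one answer.
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        # Name as a pointer to offset 12 (the question), type A, class IN, TTL, RDLENGTH 4.
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4) + socket.inet_aton(lab_ip)
        return header + question + answer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
    return header + question


def build_query(qname, qtype=QTYPE_A, txid=0x1234):
    """Constructed query in the shape a stub resolver sends (test input only)."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


def serve(bind_ip, lab_ip, port=53):
    """Listen on UDP, log each name the sample resolves, steer it to lab_ip."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        packet, peer = sock.recvfrom(512)
        try:
            _, qname, qtype, _ = parse_query(packet)
        except (ValueError, IndexError):
            continue                 # malformed or truncated; ignore it
        print(f"{peer[0]} asked for {qname} (qtype {qtype}) -> {lab_ip}")
        sock.sendto(build_response(packet, lab_ip), peer)


if __name__ == "__main__":
    import sys
    # Usage: python fakedns.py <bind ip> <ip to hand out>
    # e.g. python fakedns.py 10.0.0.2 10.0.0.2 on the analysis box, with the
    # infected VM's DNS server pointed at 10.0.0.2.
    serve(sys.argv[1], sys.argv[2])
```

Point the infected VM’s DNS setting at the REMnux address, run this as root (port 53), and the log of resolved names is the first indicator list you get from a sample; the A answers then pull its HTTP or IRC traffic onto whatever you have listening on the same host.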
What REMnux Is Not
REMnux isn’t a fancy distribution that was built from scratch… In simple terms, it’s a virtual machine that runs Ubuntu and has various useful malware tools set up on it. REMnux does not aim to include all malware analysis tools in existence. Many of these tools are designed to work on Windows, and investigators prefer to use Windows systems for running such tools. If you are interested in running Windows analysis tools on a Linux platform, take a look at the Zero Wine project. If you are looking for a more full-featured Linux distribution focused on forensic analysis, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.