Archive for the ‘ISC’ Category

Update on .LNK vulnerability, (Wed, Jul 21st)

Microsoft has updated its security advisory 'Vulnerability in Windows Shell Could Allow Remote Code Execution' (2286198) to describe further attack vectors for this vulnerability. It can be exploited using .LNK files on removable drives, via WebDAV and network shares, using .PIF files as well as .LNK files, and through documents that embed shortcuts. The original discussion of this vulnerability is at isc.sans.edu/diary.html?storyid=9181.



The ISC previously raised the Infocon over this issue (isc.sans.edu/diary.html?storyid=9190) and will continue to monitor for any changes. Please let us know via our contact page or by commenting below if you have any new information on the issue, have been affected by exploitation of this vulnerability, or have a copy of malware taking advantage of it.
Cheers,

Adrien de Beaupré

EWA-Canada.com

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

Firefox 3.6.7 is out!!, (Tue, Jul 20th)

More information at http://www.mozilla.com/en-US/firefox/3.6.7/releasenotes.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Lowering infocon back to green, (Tue, Jul 20th)

In line with the reasoning Handler Lenny laid out when the Infocon level was raised, we believe that the purpose of increasing awareness of this vulnerability has been fulfilled, so we are returning to green. This does not imply that the threat is over.
If we see a major attack arise using this vulnerability, we will let you know, and if it is bad enough we will raise the Infocon again.
Update: There is an interesting article from Didier Stevens about how to mitigate LNK exploitation with software restriction policies. Read it at http://blog.didierstevens.com/2010/07/20/mitigating-lnk-exploitation-with-srp/.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

Preempting a Major Issue Due to the LNK Vulnerability – Raising Infocon to Yellow, (Mon, Jul 19th)

We decided to raise the Infocon level to Yellow to increase awareness of the recent LNK vulnerability and to help preempt a major issue resulting from its exploitation. Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time. The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit has not been very effective so far.
Although the original attack used the LNK vulnerability to infect systems from a USB key, the exploit can also launch malicious programs over SMB file shares. In one scenario, attackers who have access to some systems in the enterprise can use the vulnerability to infect other internal systems.
We discussed the LNK vulnerability in a diary a few days ago. That note pointed to Microsoft's advisory, which described the bug ('Vulnerability in Windows Shell Could Allow Remote Code Execution') that affects most versions of Windows operating systems. Microsoft's workarounds for the issue include:

Disable the displaying of icons for shortcuts. This involves deleting a value from the registry, and is not the easiest thing to do in some enterprise settings. Group Policy-friendly options include the use of Registry Client-Side Extensions, the regini.exe utility and the creation of a custom .adm file: see Distributing Registry Changes for details.
Disable the WebClient service. This will break WebDAV and any services that depend on it.

Another approach to mitigating a possible LNK attack involves the use of Didier Stevens' tool Ariad. Note that the tool is beta software operating in the OS kernel, so it's probably not a good match for enterprise-wide roll-out.
Additional recommendations for making the environment resilient to an attack that exploits the LNK vulnerability include:

Disable auto-run of USB key contents. This would address one of the exploit vectors. For instructions, see Microsoft KB967715.
Lock down SMB shares in the enterprise, limiting who has the ability to write to the shares.

Sadly, enterprises that were ever likely to disable auto-run and lock down SMB file shares have probably already done so back when the Conficker worm began spreading. Another challenge is that Windows 2000 and Windows XP Service Pack 2 are vulnerable, yet Microsoft no longer provides security patches for these operating systems. As a result, we believe most environments will be exposed until Microsoft releases a patch. We're raising the Infocon level in the hope that increased vigilance will improve enterprises' ability to detect and respond to attacks that may use the LNK vulnerability.
Update: Several readers recommended focusing on preventing unauthorized code from running by using approaches such as application whitelisting. For instance, Richard and Erno mentioned AppLocker, which is an enterprise software control feature built into Windows 7. Erno wrote, "My solution is standard user accounts and Software Restriction Policy or AppLocker in Group Policy. You can block execution of any files on removable drives or network drives, or actually pretty much anywhere except system folders. In my networks I only allow execution from Windows and Program Files. Remember to apply the software restriction policy for all executable files, including libraries (dlls)." By the way, this is the kind of approach Jason Fossen and I explore in the new course we are about to debut, called Combating Malware in the Enterprise.
Do you have recommendations for addressing the LNK issue? Let us know.
-- Lenny
Lenny Zeltser - Security Consulting

Lenny teaches how to analyze and combat malware at SANS Institute. You can find him on Twitter.



Truecrypt 7.0 released, (Tue, Jul 20th)

For all those who like TrueCrypt, version 7.0 is out. Some of the new features are:

Hardware-accelerated AES
It is now possible to configure a TrueCrypt container on a USB flash drive to mount automatically whenever you insert the flash drive into a USB port. This is cool.
Partition/device-hosted volumes can now be created on drives that use a sector size of 4096, 2048, or 1024 bytes (Windows, Linux).
Favorite Volumes Organizer: this lets you set a favorite volume to be mounted upon logon to the system, and to be mounted as read-only or as a removable medium.
The Favorites menu now contains a list of your non-system favorite volumes. When you select a volume from the list, you are asked for its password (and/or keyfiles) (unless it is cached) and if it is correct, the volume is mounted. (Windows)



More information at the TrueCrypt website.

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

iTunes buffer overflow vulnerability, (Tue, Jul 20th)

Apple has announced a new version of iTunes (9.2.1), which addresses CVE-2010-1777: a buffer overflow exists in the handling of itpc: URLs, which might lead to application termination or arbitrary code execution.
More information at http://support.apple.com/kb/HT4263.
This affects version 9 of iTunes, and only on the Windows platform.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

LNK vulnerability now with Metasploit module implementing the WebDAV method, (Tue, Jul 20th)

More on the LNK vulnerability. In addition to our first report from Handler Joel and the Infocon raise by Handler Lenny, there is now a Metasploit module that implements the exploit via the WebDAV method.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

VMware vCenter Update Manager security patch for Jetty Web server: http://www.vmware.com/security/advisories/VMSA-2010-0012.html, (Mon, Jul 19th)


Targeting VoIP: Increase in SIP Connections on UDP port 5060, (Mon, Jul 19th)

We observed an increase in UDP connections to port 5060. This port is typically used for VoIP connections using the SIP protocol. The activity is indicative of attempts to locate weakly-configured IP PBX systems, probably to brute-force SIP passwords. Once the attacker has access to an account, they may use it to make or resell unauthorized calls. The attacker may also use the access to conduct a voice phishing (vishing) campaign.

We observed a similar up-tick a few months ago. At the time, the activity was attributed to SIP brute-forcing that probably originated from systems running in Amazon's EC2 cloud.
As described on the Digium blog, publicly-accessible SIP systems are seeing large numbers of brute-force attacks. Systems with weak SIP credentials will be compromised, similarly to how email accounts can be compromised by guessing the credentials. The significant difference is that when someone takes over a SIP platform to make outbound calls, there is usually a direct monetary cost, which gets people's attention very quickly.
One way to review your SIP exposure is to use the free SIPVicious toolkit. Interestingly, SIPVicious now includes a tool for crashing unauthorized SIPVicious scans.
A few security recommendations for those using the popular Asterisk IP PBX tool:

Automatically Block Failed SIP Peer Registrations
Seven Steps to Better SIP Security with Asterisk
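As an added illustration of the "block failed SIP peer registrations" recommendation (example code, not part of the original diary), the following Python scans Asterisk chan_sip log lines for the burst of failed REGISTER attempts that an automated SIP brute-force scan produces. The log lines, IP addresses, account names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Asterisk chan_sip "full" log lines, constructed for this example
# (documentation-range IPs). 203.0.113.5 bursts through five accounts.
SAMPLE_LOG = """\
[Jul 19 10:12:01] NOTICE[2211] chan_sip.c: Registration from '"100"<sip:100@pbx.example>' failed for '203.0.113.5' - Wrong password
[Jul 19 10:12:02] NOTICE[2211] chan_sip.c: Registration from '"101"<sip:101@pbx.example>' failed for '203.0.113.5' - No matching peer found
[Jul 19 10:12:02] NOTICE[2211] chan_sip.c: Registration from '"102"<sip:102@pbx.example>' failed for '203.0.113.5' - No matching peer found
[Jul 19 10:12:03] NOTICE[2211] chan_sip.c: Registration from '"103"<sip:103@pbx.example>' failed for '203.0.113.5' - Wrong password
[Jul 19 10:12:04] NOTICE[2211] chan_sip.c: Registration from '"104"<sip:104@pbx.example>' failed for '203.0.113.5' - Wrong password
[Jul 19 10:13:10] NOTICE[2211] chan_sip.c: Registration from '"200"<sip:200@pbx.example>' failed for '198.51.100.7' - Wrong password
[Jul 19 10:30:10] NOTICE[2211] chan_sip.c: Registration from '"200"<sip:200@pbx.example>' failed for '198.51.100.7' - Wrong password
"""
# Older Asterisk logs the source as 'a.b.c.d'; newer builds append ':port'.
FAILURE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<account>.*?)' failed for "
    r"'(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.*)$"
)

def parse_failures(log_text):
    """Return (timestamp, source_ip, account, reason) per failed REGISTER."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            # The full log carries no year; only timestamp differences are used.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["ip"], m["account"], m["reason"]))
    return events

def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside any window_seconds span."""
    by_ip = defaultdict(list)
    for ts, ip, account, _reason in events:
        by_ip[ip].append((ts, account))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Sliding window: advance start until the span fits the window.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(hits), "accounts": len({a for _, a in hits})}
                break
    return flagged
```

A single mistyped password from a legitimate phone never reaches the threshold, while a scanner walking many extensions within seconds does; the flagged sources are the candidates to hand to fail2ban or a firewall rule.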

Thanks to Adam Fathauer and Thomas B. Rücker for sharing the details of some of the malicious activities with us! Also, thanks to ISC handler Donald Smith for his insights on this topic.
-- Lenny
Lenny Zeltser - Security Consulting

Lenny teaches how to analyze and combat malware at SANS Institute. You can find him on Twitter.

New Metasploit GUI written in Java, (Sun, Jul 18th)

If you don't like interacting with Metasploit from the command line, I have good news for you: there is a new Java GUI. Don't forget to install Java to run it. More information at http://pauldotcom.com/2010/07/metasploit-new-gui.html.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org