Smooth-talking hackers test hi-tech titans’ skills (AFP)

AFP – Hackers at an infamous DefCon gathering are proving that old-fashioned smooth talk rivals slick software skills when it comes to pulling off attacks on computer networks.



Sality Links

Shortcut exploits have made the news in malware circles this month. After Stuxnet first used them, it wasn’t long before other malware started exploiting the zero-day vulnerability – Sality is among their number.

The authors of the Sality family added a new executable component, which we detect as Troj/Sallink-A, that enumerates network resources, dropping two files where it can. The first of these is a DLL file, detected as Troj/Salload-D, the other a LNK shortcut file, detected as Exp/Cplink-A. Simply browsing to the folder containing the LNK file will automatically execute the DLL file – that’s the nature of the CVE-2010-2568 vulnerability.

Different variants of Troj/Sallink-A format their payload in slightly different ways. Most drop the DLL using a filename consisting of random hexadecimal characters (‘a’ to ‘f’ and ‘0’ to ‘9’), with earlier variants using <random>.dll and later ones using ~<random>.tmp or w<random>.tmp. For the shortcut file, earlier variants used the simple <random>.lnk, while later variants moved to a wide variety of click-enticing names – for a full list, see the “More Information” tab of Troj/Sallink-A, but filenames include “My Photos.lnk”, “Gallery photos.lnk”, “XXX.lnk”, “Britney Spears XXX.lnk”, “Barrett Jackson nude photos.lnk”, and “Miss America Porno.lnk”.

I’m not quite sure why they’ve gone out of their way to give these the sort of filename that gets people to click them, since the whole point of this vulnerability is that you don’t have to click the shortcut – in fact I’d say most of these names are far more likely to arouse suspicion on a network. But then, that’s what you get if you just steal a list of names from other malware – most of the names are recognisable as having been used by the Bagle family of malware more than 4 years ago.

For good measure, Troj/Sallink-A also tries to drop the LNK file to all subdirectories of the network share, maximising the chance that someone will browse there and trigger the DLL-executing exploit. When run, the DLL tries to contact a remote URL and to drop a file to <temp>\<random>.exe – this is the main Sality component, which goes on to infect files and to spread to all available drives (including USB drives) and network shares. We detect this component as Mal/Sality-D.
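The filename patterns and the drop-to-every-subdirectory behaviour described above give a defender something concrete to hunt for on a share. The following script is an added example, not SophosLabs code: it walks a directory tree and reports folders holding a shortcut with one of the quoted names (or a random-hex <random>.lnk), noting whether a hex-named DLL/TMP payload sits beside it. The sample share it builds is constructed from empty files for demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Payload names from the post: <hex>.dll, ~<hex>.tmp, w<hex>.tmp.
PAYLOAD_RE = re.compile(r"^(?:[0-9a-f]+\.dll|[~w][0-9a-f]+\.tmp)$", re.IGNORECASE)
# Early variants used <hex>.lnk; later ones used the enticing names below.
HEX_LNK_RE = re.compile(r"^[0-9a-f]+\.lnk$", re.IGNORECASE)
KNOWN_LNK_NAMES = {
    "my photos.lnk", "gallery photos.lnk", "xxx.lnk", "britney spears xxx.lnk",
    "barrett jackson nude photos.lnk", "miss america porno.lnk",
}


def is_payload_name(name: str) -> bool:
    return PAYLOAD_RE.match(name) is not None


def is_shortcut_name(name: str) -> bool:
    return name.lower() in KNOWN_LNK_NAMES or HEX_LNK_RE.match(name) is not None


def scan_share(root) -> list:
    """Report every directory containing a suspicious LNK. 'pair' means a
    payload-style file sits in the same folder; 'lnk-only' covers the
    subdirectory copies, whose shortcut may point at a DLL elsewhere."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        lnks = sorted(f for f in files if is_shortcut_name(f))
        payloads = sorted(f for f in files if is_payload_name(f))
        if lnks:
            hits.append({"dir": Path(dirpath).relative_to(root).as_posix(),
                         "lnk": lnks, "payload": payloads,
                         "kind": "pair" if payloads else "lnk-only"})
    return sorted(hits, key=lambda h: h["dir"])


def build_demo_share() -> str:
    """Constructed sample share (empty files, no real malware) mixing the
    naming patterns above with benign neighbours that must not be flagged."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {
        "public": ["report.docx", "My Photos.lnk", "~1f3a9c.tmp"],
        "public/old": ["deadbeef.lnk", "deadbeef.dll"],
        "public/old/archive": ["XXX.lnk"],          # subdirectory copy, no DLL
        "it/tools": ["setup.lnk", "kernel32.dll"],  # ordinary names, ignored
    }
    for rel, names in layout.items():
        d = Path(root, rel)
        d.mkdir(parents=True, exist_ok=True)
        for n in names:
            (d / n).touch()
    return root
```

Run `scan_share` against a mounted share path; a 'pair' hit is the combination the exploit needs to fire when the folder is merely browsed.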

In fact, before the authors had even sent out the first DLL-dropping EXE or EXE-dropping DLL, we detected all of these files as Mal/Sality-D – we’re now using the names Troj/Sallink-A and Troj/Salload-D to help differentiate components of the chain, but we’ve always protected against them all.

It’s a bit surprising to see a malware family that concentrates on rather old-school file infection keeping on top of new vulnerabilities, but clearly someone in their gang is reading the news – earlier in the month they sent exploited PDF spam, so (ab)using exploited LNK files is an obvious next step. It’s a shame the authors don’t spend more time on the actual virus itself, since it still has a nasty habit of corrupting files during infection.

Even once Microsoft releases a patch for the vulnerability, history has shown that lots of people won’t apply it with any due expediency, so it’s a safe bet that we’ll see more malware exploiting this in the future. We’ll continue to update our main shortcut exploit page as we get more information, and you might also want to download our Windows Shortcut Exploit Protection Tool to help keep you safe until the vulnerability has been patched.


Software released for attacking Android phones (Reuters)

Reuters – Two security experts said on Friday they released a tool for attacking smartphones that use Google Inc’s Android operating system to persuade manufacturers to fix a bug that lets hackers read a victim’s email and text messages.



Greetings from Blackhat USA

I have to admit that I am not a huge fan of Las Vegas, but when the reason to visit is as good as attending Blackhat and Defcon I instantly forget the heat, endless rows of slot machines, big crowds, kitschy hotels, bars and everything that makes Vegas, Vegas. I have missed the last two Blackhats but I am glad that I am back and that not many things have changed. Despite the huge number of delegates, the Blackhat briefings were organised like a well-oiled machine, so every kudos goes to the crew. I am glad that Blackhat, despite the name, has become a conference which equally addresses and promotes the offensive and the defensive sides of computer security.

Though some sessions I attended were a bit hit and miss, mostly because of the less than ideal presentation skills of the presenters rather than the technical content of the sessions, I can say that I thoroughly enjoyed seeing the enthusiasm which exuded from every single presenter, who gave their best to show their work.

The highlight of day one was the presentation by Barnaby Jack, which successfully showed that ATMs are just computers like any other, and that by learning about their functionality it is possible to remotely compromise their operation. This can become quite a serious problem, especially if attackers find an easy way to modify software running on the system. The big crowds attending the session had every right to be impressed by the show. Several good videos of Barnaby jackpotting ATMs on stage have been posted on YouTube.

I was particularly interested to attend sessions concerning malware analysis and reverse engineering techniques, and to see if we can get new ideas and tools to use in SophosLabs. Some interesting tools, such as UC Berkeley’s BitBlaze, are already available, and others, such as the excellent VMM-based debugger Virt-ICE, are in relatively early stages of development but show good potential for future use in malware analysis.

For me, another interesting area was the increased attention to smartphone platforms, primarily Android-based devices and iPhones. We often discuss protection techniques for smartphones and question the need to develop anti-malware software for them, concluding that there are relatively few threats to warrant fully functional anti-malware protection, especially in a corporate, managed environment.

Kevin Mahaffey and John Hering from Lookout Security conducted interesting research into the functionality of all free applications available through the Android Market and the Apple App Store, and found a significant number of applications, from a few developers, written with the clear intention of stealing data available on the device and sending it to a central server managed by the developers. Malware? Maybe. Spyware? Certainly. Unfortunately, both Google and Apple are currently in a stage of threat denial and do not provide documented programming interfaces which would allow security vendors to create reliable protection for the platforms. Let us hope they are right and that they will be able to make sure that all applications published through their respective application stores will always be free from malicious intent. I am a bit of a skeptic on that front, but that may just be me.

On the corporate front, it is obvious that Microsoft is doing a better job of handling vulnerabilities discovered in Windows, despite the feature/bug in Windows’ handling of shortcuts to control panel extensions discovered a couple of weeks ago. The great news is that Adobe has decided to jump on the bandwagon and coordinate incident response with Microsoft. Members of MAPP, including SophosLabs, should be pleased to learn that technical information about issues in Adobe software will be distributed to all members through the channel already used to distribute information related to vulnerabilities in Microsoft’s products.

I am off now to the positive madness of Defcon and will make sure to let you know about the sessions I particularly enjoyed.


AndroidOS.Ewalls

Risk Level: Very Low. Type: Trojan.
