DarkFiber Consulting – IT Managed Services

Microsoft Windows .LNK Vulnerability

August 6th, 2010, by DarkFiber Consulting

DarkFiber Consulting is aware of a vulnerability affecting Microsoft Windows. This vulnerability is due to the failure of Microsoft Windows to properly obtain icons for .LNK files. Microsoft uses .LNK files, commonly referred to as “shortcuts,” as references to files or applications.

By convincing a user to display a specially crafted .LNK file, an attacker may be able to execute arbitrary code that would give the attacker the privileges of the user. Viewing the location of an .LNK file with Windows Explorer is sufficient to trigger the vulnerability. By default, Microsoft Windows has AutoRun/AutoPlay features enabled. These features can cause Windows to automatically open Windows Explorer when a removable drive is connected, thus opening the location of the .LNK and triggering the vulnerability. Other applications that display file icons can be used as an attack vector for this vulnerability as well. Depending on the operating system and AutoRun/AutoPlay configuration, exploitation can occur without any interaction from the user. This vulnerability can also be exploited remotely through a malicious website, or through a malicious file or WebDAV share.

Microsoft has released Microsoft Security Advisory 2286198 in response to this issue. Users are encouraged to review the advisory and consider implementing the workarounds listed to reduce the threat of known attack vectors. Please note that implementing these workarounds may affect functionality. The workarounds include:

  • disabling the display of icons for shortcuts
  • disabling the WebClient service
  • blocking the download of .LNK and .PIF files from the internet

Microsoft has released a tool, Microsoft Fix it 50486, to assist users in disabling .LNK and .PIF file functionality. Users and administrators are encouraged to review Microsoft Knowledgebase article 2286198 and use the tool or the interactive method provided in the article to disable .LNK and .PIF functionality until a security update is provided by the vendor.

Update: Microsoft has issued a Security Bulletin Advance Notification indicating that it will be releasing an out-of-band security bulletin to address this vulnerability. Release of the security bulletin is scheduled for August 2, 2010.

In addition to implementing the workarounds listed in Microsoft Security Advisory 2286198, DarkFiber Consulting encourages users and administrators to consider implementing the following best practice security measures to help further reduce the risks of this and other vulnerabilities:

  • Disable AutoRun as described in Microsoft Support article 967715.
  • Implement the principle of least privilege as defined in the Microsoft TechNet Library.
  • Maintain up-to-date antivirus software.
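Because the workarounds above (and the AutoRun setting from article 967715) are registry values and a service state, an administrator can audit whether they are actually in effect across a fleet before relying on them. The PowerShell script below is an added example written for this page; it is not the advisory's text, not Microsoft's Fix it 50486, and not DarkFiber Consulting's tooling. It only reads configuration and reports; it changes nothing. Function names are this example's own. The registry locations and values it checks are the ones documented in Advisory 2286198 (removal of the (Default) value of the lnkfile and piffile IconHandler keys) and in KB 967715 (NoDriveTypeAutoRun set to 0xFF), stated here from the author's recollection of those documents rather than quoted from this page, so verify them against the advisory before use.

```powershell
# Added example: read-only audit of the .LNK workarounds on the local machine.
# Registry paths/values are assumed from Advisory 2286198 and KB 967715.
# Written for Windows PowerShell 2.0 and later; no changes are made.

function Test-ShortcutIconHandlerDisabled {
    # Advisory 2286198 workaround: the (Default) value of the IconHandler key
    # for shortcut (lnkfile) and PIF (piffile) types is removed so Explorer
    # no longer loads icons through the shortcut icon handler.
    $results = @{}
    foreach ($type in 'lnkfile', 'piffile') {
        $key = "Registry::HKEY_CLASSES_ROOT\$type\shellex\IconHandler"
        $handler = $null
        if (Test-Path $key) {
            $handler = (Get-Item $key).GetValue('')   # '' selects the (Default) value
        }
        # Workaround is in effect when the key is gone or its default value is empty
        $results[$type] = [string]::IsNullOrEmpty($handler)
    }
    return $results
}

function Test-WebClientDisabled {
    # Advisory 2286198 workaround: WebClient stopped and disabled, which removes
    # the WebDAV share vector described above.
    $svc = Get-WmiObject Win32_Service -Filter "Name='WebClient'"
    if ($null -eq $svc) { return $true }   # service not installed at all
    return ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
}

function Test-AutoRunDisabled {
    # KB 967715: NoDriveTypeAutoRun = 0xFF under the Explorer policies key
    # disables AutoRun for every drive type. Either hive may carry the policy.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
            if ($v -eq 0xFF) { return $true }
        }
    }
    return $false
}

# Report: one line per workaround, "applied" or "NOT applied".
$icon = Test-ShortcutIconHandlerDisabled
$checks = @(
    @('LNK icon handler removed (2286198)',        $icon['lnkfile']),
    @('PIF icon handler removed (2286198)',        $icon['piffile']),
    @('WebClient stopped and disabled (2286198)',  (Test-WebClientDisabled)),
    @('AutoRun disabled on all drives (967715)',   (Test-AutoRunDisabled))
)
foreach ($c in $checks) {
    $state = if ($c[1]) { 'applied' } else { 'NOT applied' }
    '{0,-45} {1}' -f $c[0], $state
}
```

Run it in an elevated PowerShell session so the HKLM and WMI queries succeed; a "NOT applied" line means that particular workaround is still to be done with the Fix it or the interactive steps in the article. The icon-handler check reports the workaround as applied when the key is absent as well as when its default value is empty, since either state stops the handler from loading.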

Additional information can be found in the DarkFiber Consulting Vulnerability Note VU#940193.

DarkFiber Consulting will provide additional information as it becomes available.

U.S. Federal Reserve Fraudulent Email Scam

November 13th, 2008, by DarkFiber Consulting

DarkFiber Consulting is aware of public reports of a fraudulent email scam circulating via messages that falsely appear to be from the U.S. Federal Reserve. These email messages contain information about a phishing scam and links for users to follow to obtain additional information about the scam. If a user follows the links, they will be redirected to a malicious website where a PDF exploit is used to install malicious code on the affected system.

DarkFiber Consulting encourages users to do the following to help mitigate the risks:

New Storm Worm Activity Spreading

July 29th, 2008, by DarkFiber Consulting

DarkFiber Consulting is aware of public reports of a new Storm Worm campaign. The latest campaign is centered around messages related to the Federal Bureau of Investigation and Facebook. This Trojan horse is spread via an unsolicited email message that contains a link to a malicious website. This website contains a link that, when clicked, may run the executable file “fbi_facebook.exe” to infect the user’s system with malicious code.

Reports, including a posting by Sophos, indicate the following email subject lines are being used. Please note that subject lines can change at any time.

  • F.B.I. may strike Facebook
  • F.B.I. watching us
  • The FBI’s plan to “profile” Facebook
  • The FBI has a new way of tracking Facebook
  • F.B.I. are spying on your Facebook profiles
  • F.B.I. busts alleged Facebook
  • Get Facebook’s F.B.I. Files
  • Facebook’s F.B.I. ties
  • F.B.I. watching you

DarkFiber Consulting encourages users and administrators to take the following preventative measures to help mitigate the security risks:

New Storm Worm Variant Spreading

July 14th, 2008, by DarkFiber Consulting

DarkFiber Consulting has received reports of new Storm Worm activity. The latest activity uses messages that refer to the conflict in the Middle East. This Trojan is spread via unsolicited email messages that contain a link to a malicious website. The website is noted as having the following malicious characteristics, which may be used to infect the user’s system with malicious code.

  • A video that, when opened, may run the executable file “iran_occupation.exe.”
  • A banner ad that, when clicked, may run the executable file “form.exe.”
  • A hidden iframe linked to “ind.php.”

Reports, including a posting by Sophos, indicate that the following subject lines are being used. Please note that subject lines can change at any time.

  • 20000 US soldiers in Iran
  • Iran USA conflict developed into war
  • More than 10000 Iranians were murdered
  • Negotiations between USA and Iran ended in War
  • Occupation of Iran
  • Plans for Iran attack began
  • The Iran’s Leader Mahmoud Ahmadinejad declared Jihad to USA
  • The World War III has already begun
  • The begining of The World War III
  • The military operation in Iran has begun
  • The secret war against Iran
  • Third War in Iran
  • Third World War has begun
  • US Army crossed Iran’s borders
  • US Army invaded Iran
  • US army is about 20 kilometers from Tegeran
  • US soldiers occupied Iran
  • USA attacked Iran
  • USA declares war on Iran
  • USA occupeid Iran
  • USA unleashed war on Iran
  • War between USA&Iran
  • War with Iran is the reality now
  • Washington prefers to shoot first

DarkFiber Consulting encourages users and administrators to take the following preventative measures to help mitigate the security risks: