Monday, July 19, 2010

Windows Shortcut(.lnk) Vulnerability

The Windows shell, a component of Microsoft Windows, is vulnerable to remote code execution via a shortcut file. A shortcut is a link to a file or program, represented by an icon. If you double-click a shortcut, the file or program opens. Shortcuts are often used to keep frequently used files in a single, easily accessed location, such as a folder or the desktop. Shortcuts are implemented as files with the LNK extension. This .lnk exploit works on Windows XP, Vista and Windows 7.

An attacker could exploit this vulnerability by introducing a removable drive or by setting up a remote network share for the targeted users. When a user opens the removable drive or browses the share, the Windows shell attempts to load the icon of the shortcut file, and the malicious binary may be invoked.

A remote attacker who successfully exploits this vulnerability may execute arbitrary code on the system with the privileges of the currently logged-in user. This is especially dangerous if you run your system with administrative privileges.

Some antivirus vendors have pushed detection of malicious shortcut files to their products.
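As an added, defender-side example (not from the advisory or this post): a small Python parser for the shortcut's ShellLinkHeader and StringData that pulls out the IconLocation the shell resolves when it draws the icon, plus a triage heuristic that flags shortcuts whose icon comes from a DLL outside the Windows directory. The MS-SHLLINK field layout is public; the heuristic, the trusted-prefix list and the sample shortcut are my own assumptions.

```python
import struct

# Fixed 76-byte ShellLinkHeader followed by optional blocks (MS-SHLLINK); only
# enough is implemented to recover the StringData fields such as IconLocation.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
TRUSTED_ICON_PREFIXES = ("%systemroot%", "c:\\windows")  # demo assumption


def parse_lnk(data):
    """Return the StringData fields present in a .lnk as a dict of str."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        pos += 2
        raw = data[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields


def icon_looks_suspicious(fields):
    """Triage heuristic (an assumption, not vendor detection logic): the icon
    is drawn from a DLL or CPL that does not live under the Windows directory."""
    icon = fields.get("icon_location", "").lower()
    return icon.endswith((".dll", ".cpl")) and not icon.startswith(TRUSTED_ICON_PREFIXES)


def build_sample_lnk(icon_location):
    """Constructed sample, not a real-world file: a shortcut carrying only an
    IconLocation string, which is enough to exercise the parser above."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_ICON_LOCATION | IS_UNICODE)
    header += b"\x00" * 52  # attributes, timestamps, size, icon index, show cmd
    return header + struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
```

Run `parse_lnk` over the .lnk files collected from a suspect drive and review the ones `icon_looks_suspicious` flags; a shortcut with a normal .ico or .exe icon will not trip the heuristic.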

Until Microsoft comes up with a fix, it is suggested to take certain actions to avoid this vulnerability. Workarounds are as follows:

To read more, follow:

CERT-In
http://www.cert-in.org.in/vulnerability/civn-2010-169.htm

Microsoft
http://www.microsoft.com/technet/security/advisory/2286198.mspx

Trendmicro
http://blog.trendmicro.com/usb-worm-exploits-windows-shortcut-vulnerability/

ISC
http://isc.incidents.org/diary.html?storyid=9181

nj0y !!!

#@v3 $@f3 br0w$!n9 !!!

Friday, July 16, 2010

Fake Spam page: "Ten Things Girls Should Never Say to Guys"

Today, I found another interesting post on my wall which caught my attention. This is again related to fake and spam pages on Facebook, which I have posted about earlier in my blog in past months. This page claims around 313K fans to lure users. It does the same thing: automatically posting on your wall and suggesting to others that you like this page, which you haven't done; the application page does it for you. Along with all these weird activities, it serves you Adware and Spyware. If you want to know more about it, please scroll down.

Have a look at this page. This is a fake spam page, using the title "Ten Things Girls Should Never Say to Guys" to entice naive users to perform certain clicks. It is not as dangerous as the earlier ones, which used to install Backdoors and Trojans, but it does install Adware, which could also be Spyware.

As for my analysis, this time I decided that instead of clicking on the "Like" button, I'd click somewhere else where they were telling me to click. So I did, and landed on this page:
This page asks me to prove I'm human, not a bot. But actually it doesn't make any sense. I noticed it is random; only one of the two is functioning. If the BLUE one is functioning and you click RED first, you'll find it works. But if the RED one is functioning and you click BLUE followed by RED, it doesn't make any sense.
In both cases, it takes you to another page which looks like an age confirmation page (shown at your right), which I believe is a fake confirmation. This is used to trick naive users. See the next page and you'll come to know why they are asking you to confirm.

Here comes the real story: this page tells you to download two sophisticated Adwares, which may be Spywares, named:

"Create a cartoon image of yourself for your Facebook profile"
and
"Get free Smileys for AIM and other IM programs".
If you click on these links, you land on two different application download pages, which respectively look like this:

These two applications are meant for the special purpose they claim. Upon clicking, these pages serve you two different nice-looking applications. I personally suspected that, apart from their usual business, they were doing something unusual. So I decided to upload these binaries to VirusTotal for verification, and the results were eye opening. The binaries I downloaded are not plain applications; they are Adware and possibly Spyware.
VirusTotal analysis is shown below:
Once this Adware/Spyware is installed on your system, these programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, and could also allow a remote attacker to access your computer. All this is done without your consent, because you have already allowed them to run on your system.

Along with these activities, you will find something on your wall which looks like this:
This is posted on your wall, showing that you like this page and suggesting others like the same, which is very weird, since you actually haven't done so.

After putting in all these efforts, I was still not able to find out what those 10 things are which girls should never say to boys. Isn't it funny?

Here, I suggest to those friends who use FB and blindly click "Like" on pages without thinking about what these pages are doing: do not like them or allow them access to your profile. Whenever you find a page which tells you to like it first and only then shows you the content, that is enough to sense something fishy is there. So please beware of these pages.

I posted about similar things earlier in my blog; kindly refer to those posts to gain more knowledge about these fake pages. Kindly let me know if you observe anything unusual, over the internet obviously.

H@v3 $@f3 Br0w$!n9 !!!

nj0y !!!

Thursday, July 8, 2010

Remote Control Facebook

Hey, after a few days of busy schedule, I got something interesting and important to share. Earlier also I have experienced this kind of malicious activity over Facebook.


Here is one example of the same. Initially it lures users by saying "99% of people can’t watch this video for more than 25 seconds".

When you click the link, you land on another page that offers to show you a video, but before watching the video you need to either copy and paste some code into the browser address bar, or onto some friends' walls, or into your status, and so on; this depends on the guy who made the malicious page.

In most cases people don't paste this JavaScript into their address bar, but if you do, you are taken to a page which automatically tells all your friends that you like the app, and it posts that link to your status. Nearly 600k “friends” who liked it make it very effective.
A video of the action, captured by AVG researcher Roger Thompson, is posted here:
http://www.youtube.com/watch?v=pFCmN-eSlt0

Reporting Cyber Crime

Govt. of India took a great initiative by facilitating citizens with the “National Cyber Crime Reporting Portal” ( https://cybercrime...