ANTI-MALWARE.info | The Reference in Independent Anti-Malware Advice and Information

New website and the start of my world tour

You have probably already noticed that I refurbished my personal website; otherwise you wouldn't be reading this.
I really hope you like the new look of the site, which took us several weeks to come up with. It was badly needed after such a long period of silence, I think.

With this new look I'm also starting my world tour, during which I will sometimes attend conferences and sometimes speak at them.

Having just finished G Data's press tour in the Benelux, I'm ready for the next events:

  • BruCon Conference: Brussels, Belgium (attending)
  • Virus Bulletin Conference: Vancouver, Canada (speaking, together with Righard Zwienenberg (Norman), about internal attacks and problems in the cloud)
  • Infosecurity NL: Utrecht, The Netherlands (attending)
  • AAVAR Conference: Bali (speaking, together with David Harley (Eset) and Lysa Myers (Westcoast Labs), about product evaluation and malware simulation)
  • G Data Japan Press Tour: Tokyo (speaking)

And this is just the beginning; more trips are being planned even as I write this piece.

One trip could be very interesting, but it's still undecided whether I will participate. Stay tuned, as I could meet some VIPs of the world. ;-)

Could the DLL-hijacking problem be underestimated?

This is a short excerpt of the official G Data blog post.
Find the full and official version at www.gdatasoftware.com

Last week, HD Moore, best known as the creator of the Metasploit Framework, released details about a serious DLL-loading problem in Windows, the class of bug now usually called DLL hijacking or binary planting.

A week later, Microsoft published more information on the insecure DLL-loading practices that can lead to remote code execution, which are the root cause of the problem: an application that loads a library by bare file name lets Windows walk its DLL search order, and that order includes the current working directory. When a user opens a document from a network share or a removable drive, that directory is under the attacker's control, so a DLL planted next to the document gets loaded instead of the real one. Microsoft has since released a mitigation tool (Knowledge Base article 2264107, which adds the CWDIllegalInDllSearch registry setting to remove the current directory from the search path). But the real, and probably best, solution is for developers to patch their applications to follow the documented best practices: load libraries by fully qualified path, and call SetDllDirectory("") early so the current directory is never searched.

There is little that the security community, or Microsoft for that matter, can do on its own, as many applications rely on exactly the search-order behaviour that makes the attack possible, and it could take weeks or months for their developers to release better-designed programs and persuade users to update to the new versions. Some programs will be updated automatically, some won't. The mitigation Microsoft offers does work, but blocking the current directory globally can break programs that legitimately load DLLs from there, so it costs backward compatibility and should be tested against each application before it is rolled out.
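The practical way to find out which of your applications are affected is the one HD Moore's audit kit used: run the application under Process Monitor, open a document from a share or USB stick, and look for DLL probes that hit the document's directory. The script below is an added example written for this post, not code from G Data, Microsoft or HD Moore; it parses a Process Monitor CSV export and flags loads that probed an untrusted directory. The trace rows are constructed, and the TRUSTED_ROOTS list (directories a standard user cannot write to) is an assumption to adjust for the host being audited.

```python
"""
Audit a Process Monitor trace for DLL loads that Windows resolved by probing
an attacker-writable directory first: the pattern behind DLL hijacking.

A probe is a CreateFile on a path ending in .dll. A load is hijackable when
the application asked for the DLL by bare name, so the loader walked the
search order and tried a directory the attacker can control (the current
working directory of a document opened from a share or USB stick, a download
folder, ...) and got NAME NOT FOUND there, before, or without ever, finding
the real DLL under a trusted root.
"""
import csv
import io
import ntpath
from collections import defaultdict

# Assumption: roots a standard user cannot write to on the audited host.
TRUSTED_ROOTS = (
    r"c:\windows",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Constructed sample in Procmon's CSV export layout; not a real capture.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result"
"10:00:01.0000001","viewer.exe","4120","CreateFile","\\fileserver\share\docs\report.pdf","SUCCESS"
"10:00:01.0000002","viewer.exe","4120","CreateFile","\\fileserver\share\docs\dwmapi.dll","NAME NOT FOUND"
"10:00:01.0000003","viewer.exe","4120","CreateFile","C:\Windows\system32\dwmapi.dll","SUCCESS"
"10:00:01.0000004","viewer.exe","4120","CreateFile","C:\Windows\system32\kernel32.dll","SUCCESS"
"10:00:02.0000001","viewer.exe","4188","CreateFile","C:\Users\alice\Downloads\ieframe.dll","NAME NOT FOUND"
"10:00:02.0000002","viewer.exe","4188","CreateFile","C:\Windows\system32\ieframe.dll","NAME NOT FOUND"
"10:00:03.0000001","safeapp.exe","5004","CreateFile","C:\Program Files\SafeApp\plugin.dll","SUCCESS"
'''


def is_trusted_dir(directory):
    """True if the directory is one of (or lies under) the trusted roots."""
    d = directory.lower().rstrip("\\")
    return any(d == root or d.startswith(root + "\\") for root in TRUSTED_ROOTS)


def find_hijackable_loads(procmon_csv):
    """Return (process, dll, first untrusted directory probed, directory where found or None)."""
    probes = defaultdict(list)  # (process, dll name) -> [(directory, result), ...] in trace order
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        if row["Operation"] != "CreateFile" or not row["Path"].lower().endswith(".dll"):
            continue
        directory, name = ntpath.split(row["Path"])  # ntpath handles C:\ and \\server\share paths
        probes[(row["Process Name"], name.lower())].append((directory, row["Result"]))

    findings = []
    for (process, dll), sequence in probes.items():
        untrusted = [d for d, r in sequence if r == "NAME NOT FOUND" and not is_trusted_dir(d)]
        if not untrusted:
            continue
        # A DLL never found anywhere is the worst case: an attacker only has to supply it.
        found_in = next((d for d, r in sequence if r == "SUCCESS"), None)
        findings.append((process, dll, untrusted[0], found_in))
    return findings


if __name__ == "__main__":
    for process, dll, probed, found_in in find_hijackable_loads(SAMPLE_PROCMON_CSV):
        where = ("later found in " + found_in) if found_in else "never found (plant it and it loads)"
        print("%s loads %s via %s; %s" % (process, dll, probed, where))
```

On a real trace, export Process Monitor with the filters "Operation is CreateFile" and "Path ends with .dll", then launch the application by double-clicking a document on a share so its working directory is the untrusted one. Note that SafeDllSearchMode (the default since XP SP2) only moves the current directory after the system directories; a DLL the system does not have at all, such as the optional ones many applications probe for, is still picked up from the current directory, which is exactly the second finding above.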


The Microsoft LNK / USB worm / rootkit ‘issue’ will kill WIN XP SP2 and WIN2000 earlier…

Recently, reports were released about a new kind of malware propagating through removable drives. The malware exploits a newly discovered vulnerability in Windows shortcut files which allows arbitrary code to be executed on the user's system. Microsoft has officially acknowledged the vulnerability and released a security advisory.

The malware, which part of the AV industry detects as Win32/Stuxnet, is unfortunately a worm (and rootkit) of a slightly different colour. It propagates by exploiting a 0-day vulnerability, described here and listed by CVE as CVE-2010-2568.
The core problem is that Windows (specifically, the Windows Shell) can be tricked into executing malicious code presented through a specially crafted shortcut (.LNK) file which links, in turn, to a malicious DLL (Dynamic Link Library).

The flaw lies in the way the Windows Shell parses the shortcut when it loads the icon to display: the shell resolves the shortcut's target in order to draw its icon, and a target that names a DLL gets that DLL loaded, so clicking the icon is not necessary for the malicious code to run. The code executes without any action on the part of the user as soon as the folder is opened (in Explorer, or in any program that renders shortcut icons) to get at whatever legitimate files are on the device. And because support for Windows 2000 and Windows XP SP2 ended in July 2010, those systems will not receive the fix; the only remedy there is to upgrade.
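For incident responders who need to triage shortcut files from a suspect USB stick, the exploit pattern is recognisable from the file structure alone. The scanner below is an added example written for this post, not code from G Data, Microsoft or any AV vendor. It parses the Shell Link header and LinkTargetIDList and flags shortcuts whose target is a Control Panel item (the Control Panel folder CLSID in the item list) followed by an item naming a .dll, which is the publicly documented shape of the CVE-2010-2568 shortcuts. The .LNK samples are constructed fixtures with simplified ItemID contents; they exercise the parser and are not real exploit files.

```python
"""
Heuristic scanner for shortcut files matching the CVE-2010-2568 pattern.

Shell Link (.LNK) layout, as far as the scanner needs it:
  - 76-byte header: HeaderSize (0x4C), LinkCLSID, LinkFlags, ...
  - if LinkFlags & HasLinkTargetIDList: IDListSize (2 bytes), then ItemIDs
    (2-byte size including itself, then data), ending in a 2-byte zero TerminalID.
The exploit shortcuts target a Control Panel item whose data names a DLL,
and the shell loads that DLL merely to draw the icon.
"""
import struct
import uuid

HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x00000001
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le


def parse_id_list(blob, offset):
    """Return the data of each ItemID in the LinkTargetIDList starting at offset."""
    (id_list_size,) = struct.unpack_from("<H", blob, offset)
    pos, end = offset + 2, offset + 2 + id_list_size
    if end > len(blob):
        raise ValueError("IDListSize runs past end of file")
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", blob, pos)
        if item_size == 0:  # TerminalID: end of list
            return items
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(bytes(blob[pos + 2:pos + item_size]))
        pos += item_size
    raise ValueError("LinkTargetIDList missing TerminalID")


def names_dll(item_data):
    """True if the ItemID data holds a UTF-16LE string mentioning .dll (either byte alignment)."""
    for start in (0, 1):
        if ".dll" in item_data[start:].decode("utf-16-le", errors="ignore").lower():
            return True
    return False


def scan_lnk(blob):
    """Classify a .LNK blob as 'not-lnk', 'clean', 'review' or 'suspicious'."""
    if len(blob) < HEADER_SIZE or struct.unpack_from("<I", blob, 0)[0] != HEADER_SIZE:
        return "not-lnk"
    if blob[4:20] != SHELL_LINK_CLSID:
        return "not-lnk"
    (flags,) = struct.unpack_from("<I", blob, 20)
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return "clean"  # no target item list, so nothing for the shell to resolve this way
    try:
        items = parse_id_list(blob, HEADER_SIZE)
    except ValueError:
        return "suspicious"  # a malformed item list is itself a red flag
    cpl = [i for i, d in enumerate(items) if CONTROL_PANEL_CLSID in d]
    if not cpl:
        return "clean"
    if any(names_dll(d) for d in items[cpl[0] + 1:]):
        return "suspicious"
    return "review"  # an ordinary Control Panel shortcut; confirm by hand


def build_lnk(item_ids):
    """Constructed fixture: minimal header with only HasLinkTargetIDList set, plus the item list."""
    header = struct.pack("<I", HEADER_SIZE) + SHELL_LINK_CLSID + struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (HEADER_SIZE - len(header))
    id_list = b"".join(struct.pack("<H", len(d) + 2) + d for d in item_ids) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed samples; ItemID contents are simplified (type byte, sort byte, then CLSID or name).
BENIGN_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x32\x00" + "notes.txt".encode("utf-16-le") + b"\x00\x00",
])
SUSPECT_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x1f\x00" + CONTROL_PANEL_CLSID,
    b"\x00\x00" + r"\\share\pics\x.dll".encode("utf-16-le") + b"\x00\x00",
])
CPL_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x1f\x00" + CONTROL_PANEL_CLSID,
])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK), ("cpl", CPL_LNK)):
        print("%s: %s" % (label, scan_lnk(sample)))
```

Run it over every .LNK on the drive (and in mail attachments) before anyone opens the folder in Explorer; anything reported as suspicious should be examined on an isolated machine, since merely listing the directory in Explorer on an unpatched host is enough to load the DLL.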
