A recently discovered flaw in the way Windows handles shortcut (.LNK) files is being exploited to install malicious software, which is then used to gain administrator-level access and quietly install a rootkit.
Microsoft has already warned users, in Microsoft Security Advisory (2286198), that attackers are exploiting an unpatched vulnerability in the Windows Shell component, which incorrectly parses shortcuts. Since the warning, Microsoft has confirmed what researchers found: the exploitation relies on specially crafted shortcut (.LNK) files. The vulnerability allows malicious code to be executed, most likely delivered on removable drives. The resulting infection includes a Trojan horse whose attack code downloads a rootkit, which then lets the malware run undetected.
Several versions of Windows are affected by the shortcut flaw, including Windows 7 and the now-unsupported Windows XP SP2 (Service Pack 2; as of July 13, 2010 Microsoft no longer provides security updates or support for it). Researchers have observed that malware exploiting the shortcut flaw spreads mostly via infected USB drives.
There is a strong chance anti-virus software would not have caught this malware, mainly because it is a 0day, but also because rootkit installations are becoming exceedingly difficult to detect reliably. There is strong evidence the attackers will use this vulnerability to spread malware to Windows XP SP2 installations, since Microsoft is opting not to offer a patch for that version of the operating system. A lot of SP2 installs are still floating around the internet, completely ignoring the fact that Microsoft released XP SP3 over two years ago, in April 2008.
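Since the malware arrives on USB sticks as shortcut files, a practitioner wants a quick way to triage every .LNK on a mounted drive before Explorer renders it. The following is an added example for this page, not code from the original post, Microsoft or any vendor: it parses the documented shell-link layout (ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData) and flags shortcuts whose icon, target or item-ID list references a library (.dll or .cpl) rather than an ordinary program. That flagging rule is an assumption chosen for illustration, and the two sample shortcuts are constructed inline and contain no real malware.

```python
"""Triage Windows shortcut (.LNK) files, e.g. everything on a removable drive.
Added example; the library-reference heuristic is an assumption, and the sample
shortcuts below are constructed fixtures, not real samples."""
import struct
import sys
from pathlib import Path

# ShellLink CLSID 00021401-0000-0000-C000-000000000046 as it is laid out on disk.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SUSPECT_EXT = (".dll", ".cpl")   # assumption: libraries are not normal targets for a shortcut on a USB stick


def parse_lnk(data: bytes) -> dict:
    """Return flags, raw item-ID list, LinkInfo local path and StringData of a shortcut."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "idlist": b"", "local_path": None, "strings": {}}
    pos = 0x4C                                   # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:                       # IDListSize (u16) then the ItemIDs plus terminator
        size = struct.unpack_from("<H", data, pos)[0]
        info["idlist"] = data[pos + 2:pos + 2 + size]
        pos += 2 + size
    if flags & HAS_LINKINFO:                     # LinkInfoSize, HeaderSize, Flags, VolumeIDOffset, LocalBasePathOffset
        size, _hdr, li_flags, _vol, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                       # VolumeIDAndLocalBasePath present
            start = pos + base_off
            info["local_path"] = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += size
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                      ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                      ("icon_location", HAS_ICON)):
        if flags & bit:                          # StringData: u16 char count, then the chars
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            info["strings"][name] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return info


def suspicious_reasons(info: dict) -> list:
    """Assumed heuristics: a library referenced by any target-like field or inside the item-ID list."""
    reasons = []
    fields = {**info["strings"], "local_path": info["local_path"] or ""}
    for key in ("relative_path", "icon_location", "local_path"):
        val = fields.get(key, "")
        if val.lower().endswith(SUSPECT_EXT):
            reasons.append(f"{key} references a library: {val}")
    idl = info["idlist"].lower()                 # item IDs are opaque, so scan for ASCII or UTF-16 names
    for ext in SUSPECT_EXT:
        if ext.encode() in idl or ext.encode("utf-16-le") in idl:
            reasons.append(f"item ID list embeds a {ext} reference")
    return reasons


def scan_shortcuts(root) -> dict:
    """Map every .lnk under root (e.g. a mounted USB stick) to its list of reasons."""
    findings = {}
    for path in Path(root).rglob("*.lnk"):
        try:
            findings[str(path)] = suspicious_reasons(parse_lnk(path.read_bytes()))
        except (ValueError, struct.error) as err:
            findings[str(path)] = [f"unparseable: {err}"]
    return findings


def build_lnk(*, idlist: bytes = b"", relative_path=None, icon_location=None) -> bytes:
    """Assemble a minimal Unicode shortcut (fixture constructed for this example)."""
    flags, body = IS_UNICODE, b""
    if idlist:
        flags |= HAS_IDLIST
        body += struct.pack("<H", len(idlist)) + idlist
    for val, bit in ((relative_path, HAS_RELPATH), (icon_location, HAS_ICON)):
        if val is not None:                      # keep the spec's StringData field order
            flags |= bit
            body += struct.pack("<H", len(val)) + val.encode("utf-16-le")
    header = (struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
              + b"\x00" * 36 + struct.pack("<I", 1) + b"\x00" * 12)   # attrs/times/size/icon, SW_SHOWNORMAL, hotkey/reserved
    return header + body


def _item_id(payload: bytes) -> bytes:
    return struct.pack("<H", len(payload) + 2) + payload     # ItemIDSize counts its own two bytes


# Constructed samples: a plain shortcut to Notepad, and one whose icon and item-ID list name a .cpl.
BENIGN_LNK = build_lnk(relative_path=r"..\Windows\notepad.exe", icon_location=r"%SystemRoot%\notepad.exe")
SUSPECT_LNK = build_lnk(idlist=_item_id(b"\x1f" + r"E:\sample.cpl".encode("utf-16-le")) + b"\x00\x00",
                        icon_location=r"E:\sample.cpl")

if __name__ == "__main__":
    if len(sys.argv) > 1:                        # python lnk_triage.py /media/usbstick
        for name, reasons in scan_shortcuts(sys.argv[1]).items():
            print(name, "->", reasons or "ok")
    else:
        print("benign :", suspicious_reasons(parse_lnk(BENIGN_LNK)))
        print("suspect:", suspicious_reasons(parse_lnk(SUSPECT_LNK)))
```

Run it against a drive mounted on a non-Windows host (or with icon rendering disabled) so that opening the folder does not itself trigger the parser being assessed; the script never asks the shell to resolve or display anything, it only reads the bytes.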
Earlier this week Apple released OS X 10.6.4, an update largely aimed at fixing security vulnerabilities rather than adding new features. Sophos, an anti-virus vendor, did some digging and noticed that Apple quietly included an update to the built-in anti-malware protection, covering a backdoor that may allow attackers to obtain remote control over machines running OS X:
Although there is no mention of it that we could find in Apple’s release notes for Mac OS X 10.6.4, or the accompanying security bulletin, Apple has updated XProtect.plist – the rudimentary file that contains elementary signatures of a handful of Mac threats – to detect what they call HellRTS.
HellRTS, which Sophos products have been detecting as OSX/Pinhead-B since April, has been distributed by malicious hackers disguised as iPhoto, the photo application which ships on modern Mac computers.
Will Apple’s lack of transparency perpetuate the myth that OS X is immune to viruses and other malware? A lot of Mac users, especially newer ones migrating from Windows, tend to believe the Mac is a more secure environment, free from the threat of malware; that belief could not be further from the truth. When Apple quietly issues an update to the built-in OS X malware protection, one has to wonder why the silence.
It is worth noting that Sophos has a business stake in this market: if Apple publicly acknowledged a malware threat to its operating system, Sophos and other anti-virus vendors would ostensibly see an increase in sales as a result. Is that what Apple really wants to do?
Sophos would be a direct beneficiary of Apple stating that OS X is vulnerable to these threats, so its annoyance should be taken with a grain of salt. However, Mac users should most definitely be made aware of the potential threats to their operating system so they can choose whatever protection measures they decide are worthwhile.
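If Apple will not announce signature changes, a user can at least notice them. The following is an added example for this page, not Apple’s or Sophos’ code: it diffs two copies of XProtect.plist and reports signatures that were added, removed, or whose pattern count changed. It assumes the layout the example itself constructs (a plist array of dicts, each with a "Description" naming the threat and a "Matches" array of patterns) and, for the usage note only, the Snow Leopard location /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist; the signature names in the samples are placeholders, not Apple’s.

```python
"""Spot silent XProtect.plist changes by diffing a saved copy against the live file.
Added example; the plist layout below is an assumption, and both sample plists are
constructed fixtures with placeholder names."""
import plistlib
import sys


def load_signatures(blob: bytes) -> dict:
    """Map Description -> number of Matches entries for every signature in the plist."""
    return {e["Description"]: len(e.get("Matches", [])) for e in plistlib.loads(blob)}


def diff_signatures(old_blob: bytes, new_blob: bytes) -> dict:
    """Return added, removed and changed (pattern count differs) signature names, sorted."""
    old, new = load_signatures(old_blob), load_signatures(new_blob)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


def _sample(entries) -> bytes:
    """Build a plist in the assumed layout from (name, [hex patterns]) pairs."""
    return plistlib.dumps(
        [{"Description": name, "Matches": [{"MatchType": "Match", "Pattern": p} for p in pats]}
         for name, pats in entries],
        fmt=plistlib.FMT_XML)


# Constructed "before" and "after" files: A gains a pattern, B disappears, C is new.
BEFORE_PLIST = _sample([("OSX.Example.A", ["4d5a"]), ("OSX.Example.B", ["cafebabe"])])
AFTER_PLIST = _sample([("OSX.Example.A", ["4d5a", "feedface"]), ("OSX.Example.C", ["deadbeef"])])

if __name__ == "__main__":
    if len(sys.argv) == 3:   # python xprotect_diff.py saved_copy.plist /System/.../XProtect.plist
        with open(sys.argv[1], "rb") as f_old, open(sys.argv[2], "rb") as f_new:
            print(diff_signatures(f_old.read(), f_new.read()))
    else:
        print(diff_signatures(BEFORE_PLIST, AFTER_PLIST))
```

Keep a copy of the file before each system update and run the diff afterwards; an "added" entry is exactly the kind of change Sophos spotted in 10.6.4 without a word from Apple.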

Two weeks in a row we are seeing the spread of salacious malware on Facebook. Steer clear of Facebook’s “Distracting Beach Babes.”
Graham Cluley makes a curious point on his award-winning security blog regarding the timing of these malware campaigns:
I’m beginning to wonder if the cybercriminals deliberately launch these campaigns on the weekends, imagining that anti-virus researchers and Facebook’s own security team might be snoozing.
The hoopla surrounding the Conficker worm has taken the computer security world by storm. Headlines predict doom and gloom on April 1, because researchers believe attackers will activate the worm, gaining control of millions of zombie personal computers running Microsoft Windows. Conficker is largely a non-issue on a fully patched Windows machine running up-to-date anti-virus software. What about those who have opted for Apple computers running OS X? Everyone knows anti-virus software is obligatory on Windows, but is it even worth the hassle on OS X?