Archive for May, 2009

Windows Shortcut – LNK File Format

LNK Format

Figure 01 – LNK Top Level File Structure

A computer shortcut (shortcut) is a small file containing a target URI or the name of a target program file that the shortcut represents. [wiki]

Microsoft Windows uses .lnk as the filename extension for shortcuts to local files, and .URL for shortcuts to remote files, like web pages.

Thanks to Jesse Hager for creating the specification document. Please refer to this link http://www.wotsit.org/list.asp?al=L, search for ‘LNK’ and download it; it is a good reference.

As observed, LNK trojan downloaders take advantage of the command-line string field to perform malicious activity.
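As an added illustration (not code from the original post or from Jesse Hager's specification), this Python parser walks the top-level layout from Figure 01 far enough to pull out the StringData, including the command-line arguments field the downloaders abuse. The sample shortcut it builds is constructed here, and the "arguments plus minimized window" triage rule is an assumed heuristic, not something the post states.

```python
import struct
import uuid

# LinkFlags bits (MS-SHLLINK) that decide which optional structures follow the 76-byte header
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
SW_SHOWMINNOACTIVE = 7
STRING_DATA = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
               (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))  # fixed on-disk order

def parse_lnk(data: bytes) -> dict:
    """Walk the top-level layout: ShellLinkHeader, optional IDList and LinkInfo, then StringData."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:     # LinkTargetIDList: 2-byte IDListSize, then the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:   # LinkInfo: 4-byte LinkInfoSize that covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, name in STRING_DATA:   # each block is CountCharacters + the chars, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return info

def build_lnk(flags: int, **strings: str) -> bytes:
    """Constructed sample (not a real shortcut): header with the given flags, Unicode StringData."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack("<II", flags | IS_UNICODE, 0x20)
    # zero FILETIMEs, then FileSize, IconIndex, ShowCommand=7, HotKey and the reserved fields
    header += bytes(24) + struct.pack("<IIIHHII", 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    body = b""
    for flag, name in STRING_DATA:
        if flags & flag:
            text = strings[name].encode("utf-16-le")
            body += struct.pack("<H", len(text) // 2) + text
    return header + body

def hunt_hidden_command(data: bytes) -> bool:
    """Triage rule (assumed heuristic): arguments plus a minimized start deserve a closer look."""
    info = parse_lnk(data)
    return "arguments" in info and info["show_command"] == SW_SHOWMINNOACTIVE
```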

**Update**

A 0day in malformed Windows Shell Link (.LNK) binaries is referred to as CVE-2010-2568 and Microsoft Security Advisory (2286198).

LNK binary file format reference:

LNK_The_Windows_Shortcut_File_Format

MS-SHLLINK

OS X users, please patch!

If you haven’t patched yet, then please do.

How do I know if I’m patched?

Click “About This Mac” and it should display Mac OS X version 10.5.7. You can do the same if you are using Safari by clicking “About Safari”; this should display Safari 4 (beta).

Why is it important to patch?

There are critical vulnerabilities that could allow a malicious user (hacker, malware) to snoop and steal your information in the background. Let me cite examples of vulnerabilities that have captured media attention (which means many attackers are aware of them).

Safari RSS

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.6, Mac OS X Server v10.5.6

Solution: The critical issue has been addressed in Security Update 2009-001 for Mac users and Safari 3.2.2 for Windows.

Impact: Accessing a maliciously crafted feed: URL may lead to arbitrary code execution.

An attacker can easily craft a URL and execute JavaScript, and this could expose your personal and sensitive information.

Disk Images

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6

Solution: The critical issue has been addressed in Security Update 2009-002

Impact: Mounting a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution.

This is very critical given the fact that a browser like Safari has “Open safe files after downloading” enabled by default. You can turn off this option in Safari by following the instructions below:

1. Open Safari

2. Open “Preferences” under the “Safari” menu

3. Click on the “General” tab

4. Un-check the “Open ‘safe’ files after downloading” box

5. Close Safari’s preferences

MacCinema slight modification

A slightly modified variant of MacCinema was spotted in “MacPlay.dmg”. Once you execute it, it will still display the MacCinema installer. However, a few modifications were found in the preinstall & preupgrade scripts, as shown in Figure 01.

Obviously, attackers are trying to maximize these threats. The obfuscated data will extract another script, which we have already seen in the previous variant.

This Trojan has been in the wild for months now, and as it continues to proliferate on the internet, new Macintosh users are often found falling for its tricks.

Stay away from this threat!

Apple profiles “Twitter”

Apple profiles a series of companies that use Macs, and one of them is Twitter; the profile title is “Twitter. Triumph of humanity”.

It’s a nice story, although when you think of the recent series of successful attacks (the Mikeyy worm and the exposure of the Twitter Admin Panel), you’ll probably react this way …

“Aha?!, Interesting!”

Categories: Daily Thoughts

PDF Adobe Reader Zero Day

Adobe Reader has two vulnerable JavaScript functions, getAnnots() and spell.customDictionaryOpen(), that could allow a remote attacker to execute arbitrary code on the system. PoCs were published here.

PSIRT blogged an update saying that this vulnerability is still under investigation and updates will be available by 12th May:

We are in the process of fixing the issue, and expect to make available product updates for the relevant supported Adobe Reader and Acrobat versions and platforms by May 12th, 2009.

Adobe Released Security Bulletin

Release date: May 1, 2009

Vulnerability identifier: APSA09-02

CVE number: CVE-2009-1492, CVE-2009-1493

Platform: All Platforms

Mac users are also affected by this vulnerability, and as usual it is recommended that you disable JavaScript if you are using Adobe Reader. Please follow the instructions here.
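An added example, not from the original post or from Adobe: a small Python triage scanner that inflates a PDF's FlateDecode streams and reports whether either of the two function names from the bulletin appears in its JavaScript. The minimal PDF it builds is constructed for the demonstration.

```python
import re
import zlib

# The two Adobe Reader JavaScript functions named in APSA09-02 (CVE-2009-1492 / CVE-2009-1493)
RISKY_CALLS = (b"getAnnots", b"customDictionaryOpen")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_LITERAL_RE = re.compile(rb"/(?:JS|JavaScript)\s*\(([^)]*)\)")  # stops at first ')', enough for names

def inflate(body: bytes) -> bytes:
    """Inflate a /FlateDecode stream body; anything that is not zlib data is returned as-is."""
    d = zlib.decompressobj()
    try:
        return d.decompress(body) + d.flush()
    except zlib.error:
        return body

def script_bodies(pdf: bytes):
    """Yield every candidate script: inline /JS (...) literals and the content of every stream."""
    yield from JS_LITERAL_RE.findall(pdf)
    for body in STREAM_RE.findall(pdf):
        yield inflate(body)

def scan_pdf(pdf: bytes) -> dict:
    """Report whether the file declares JavaScript and which of the risky functions it names."""
    found = {name.decode() for body in script_bodies(pdf) for name in RISKY_CALLS if name in body}
    return {"has_javascript": b"/JavaScript" in pdf or b"/JS" in pdf, "risky_calls": sorted(found)}

def make_sample_pdf(script: bytes) -> bytes:
    """Constructed minimal PDF skeleton with one Flate-compressed JavaScript stream (sample input)."""
    data = zlib.compress(script)
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(data)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + data + b"\nendstream\nendobj\n%%EOF\n")
```

Streams using filters other than FlateDecode are searched uncompressed, so a miss there is not proof of a clean file.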

Who’s Rogue?

The first Mac rogue software, “MacSweeper”, appeared in January last year, although AngelO (the developer) tried defending the software by replying on different forums and blog posts.

Two months later, “iMunizator” appeared, which is a repackaged version of MacSweeper. This version has a few improvements; for example, the nagging pop-ups were removed as the authors tried to prove that their product had been modified for safe use.

Around January this year, “iMunizator” was spotted online again, serving rogue software. Obviously, they can’t sell it, as researchers have raised awareness about it. What do you expect?

In February, MacPaw tweeted “CleanMyMac is Out”.

How did I come across this site? Oh, I was looking for the PoC worm “Tored” -> Obviously, it’s not in the wild but definitely something to investigate.

Anyway, the MacPaw website offers two pieces of software, “CleanMyMac” and “MacHider”. “CleanMyMac” has exactly the same functionality and features as “MacSweeper”, although this time it’s clean.

What’s interesting here is this (screenshot below) … It sounds familiar, like the “iMunizator” lifetime offer. The question now is, what do you pay for with “lifetime”?

On the other hand, what is meant by a lifetime offer/warranty? Here’s a good explanation from wiki.

A lifetime warranty is usually a guarantee on the lifetime of the product on the market rather than the lifetime of the consumer (the exact meaning should be defined in the actual warranty documentation). If a product has been discontinued and is no longer available, the warranty may last a limited period longer. For example, the Cisco Limited Lifetime Warranty currently lasts for five years after the product has been discontinued.

Take note: “lifetime is a guarantee on the lifetime of the product on the market”, which means if these guys disappear tomorrow then you have been tricked into buying it.

There are good tools and applications out there; please make sure that you buy from a reliable and trusted source.