The short answer is, no.
SJVN’s answer would be “not if the Internet runs on Linux.” But it doesn’t, and the answer is still “no.”
Yup, it’s the LNK malware family. To quote SJVN: “The LNK vulnerability is an obnoxious little security hole that’s present in all versions of Windows from Windows 2000 on up.” Amazing it’s taken hackers ten whole years to exploit it, isn’t it?
Well, no, it isn’t. You have to get an infected .lnk file onto your computer first. To be fair, if you do, you’re potentially toast (I think: SJVN doesn’t provide any details. Maybe you have to be logged in as Admin for this to matter worth crap? Who knows?)
And I know you’re all wondering: how could this infection come about? Well, to quote SJVN again, “Early versions of the attack required users to plug in a USB key with the malicious software. If that were still required, this would be a minor problem. Now, however, exploits exist that can launch attacks over SMB (Server Message Block) file shares and Windows’ WebClient services.”
Interesting that SJVN considers USB keys as a minor problem. Any normal person would consider them quite a major one. But there you go.
And, of course, such tried-and-true virus-spreading methods as sending a LNK file over an IM (instant message) or in an e-mail will also spread it.
Oh yeah, I do that all the time. Totally innocently, of course, but there’s nothing quite like sending a link file over the 'net to make my day. People fall for it every time!
For interested parties, here’s the Microsoft Advisory. Don’t forget to check it for LNK files.
Well, it’s all a bit of a bother, particularly because SJVN claims that:
“So, what can you do about it? Not a lot … In short, there’s no cure. The attack is about as nasty as it can get, and the ‘cures’ that we have now may be worse than the diseases.”
This is just before he goes into full-featured spume-flamed maniac mode and suggests shutting down the internet altogether. (It’s worth reading.)
Or you could just look at this and consider how freakishly trivial it would be for an antivirus provider to detect the thing. Let alone how freakishly easy it would be to avoid being infected in the first place.
Oh, did I mention that there has to be a “malicious binary” on your machine in the first place, and that the rogue LNK file has to know the exact pathname to that malicious binary? Whoops, silly me. I’ll just go back and make sure that SJVN was a little more thorough than I’ve been.
PS To be fair, SJVN does link to this, which suggests that the attacker can install a rootkit (a fairly trivial one that just disguises the LNK vulnerability, but still). Which makes it so entirely different from any other attack that depends upon you being logged in as Admin, of course.
PPS Here’s the Mitre CVE on the subject.
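As an added example (not code from the post, the advisory, or the linked format description), here is a small Python parser that pulls the target pathname out of a .lnk file's LinkInfo block, which is exactly the indirection the post is talking about, and flags shortcuts whose target sits on a UNC share rather than a local drive, the sort of check a scanner can make before anything gets executed. The field offsets follow the published Shell Link binary format; the sample shortcuts, server names and file names are constructed for the demonstration.

```python
import struct

# Field layout below follows the published Shell Link (.LNK) binary format.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_TARGET_IDLIST, HAS_LINK_INFO = 0x1, 0x2        # ShellLinkHeader.LinkFlags bits
HAS_LOCAL_BASE_PATH, HAS_NETWORK_LINK = 0x1, 0x2    # LinkInfo.LinkInfoFlags bits

def _cstr(buf, off):  # NUL-terminated ANSI string starting at off
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")

def resolve_target(data):
    """Return (target_path, is_network) for a .lnk blob, read from its LinkInfo block only."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if link_flags & HAS_TARGET_IDLIST:      # skip IDListSize + IDList; the path we want lives in LinkInfo
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if not link_flags & HAS_LINK_INFO:
        return None, False
    _size, _hdr, li_flags, _vol, lbp_off, cnrl_off, suffix_off = struct.unpack_from("<7I", data, off)
    suffix = _cstr(data, off + suffix_off)
    if li_flags & HAS_LOCAL_BASE_PATH:      # local drive: LocalBasePath + CommonPathSuffix
        return _cstr(data, off + lbp_off) + suffix, False
    if li_flags & HAS_NETWORK_LINK:         # UNC share: NetName + "\" + CommonPathSuffix
        net_name_off = struct.unpack_from("<I", data, off + cnrl_off + 8)[0]
        return _cstr(data, off + cnrl_off + net_name_off) + "\\" + suffix, True
    return None, False

def build_lnk(local_base=None, net_name=None, suffix=""):
    """Construct a minimal .lnk blob (header + LinkInfo + terminal block) as sample input; not a real shortcut."""
    sfx = suffix.encode() + b"\x00"
    if net_name is not None:                # CommonNetworkRelativeLink with NetNameOffset 0x14, no Unicode fields
        net = net_name.encode() + b"\x00"
        cnrl = struct.pack("<5I", 20 + len(net), 0, 0x14, 0, 0) + net
        body, li_flags, offs = cnrl + sfx, HAS_NETWORK_LINK, (0, 0, 28, 28 + len(cnrl))
    else:                                   # VolumeID (16-byte header + empty label), then LocalBasePath
        vol = struct.pack("<4I", 17, 3, 0, 16) + b"\x00"
        lbp = local_base.encode() + b"\x00"
        body, li_flags, offs = vol + lbp + sfx, HAS_LOCAL_BASE_PATH, (28, 28 + len(vol), 0, 28 + len(vol) + len(lbp))
    link_info = struct.pack("<7I", 28 + len(body), 28, li_flags, *offs) + body
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_LINK_INFO) + bytes(52)
    return header + link_info + bytes(4)    # trailing 4 zero bytes = ExtraData TerminalBlock

def flag_network_shortcuts(blobs):
    """Scanner-style check: targets of shortcuts that resolve to a UNC share rather than a local drive."""
    return [target for target, is_net in map(resolve_target, blobs) if is_net]
```

Feeding `flag_network_shortcuts` a local shortcut to `C:\Windows\notepad.exe` and a constructed one pointing at `\\fileserver\public\tools\update.exe` returns only the latter; a real scanner would read the blobs from disk instead of building them.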


Comments
I can accept that they could set up the binary on a WebDAV share somewhere, so this vulnerability could be used to execute it if someone had WebClient running.
However:
1. How the hell does the LNK get onto the network or USB key in the first place? Magic? Outlook blocks LNK files, so email is out for most corporate networks using Office. (Attempting to SEND an LNK in Outlook, OWA or Hotmail just attaches the linked executable, and EXEs are blocked too. Other clients are probably the same, so accidental forwarding is unlikely.) Someone with access to the network would either have to be malicious and know where the malware lives, or be mind-meltingly stupid.
2. Does SJVN think that an anti-virus won’t detect the malicious binary as it executes? The rootkit/trojan package associated with this exploit is already detected by most (by now probably all) of the major AV vendors’ signatures and would probably be flagged and quarantined by heuristic scanning too.
“Can Windows kill the Internet?”
No, but Linux trolls can make it crappy for everyone else.
Every time they bleat about security, I remind them of http://www.vupen.com/english/security-advisories/. Linux and open source applications get identified with as many, if not more, security issues as Windows.
DrLoser, you forget SolidGoldComments™. Check out this gem:
“I believe Microsoft’s Windows to be the largest and longest lived example of mass delusion in the History of Humankind. People are sold junk and told it is gold.”
@Ted
Well, that’s an interesting question, and it gets to the left ventricle of the matter.
I prodded around a bit and, as far as I can see, the LNK attack only works if there’s a malicious executable around to run. Of course, that malicious executable could be “rm” and could be linked with arguments “-rF /*” (just to use an artificial example), but then it would still have to have admin privileges. A script would do for that. A link is no more scary.
Now, I think that SJVN is fixated on network-delivered viruses. He says himself that (a) this wouldn’t be a problem if confined to USBs (idiot) and (b) it’s only just emerged onto file-shares and such. It’s like the man has an Aristotelian view of the universe, where every storage class sits in its own crystal ball and orbits the kernel. There really isn’t any difference (except one) in delivery method, although SJVN is still talking crystal balls.
That one difference? Windows Autoplay. I always thought that was a bad feature. It’s certainly annoyed me a hell of a lot of times. But, the thing is, in this case, it’s the central part of the problem: a naive user (like me — I didn’t even know you could shut the damn thing off other than by hitting the cancel button every time) sticks a USB key in, autoplay magically executes the lnk file, and there you are. I’m pretty sure that’s what all the fuss is about, although since SJVN has the investigative imagination of a three-toed sloth, we’ll never know.
Sorry; too much time musing on this non-issue and on SJVN’s weird micromoniacal fantasies. You’re right. In every obvious way, this is probably the worst way to compromise the Security of the Free World, evah.
I’m not even sure how the root-kits get there, given a pure LNK attack on its own. Here’s the (unofficial) API for a lnk file:
http://www.stdlib.com/art6-Shortcut-File-Format-lnk.html
It’s all indirection, isn’t it? Indirection is a useful technique in CS. On the other hand, if you need indirection to stick a virus onto Windows, then MS must be doing a reasonable job of excluding direct attacks … Not that SJVN would admit that.
Just for yuks, one of the first authorities to discover this vulnerability was a company in Byelorus. Oh yeah, like I’m going to believe a state-sponsored technician in the last Stalinist country in Europe. (Ad stalinistem defence.)
If you’ve got a malicious LNK file on a WebDAV or SMB share, or in SharePoint, you’ve got bigger problems than the exploitation itself.
The only real danger I can see here is USB sticks, but if you’ve got an antivirus scanner, that should catch it.