M32 Security » Chymine http://m32consulting.com Network Security Info, News, and Resources Sun, 22 Jan 2012 23:37:02 +0000 en hourly 1 Microsoft LNK vulnerability exploit spreading quicklyhttp://m32consulting.com/2010/07/microsoft-lnk-vulnerability-exploit-spreading-quickly/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-lnk-vulnerability-exploit-spreading-quickly http://m32consulting.com/2010/07/microsoft-lnk-vulnerability-exploit-spreading-quickly/#comments Thu, 29 Jul 2010 05:14:41 +0000 Kyle http://m32consulting.com/?p=119 At last writing, the Microsoft LNK vulnerability that was originally used to target SCADA systems by the Stuxnet worm in Iran, India, and Indonesia was slowly gaining speed and the exploit had a proof-of-concept in the open. Now it is accelerating. It is now being picked up by old virus/worm/malware families and incorporated into their arsenals to take new victims; some using social engineering, some using their own unique tactics. While the exploit method itself hasn’t changed, the exploiters using it are vigorously churning out new versions of their software. I think it’s safe to say Madagascar will be closing its ports soon. (Warning: addictive)

New detected malwares are Chymine, Vobfus, SalityZeus, and most recently, Downloader-CJX

Technet article on Vobfus

The Register on LNK exploit activity

F-Secure blog entry

Tags: , , , , , , , , , ,
]]> http://m32consulting.com/2010/07/microsoft-lnk-vulnerability-exploit-spreading-quickly/feed/ 0 LNK Zero-Day Exploit: Siemens WinCC SCADA systems targetedhttp://m32consulting.com/2010/07/ln-zero-day-exploit-siemens-wincc-scada-systems-targeted/?utm_source=rss&utm_medium=rss&utm_campaign=ln-zero-day-exploit-siemens-wincc-scada-systems-targeted http://m32consulting.com/2010/07/ln-zero-day-exploit-siemens-wincc-scada-systems-targeted/#comments Mon, 26 Jul 2010 05:20:59 +0000 Kyle http://m32consulting.com/?p=104 It turns out that the original targets for the highly-dangerous Windows Shell LNK Zero-Day Exploit were Siemens WinCC SCADA systems with hard-coded credentials used in large infrastructure systems like factories and power grids. Once the attacker had successfully executed the LNK exploit, they accessed the Siemens WinCC program and extracted sensitive data from the database the software uses. It is highly suspected that the exploit was explicitly used for espionage toward Iran and Indonesia at the very least, but by whom or what exact purpose is not clear. What is clear is that the Siemens WinCC software was targeted. The Siemens WinCC software has what is considered one of the top vulnerabilities in software according to CWE/SANS, which is the use of fixed-credentials. This type of vulnerability has been publicly disclosed for over two years and the password to this specific software (2WSXcder) has been publicly known since at least 2008. Siemens was made aware of the issue on July 14 and shortly started to asses the problem and notify customers.

In the meantime, a security researcher known as Ivanlef0u has posted a proof-of-concept of the exploit (site is in French), while Win32/TrojanDownloader.Chymine.A and Win32/Autorun.VB.RP are in the wild already actively actively using this exploit according to ESET. Expect to see this exploit to be a bit prolific due to its new and unique nature combined with the relative ineffectiveness of detection/removal systems thus far.

Wired Article on password’s public exposure

ESET Blog on new Zero-day exploit in the wild

Tags: , , , , , , , , ,
]]> http://m32consulting.com/2010/07/ln-zero-day-exploit-siemens-wincc-scada-systems-targeted/feed/ 0