  1. #1
    iNET Interactive
    TOP STORY

    A threat to common ".dll" files hits many apps


    By Susan Bradley

    Microsoft's latest Security advisory on .dll-file vulnerabilities reveals a whole new chapter of Internet security troubles — and raises many more questions than it gives answers.

    Many popular applications may be targets of this new threat, and there's no single patch that will fix it.

    The full text of this column is posted at WindowsSecrets.com/2010/09/09/01.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.
    Last edited by revia; 2011-01-19 at 13:49.

  2. #2
    Lounger
    Feel like the example picture of the Linksys router showing port filtering should have indicated what one should do with those ports or where they should be forwarded to.

  3. #3
    New Lounger
    This was an auspicious lack of success! First Avira AntiVir highlighted two of the DLLs installed by Metasploit's DLLHijackAuditKit as containing trojans, and then after much flashing of windows Process Monitor crashed with an out-of-memory error. Oh well, I suppose I will have to stay ignorant!

    And then after writing this I discovered that the routine stopped Avira anyway, so I feel more vulnerable now than before!

  4. #4
    New Lounger
    Downloaded the audit files as instructed, but my AVG Anti-Virus found 2 DLLs as Trojan horses and a third with a heuristic feature when they were unpacked. Could someone please confirm that these are SAFE files before I continue.

    Thanks in Advance

  5. #5
    New Lounger
    Forgot to add that the Trojan horses were found in the Metasploit DLLHijackAuditKit file.

  6. #6
    New Lounger
    I'm sorry - but although I regard myself as moderately computer savvy - this article was beyond me. Some of us readers need a bit more hand holding. David

  7. #7
    New Lounger
    A few quick points:
    1) The Sysinternals program named "Process Explorer" is not the same as the one named "Process Monitor". You need the latter to run Metasploit's software.
    2) Be aware that the author has made an assumption that if you are running XP, you are automatically running as Administrator.
    3) There should have been a notice to turn off your AV software before trying to run Metasploit's software, or else you get a large number of error messages.

  8. #8
    New Lounger
    I cannot recommend this approach to solving the problem. First of all, the exploit software downloads a test trojan, which McAfee immediately deleted, as it should. Second, the instructions say to download Process Explorer from Sysinternals, but the actual program needed is Process Monitor (PROCMON.EXE), which also has to be in the same directory as the exploit tester, BTW. Third, this test is really scary, as it takes over the entire computer and attempts to launch more than 1500 file extension types in sequence. For many of these the user must respond to a Windows prompt to either cancel the launch or accept the fact that the program could not start. Also, this extension launching often starts up the entire application that is responsible for the extension, e.g. Access for MDB files, and it sits there running. Hence, you will soon have a crapload of applications running. I can't remember seeing a warning about this behavior in the original article.

    Did anybody at Windows Secrets actually follow these instructions before posting them as pseudo-gospel?

    Very annoyed.

  9. #9
    New Lounger
    The article suggests using HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager and changing the value of CWDIllegalInDllSearch if you have problems with an individual app, but that is misleading, as this is the global setting.

    KB2264107 (http://support.microsoft.com/kb/2264107/en-us) says:
    * To use this registry entry for a specified application on a computer:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<application binary name>
    (Using the same CWDIllegalInDllSearch values)

    Robin

  10. #10
    New Lounger
    Vista Home Basic SP1, 32 bit:
    "C:\Users\Al\Downloads\ProcessExplorer\audit.js(41 , 1) SWbemObjectEx: No such interface supported"

    is the message I get after attempting to start the audit.

    I may have an infection. Had to redo my Lightroom 2 catalog last night.

    I believe I've followed the instructions.

  11. #11
    New Lounger
    Yes, my Vipre Antivirus nailed Metasploit's as a known Trojan. Couldn't run.

    Not too keen on turning off my AV, but here are some postings from Metasploit's blog:

    Post from their site:
    Multiple AV products will consider this link a trojan -- the DLL and EXE that run the Calculator were generated by the standard Metasploit codebase. You can see how they were generated by looking at the regenerate_payloads.rb script in the ZIP file. These are not malicious (after all, they just run calc). If you want a viable test, you will need to disable your AV to run these.

    The four files triggering the AV signatures are the two DLLs and two EXEs that were generated by Metasploit. If you are concerned, you can delete these binaries from the ZIP and recreate them using the regenerate_payloads.rb script also included in the archive

  12. #12
    New Lounger
    Comcast automatically blocks these ports on their modems.

  13. #13
    Lounger
    I was a little disappointed by this article in Windows Secrets, and would have hoped that they would have tried to put all the recent hysteria about it in perspective. The long list of 'vulnerable' applications has resulted solely because people have been running the Metasploit test platform and identifying applications solely from this. Very little has been said about the circumstances in which you could expect to be hit by such exploits. Realistically, for MOST people the chances of being infected by this mechanism are practically zero.

    Former WS correspondent Woody Leonhard puts the whole thing into perspective in his article at http://www.infoworld.com/t/malware/h...ties-looms-071, and it is clear from that that if you follow sensible precautions, which hopefully we all do here, you are unlikely to be hit. You don't get infected by browsing to dodgy sites; you might if you are on a network with dodgy machines on it, and you might also if you often plug in USB sticks from equally dodgy sources. But follow Woody's suggestion and copy the file you want to your own machine first, and you will always be safe.

    For what it is worth, Opera has today released v10.62 which fixes this problem, and the latest update to Avast also cures it. In both these cases the chances of getting infected were zilch, but the program writers are taking it seriously.

  14. #14
    New Lounger
    What I don't understand from the example in Woody's article is how it picks up the .DLL from the folder the document is in, if that .dll is already present in the same folder as the .exe.
    The search order as defined by MSDN is:
    1. The directory of the application loaded
    2. The system directory
    3. The 16-bit system directory
    4. The Windows directory
    5. The current directory
    6. The PATH environment variable

    So you would expect the .dll to be picked up from 1, the directory of the application, and not 5, the current directory.
    My impression is that in this scenario the exploit doesn't actually work, and it depends on the application trying to load a .dll which ISN'T present (Windows keeps searching till it gets to 5). This scenario is more common than you would expect. The .PDF referenced in the original Windows Secrets article gives some examples, and it is something I have noticed myself when using Dependency Walker.

    If I'm missing something here, would somebody please explain.
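The search order listed in the post above, the CWDIllegalInDllSearch values Robin quotes from KB2264107 in #9, and the "location #5" point in #15 can be put together in a small model of the loader. The Python below is an added example written for this thread; it is not code from the Windows Secrets article, from Microsoft, or from Metasploit's DLLHijackAuditKit. It assumes SafeDllSearchMode is on (the Windows default), the application viewer.exe, the share and every DLL name are made up, and the rule used to recognise a WebDAV path (\\host@SSL\... or a DavWWWRoot component) is an assumption of the model, not something the KB article defines.

```python
"""Model of the Windows DLL search order and the CWDIllegalInDllSearch
policy from KB2264107.  Added example for this thread, not code from the
article, Microsoft or Metasploit.  viewer.exe, \\fileserver\docs and every
DLL name below are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# CWDIllegalInDllSearch values (KB2264107).  Global: HKLM\SYSTEM\CurrentControlSet\
# Control\Session Manager.  Per application: HKLM\Software\Microsoft\Windows NT\
# CurrentVersion\Image File Execution Options\<binary name>.
CWD_DEFAULT = 0            # current directory searched as usual
CWD_BLOCK_WEBDAV = 1       # skip the CWD when it is a WebDAV folder
CWD_BLOCK_REMOTE = 2       # skip the CWD when it is any remote folder (UNC or WebDAV)
CWD_NEVER = 0xFFFFFFFF     # never search the current directory


@dataclass
class Host:
    """Directories on a machine and the file names each one contains."""
    app_dir: str
    system_dir: str = r"C:\Windows\System32"
    system16_dir: str = r"C:\Windows\System"
    windows_dir: str = r"C:\Windows"
    path_dirs: List[str] = field(default_factory=list)
    files: Dict[str, Set[str]] = field(default_factory=dict)  # directory -> names

    def has(self, directory: str, name: str) -> bool:
        return name.lower() in {f.lower() for f in self.files.get(directory, set())}


def is_remote(directory: str) -> bool:
    """UNC and WebDAV paths both begin with a double backslash."""
    return directory.startswith("\\\\")


def is_webdav(directory: str) -> bool:
    """Assumed heuristic: \\host@SSL\... or a DavWWWRoot component means WebDAV."""
    if not is_remote(directory):
        return False
    parts = directory.lower().split("\\")
    return "@ssl" in parts[2] or "davwwwroot" in parts


def cwd_is_searched(cwd: str, policy: int) -> bool:
    """Apply the CWDIllegalInDllSearch policy to the current directory."""
    if policy == CWD_NEVER:
        return False
    if policy == CWD_BLOCK_REMOTE:
        return not is_remote(cwd)
    if policy == CWD_BLOCK_WEBDAV:
        return not is_webdav(cwd)
    return True


def search_order(host: Host, cwd: str, policy: int = CWD_DEFAULT) -> List[str]:
    """SafeDllSearchMode order: 1 app dir, 2 System32, 3 16-bit system dir,
    4 Windows dir, 5 current dir (if the policy allows it), 6 PATH entries."""
    order = [host.app_dir, host.system_dir, host.system16_dir, host.windows_dir]
    if cwd_is_searched(cwd, policy):
        order.append(cwd)
    return order + list(host.path_dirs)


def resolve(host: Host, dll: str, cwd: str, policy: int = CWD_DEFAULT) -> Optional[str]:
    """Directory the loader takes `dll` from, or None if it is found nowhere."""
    for directory in search_order(host, cwd, policy):
        if host.has(directory, dll):
            return directory
    return None


def demo() -> Dict[str, Optional[str]]:
    """viewer.exe opens a document whose folder holds planted DLLs (constructed data)."""
    app = r"C:\Program Files\Viewer"
    share = r"\\fileserver\docs"                    # UNC share: remote, not WebDAV
    dav = r"\\evil.example@SSL\DavWWWRoot\docs"      # WebDAV share
    local = r"C:\Users\al\Documents"                 # document copied to the local disk
    host = Host(app_dir=app, files={
        app: {"viewer.exe", "present.dll"},          # DLL shipped with the application
        r"C:\Windows\System32": {"kernel32.dll"},
        share: {"report.txt", "present.dll", "missing.dll"},   # planted next to the document
        dav: {"report.txt", "missing.dll"},
        local: {"report.txt", "missing.dll"},        # planted DLL copied along with it
    })
    return {
        # A DLL the app ships is taken from location 1; the planted copy never wins.
        "shipped_dll_from_share": resolve(host, "present.dll", cwd=share),
        # A DLL the app requests but does not ship falls through to location 5.
        "missing_dll_from_share": resolve(host, "missing.dll", cwd=share),
        "missing_dll_from_share_policy2": resolve(host, "missing.dll", cwd=share, policy=CWD_BLOCK_REMOTE),
        # Policy 1 covers WebDAV only; a plain UNC share is still searched.
        "missing_dll_from_share_policy1": resolve(host, "missing.dll", cwd=share, policy=CWD_BLOCK_WEBDAV),
        "missing_dll_from_webdav_policy1": resolve(host, "missing.dll", cwd=dav, policy=CWD_BLOCK_WEBDAV),
        # 0xFFFFFFFF drops the CWD altogether, local or remote.
        "missing_dll_local_never": resolve(host, "missing.dll", cwd=local, policy=CWD_NEVER),
        # Policy 2 leaves a local CWD searchable: a DLL copied beside the document still loads.
        "missing_dll_local_policy2": resolve(host, "missing.dll", cwd=local, policy=CWD_BLOCK_REMOTE),
    }


if __name__ == "__main__":
    for case, where in demo().items():
        print(f"{case:34s} -> {where}")
```

Running it shows the two halves of the argument in this thread: present.dll is always resolved from the application directory, whatever sits beside the document, while missing.dll is the one an attacker can supply, and only a policy that removes the current directory for that kind of location (2 for any remote folder, 0xFFFFFFFF for every folder) stops it. Setting the value under the Image File Execution Options key for one binary rather than under Session Manager limits the change to that application.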

  15. #15
    3 Star Lounger
    The way that one could be "attacked" is more likely to be from a remote file-sharing site that allows you to launch a file and open it up remotely. For example, JungleDisk, which uses WebDAV.

    I ran these tests both on Windows XP and on Windows 7. In my own case I found that the apps were ones for which, in my mind, I could justify that I wouldn't be opening up files remotely over file shares and web shares. That's the key here: don't panic, realize what this means, which ones are impacted, which ones need updates, and then laser in on those that there may be some risk from.

    If the developer of the program has not specified where the dll will be loaded from, it will pick it up from location #5. If you don't control location #5, then you could be at risk.

    As to AVs flagging that DLL as a risk, they are responding to the site, as it's an exploit research site.
