The problem with executable files is that the search priority list changes. According to a blog post at the Acros Security blog, exe files are either loaded with the highest or second highest priority in Windows.

This means for instance that a command to launch a new process will look into the current working directory prior to looking into the Windows directories or directories in the path environment.

An attacker could exploit this by placing executables of the same name in the working directory, e.g. a malicious explorer.exe that is launched by the application executed by the user of the system.

What does it mean? It means that the situation is highly critical as the available workarounds to protect a system from the DLL hijacking vulnerability are not working to protect it against the exe hijacking.

[CreateProcess] Apparently the current working directory is in the second place, which means that when an application tries to launch the Windows Calculator by calling something like CreateProcess(NULL,”calc.exe”,…), a malicious calc.exe lurking in the current working directory will get launched instead. And remotely, too, if the current working directory happens to point to a remote network share in a local network or on Internet. And no, launching remote executables using these functions will never issue any security warnings to the user, in contrast to ShellExecute*. As far as we know, introducing ShellExecute-like security warnings to these functions would cause serious problems with various batch jobs and server back-end operations running without humans present.

Acros have created a test and have released it to the public. The Online Binary Planting Exposure Test is available on Binaryplanting.com. This test is aimed at users who want totest their exposure to binary planting attacks.

The easiest way to fix the issue, at least for users who do not use WebDav is to disable it. Windows 7 users need to open the Windows Services with the hotkey Windows-R, typing services.msc and hitting enter. They then need to locate the service WebClient, which is set to manual by default. A double-click on the entry and the selection of disabled disables the service completely on the operating system.

webclient

The issue itself still exists on local drives, after disabling WebDav. An example was given for Apple’s Safari web browser, which can be used in the attacks (Apple has updated the browser since then):

As a result of an incorrect process launching in Apple Safari for Windows, an attacker can cause her malicious EXE [1] to be loaded and executed from local drives, remote Windows shares, and even shares located on Internet.

What a remote attacker has to do is plant a malicious explorer.exe on a network share and get the user to open an HTML file from this network location with Safari – which should require minimal social engineering. Then, when the user tries to open one of his downloaded files in the
containing folder (e.g., menu: Window -> Downloads -> right-click on a file -> Show Containing Folder), the malicious explorer.exe is launched instead of the legitimate one.

Alternatively, if the HTML file opens (or redirects to) any “file://” location, Safari’s attempt to launch Windows Explorer will result in launching the malicious explorer.exe. (via)

Security software that is up to date is the most effective option in protecting the system from local attacks.

Attackers could exploit the vulnerability to infect Windows operating systems during connection of removable drives, if autoplay is enabled on the system. The attack uses a specifically prepared lnk-file, containing code that is executed because Windows Shell does not parse that parameter sufficiently.

Affected are all Microsoft operating systems since (and including) Windows XP. Microsoft mentions other attack scenarios besides removable devices. The vulnerability can also be exploited via WebDAV or network shares.

Microsoft mentions three mitigating factors in the security advisory. A successful attack will give the attacker the same rights as the active user. Limited usage rights would mean that the attack could have less impact than an attack on a system where the user has administrative rights.

Systems with autoplay disabled cannot be attacked during connection. A user would have to launch “Windows Explorer or a similar application and browse to the root folder of the removable disk” for the attack to be started.

Finally, “Blocking outbound SMB connections on the perimeter firewall will reduce the risk of remote exploitation using file shares”.

A patch is currently not offered, a workaround exists however. The following steps need to be completed to protect a computer system:

Disable the displaying of icons for shortcuts

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the “Changing Keys And Values” Help topic in Registry Editor (Regedit.exe) or view the “Add and Delete Information in the Registry” and “Edit Registry Data” Help topics in Regedt32.exe.

1. Click Start, click Run, type Regedit in the Open box, and then click OK
2. Locate and then click the following registry key:
   HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
3. Click the File menu and select Export
4. In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save

   Note This will create a backup of this registry key in the My Documents folder by default

5. Select the value (Default) on the right hand window in the Registy Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.
6. Restart explorer.exe or restart the computer.

Impact: Will disable all shortcut icons, which means for instance that all Windows 7 taskbar items or start menu items are showing as white icons, which makes identification hard to impossible.

Microsoft suggests to disable the WebClient service to block the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service.

To disable the WebClient Service, follow these steps:

• Click Start, click Run, type Services.msc and then click OK.
• Right-click WebClient service and select Properties.
• Change the Startup type to Disabled. If the service is running, click Stop.
• Click OK and exit the management application.

Additional information are available at the Microsoft Security Advisory page and the Wilders Security forum.

Modules of current malware were first time detected by “VirusBlokAda” (http://anti-virus.by/en/) company specialists on the 17th of June, 2010 and were added to the anti-virus bases as Trojan-Spy.0485 and Malware-Cryptor.Win32.Inject.gen.2. During the analysis of malware there was revealed that it uses USB storage device for propagation.

You should take into consideration that virus infects Operation System in unusual way through vulnerability in processing lnk-files (without usage of autorun.inf file).

So you just have to open infected USB storage device using Microsoft Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware.

Malware installs two drivers: mrxnet.sys and mrxcls.sys. They are used to inject code into systems processes and hide malware itself. That’s the reason why you can’t see malware files on the infected USB storage device. We have added those drivers to anti-virus bases as Rootkit.TmpHider and SScope.Rookit.TmpHider.2. Note that both drivers are signed with digital signature of Realtek Semiconductor Corp. (www.realtek.com).

Thus, current malware should be added to very dangerous category causes the risk of the virus epidemic at the current moment.

After we have added a new recordes to the anti-virus bases we are admitting a lot of detections of Rootkit.TmpHider and SScope.Rookit.TmpHider.2 all over the world.

Expect a patch soon that is addressing the issue.

Any Client is one of those secure ftp clients that supports the ftp, sftp, webdav and ftps protocol. It runs remotely using Java and webmasters can use it to connect to their web servers to perform all the operations a ftp client offers them including file transfers and manipulations. The use of protocols that use encryption such as sftp or ftps ensure data safety during transfer. All settings and parameters are stored on the local computer system.

Cautious users might want to consider installing a secure ftp server directly on their web server that can be accessed using a web browser to avoid any security risks or complications that exist while trusting third party websites with your ftp data.

Any Client will load the Java Applet in the web browser and display the contents of the local computer system on the left. A click on the Connect button will open a new smaller window allowing the user to configure and add ftp servers. The ftp client configuration menu contains similar options than local ftp clients offer. Users can add and store multiple ftp servers, select the protocol, add sftp / ssh authentication and specify a starting local and remote directory.

The only difference is the absence of options that configure the ftp client itself, for example the number of simultaneous connections or file transfer limitations.

Once the ftp server has been added the ftp client can be used to connect to it. Users can now download, edit, rename or delete files while connected to the ftp server. A feature that is missing is chmod which can be used to configure access rights for files.

Any Client offers a quick and easy way to connect to ftp servers. It provides access to the basic feature set of ftp clients but lacks several advanced features that webmasters might need every now and then. Security sensitive users and those with important data on their servers might want to consider using a self hosted ftp server script instead of a third party service to reduce the security risks.

Update: the service seems to have been discontinued.

An alternative to connecting to remote ftp servers with ftp programs is to mount the ftp server as a local drive on the computer system. NetDrive provides the means to do that.

The software comes with a clean interface that has several popular ftp servers preinstalled. New servers can be added by providing the IP, port, username, password and drive letter for that connection. There is also a setting to define when the ftp server or webdav server should be added as a drive letter. The options are to do that when the system starts or when NetDrive starts.

Once the remote ftp has been mounted it is possible to access the ftp like any other drive letter in Windows. It essentially means that no ftp software is needed to connect to the ftp server and that programs like Windows Explorer or equivalents can be used instead.

Goodsync provides the typical left / right interface that many file synchronization software programs use. One interesting aspect is that it can not only be used to keep files in sync but also to backup them. Both operations are started as so called jobs. A job consists of a few steps that the user has to configure.

A file synchronization requires the selection of two folders that should be kept in sync. This can be used to sync emails, documents, music and anything practically anything else that is needed in more than one folder.

The analyze button will scan both directories and display the folders, files, sizes and additional information of both sides. The program will also list the space requirements on both hard drives if the synchronization is started. All files and the direction that they are copied will be shown as well.

Goodsync can also change the display mode so that only conflicts, errors and other information such as the sync state will be displayed.

Users can finetune the process before starting the synchronization. It is for example possible to exclude folders or files from synchronization or change their direction. The default sync direction is a two-way sync but it is possible to change that to a one-way sync easily in the options.

Filters can be used to exclude certain files or folders from the synchronization. One of the most important aspects of a file synchronization software is the support of storage space. GoodSync supports synchronization and backups on local hard drives, network drives, ftp, sftp, Amazon S3, WebDav and WinMobile hardware. It is therefor no problem to sync files from ftp or sftp to the local computer.

Once everything has been configured according to your wishes you can the automatic options. It’s much like a scheduler. You can set the interval or event when the file synchronization software should analyze or sync files and what the software should do if conflicts are encountered.

The options are also the place to create global filters and to change other options like the buffer size or if locked files should be copied.

Experienced users will like the sheer amount of command line options that are provided by the file synchronization software. There is practically a switch for every option of the software to synchronize or backup files. It is possible to import or export the job list to run it on multiple computers.

Every user is able to create file synchronization or backup jobs with GoodSync in a few easy steps. Experts will love all the settings and options to tweak the software.

Five licenses of GoodSync are up for grabs. To win one simply leave a comment and tell us what you would sync or backup with it.

Installation of the Google Docs Open Office extension could not be easier. A double-click on the program’s icon after downloading it should open the Extension Manager of Open Office automatically with a prompt to install the extension. The selection of yes will install it.

The extension will display five new icons that can be placed in a Open Office toolbar. Here is what they do from left to right: Export to Google Docs, Import from Google Docs, Export to Zoho, Import from Zoho, Export to WebDAV server.

A click on an icon will open a new dialog. It is usually required to provide account information of the service or server before performing the action. To export a document to Google Docs one would have to supply the Google username and password which can be saved locally to avoid the hassle of having to fill out the information every time that feature is being used.

Importing documents works pretty much the same way with the difference that all supported documents that are available online will be displayed giving the user the choice to load them locally or in the browser.

The document import is limited. It is possible to import text documents or presentations from Google Docs. Zoho is supporting the import of spreadsheets in addition to that. Virtually any document can be exported to both services though.