You are not logged in. Please login or register.
Hello VX-world!
I am many researched Windows ShortCut's - flags, locked lnk and others interesting things.
StuxNet has opened me quite new subject. Shortcut on Control panel & DllMain...
So, possible create LNK and prescribe ABSOLUTE network path, and provide mass infection on LAN-network. 
(\\comp\hidden-shared$\test.dll)
But...how can prescribe relative path in vulnerable lnk?
e.g. ".\test.dll"
i'm not sure about this but as the bug is in explorer, my tests using a relative path like .\bla.dll always resulted in bla.dll being executed from the same drive as the system dir (as it's being executed from explorer, it does make sense) so from that it does not seem possible so i ended up making copies for each drive letter that would be relevant
Last edited by crim (2011-11-11 14:45:57)
around 10 or 12 years ago i found the "pif" tech. ...
the principle was easy, a .pif is handled as an executable, my idea was to include more things in the .pif.
structure was :
______________
pif commands ( & icon)
--
bat script
--
irc script
______________
When run as a .pif, the file copied itself as a .bat, adding an autostart, and copied itself as a .ini in irc client directory
When run as a .bat, the file could made many things
When load as a .ini (in irc client), the file was an irc backdoor
As you see, such "shortcut file" can include many different things or codes inside, playing with extensions only the linked code will be executed.
You can probably find some of thoses "pif worms" on vxnetlux. I've lost almost all the things i did.
Sadly my ".pif" idea was badly copied, all the worms or trojans using it were just .exe renamed, without editing the ".pif".
Last edited by Del_Armg0 (2011-11-11 15:03:44)
around 10 or 12 years ago i found the "pif" tech. ...
the principle was easy, a .pif is handled as an executable, my idea was to include more things in the .pif.
structure was :
______________
pif commands ( & icon)
--
bat script
--
irc script
______________When run as a .pif, the file copied itself as a .bat, adding an autostart, and copied itself as a .ini in irc client directory
When run as a .bat, the file could made many things
When load as a .ini (in irc client), the file was an irc backdoorAs you see, such "shortcut file" can include many different things or codes inside, playing with extensions only the linked code will be executed.
You can probably find some of thoses "pif worms" on vxnetlux. I've lost almost all the things i did.Sadly my ".pif" idea was badly copied, all the worms or trojans using it were just .exe renamed, without editing the ".pif".
while the subject is interesting it's not really relevant to the topic as the vulnerability lies in how windows handles the icon loading in .lnk files
more here
[Register or log in to view the URL]
И да, через 2 с лишним месяца после обнаружения stuxnet'a, M$ наконец таки открывает формат lnk-файла.
[Register or log in to view the URL]
Last edited by kiber_punk (2011-11-11 16:52:09)
английски, пожалуйста
английски, пожалуйста
Sorry, "untransferable russian folklore". ))
And sorry for my eng.
----------------------------
I have said that certain time (~2 month) after detect stuxnet-worm* , Microsoft "clamp heart" [скрепя сердцем] has opened [Register or log in to view the URL].
* [Register or log in to view the URL] in its blog. Much interesting.