Comments on: Mitigating .LNK Exploitation With Ariad

By: How do I protect myself against the .LNK vulnerability?

How do I protect myself against the .LNK vulnerability? — Mon, 07 Mar 2011 07:43:23 +0000

[...] approach to mitigate the possible LNK attack involves the use of Didier Stevens’ tool Ariad. Note that the tool is beta-software operating in the OS kernel, so it’s probably not a good [...]

By: Stuxnet / CPLink la situation ne s’arrange pas | Linux-backtrack.com

Stuxnet / CPLink la situation ne s’arrange pas | Linux-backtrack.com — Thu, 10 Feb 2011 21:32:46 +0000

[...] l’utilisation de son logiciel Ariad qui permet de contrôler finement l’ouverture automatique de fichiers depuis les supports amovibles ou externes. [...]

By: Jan Willem

Jan Willem — Fri, 29 Oct 2010 23:24:04 +0000

Thanks a lot Sr. Didier Stevens,
I think Ariad will contribute a lot in the fight with an outbreak of LNK FLAW exploiting rootkit-virusses here in Juigalpa, Nicaragua.

gracias, Jan Willem

By: Quickpost: Ariad & DLL Preloading « Didier Stevens

Quickpost: Ariad & DLL Preloading « Didier Stevens — Thu, 26 Aug 2010 12:11:24 +0000

[...] I’m writing this quickpost just in case you hadn’t figured this out for yourself: the techniques I described to protect machines from the .LNK vulnerability also help you mitigate the DLL [...]

By: How do I protect myself against the .LNK vulnerability? | Blogs News

How do I protect myself against the .LNK vulnerability? | Blogs News — Thu, 05 Aug 2010 13:24:35 +0000

By: CloneRanger

CloneRanger — Fri, 30 Jul 2010 23:34:45 +0000

@ssj100

Ditto, You write:

“I don’t see why that would be relevant in the case of a USB device. When you plug in an infected USB device (eg. which ALREADY has the DLL file on it), you wouldn’t need to copy anything first.”

I have already posted at least TWICE,

“ONLY if dll.dll has already been placed in C:\ first manually. Please see Post 178 here – http://www.wilderssecurity.com/showthread.php?p=1717108#post1717108”

From my wilders post,

“I deleted dll.dll from C:\ and tried the POC again from both my USB stick and a folder on my desktop. This time just cruising and double clicking showed NO entry in DbgView ! = Fail”

Do remember i am talking about the POC !

Still no PM with a Real Stuxnet nasty for me to run and test and respond to ?

Have a nice weekend everybody

By: ssj100

ssj100 — Thu, 29 Jul 2010 23:43:03 +0000

@CloneRanger My friend, thanks for the reply. I’ll give it one last shot. You write:

***
“I’m more concerned that UNLESS dll.dll is FIRST copied to C:\ NEITHER A or B test exploit works.”
***

I don’t see why that would be relevant in the case of a USB device. When you plug in an infected USB device (eg. which ALREADY has the DLL file on it), you wouldn’t need to copy anything first.

By: CloneRanger

CloneRanger — Thu, 29 Jul 2010 03:37:46 +0000

@ssj100

I see why you’re hung up over the rundll32.exe thingy !

I’m more concerned that UNLESS dll.dll is FIRST copied to C:\ NEITHER A or B test exploit works.

As i mentioned before, if you want to send me a version of the “REAL” Stuxnet i’ll test it LIVE from my USB stick. Someone will have to PM me at Wilders with a rapidshare etc link

C ya

By: ssj100

ssj100 — Wed, 28 Jul 2010 08:15:55 +0000

@CloneRanger Sorry, but you’re still not understanding what I’m trying to tell you. “rundll32.exe” is only called when you double click the LNK file. However, it is not called when you just browse the files (which is the original exploit).

Please repeat your tests against the POC as described here (test A):
http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1308

Hopefully now you will understand why blocking “rundll32.exe” does absolutely nothing against the original exploit. If you still disagree, then there’s nothing more I can do. You can ask someone professionally knowledgeable like EraserHW from Prevx for confirmation – he will agree with me, just like Zero_One from BluePoint Security did. In fact, I’m surprised Didier Stevens himself hasn’t commented on this – it’s his blog after all, and I would have thought his readers deserved clarification of any mis-information.

By: CloneRanger

CloneRanger — Wed, 28 Jul 2010 02:50:53 +0000

@ssj100

The following post is from July 21st, 2010, 04:03 PM You must have missed it ?

Tested the POC again today Post 158 – http://www.wilderssecurity.com/showthread.php?s=e552f5bdfcc2d68751a41d9f0a393206&t=276994&page=7

It shows what happened when i included, and removed run32.dll detection in ProcessGuard.