Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    It looks like the .CPL - Shell etc. method has actually been used before, from what I've seen. Here are just a few examples.

     
  2. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Sophos also actually mentions SRP/AppLocker in their little blog article:

    Whether or not DLL rules have to be enabled, I don't know. But gut feeling tells me they would need to be enabled, if it's correct that the vulnerability causes the malicious file referenced in the specially-crafted .lnk files to be loaded as a dll library (and not created as a process).
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Ran the POC on XP/SP2, with fewer than half a dozen MS patches installed.

    Enabled Shadow Defender and then Dl'd the Suckme POC and unzipped it into a new folder, and then onto a flash stick, and also did the same on my desktop. Made a copy of suckme.lnk_ and then made it "workable" as suckme.lnk, "supposedly".

    Started up DbgView.exe and ran the POC, got no alerts from it or ProcessGuard or anything else.

    dbv.gif

    Put ProcessGuard in learning mode, cleared rundll.dll from its list of OK's, and ran it again.

    run-dll.gif

    Tried it from both the flash stick, and desktop.

    Clicked permit, and still no sign of anything happening, so?

    *

    EDIT

    Found 3 instances of rundll32.exe via TM which I couldn't kill? And one using DSE.

    zom.gif
     
    Last edited: Jul 18, 2010
  7. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    You need to put dll.dll in C:\

    EDIT: Also you don't need to click on the lnk file, just put it on your flash stick.
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Originally Posted by Sadeghi85

    OK thanks :thumb: Did that and got a normal PEG prompt.

    ops.gif

    Then plugged in my USB stick

    db.gif

    Sure enough I see 2 entries, whatever they mean?

    I did both.

    Still don't see anything out of the ordinary happening. What would I expect to find, and where?

    TIA :thumb:
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Some extra info I found.

    *

     
  10. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Originally Posted by Sadeghi85

    Yes thanks, I read that, but I don't see SUCK etc. in my DbgView?

    Also Didier Stevens appears to have had dll.dll in a folder on D:\, his CD-ROM. I didn't see a mention of placing dll.dll in C:\?
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    From the h-online.com article posted by CloneRanger:

    This confirms what I learned in communication with Bojan Zdrnja of sans.isc.org, who analyzed the exploit. He said in essence that these are targeted exploits with a hardcoded link file to the specific USB device. The links contain vendor names and other stuff, so if your USB disk is different (and it most likely is), it won't work since your Windows Explorer won't be able to find the malware.

    However, it's clear that some modifications could be made to make the exploit more generic. It seems to me that the exploit would still require the user|victim to insert an infected USB drive that had a link file and malware file(s) already on the stick.

    ----
    rich
     
    Last edited: Jul 19, 2010
  13. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    He wrote:

    You can do that by editing the lnk file. The lnk file that comes with the PoC targets C:\dll.dll

    I could get it to work on a virtual CD drive, though it didn't work on a flash stick o_O I had to put dll.dll in C:\ and the lnk file onto flash stick.
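As an added example (not code from any poster in this thread), the following Python script does the kind of triage that Rmus's and Sadeghi85's posts above suggest a defender would want: an ordinary shortcut records, in its LinkInfo block, the target path plus the label and serial number of the volume it was created on, which is one way a link ends up tied to one particular drive, and the PoC's link points at a library (C:\dll.dll) rather than a program. The parser follows the public MS-SHLLINK layout for the ShellLinkHeader, LinkInfo and VolumeID structures and flags any link whose target ends in .dll or .cpl; `build_sample_lnk`, the volume label "USBSTICK" and the serial number are constructed test data, not taken from any real file.

```python
"""Triage helper for Windows Shell Link (.lnk) files, written against the
public MS-SHLLINK layout. It extracts the LocalBasePath and the VolumeID
(drive type, serial, label) from the LinkInfo block and flags shortcuts whose
target is a library (.dll/.cpl) rather than a program. Sample data is built
by build_sample_lnk and is constructed, not taken from any real file."""
import struct

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) form
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# ShellLinkHeader.LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
# LinkInfo.LinkInfoFlags bit (MS-SHLLINK 2.3)
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_REMOVABLE = 2
LIBRARY_EXTENSIONS = (".dll", ".cpl")


class LnkParseError(ValueError):
    pass


def _cstr(buf, offset):
    """Read a NUL-terminated single-byte string starting at offset."""
    end = buf.find(b"\x00", offset)
    if end < 0:
        raise LnkParseError("unterminated string")
    return buf[offset:end].decode("latin-1")


def parse_lnk(data):
    """Return the fields a triage needs: IDList presence, target path, volume."""
    if len(data) < HEADER_SIZE:
        raise LnkParseError("file shorter than ShellLinkHeader")
    header_size, clsid, link_flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise LnkParseError("not a Shell Link")
    info = {"has_idlist": bool(link_flags & HAS_LINK_TARGET_ID_LIST),
            "local_base_path": None, "drive_type": None,
            "drive_serial": None, "volume_label": None}
    pos = HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        # LinkTargetIDList: IDListSize (u16) followed by that many bytes
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if link_flags & HAS_LINK_INFO:
        li = pos  # all LinkInfo offsets are relative to this point
        li_size, _hdr_size, li_flags, vol_off, lbp_off = struct.unpack_from("<IIIII", data, li)
        if li + li_size > len(data):
            raise LnkParseError("LinkInfo overruns file")
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            info["local_base_path"] = _cstr(data, li + lbp_off)
            vol = li + vol_off
            _vol_size, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vol)
            info["drive_type"] = drive_type
            info["drive_serial"] = serial
            info["volume_label"] = _cstr(data, vol + label_off)
    return info


def triage(data):
    """Human-readable findings for one .lnk; an empty list means nothing notable."""
    info = parse_lnk(data)
    findings = []
    path = info["local_base_path"]
    if path and path.lower().endswith(LIBRARY_EXTENSIONS):
        findings.append("target is a library, not a program: " + path)
    if info["has_idlist"] and path is None:
        findings.append("target given only as an ItemIDList; resolve it before trusting the link")
    if info["drive_serial"] is not None:
        kind = "removable" if info["drive_type"] == DRIVE_REMOVABLE else "fixed/other"
        findings.append("tied to %s volume '%s' serial 0x%08X"
                        % (kind, info["volume_label"], info["drive_serial"]))
    return findings


def build_sample_lnk(local_base_path, volume_label, serial, drive_type=DRIVE_REMOVABLE):
    """Constructed test data: a minimal Shell Link with just a LinkInfo block."""
    label_b = volume_label.encode("latin-1") + b"\x00"
    # VolumeID: VolumeIDSize, DriveType, DriveSerialNumber, VolumeLabelOffset (0x10), label
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 16) + label_b
    path_b = local_base_path.encode("latin-1") + b"\x00"
    suffix_b = b"\x00"  # empty CommonPathSuffix
    hdr = 0x1C  # LinkInfoHeaderSize without the optional Unicode offsets
    vol_off = hdr
    lbp_off = vol_off + len(volume_id)
    suffix_off = lbp_off + len(path_b)
    li_size = suffix_off + len(suffix_b)
    link_info = struct.pack("<IIIIIII", li_size, hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, suffix_off) + volume_id + path_b + suffix_b
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, HAS_LINK_INFO)
    header += b"\x00" * (HEADER_SIZE - len(header))  # remaining header fields zeroed
    return header + link_info


if __name__ == "__main__":
    # Constructed sample mirroring the PoC discussed in the thread: a link on a
    # removable stick whose target is C:\dll.dll.
    sample = build_sample_lnk("C:\\dll.dll", "USBSTICK", 0x1234ABCD)
    for line in triage(sample):
        print(line)
```

Run it over a directory of .lnk files pulled from removable media and the two findings worth acting on are a library target and a target expressed only as an ItemIDList (the parser deliberately does not resolve those); the volume line is context for deciding whether a link was made for the drive it now sits on.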
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @Rmus

    Hi, you must have been typing and missed post 109 where I linked to the same h-online article and quoted from it ;)

    It'll be interesting to see how this malware develops, if it does. I wonder what method the people who have already been infected with it were subject to, in order for it to get into their comps?
     
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Originally Posted by Sadeghi85

    You're quite correct :thumb: Overlooked that :(

    I see :thumb:

    Strange, as although I did put dll.dll in C:\ and the lnk file onto my flash stick, I'm not aware of anything happening? What effects did it have on your comp, what/where did you see/find anything?
     
  16. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    All it does is that "SUCKM3..." message in DbgView’s output.
     
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Originally Posted by Sadeghi85

    OK thanks :thumb: All I can say is, it didn't work on my comp. Why, I don't know, but I guess that's good :)

    I would like to know though, and I'm sure others might be interested in knowing why it failed too. If anyone has any ideas etc., let us know :thumb: I'm sure someone must have some suggestions :)
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    No, I was quoting from your quote! I just edited a clarification.

    My reason for quoting it was to confirm what I had learned a couple of days ago from the sans.edu Diary.

    See my Post #47, the link at the end, to the article, "Island Hopping...".

    ----
    rich
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Originally Posted by Rmus

    OK. thanks :thumb:

    Nice confirmation ;)

    Just looked at your Post #47 Island Hopping link, :thumb:

    *

    For the record.

    My USB stick is not a U3-enabled USB flash drive, just a memory stick.

    I have AutoPlay set to off on my CD/USB drives.
     
  20. burebista

    burebista Registered Member

    Joined:
    Mar 4, 2010
    Posts:
    225
    Location:
    Romania
    It works here. I've tried only Windows Explorer and Filezilla; I don't have any other file browsers installed ATM.
    From Explorer I must right-click on that lnk and open Properties; for Filezilla not, it is enough to browse the stick.
    No alert from CIS.
    CIS Proactive, FW and D+ in Safe Mode, AV Stateful, Sandbox Enabled/Disabled. XP SP3 all patches.

    rootkit.png
     
  21. KptnKork

    KptnKork Registered Member

    Joined:
    Jul 19, 2010
    Posts:
    2
    We would like to take a deeper look into the TmpHider, but we don't have a sample yet. Especially a sample of the mrxnet.sys (016169ebebf1cec2aad6c7f0d0ee9026) would be very interesting to get, because it seems to contain the espionage code. But it seems to be impossible to get the code (or a link to a sample) here in this forum. Maybe one of those who own a sample is able to upload it to the ~ Removed Link as per Policy - We don't want inexperienced users clicking over to a Malware Samples site ~ malware sample database. Would be very helpful. There are multiple sample requests for TmpHider at offensivecomputing but so far no one got a sample.
    Thanks for any help.
     
    Last edited by a moderator: Jul 19, 2010
  22. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    I think it's wrong. The countersigning allows the signature, created before the corresponding certificate expired, to be verified even after the certificate expires - which is what MSDN says. However, you cannot use the certificate to sign anything else (after it has expired).
     
  23. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    611
    Location:
    Wallachia
    And yet another Comodo failure. The way Comodo 4 is built leads to very little security in real threats.
     
  24. burebista

    burebista Registered Member

    Joined:
    Mar 4, 2010
    Posts:
    225
    Location:
    Romania
    Agree for now, but I want to see how it's handled by other security suites too. :)
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I tried the POC. Just opening my USB stick in explorer.exe triggered loading of dll.dll.

    1- Regarding CIS, the problem is that the POC is nothing but a dll loading. CIS and any other HIPS by default don't intercept dll loading as it gives rise to hundreds of useless pop-up alerts.

    In fact CIS can be configured to give an alert about dll.dll loading but it's not practical at all as in this case CIS also gives dozens of other legit dll loading alerts.

    So in case of real malware (that was not a dll I think), CIS will give a usual execution alert.

    2- If dll.dll is marked as isolated/untrusted in GesWall, Explorer.exe fails to load dll.dll.

    cis.jpg
    geswall.jpg
    geswall log.jpg

    Can anyone test DefenceWall and SBIE with this POC?

    Thanks
     