Wilders Security Forums  

#101 - July 18th, 2010, 03:44 PM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

It looks like the .CPL - Shell etc. method has actually been used before, from what I've seen. Here are just a few examples.

Quote:
cmicnfg.cpl

What is cmicnfg.cpl, and is this file spyware?
Type of file:
Cmicnfg.cpl is listed as a Windows miscellaneous file. The file is not an .exe or .dll file, but follows an executable format if it is part of an ActiveX file or script.

The known file size of Cmicnfg.cpl on Windows XP is 2596864 bytes (29% of all occurrences). Cmicnfg.cpl is not a Windows core file. The file becomes a Microsoft signed file after it is installed on the system. The file is able to record inputs and comes under the technical security rating of 8%.

Extremely vulnerable to viruses, the program is a Windows start up process. Cmicnfg.cpl should not be disabled, as it is required by essential applications to work properly.

Malware often camouflages itself as cmicnfg.cpl. This malware often replaces the original file if it is located in the c:\windows or c:\windows\system32 folder. If a 'non-Microsoft' .exe file is located in the C:\Windows or C:\Windows\System32 folder, then the audio file runs a high risk of a virus, spyware, Trojan or worm infection.

Function of this file:
Cmicnfg.cpl is a process file that belongs to C-Media based soundcards. The file initiates upon startup and is used to configure the audio hardware's control panel applet. Though the program is a non-essential process and is set under low priority, the process tree should not be terminated unless suspected of safeguarding a virus. The file simply provides easy access to the C-Media dictionary page and appears as an icon in the control panel for the soundcard control.

http://www.pcfixsoftware.com/cmicnfg-cpl.php


Quote:
microAV.cpl

How to Remove Micro Antivirus Malware

http://www.ehow.com/how_6058759_remo...s-malware.html




Quote:
Shell "rundll32.exe shell32.dll,Control_RunDLL

You can right click the Control Panel "Task and Start Menu" applet and send a shortcut to your Desktop if that is of any help.

Because I write a VB file to call Control and call the .cpl file

http://www.windowsbbs.com/windows-xp...-menu-cpl.html
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
#102 - July 18th, 2010, 04:34 PM
Windchild (Frequent Poster; Join Date: Jun 2009; Posts: 563)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Rmus
Nonetheless, I created a regular shortcut and manually clicked on it to reconfirm that with proper protection in place, the exploit is stopped dead in its tracks:



Windchild mentions other protection:
"The malware wouldn't run at all, though, if there's a SRP or AppLocker policy in effect that denies executing stuff from random USB drives. Similarly, any HIPS and such that would warn you whenever explorer.exe or anything else for that matter tries to execute some new file should prevent the infection."

Sophos also actually mentions SRP/AppLocker in their little blog article:

Quote:
Today, a colleague suggested the best mitigation I have heard so far: deploying a GPO disallowing the use of executable files that are not on the C: drive. This will work for most environments, and you really shouldn't be running executables from USB drives and network shares anyway. We tested this solution against the vulnerability and it does in fact provide protection.

Whether or not DLL rules have to be enabled, I don't know. But gut feeling tells me they would need to be enabled, if it's correct that the vulnerability causes the malicious file referenced in the specially-crafted .lnk files to be loaded as a dll library (and not created as a process).
__________________
Save your tears, for your tears will not save you :: Shameless LUA troll
#103 - July 18th, 2010, 07:36 PM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 10,431)
Re: Rootkit.TmpHider

Has this thing any relation with the current exploit?

http://www.greatis.com/security/expl...artup_hole.htm
__________________

Ubuntu 13.04
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#104 - July 18th, 2010, 07:57 PM
MrBrian (Very Frequent Poster; Join Date: Feb 2008; Posts: 2,925)
Re: Rootkit.TmpHider

Mitigating .LNK Exploitation With Ariad
#105 - July 18th, 2010, 08:01 PM
MrBrian (Very Frequent Poster; Join Date: Feb 2008; Posts: 2,925)
Re: Rootkit.TmpHider

Quote:
Originally Posted by aigle
Has this thing any relation with the current exploit?

http://www.greatis.com/security/expl...artup_hole.htm

I don't know, but see Malware persistence via DLL search order hijacking.
#106 - July 18th, 2010, 09:59 PM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

Ran the POC on XP/SP2, with less than half a dozen MS patches installed.

Enabled Shadow Defender and then downloaded the Suckme POC and unzipped it into a new folder, and then onto a flash stick, and also did the same on my desktop. Made copies of suckme.lnk_ and then made it "workable" as suckme.lnk, "supposedly".

Started up DbgView.exe and ran the POC, got no alerts from it or ProcessGuard or anything else.

[Attachment: dbv.gif]

Put ProcessGuard in learning mode, cleared rundll.dll from its list of OKs, and ran it again.

[Attachment: run-dll.gif]

Tried it from both the flash stick, and desktop.

Clicked permit, and still no sign of anything happening, so ?

*

Quote:
Ariad

You can use Ariad if you want to mitigate attacks with these shortcut links until Microsoft releases a patch. As it is expected that Microsoft will not release a patch for Windows XP SP2, Ariad can offer permanent mitigation

@Didier: btw it’s not just xp sp2 support that stopped, also win2k workstation

http://blog.didierstevens.com/2010/0...ion-with-ariad

EDIT

Found 3 instances of rundll.32.exe via TM which I couldn't kill? And one using DSE.

[Attachment: zom.gif]

Last edited by CloneRanger : July 18th, 2010 at 10:37 PM. Reason: Extra DSE & rundll.32.exe info
#107 - July 18th, 2010, 11:46 PM
Sadeghi85 (Frequent Poster; Join Date: Dec 2009; Posts: 697)
Re: Rootkit.TmpHider

Quote:
Originally Posted by CloneRanger
Started up DbgView.exe and ran the POC, got no alerts from it or ProcessGuard or anything else.

You need to put dll.dll in C:\

EDIT: Also you don't need to click on the lnk file, just put it on your flash stick.
#108 - July 19th, 2010, 12:17 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Sadeghi85
You need to put dll.dll in C:\

OK thanks. Did that and got a normal PEG prompt.

[Attachment: ops.gif]

Then plugged in my USB stick

[Attachment: db.gif]

Sure enough I see 2 entries, whatever they mean?

Quote:
EDIT: Also you don't need to click on the lnk file, just put it on your flash stick.

I did both.

Still don't see anything out of the ordinary happening. What would I expect to find, and where?

TIA
#109 - July 19th, 2010, 12:21 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

Some extra info I found.

Quote:
Microsoft has been informed about the vulnerability, but appears to have problems with reproducing it. Andreas Marx of AV-Test says that every .lnk file is linked to the ID of the newly infected USB Flash drive. This means that the sample trojans found so far can't simply be started on an arbitrary Windows system – the malware will only start in the OllyDbg debugger after some modifications to the code.

http://www.h-online.com/security/new...e-1038992.html

*

Quote:
Malicious software using valid digital signatures is something that our Jarno Niemelä recently predicted in his Caro 2010 Workshop presentation: It's Signed, therefore it's Clean, right?

Regarding the SCADA systems that are being targeted, the Siemens SIMATIC WinCC database appears to use a hardcoded admin username and password combination that end users are told not to change.

Thus, any organization successfully compromised by this targeted attack could be completely vulnerable to database compromise. This Slashdot comment has additional details.

We'll have more on this case as it develops.

Edited to add: While the certificate used for signing has expired, noted above, because a countersigning technique to time stamp is used, it is still possible that the certificate can be utilized.

http://www.f-secure.com/weblog/archives/00001987.html
#110 - July 19th, 2010, 12:21 AM
Sadeghi85 (Frequent Poster; Join Date: Dec 2009; Posts: 697)
Re: Rootkit.TmpHider

It's explained here: http://blog.didierstevens.com/2010/0...on-with-ariad/
#111 - July 19th, 2010, 12:30 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Sadeghi85
It's explained here

Yes thanks, I read that, but I don't see SUCK etc. in my DbgView?

Also Didier Stevens appears to have had dll.dll in a folder on D:\, his CD-ROM. I didn't see a mention of placing dll.dll in C:\?
#112 - July 19th, 2010, 12:37 AM
Rmus (Exploit Analyst; Join Date: Mar 2005; Posts: 3,632)
Re: Rootkit.TmpHider

From the h-online.com article posted by CloneRanger:

Quote:
Marx of AV-Test says that every .lnk file is linked to the ID of the newly infected USB Flash drive. This means that the sample trojans found so far can't simply be started on an arbitrary Windows system
This confirms what I learned in communication with Bojan Zdrnja of sans.isc.org, who analyzed the exploit. He said, in essence, that these are targeted exploits with a hardcoded link file to the specific USB device. The links contain vendor names and other stuff, so if your USB disk is different (and it most likely is), it won't work, since your Windows Explorer won't be able to find the malware.

However, it's clear that some modifications could be made to make the exploit more generic. It seems to me that the exploit would still require the user|victim to insert an infected USB drive that had a link file and malware file(s) already on the stick.

----
rich

Last edited by Rmus : July 19th, 2010 at 01:31 AM.
#113 - July 19th, 2010, 12:58 AM
Sadeghi85 (Frequent Poster; Join Date: Dec 2009; Posts: 697)
Re: Rootkit.TmpHider

Quote:
Originally Posted by CloneRanger
Yes thanks, I read that, but I don't see SUCK etc. in my DbgView?

Also Didier Stevens appears to have had dll.dll in a folder on D:\, his CD-ROM. I didn't see a mention of placing dll.dll in C:\?

He wrote:

Quote:
I adapted the PoC to work on a CD-ROM for drive D

You can do that by editing the lnk file. The lnk file that comes with the PoC targets C:\dll.dll

I could get it to work on a virtual CD drive, though it didn't work on a flash stick; I had to put dll.dll in C:\ and the lnk file onto the flash stick.
#114 - July 19th, 2010, 01:02 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

@Rmus

Hi, you must have been typing and missed post 109, where I linked to the same h-online article and quoted from it.

It'll be interesting to see how this malware develops, if it does. I wonder what method the people who have already been infected with it were subject to, in order for it to get into their comps?
#115 - July 19th, 2010, 01:08 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Sadeghi85
He wrote:

Quote:
I adapted the PoC to work on a CD-ROM for drive D

You're quite correct. Overlooked that.

Quote:
You can do that by editing the lnk file. The lnk file that comes with the PoC targets C:\dll.dll

I see

Quote:
I could get it to work on a virtual CD drive, though it didn't work on a flash stick; I had to put dll.dll in C:\ and the lnk file onto the flash stick

Strange, as although I did put dll.dll in C:\ and the lnk file onto my flash stick, I'm not aware of anything happening? What effects did it have on your comp; what/where did you see/find anything?
#116 - July 19th, 2010, 01:13 AM
Sadeghi85 (Frequent Poster; Join Date: Dec 2009; Posts: 697)
Re: Rootkit.TmpHider

All it does is that "SUCKM3..." message in DbgView’s output.
#117 - July 19th, 2010, 01:20 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Sadeghi85
All it does is that "SUCKM3..." message in DbgView's output.

OK thanks. All I can say is, it didn't work on my comp. Why, I don't know, but I guess that's good.

I would like to know though, and I'm sure others might be interested in knowing why it failed too. If anyone has any ideas etc., let us know. I'm sure someone must have some suggestions.
#118 - July 19th, 2010, 01:38 AM
Rmus (Exploit Analyst; Join Date: Mar 2005; Posts: 3,632)
Re: Rootkit.TmpHider

Quote:
Originally Posted by CloneRanger
Hi, you must have been typing and missed post 109, where I linked to the same h-online article and quoted from it.
No, I was quoting from your quote! I just edited a clarification.

My reason for quoting it was to confirm what I had learned a couple of days ago from the sans.edu Diary.

Quote:
Originally Posted by CloneRanger
I wonder what method the people who have already being infected with it were subject to, in order for it to get into their comps ?
See my Post #47, the link at the end, to the article, "Island Hopping...".

#119 - July 19th, 2010, 01:59 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Rmus
No, I was quoting from your quote! I just edited a clarification.

OK, thanks.

Quote:
My reason for quoting it was to confirm what I had learned a couple of days ago from the sans.edu Diary.

Nice confirmation.

Just looked at your Post #47 Island Hopping link,

Quote:
As you do not need to be an administrator to modify these settings, users can set them to whatever they want, including automatically running whatever malware is on the drive they found in the parking lot. In fact, they can do it by checking the appropriate box in the AutoPlay dialog.

-

Many USB controllers are actually Direct Memory Access (DMA) devices. This means they can bypass the operating system and directly read and write memory on the computer. Bypass the OS and you bypass the security controls it provides—now you have complete and unfettered access to the hardware. This renders device control implemented by the OS completely ineffective. I am unaware of any hacking tools that currently use this technique, but I very much doubt that this has not already been done.

-

New in Windows Vista, Group Policy now has a set of policies to govern device installation (see Figure 6). As shown, the administrator can block all new removable devices from installing if the driver specifies that they are removable. If the driver states that they are not, however, the policy does not take effect. Thus, this policy can be circumvented using custom drivers.

-

Ignoring the DMA scenario for a moment, the success of the attacks I have discussed, as well as the success of the countermeasures, will depend on the privileges of the user using the computer. If the user is a standard user, the amount of damage the exploit can do is limited. It can still steal that user's data and anything that user has access to.

http://technet.microsoft.com/en-us/m...ritywatch.aspx

*

For the record.

My USB stick is not a U3-enabled USB flash drive, just a memory stick.

I have AutoPlay set to off on my CD/USB drives.
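Added example, not part of any post in this thread nor of the Sophos or TechNet pieces quoted above: a PowerShell audit of the mitigations discussed in posts #102 and #119. It reads the Software Restriction Policies keys (default level, path rules, and the enforcement setting that decides whether DLL loads are checked at all), the Vista device-installation restriction quoted from the "Island Hopping" article, and the AutoRun policy, and reports whether the configuration would block a library that Explorer is asked to load from a non-system drive. The registry paths are the standard policy locations; the function name, the heuristic for "blocks non-system drives" and the summary wording are ours.

```powershell
# Added audit for this thread (not code from any poster, Sophos or TechNet).
# Reports the Software Restriction Policies (Safer) configuration, the removable-device
# installation restriction and the AutoRun policy, as they relate to a DLL being loaded
# from a USB drive or other non-system volume.
function Get-RemovableMediaMitigationAudit {
    [CmdletBinding()]
    param()

    $safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $levelNames = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }

    $srpConfigured = Test-Path -Path $safer
    $defaultLevel  = 'not configured'
    $dllEnforced   = $false
    $pathRules     = @()

    if ($srpConfigured) {
        $ci = Get-ItemProperty -Path $safer
        if ($null -ne $ci.DefaultLevel) {
            $defaultLevel = $levelNames[[int]$ci.DefaultLevel]
            if (-not $defaultLevel) { $defaultLevel = '0x{0:X}' -f $ci.DefaultLevel }
        }
        # TransparentEnabled: 1 = "all software files except libraries (such as DLLs)",
        # 2 = "all software files". Only 2 makes SRP evaluate a DLL load.
        $dllEnforced = ([int]$ci.TransparentEnabled -eq 2)

        # Path rules live under <level>\Paths\{guid}; the pattern is in ItemData.
        # Level key names are decimal: 0, 131072, 262144.
        foreach ($lvl in 0, 0x20000, 0x40000) {
            $pathsKey = Join-Path -Path $safer -ChildPath "$lvl\Paths"
            if (Test-Path -Path $pathsKey) {
                foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
                    $rule = Get-ItemProperty -Path $ruleKey.PSPath
                    $pathRules += [pscustomobject]@{
                        Level       = $levelNames[$lvl]
                        Path        = $rule.ItemData
                        Description = $rule.Description
                    }
                }
            }
        }
    }

    # Device installation restriction (Vista and later): DenyRemovableDevices = 1 blocks
    # driver installation for devices whose driver reports them as removable. The TechNet
    # caveat applies: a driver that does not report itself removable is not covered.
    $devKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $denyRemovable = (Test-Path -Path $devKey) -and
        ([int](Get-ItemProperty -Path $devKey).DenyRemovableDevices -eq 1)

    # NoDriveTypeAutoRun with all drive-type bits set (0xFF) disables AutoRun everywhere.
    $autoRunOff = $false
    foreach ($hive in 'HKLM', 'HKCU') {
        $explorer = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        if (Test-Path -Path $explorer) {
            $v = (Get-ItemProperty -Path $explorer).NoDriveTypeAutoRun
            if ($null -ne $v -and (([int]$v -band 0xFF) -eq 0xFF)) { $autoRunOff = $true }
        }
    }

    # Heuristic (ours) for the policy Sophos describes: default Disallowed, and no
    # Unrestricted path rule that points at a drive letter other than C: or at a UNC path.
    $allowRules = $pathRules | Where-Object { $_.Level -eq 'Unrestricted' }
    $blocksOtherDrives = ($defaultLevel -eq 'Disallowed') -and
        -not ($allowRules | Where-Object { $_.Path -match '^[D-Zd-z]:\\|^\\\\' })

    [pscustomobject]@{
        SrpConfigured                = $srpConfigured
        SrpDefaultLevel              = $defaultLevel
        SrpChecksDllLoads            = $dllEnforced
        SrpBlocksNonSystemDrives     = $blocksOtherDrives
        SrpPathRules                 = $pathRules
        RemovableDeviceInstallDenied = $denyRemovable
        AutoRunDisabledAllDrives     = $autoRunOff
    }
}

# Usage: run in an elevated prompt on the machine being audited.
Get-RemovableMediaMitigationAudit | Format-List
```

On the DLL question Windchild raises in #102: SRP only evaluates library loads when its enforcement setting is "All software files" (TransparentEnabled = 2); the alternative "All software files except libraries (such as DLLs)" leaves a LoadLibrary call unchecked, which is why the audit reports SrpChecksDllLoads separately from the drive-letter rule. A result of SrpBlocksNonSystemDrives = True with SrpChecksDllLoads = False means executables from a USB stick are denied but a DLL loaded by Explorer from the same stick is not.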
#120 - July 19th, 2010, 03:35 AM
burebista (Regular Poster; Join Date: Mar 2010; Location: Romania; Posts: 193)
Re: Rootkit.TmpHider

It works here. I've tried only Windows Explorer and Filezilla; I don't have any other file browsers installed ATM.
From Explorer I must right-click on that lnk and open Properties; for Filezilla not, it is enough to browse the stick.
No alert from CIS.
CIS Proactive, FW and D+ in Safe Mode, AV Stateful, Sandbox Enabled/Disabled. XP SP3 all patches.

[Attachment: rootkit.png]
__________________
If it ain't broke... fix it until it is.
CIS 5 user...
#121 - July 19th, 2010, 06:19 AM
KptnKork (Infrequent Poster; Join Date: Jul 2010; Posts: 2)
Re: Rootkit.TmpHider

Quote:
Originally Posted by frank_boldewin
Hi guys,

has anyone already taken a deeper look at the malware?

I found stuff like this after some decryption/unpacking stages of MD5 sample 016169ebebf1cec2aad6c7f0d0ee9026

This points me to the Siemens WinCC SCADA system.
Looks like this malware was made for espionage.

We would like to take a deeper look into the TmpHider, but we don't have a sample yet. Especially a sample of the mrxnet.sys (016169ebebf1cec2aad6c7f0d0ee9026) would be very interesting to get, because it seems to contain the espionage code. But it seems to be impossible to get the code (or a link to a sample) here in this forum. Maybe one of those who own a sample is able to upload it to the ~ Removed Link as per Policy - We don't want inexperienced users clicking over to a Malware Samples site ~ malware sample database. Would be very helpful. There are multiple sample requests for TmpHider at offensivecomputing but so far no one got a sample.
Thanks for any help.

Last edited by JRViejo : July 19th, 2010 at 12:25 PM. Reason: Link Removed - JRViejo
#122 - July 19th, 2010, 07:05 AM
i_g (Regular Poster; Join Date: Aug 2006; Posts: 128)
Re: Rootkit.TmpHider

Quote:
Originally Posted by CloneRanger
Quote:
Edited to add: While the certificate used for signing has expired, noted above, because a countersigning technique to time stamp is used, it is still possible that the certificate can be utilized.

http://www.f-secure.com/weblog/archives/00001987.html
I think it's wrong. The countersigning allows the signature, created before the corresponding certificate expired, to be verified even after the certificate expires - which is what MSDN says. However, you cannot use the certificate to sign anything else (after it has expired).
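Added example for the point i_g makes, not code from the thread or from the F-Secure post: Get-AuthenticodeSignature exposes both the signer certificate and the timestamp countersigner certificate, so the combination under discussion can be seen directly on a real file, a Status of Valid on a file whose signer certificate's NotAfter is already in the past, together with whether a countersignature is present. The default file path, the function name and the Note wording are assumptions for demonstration.

```powershell
# Added example (not code from any poster or from the F-Secure post). For each file,
# reports whether the Authenticode signer certificate has expired and whether a
# timestamp countersignature is present, alongside the signature status Windows reports.
function Get-SignatureExpiryReport {
    [CmdletBinding()]
    param(
        # Assumption: a signed OS file as default so the function runs without arguments.
        [Parameter(Position = 0, ValueFromPipeline = $true)]
        [string[]]$Path = @("$env:SystemRoot\System32\ntdll.dll"),

        # "Expired" is judged against this instant (assumption: now).
        [datetime]$AsOf = (Get-Date)
    )

    process {
        foreach ($p in $Path) {
            $sig    = Get-AuthenticodeSignature -FilePath $p
            $signer = $sig.SignerCertificate
            $tsa    = $sig.TimeStamperCertificate

            $signerSubject  = $null
            $signerNotAfter = $null
            if ($null -ne $signer) {
                $signerSubject  = $signer.Subject
                $signerNotAfter = $signer.NotAfter
            }
            $tsaSubject = $null
            if ($null -ne $tsa) { $tsaSubject = $tsa.Subject }

            $expired       = ($null -ne $signer) -and ($signer.NotAfter -lt $AsOf)
            $countersigned = ($null -ne $tsa)

            # Interpretation strings are ours. The cmdlet does not expose the signing
            # time itself, only the countersigner's certificate, so presence is what we test.
            if ($sig.Status -ne 'Valid') {
                $note = "signature not valid: $($sig.StatusMessage)"
            } elseif ($expired -and $countersigned) {
                $note = 'signer certificate has expired; the timestamp countersignature attests that the signature was made while it was valid'
            } elseif ($expired) {
                $note = 'signer certificate has expired and there is no timestamp, so nothing attests when the signature was made'
            } else {
                $note = 'signer certificate is still within its validity period'
            }

            [pscustomobject]@{
                Path          = $p
                Status        = $sig.Status
                Signer        = $signerSubject
                SignerExpires = $signerNotAfter
                SignerExpired = $expired
                Countersigned = $countersigned
                TimeStamper   = $tsaSubject
                Note          = $note
            }
        }
    }
}

# Usage: Get-SignatureExpiryReport 'C:\path\to\driver.sys' | Format-List
Get-SignatureExpiryReport | Format-List
```

The SignerExpired/Countersigned pair is the case at issue: Valid plus SignerExpired = True plus Countersigned = True is exactly an old signature still accepted because the timestamp fixes when it was made. Whether a given expired certificate can still produce new signatures is a separate question the report does not test.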
#123 - July 19th, 2010, 07:51 AM
Sm3K3R (Frequent Poster; Join Date: Feb 2008; Posts: 312)
Re: Rootkit.TmpHider

Quote:
Originally Posted by burebista
It works here. I've tried only Windows Explorer and Filezilla I don't have any other file browsers installed ATM.
From Explorer I must right-click on that lnk Properties and for Filezilla not, is enough to browse stick.
No alert from CIS.
CIS Proactive, FW and D+ in Safe Mode, AV Stateful, Sandbox Enabled/Disabled. XP SP3 all patches.

[Attachment 220072]

And yet another Comodo failure. The way Comodo 4 is built leads to very little security in real threats.
__________________
Over & Out!
#124 - July 19th, 2010, 08:55 AM
burebista (Regular Poster; Join Date: Mar 2010; Location: Romania; Posts: 193)
Re: Rootkit.TmpHider

Agree for now, but I want to see how it's handled by other security suites too.
#125 - July 19th, 2010, 10:58 AM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 10,431)
Re: Rootkit.TmpHider

I tried the POC. Just opening my USB stick in explorer.exe triggered loading of dll.dll.

1- Regarding CIS, the problem is that the POC is nothing but a dll loading. CIS and any other HIPS by default don't intercept dll loading, as it gives rise to hundreds of useless pop up alerts.

In fact CIS can be configured to give an alert about dll.dll loading, but it's not practical at all, as in this case CIS also gives dozens of other legit dll loading alerts.

So in case of real malware (that was not a dll, I think), CIS will give a usual execution alert.

2- If dll.dll is marked as isolated/untrusted in GesWall, Explorer.exe fails to load dll.dll.

[Attachments: cis.jpg, geswall.jpg (ID 220078), geswall log.jpg]

Can any one test DefenceWall and SBIE with this POC?

Thanks
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums