Wilders Security Forums > Other Security Topics > malware problems & news
  #126  
Old July 19th, 2010, 11:43 AM
EraserHW's Avatar
EraserHW EraserHW is offline
Prevx Moderator
 
Join Date: Oct 2005
Location: Italy / UK
Posts: 584
Default Re: Rootkit.TmpHider

I had some free time so I published on my personal blog and on my personal youtube channel a video of the exploit I've built with my own dll

http://www.youtube.com/watch?v=6304Q0YoiBg
__________________
Before you criticize someone, you should walk a mile in their shoes. That way when you criticize them, you are a mile away from them and you have their shoes
Check your PC in about a minute

Last edited by JRViejo : July 19th, 2010 at 12:19 PM. Reason: De-linked YouTube URL - JRViejo
  #127  
Old July 19th, 2010, 12:31 PM
Meriadoc's Avatar
Meriadoc Meriadoc is offline
Very Frequent Poster
 
Join Date: Mar 2006
Location: Cymru
Posts: 2,642
Default Re: Rootkit.TmpHider

Quote:
Originally Posted by KptnKork
We would like to take a deeper look into the TmpHider, but we don't have a sample yet. Especially a sample of the mrxnet.sys (016169ebebf1cec2aad6c7f0d0ee9026) would be very interesting to get, because it seems to contain the espionage code. But it seems to be impossible to get the code (or a link to a sample) here in this forum. Maybe one of those who own a sample is able to upload it to the ~ Removed Link as per Policy - We don't want inexperienced users clicking over to a Malware Samples site ~ malware sample database. Would be very helpful. There are multiple sample requests for TmpHider at offensivecomputing but so far no one got a sample.
Thanks for any help.
I know Frank is a member, and so am I, so if he doesn't see this and upload it, I will.

016169ebebf1cec2aad6c7f0d0ee9026
055a3421813caf77e1387ff77b2e2e28
__________________
Who controls the past controls the future
Who controls the present controls the past

vmworld

Last edited by JRViejo : July 19th, 2010 at 12:33 PM. Reason: Removed Link from Quote - JRViejo
  #128  
Old July 19th, 2010, 02:52 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default isc.sans.edu Raises Threat Level For LNK Vulnerability

Preempting a Major Issue Due to the LNK Vulnerability - Raising Infocon to Yellow
http://isc.sans.edu/diary.html?storyid=9190

Quote:
We decided to raise the Infocon level to Yellow to increase awareness of the recent LNK vulnerability and to help preempt a major issue resulting from its exploitation.

Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time.

The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit has not been very effective so far.
Reference to "the issue is not easy to fix until Microsoft issues a patch" is, of course, to the mitigating tweaks recommended by Microsoft in its Advisory.

Much easier, safer protection measures have already been discussed in this thread.

----
rich
  #129  
Old July 19th, 2010, 04:14 PM
Dark Star 72 Dark Star 72 is offline
Frequent Poster
 
Join Date: May 2007
Location: UK
Posts: 580
Default Re: Rootkit.TmpHider

Some tests here with the POC by our old *friend* SSJ100:

-http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1302-

and Ilya's reply to the DefenseWall test

http://gladiator-antivirus.com/forum...owtopic=107368

Notice the result for the newly released Returnil System Safe 2011 RC

Last edited by JRViejo : July 19th, 2010 at 04:43 PM. Reason: De-linked URL - JRViejo
  #130  
Old July 19th, 2010, 07:39 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: isc.sans.edu Raises Threat Level For LNK Vulnerability

UPDATE
http://isc.sans.edu/diary.html?storyid=9190

Quote:
Update: Several readers recommended focusing on preventing unauthorized code from running by using approaches such as application whitelisting.

For instance, Richard and Erno mentioned AppLocker, which is an enterprise software control feature built into Windows 7.

Erno wrote, "My solution is standard user accounts and Software Restriction Policy or AppLocker in Group Policy. You can block execution of any files on removable drives or network drives, or actually pretty much anywhere except system folders. In my networks I only allow execution from Windows and Program Files. Remember to apply the software restriction policy for all executable files, including libraries (dlls)."
  #131  
Old July 19th, 2010, 08:42 PM
CloneRanger's Avatar
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Default Re: Rootkit.TmpHider

Quotes from Sans

Quote:
* If autorun is disabled, when a USB device with malicious LNK files is inserted, the exploit will not be triggered automatically.

Explains maybe why the POC didn't work for me ?

Quote:
* The exploit is triggered every time a folder containing malicious LNK files is opened (for example, with Windows Explorer). It does not matter where this folder is, it does not have to be on a USB device,

The POC still didn't work from my desktop ?

Quote:
but in order to execute the malicious binary, the attacker has to specify its location correctly.

Ahh, could be why ?

Quote:
What makes this vulnerability extremely serious is the fact that it can be opened from any place, including remote shares, for example. The victim just has to browse to the remote share in order to trigger the vulnerability. So double check permissions on any remote shares you use in your companies (you shouldn't allow users to write in root folders, for example).

http://isc.sans.edu/diary.html?storyid=9181

*

Originally Posted by i_g

Quote:
I think it's wrong.

F-secure said this

Quote:
From Microsoft's MSDN Library: "The countersignature method of time stamping … allows for signatures to be verified even after the signing certificate has expired or been revoked."

So ?

@EraserHW

Sorry to say, even in HD mode I found it hard to view exactly what was happening. Any chance you could give us a brief description? TIA

@Dark Star 72

Thanks for the links

I didn't know ssj100 had branched out on his own

Good news about Returnil System Safe 2011 RC

@Rmus

Thanks for the updates
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #132  
Old July 19th, 2010, 08:46 PM
aigle's Avatar
aigle aigle is offline
Incredibly Massive Poster
 
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,408
Default Re: Rootkit.TmpHider

Quote:
Originally Posted by Dark Star 72
Some tests here with the POC by our old *friend* SSJ100:

-http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1302-

and Ilya's reply to the DefenseWall test

http://gladiator-antivirus.com/forum...owtopic=107368

Notice the result for the newly released Returnil System Safe 2011 RC
thanks, very nice testing indeed.
Just two things I will mention:
1. Regarding CIS, it can be configured to intercept it.
Post no. 125 of this thread.
2. PE Guard seems to intercept it. Post no. 108 of this thread.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
  #133  
Old July 19th, 2010, 08:49 PM
aigle's Avatar
aigle aigle is offline
Incredibly Massive Poster
 
Join Date: Dec 2005
Location: Saudi Arabia/ Pakistan
Posts: 10,408
Default Re: Rootkit.TmpHider

Quote:
Originally Posted by EraserHW
I had some free time so I published on my personal blog and on my personal youtube channel a video of the exploit I've built with my own dll

http://www.youtube.com/watch?v=6304Q0YoiBg
blog link pls? also can the POC be shared?
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
  #134  
Old July 19th, 2010, 09:28 PM
EraserHW's Avatar
EraserHW EraserHW is offline
Prevx Moderator
 
Join Date: Oct 2005
Location: Italy / UK
Posts: 584
Default Re: Rootkit.TmpHider

Quote:
Originally Posted by aigle
blog link pls? also can the POC be shared?

my personal blog is in italian and it's located here: https://www.pcalsicuro.com

anyway I've written a similar blog post on Prevx blog at this address: http://www.prevx.com/blog/151/day-fl...t-Windows.html (this time in english)

About the POC: I wouldn't share the sample outside the company at the moment, even though there's already a known PoC out there (personally I'd not have shared the PoC online, as this allows attackers to better exploit the flaw. Anyway, I saw someone else already did it). I'm sorry. Anyway, for any question, I'm here.

Actually, as I've written in the blog post, I think Microsoft will have some trouble in fixing this flaw, because it is not a bug - it's a feature used inside Windows internals.
__________________
Before you criticize someone, you should walk a mile in their shoes. That way when you criticize them, you are a mile away from them and you have their shoes
Check your PC in about a minute

Last edited by EraserHW : July 19th, 2010 at 09:40 PM.
  #135  
Old July 19th, 2010, 09:30 PM
EraserHW's Avatar
EraserHW EraserHW is offline
Prevx Moderator
 
Join Date: Oct 2005
Location: Italy / UK
Posts: 584
Default Re: Rootkit.TmpHider

Quote:
Originally Posted by CloneRanger
@EraserHW

Sorry to say, even in HD mode I found it hard to view exactly what was happening. Any chance you could give us a brief description? TIA

Sorry man, I tried to do my best to record a good video.

Actually the video just shows how the exploit is working. I've written a PoC exploit from scratch and showed how a fake malicious DLL is loaded as soon as the system starts rendering the icon.
__________________
Before you criticize someone, you should walk a mile in their shoes. That way when you criticize them, you are a mile away from them and you have their shoes
Check your PC in about a minute
  #136  
Old July 19th, 2010, 09:32 PM
ronjor's Avatar
ronjor ronjor is offline
Global Moderator
 
Join Date: Jul 2003
Location: Texas
Posts: 46,180
Default Re: Rootkit.TmpHider

Quote:
On July 17th, ESET identified a new malicious file related to the Win32/Stuxnet worm. This new driver is a significant discovery because the file was signed with a certificate from a company called "JMicron Technology Corp". This is different from the previous drivers which were signed with the certificate from Realtek Semiconductor Corp. It is interesting to note that both companies whose code signing certificates were used have offices in Hsinchu Science Park, Taiwan.
ESET.....
  #137  
Old July 19th, 2010, 10:10 PM
CloneRanger's Avatar
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Lightbulb Re: Rootkit.TmpHider

Right at the bottom of here - http://isc.sans.edu/diary.html?storyid=9181 - is this FIX

Quote:
LinkIconShim

A simple shell extension that inserts itself in front of the original buggy lnk file handler and checks the incoming files. If a link to a control panel item is found (the exploitable one), the default 'blocked' icon is returned instead of trying to extract one by running an arbitrary dll.

# All control panel (i.e. potentially dangerous) links now have the 'stop' icon, but still work as before.

http://code.google.com/p/linkiconshim
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
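An added example of the check LinkIconShim's description above performs (this is not LinkIconShim's code nor anything posted in this thread), written in Python against the public MS-SHLLINK layout: it walks a .lnk file's LinkTargetIDList and flags any item that carries the Control Panel folder CLSID, which is the shape the shim replaces with the 'blocked' icon instead of rendering. The two sample .lnk files, the minimal builder and the CLSID constants are this example's own assumptions.

```python
"""Flag .lnk files whose LinkTargetIDList points at a Control Panel item.

Added example, not LinkIconShim's own code. Layout follows the public
MS-SHLLINK spec; the CLSID constants and sample files are assumptions.
"""
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001           # LinkFlags bit A
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")


def parse_id_list(data: bytes) -> list:
    """Return the payload of each ItemID in the LinkTargetIDList ([] if none)."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("truncated ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    pos = LNK_HEADER_SIZE
    id_list_size, = struct.unpack_from("<H", data, pos)
    pos += 2
    end = pos + id_list_size
    items = []
    while pos + 2 <= end:
        item_size, = struct.unpack_from("<H", data, pos)
        if item_size == 0:                      # TerminalID ends the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def links_to_control_panel(data: bytes) -> bool:
    """The LinkIconShim condition: any ItemID embedding the Control Panel CLSID."""
    needle = CONTROL_PANEL_CLSID.bytes_le
    return any(needle in item for item in parse_id_list(data))


def _item_id(payload: bytes) -> bytes:
    return struct.pack("<H", len(payload) + 2) + payload


def build_lnk(item_payloads) -> bytes:
    """Constructed minimal .lnk: header plus LinkTargetIDList, nothing else."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID.bytes_le
    struct.pack_into("<I", header, 0x14, HAS_LINK_TARGET_ID_LIST)
    body = b"".join(_item_id(p) for p in item_payloads) + b"\x00\x00"
    return bytes(header) + struct.pack("<H", len(body)) + body


ROOT_ITEM = b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le   # "My Computer" root folder
# Constructed samples: an ordinary file link, and a link into the Control Panel
# namespace whose item names a DLL (placeholder path, not a real sample).
BENIGN_LNK = build_lnk([ROOT_ITEM, b"\x31\x00notes.txt\x00"])
SUSPICIOUS_LNK = build_lnk([ROOT_ITEM,
                            b"\x1f" + CONTROL_PANEL_CLSID.bytes_le,
                            b"\x00\x00" + "C:\\tmp\\evil.dll\x00".encode("utf-16-le")])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(name, "->", "BLOCK" if links_to_control_panel(blob) else "render")
```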
  #138  
Old July 19th, 2010, 10:18 PM
CloneRanger's Avatar
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Default Re: Rootkit.TmpHider

@EraserHW

Thanks for your blog post link on this exploit POC

Quote:
This is not the case, because a new Windows security 0-day flaw has been discovered that is able to execute malware without user interaction.

After our initial analysis, it looks like the flaw is not exploiting any coding error. There is no buffer/heap overflow, null-pointer dereference or use-after-free errors that you would usually expect from a 0-day flaw. It is just exploiting a feature used in Windows to handle some kind of libraries, and it is actively used more times inside Windows internals.

This allows us to think it is more a feature that has not been correctly hardened and has been abused than a security bug.

http://www.prevx.com/blog/151/day-fl...t-Windows.html

*

Re video issue

This is just an example of part of the fullscreen HD video as it appears on my comp. Looks blurry to me.

[attached image: pocp.gif]

See how it compares to your comp, could be just at my end ?

*

@Ronjor

The plot thickens !

Quote:
This new information is important because it provides more information on the people behind Win32/Stuxnet. We rarely see such professional operations. They either stole the certificates from at least two companies or purchased them from someone who stole them. At this point, it isn't clear whether the attackers are changing their certificate because the first one was exposed or if they are using different certificates in different attacks, but this shows that they have significant resources.

http://blog.eset.com/2010/07/19/win3...igned-binaries
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #139  
Old July 19th, 2010, 11:45 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Rootkit.TmpHider

LNK vulnerability now with Metasploit module implementing the WebDAV method
  #140  
Old July 20th, 2010, 12:36 AM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: Rootkit.TmpHider

Hi MrBrian,

Do you have any idea what he's referring to in that Diary? (webDAV and how it relates to the exploit?)

thanks,

rich
  #141  
Old July 20th, 2010, 12:42 AM
CloneRanger's Avatar
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Lightbulb Re: Rootkit.TmpHider

@MrBrian Good find

@Rmus

Re - WebDAV

Appears to be these sorts of OS's that are vulnerable, business types and not domestic etc comps.

Microsoft Windows 2000

Windows XP Professional

Windows Server


Quote:
Microsoft Security Bulletin MS09-020 - Important
Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege

http://www.microsoft.com/technet/sec.../MS09-020.mspx

Quote:
MS09-020 IIS6 WebDAV Unicode Auth Bypass
Simplified version of MS09-020 IIS6 WebDAV Unicode Auth Bypass scanner. It attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication.

http://www.metasploit.com/modules/au...unicode_bypass

So I'm ok on XP/SP2 by the looks of things. The .lnk POC didn't work anyway when I tested it, so?
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #142  
Old July 20th, 2010, 12:50 AM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: Rootkit.TmpHider

Quote:
Originally Posted by CloneRanger
So I'm ok on XP/SP2 by the looks of things. The .lnk POC didn't work anyway when I tested it, so?
This is why I don't like PoCs - they often aren't a good indication of how a real exploit in the wild will work on various systems.

Even two different systems with the same OS version, etc, can react differently to a real exploit.

----
rich
  #143  
Old July 20th, 2010, 12:51 AM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Rootkit.TmpHider

Quote:
Originally Posted by Rmus
Do you have any idea what he's referring to in that Diary? (webDAV and how it relates to the exploit?)

From http://en.wikipedia.org/wiki/WebDAV:
Quote:
Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows computer-users to edit and manage files collaboratively on remote World Wide Web servers.

From the Microsoft advisory Workarounds section:
Quote:
Disable the WebClient service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

To disable the WebClient Service, follow these steps:

1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Disabled. If the service is running, click Stop.
4. Click OK and exit the management application.

Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.

Use of WebDAV is another means of infection and propagation for the .LNK vulnerability.
  #144  
Old July 20th, 2010, 12:56 AM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: Rootkit.TmpHider

Quote:
Originally Posted by MrBrian
Use of WebDAV is another means of infection and propagation for the .LNK vulnerability.
Thanks - I looked up WebDAV but didn't connect it with the Advisory!

----
rich
  #145  
Old July 20th, 2010, 01:26 AM
CloneRanger's Avatar
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Default Re: Rootkit.TmpHider

This might prove useful in .lnk analysis ?

Quote:
LinkInfo v1.51 Plugin for viewing all possible parameters of LNK-files, and changing them via right click.

Total Commander Plugins

Plugins are extensions of Total Commander with additional functions

http://www.ghisler.com/plugins.htm

*

Found this which "could" have some bearing on the latest situation ?

Quote:
Reading contents of Web Folders By Roman Koreshkov 28 Feb 2006

An analysis of the different ways of getting the list of files in a web folder (including SharePoint) programmatically, and a simple solution.

-

The Alternative Solution: Web Folder Short Cuts

-

Inside, the appropriate shell extension (pre-installed with Windows) provides the necessary Folder and FolderItem objects, doing all the hard work of interacting with the web server through WebDAV/WEC for us; we will just utilize their results.

-

So now, when one wants to get a list of files in a web folder, the algorithm will be as follows:

* We create a temporary shortcut to the web folder.
* We use Shell32 to read its contents.

-

Conclusion

The suggested solution seems to be quite simple and feasible for Windows or console applications. However, for server applications, use it with caution; you may likely face some problems with security.

http://www.codeproject.com/KB/aspnet...erContent.aspx

*

Originally Posted by Rmus

Quote:
Even two different systems with the same OS version, etc, can react differently to a real exploit.

Ain't that the truth ! And how frustrating for the bad guys, and girls
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #146  
Old July 20th, 2010, 12:13 PM
KptnKork KptnKork is offline
Infrequent Poster
 
Join Date: Jul 2010
Posts: 2
Smile Re: Rootkit.TmpHider

Quote:
Originally Posted by Meriadoc
I know Frank is a member, and so am I, so if he doesn't see this and upload it, I will.

016169ebebf1cec2aad6c7f0d0ee9026
055a3421813caf77e1387ff77b2e2e28


Many Thanks for your upload at offensivecomputing !
  #147  
Old July 20th, 2010, 05:47 PM
ace55 ace55 is offline
Regular Poster
 
Join Date: Mar 2010
Posts: 91
Default Re: Rootkit.TmpHider

Quote:
Originally Posted by aigle
I tried the POC. Just opening my USB stick in explorer.exe triggered loading of dll.dll.

1- Regarding CIS, the problem is that the POC is nothing but a dll loading. CIS and any other HIPS by default don't intercept dll loading as it gives rise to hundreds of useless pop up alerts.

In fact CIS can be configured to give an alert about dll.dll loading but it's not practical at all as in this case CIS also gives dozens of other legit dll loading alerts.

So in case of real malware (that was not a dll, I think), CIS will give a usual execution alert.

Assuming I am correctly concluding that this exploit/feature allows code execution as explorer only, a better way to protect yourself from this exploit using CIS is to remove the default rule for explorer. As explorer is handling untrusted data (link shortcuts, possibly other exploitable aspects of files) it makes sense that manually restricting its actions would lend a security benefit.

Doing so would not prevent the dll loading, but would prevent any actions taken by the malware through the compromised instance of explorer, and thus, prevent system compromise. However the compromised instance of explorer could, although it cannot make itself persistent on the system, attempt to escape the restriction of CIS using a shatter attack or keylog you.

Unless you want to terminate and restart explorer after plugging in any flash drives but before entering any sensitive information, there are better solutions to this particular problem: AppLocker comes to mind.
  #148  
Old July 20th, 2010, 06:41 PM
MrBrian MrBrian is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 2,925
Default Re: Rootkit.TmpHider

Mitigating .LNK Exploitation With SRP
  #149  
Old July 20th, 2010, 07:08 PM
CloneRanger's Avatar
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Lightbulb Re: Rootkit.TmpHider

[attached image: av.gif]

Not quite. But could have been.
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #150  
Old July 20th, 2010, 10:24 PM
CloneRanger's Avatar
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Exclamation Re: Rootkit.TmpHider

Ronjor just posted this - http://www.wilderssecurity.com/showthread.php?t=277360

http://www.microsoft.com/technet/sec...y/2286198.mspx

[attached image: aff.gif]

So it looks like as I'm on XP/SP2 I'm not affected by this vulnerability/exploit. No wonder it didn't work when I've tested it several times. Just goes to show, not updating to the latest patches etc SP3 "can" be a bonus. Not recommending everyone does as I do though.

In an earlier MS advisory, it mentioned mainly only business type OS's that were vulnerable. So something must have changed in the malware samples out there for this latest revision ?
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
Copyright ©2002 - 2013, Wilders Security Forums