Wilders Security Forums > Other Security Topics > malware problems & news
#176, July 23rd, 2010, 09:07 PM
Sadeghi85 (Frequent Poster; Join Date: Dec 2009; Posts: 697)
Re: Rootkit.TmpHider

Quote:
Originally Posted by CloneRanger

The best way I've found to stop this dead is to have run32.dll set to prompt, as I showed earlier when I tested the POC. It's not a cure as such, but that setting is staying on my comp with ProcessGuard.

rundll32.exe only gets involved when you double-click the shortcut; what do you do about explorer.exe?

-http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187-15.htm#1391
#177, July 23rd, 2010, 09:25 PM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

@Sadeghi85

Just recently seen the newer replies in that thread, and will be responding.
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
#178, July 24th, 2010, 09:54 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

The .lnk POC provided by - http://www.ivanlef0u.tuxfamily.org/?p=411 - ONLY works if you copy dll.dll into c:\ first.

As Rmus has said
Quote:
"no exploit in the wild works that way"

I must admit I overlooked that aspect when testing, and so did a lot of other people.

Yes, it goes to prove how .lnk works, but how would ANY associated nasty get into c:\ etc. without a system/app being set up to allow the transfer?

Maybe I'm missing something; if so, please elaborate.

Edit

I deleted dll.dll from C:\ and tried the POC again from both my USB stick and a folder on my desktop. This time just cruising and double-clicking showed NO entry in DbgView! = Fail
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air

Last edited by CloneRanger : July 24th, 2010 at 10:02 AM.
#179, July 24th, 2010, 10:42 AM
Rmus (Exploit Analyst; Join Date: Mar 2005; Posts: 3,632)
Re: Rootkit.TmpHider

Quote:
Originally Posted by CloneRanger
The best way I've found to stop this dead is to have run32.dll set to prompt, as I showed earlier when I tested the POC. It's not a cure as such, but that setting is staying on my comp with ProcessGuard.
Yes, it is a reactive solution, rather than a proactive one.

A better solution is to White List the executables on the system. Then, you don't care what rundll32.exe does as long as it doesn't attempt to load a non-white listed DLL.

White Listing security is easy to test.

Here, I use rundll32.exe in an autorun.inf file to load the hmmapi.dll which starts IE with Windows Hotmail:

Code:
shellexecute=rundll32.exe hmmapi.dll,MailToProtocolHandler %1

[Screenshot: hmmapi-load.gif]

Rundll32.exe can happily do its task since the hmmapi.dll is an authorized executable.

Now, I use a different version of the hmmapi.dll - not white listed on my system - and rundll32.exe is not permitted to load the DLL:

[Screenshot: hmmapi-block.gif]

The problems with setting rundll32.exe to prompt are

1) where do you stop in trying to figure out how an exploit is going to use a system file? You can end up prompting many Windows system files and effectively cripple the system.

2) you get many false positives. Check the ProcessGuard archives here at Wilders and search for rundll32.exe. You will find many unhappy PG users who complained about this very thing: how do you deal with these system executables?

----
rich

Last edited by Rmus : July 24th, 2010 at 12:11 PM.
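Rmus's demonstration above can be reduced to a small script. The following is an added example, not code from the thread or from ProcessGuard or any whitelisting product: it parses the same autorun.inf directive, extracts the DLL that rundll32.exe would load, and decides by content hash rather than by file name, so an unknown build of hmmapi.dll is blocked while the authorized one passes. The autorun.inf text, the two DLL byte strings and the allowlist are constructed for the example.

```python
"""Simulate a whitelisting decision for an autorun.inf rundll32 directive.

Added example (not from the Wilders thread or any product discussed there).
It models the two outcomes described in Post #179: rundll32.exe may load
hmmapi.dll when that exact file is on the allowlist, and is blocked when a
different build with the same name is presented. The allowlist is keyed by
content hash, not by file name, which is what makes the second case fail.
The autorun.inf text, the DLL contents and the hashes are all constructed.
"""
import configparser
import hashlib
import shlex
from typing import List, Optional

# Constructed autorun.inf carrying the same directive as the thread's example.
AUTORUN_INF = """[autorun]
shellexecute=rundll32.exe hmmapi.dll,MailToProtocolHandler %1
"""

# Two constructed "versions" of hmmapi.dll. Real files would be PE images;
# any bytes will do to show that the decision depends on content, not name.
HMMAPI_AUTHORIZED = b"MZ-constructed-hmmapi-build-authorized"
HMMAPI_UNKNOWN = b"MZ-constructed-hmmapi-build-unknown"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The allowlist holds hashes of executables the administrator approved.
ALLOWLIST = {sha256(HMMAPI_AUTHORIZED)}


def autorun_commands(inf_text: str) -> List[str]:
    """Return the command lines autorun.inf would hand to the shell."""
    cp = configparser.ConfigParser(interpolation=None)  # keep "%1" literal
    cp.read_string(inf_text)
    if not cp.has_section("autorun"):
        return []
    section = cp["autorun"]
    # 'open' and 'shellexecute' are the two directives that launch something.
    return [section[k] for k in ("open", "shellexecute") if k in section]


def rundll32_target(command: str) -> Optional[str]:
    """If the command invokes rundll32.exe, return the DLL it would load."""
    parts = shlex.split(command, posix=False)
    if len(parts) < 2 or parts[0].lower() != "rundll32.exe":
        return None
    # rundll32 syntax is "<dll>,<EntryPoint>"; the DLL is before the comma.
    return parts[1].split(",", 1)[0]


def decide(command: str, dll_bytes: bytes) -> str:
    """ALLOW if the DLL rundll32 would load is on the allowlist, else BLOCK."""
    dll = rundll32_target(command)
    if dll is None:
        return "IGNORE"  # not a rundll32 launch; outside this example's scope
    return "ALLOW" if sha256(dll_bytes) in ALLOWLIST else "BLOCK"


if __name__ == "__main__":
    for cmd in autorun_commands(AUTORUN_INF):
        print(cmd, "->", rundll32_target(cmd))
        print("authorized build:", decide(cmd, HMMAPI_AUTHORIZED))
        print("unknown build:   ", decide(cmd, HMMAPI_UNKNOWN))
```

The point of hashing rather than matching on "hmmapi.dll" is exactly the second screenshot: a file with the approved name but different contents is still denied.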
#180, July 24th, 2010, 10:51 AM
Rmus (Exploit Analyst; Join Date: Mar 2005; Posts: 3,632)
Re: Rootkit.TmpHider

Quote:
Originally Posted by CloneRanger
The .lnk POC provided by - hxxp://www.ivanlef0u.tuxfamily.org/?p=411 - ONLY works if you copy dll.dll into c:\ first.

As Rmus has said
Quote:
"no exploit in the wild works that way"

I must admit i overlooked that aspect when testing, and so did a lot of other people
Yes, the exact exploit in the wild had everything on a USB stick. This exploit cannot be tested unless you get the USB stick itself, since the .lnk files are hardcoded to point to a specific device.

A better test is to put a non-white listed executable on a USB device and create a shortcut to that executable. Now, the .lnk file will not execute automatically, but you can simulate the exploit by manually clicking on the .lnk file.

The same result occurs: the executable file is launched.

Or, maybe not, if you have proper protection in place.

Here, I use an old leaktest file, firehole.exe, not white listed on my system. I create a shortcut to it and attempt to run it. It goes nowhere. End of exploit.

[Screenshot: tmpHider-firehole.gif]

----
rich

Last edited by Rmus : July 24th, 2010 at 12:09 PM.
#181, July 24th, 2010, 12:19 PM
i_g (Regular Poster; Join Date: Aug 2006; Posts: 128)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Rmus
A better test is to put a non-white listed executable on a USB device and create a shortcut to that executable. Now, the .lnk file will not execute automatically, but you can simulate the exploit by manually clicking on the .lnk file.

The same result occurs: the executable file is launched.
The real exploit doesn't execute an executable, it loads a DLL - which might be pretty different (protection-wise).
#182, July 24th, 2010, 03:11 PM
Rmus (Exploit Analyst; Join Date: Mar 2005; Posts: 3,632)
Re: Rootkit.TmpHider

Quote:
Originally Posted by i_g
The real exploit doesn't execute an executable, it loads a DLL - which might be pretty different (protection-wise).
Yes, they are spoofed with the .tmp file extension:

W32.Stuxnet Installation Details
http://www.symantec.com/connect/blog...lation-details
Quote:
Infected removable drives also contain the following files:

~WTR4141.tmp (~25Kb)
~WTR4132.tmp (~500Kb)

The above files are .dll files and the file names are hardcoded.
I showed in Post #179 blocking the loading of a DLL. Without having the complete exploit on a USB device, people can only simulate the attack.

Any attempt to access those files flags an alert here:

[Screenshot: tmpHider-tmp.gif]

----
rich
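Since the files Symantec lists are DLLs carrying a .tmp extension, a removable-media scan should judge files by their bytes rather than their names. The script below is an added example, not code from Symantec or from anyone in the thread: it checks for a DOS MZ header, follows e_lfanew to the PE signature, reads the IMAGE_FILE_DLL characteristic, and flags any .tmp file that turns out to be a PE image. The directory listing and the PE byte strings are constructed; only the ~WTR4141.tmp and ~WTR4132.tmp names come from the quoted write-up.

```python
"""Flag files whose extension says .tmp but whose bytes say PE image.

Added example, not from the thread or from Symantec. The infected drives
described in the quoted write-up carry ~WTR4141.tmp and ~WTR4132.tmp, which
are DLLs renamed to .tmp. A scanner should therefore not trust the extension;
this checks for an MZ header, a valid e_lfanew pointer to the PE signature,
and the IMAGE_FILE_DLL characteristic. All sample bytes are constructed.
"""
import struct
from typing import Dict, Optional

IMAGE_FILE_DLL = 0x2000  # Characteristics bit set on DLL images


def pe_kind(data: bytes) -> Optional[str]:
    """Return 'dll', 'exe', or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4) + COFF file header (20) must fit inside the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF FileHeader: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    # Characteristics(2) -> Characteristics sits 22 bytes after "PE\0\0".
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def make_pe(characteristics: int) -> bytes:
    """Build the smallest constructed byte string that pe_kind accepts."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each file name to a verdict for a removable-media triage."""
    verdicts = {}
    for name, data in files.items():
        kind = pe_kind(data)
        if name.lower().endswith(".tmp") and kind is not None:
            verdicts[name] = f"SUSPICIOUS: .tmp file is a PE {kind}"
        elif kind is not None:
            verdicts[name] = f"executable ({kind})"
        else:
            verdicts[name] = "not executable"
    return verdicts


# Constructed directory listing of a removable drive.
SAMPLE_DRIVE = {
    "~WTR4141.tmp": make_pe(0x2102),  # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    "~WTR4132.tmp": make_pe(0x2102),
    "notes.tmp": b"temporary text, nothing to see",
    "setup.exe": make_pe(0x0102),     # a plain executable, correctly named
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_DRIVE).items():
        print(f"{name:14} {verdict}")
```

Run against a real drive, the same loop would read each file's first few hundred bytes; the header checks are the same, and the verdict depends only on whether the extension and the content agree.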
#183, July 24th, 2010, 07:11 PM
Meriadoc (Very Frequent Poster; Join Date: Mar 2006; Location: Cymru; Posts: 2,642)
Re: Rootkit.TmpHider

Very nice post by Peter Silberman on M-unition, the MANDIANT blog. I hadn't read it until the link was posted here, so
__________________
Who controls the past controls the future
Who controls the present controls the past

vmworld
#184, July 26th, 2010, 04:19 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

Some more info etc

*

Quote:
It seems that most all GUI-based Windows file explorer tools, including those not from Microsoft, could trip the vulnerability when used to view an infected USB storage device. One such text-based Windows file explorer tool that does not is reported to be Far Manager so you probably would do well to keep a version of this one on your systems when doing examinations of USB devices.

http://grandstreamdreams.blogspot.co...b-storage.html

Quote:
Super-Fast Linkfest Throw-down: Pt I

http://grandstreamdreams.blogspot.com


Quote:
LinkIconShim

A simple shell extension that inserts itself in front of the original buggy lnk file handler and checks the incoming files. If a link to control panel item is found (the exploitable one), default 'blocked' icon is returned instead of trying to extract one by running arbitrary dll.

http://code.google.com/p/linkiconshim

*

Quote:
Originally Posted by Meriadoc

Very nice post by Peter Silberman on M-unition, the MANDIANT blog. I hadn't read it until the link was posted here, so

Glad you liked it
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
#185, July 26th, 2010, 08:05 PM
MrBrian (Very Frequent Poster; Join Date: Feb 2008; Posts: 2,925)
Re: Rootkit.TmpHider

SophosLabs Released Free Tool to Validate Microsoft Shortcut
#186, July 26th, 2010, 11:34 PM
Sadeghi85 (Frequent Poster; Join Date: Dec 2009; Posts: 697)
Re: Rootkit.TmpHider

Myrtus and Guava, Episode 4

Myrtus and Guava, Episode 5
#187, July 26th, 2010, 11:37 PM
Sadeghi85 (Frequent Poster; Join Date: Dec 2009; Posts: 697)
Re: Rootkit.TmpHider

Quote:
Previously in our series of blogs about Stuxnet we wrote about the installation details and the numerous files that are associated with the threat. In this installment I will discuss the network communication and command and control functionality of W32.Stuxnet. Although some of the tasks that the threat performs are automated, other tasks are performed only after the threat has connected to the command and control server and received specific instructions. It is this aspect of the threat that will be discussed here.

W32.Stuxnet – Network Operations
#188, July 27th, 2010, 05:21 AM
SUPERIOR (Regular Poster; Join Date: Dec 2007; Location: Syria; Posts: 161)
Re: Rootkit.TmpHider

Guys, I have some noobish questions, hope no one is bothered by answering them.
Anyone tried Comodo against this rootkit? I mean D+ against the shortcut vuln?
If I can get a sample of this rootkit, is it safe to run it in shadow mode?
I read the Mandiant blog about this malware; it's using // instead of / in the directory for the process. Is this called "hook" or "inject"?
@Rmus .... what's this environment you were using to test the malware, if you don't mind my question?
Thanks in advance
#189, July 27th, 2010, 05:43 AM
Ford Prefect (Regular Poster; Join Date: Oct 2008; Location: Germany, Ruhrpott; Posts: 95)
Re: Rootkit.TmpHider

G Data fights back Windows security flaw
http://www.gdatasoftware.co.uk/about...ndows-sec.html
__________________
Whoever undertakes to set himself up as a judge of Truth and Knowledge is shipwrecked by the laughter of the Gods.
A. Einstein
#190, July 27th, 2010, 06:04 AM
AvinashR (Very Frequent Poster; Join Date: Dec 2009; Location: New Delhi Metallo β-Lactamase 1; Posts: 2,060)
Re: Rootkit.TmpHider

Here is the direct link:

http://www.sophos.com/pressoffice/news/articles/2010/07/shortcut.html
__________________
∆√♪ηάکђ
ℓєтک υηcσммpℓιcαтє
http://www.adminus.net
http://technonxt.wordpress.com
#191, July 27th, 2010, 06:26 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

@MrBrian

Thanks for the SophosLabs Free Tool link.

More info and videos from the direct link AvinashR gave

Quote:
"When Windows tries to display an icon with a shortcut, the tool will intercept the request in order to validate it and give back control to the user if not found to be malicious."

http://isc.sans.edu/diary.html?storyid=9268

Installed it and it worked to stop the POC from both my USB stick and desktop, as viewed in DbgView. But I didn't get an alert box as seen in the video?

@Ford Prefect

Nice find

G Data LNK-Check

Quote:
With this tool, G Data addresses the serious security flaw regarding shortcuts in Microsoft Windows products. The program prevents the automatic execution of malicious code upon the display of primed shortcuts. After the installation, it monitors the creation of shortcut icons. The “G Data LNK Checker” functions independently from an installed security suite and supplements it with a generic detection. Regular desktop icons with usual and harmless mechanisms are displayed as usual. But if a malicious mechanism is detected, a red warning signal icon is displayed.

Attention: A double-click on a file that “G Data LNK Checker” marked as dangerous activates the execution all the same. At this point, a good security suite is needed.

Anyway, kudos to Sophos and G Data for releasing these; they should help a lot of people till a permanent fix arrives, if the word is spread about them and they are used correctly. The Sophos one does appear less risky though.

Wonder if these tools are using the LinkIconShim trick in some way in Post 184 ?

@Sadeghi85

Thanks, W32.Stuxnet Network Information already in Post #175
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
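Both tools quoted here, like LinkIconShim in Post 184, work by inspecting a .lnk file before the shell extracts its icon. The following is an added example and is not code from LinkIconShim, Sophos or G Data: it validates the shortcut header (the 0x4C size and the shell link CLSID from the published MS-SHLLINK format), walks the LinkTargetIDList, and classifies the shortcut as a Control Panel link when any item carries the Control Panel folder CLSID, which is the class of link the quoted LinkIconShim description answers with a 'blocked' icon. The two shortcut byte strings are constructed in the script; the check also matches legitimate Control Panel shortcuts, so a tool built on it trades some legitimate icons for coverage.

```python
"""Validate a Windows shortcut header and flag Control Panel links.

Added example; it is not code from LinkIconShim, Sophos or G Data. It does
what Post 184 describes LinkIconShim doing: before anything extracts an icon
from a .lnk, parse the file and, if its target ID list points into the
Control Panel folder, report it as a Control Panel link so the caller can
show a 'blocked' icon instead of resolving the item. Header layout follows
the published MS-SHLLINK format; the sample .lnk bytes are constructed here.
"""
import struct
import uuid

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_IDLIST = 0x01  # LinkFlags bit 0
# Shell folder CLSIDs in the little-endian byte order used inside item IDs.
CONTROL_PANEL = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d").bytes_le
MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d").bytes_le


def parse_idlist(data: bytes, offset: int) -> list:
    """Return the raw ItemID payloads of the LinkTargetIDList at offset."""
    (idlist_size,) = struct.unpack_from("<H", data, offset)
    end = offset + 2 + idlist_size
    if end > len(data):
        raise ValueError("IDList runs past end of file")
    pos, items = offset + 2, []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID closes the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def classify_lnk(data: bytes) -> str:
    """Return 'invalid', 'no-target', 'control-panel' or 'ok'."""
    if len(data) < HEADER_SIZE:
        return "invalid"
    size, clsid_raw, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid_raw) != LINK_CLSID:
        return "invalid"
    if not flags & HAS_LINK_TARGET_IDLIST:
        return "no-target"
    try:
        items = parse_idlist(data, HEADER_SIZE)
    except (ValueError, struct.error):
        return "invalid"
    # Any item carrying the Control Panel folder CLSID makes this a CPL link;
    # the item type byte is deliberately not trusted, only the CLSID bytes.
    if any(CONTROL_PANEL in item for item in items):
        return "control-panel"
    return "ok"


def make_lnk(items: list) -> bytes:
    """Constructed .lnk: valid header plus an IDList built from payloads."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I16sI", header, 0, HEADER_SIZE, LINK_CLSID.bytes_le,
                     HAS_LINK_TARGET_IDLIST if items else 0)
    body = b"".join(struct.pack("<H", len(p) + 2) + p for p in items) + b"\0\0"
    return bytes(header) + struct.pack("<H", len(body)) + body


def clsid_item(clsid_le: bytes) -> bytes:
    """Root-folder style item: type byte 0x1F, sort byte, then the CLSID."""
    return b"\x1f\x50" + clsid_le


# Constructed shortcuts: one into Control Panel, one to a plain file item.
CPL_LINK = make_lnk([clsid_item(MY_COMPUTER), clsid_item(CONTROL_PANEL)])
FILE_LINK = make_lnk([clsid_item(MY_COMPUTER), b"\x31\x00README.TXT\x00"])

if __name__ == "__main__":
    for name, blob in (("cpl", CPL_LINK), ("file", FILE_LINK), ("junk", b"MZ")):
        print(name, "->", classify_lnk(blob))
```

Dropping a shortcut that fails the header check, or that the tool refuses to resolve, is the same decision the G Data tool surfaces with its red warning icon; nothing here executes or loads the target.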
#192, July 27th, 2010, 06:37 AM
AvinashR (Very Frequent Poster; Join Date: Dec 2009; Location: New Delhi Metallo β-Lactamase 1; Posts: 2,060)
Re: Rootkit.TmpHider

As per LinkIconShim:

The Sophos Windows Shortcut Exploit Protection Tool doesn't handle all malicious link files due to mishandling of the .lnk internal data.

Now how can we test this thing?

__________________
∆√♪ηάکђ
ℓєтک υηcσммpℓιcαтє
http://www.adminus.net
http://technonxt.wordpress.com
#193, July 27th, 2010, 06:39 AM
AvinashR (Very Frequent Poster; Join Date: Dec 2009; Location: New Delhi Metallo β-Lactamase 1; Posts: 2,060)
Re: Rootkit.TmpHider

Some more articles on the .LNK exploit

"Read It Here"
__________________
∆√♪ηάکђ
ℓєтک υηcσммpℓιcαтє
http://www.adminus.net
http://technonxt.wordpress.com
#194, July 27th, 2010, 06:39 AM
Kid Shamrock (Regular Poster; Join Date: Apr 2007; Posts: 169)
Re: Rootkit.TmpHider

Version 3.05 of DefenseWall blocks the .lnk exploit. http://www.softsphere.com/cgi-bin/re...NSEWALL_PF.EXE
__________________
Laptop: Win7 x64 | AppGuard 3.4.2 | Rollback Rx | Macrium Reflect
#195, July 27th, 2010, 06:46 AM
AvinashR (Very Frequent Poster; Join Date: Dec 2009; Location: New Delhi Metallo β-Lactamase 1; Posts: 2,060)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Kid Shamrock
Version 3.05 of DefenseWall blocks the .lnk exploit. http://www.softsphere.com/cgi-bin/re...NSEWALL_PF.EXE

This is not a free tool, whereas GData .LNK Tool and Sophos Labs Blocking tools are absolutely free.
__________________
∆√♪ηάکђ
ℓєтک υηcσммpℓιcαтє
http://www.adminus.net
http://technonxt.wordpress.com
#196, July 27th, 2010, 10:34 AM
Sadeghi85 (Frequent Poster; Join Date: Dec 2009; Posts: 697)
Re: Rootkit.TmpHider

Quote:
Originally Posted by CloneRanger

@Sadeghi85

Thanks, W32.Stuxnet Network Information already in Post #175

This one is Network Operations.

+ that Sophos tool doesn't seem to work if the dll/lnk files are on the hard drive.

-http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187-60.htm
#197, July 27th, 2010, 11:03 AM
EraserHW (Prevx Moderator; Join Date: Oct 2005; Location: Italy / UK; Posts: 584)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Sadeghi85
+ that Sophos tool doesn't seem to work if the dll/lnk files are on the hard drive.

-http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187-60.htm


This behavior was expected. Due to the nature of the flaw (a design flaw) it is pretty difficult to develop a fully working patch. You can't exactly understand which LNK is malicious and which one is not. While waiting for the Microsoft patch, there are two solutions:

1) heuristically try to detect the malicious file (i.e. the linked file is loaded from removable device and/or network), but this will leave some vulnerability if the LNK is located on hard drive;

2) totally filtering the vulnerable function; this will prevent every LNK from exploiting it, but the filter will cut off some legitimate LNK icons too (still far better than having all LNK shortcuts with a blank icon)

I've developed my own patch, SafeLink, and chose the 2nd way. Currently I've uploaded a sample video on YouTube: -http://www.youtube.com/watch?v=e422t-cLAm0-
__________________
Before you criticize someone, you should walk a mile in their shoes. That way when you criticize them, you are a mile away from them and you have their shoes
Check your PC in about a minute
#198, July 27th, 2010, 11:26 AM
AvinashR (Very Frequent Poster; Join Date: Dec 2009; Location: New Delhi Metallo β-Lactamase 1; Posts: 2,060)
Re: Rootkit.TmpHider

Quote:
Originally Posted by EraserHW
I've developed my own patch, SafeLink, and chose the 2nd way. Currently I've uploaded a sample video on YouTube: -http://www.youtube.com/watch?v=e422t-cLAm0-

Please share this technique with us...
__________________
∆√♪ηάکђ
ℓєтک υηcσммpℓιcαтє
http://www.adminus.net
http://technonxt.wordpress.com
#199, July 28th, 2010, 05:45 AM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

Quote:
Originally Posted by Sadeghi85

This one is Network Operations.

Well spotted, sorry, thanks.

Quote:
+ that Sophos tool doesn't seem to work if the dll/lnk files are on the hard drive.

I've seen reports of both the Sophos and G Data tools failing.

*

Quote:
W32.Changeup Threat Profile

Introduction

It has been all about W32.Stuxnet for the past two weeks due to its connection to SCADA systems as well as the use of an unpatched vulnerability to propagate. But from about a month ago, we observed a significant increase in infection numbers of W32.Changeup worldwide, especially in the Enterprise environment.

-

However, recently W32.Changeup equipped itself with the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (BID 41732) for propagation.

http://www.symantec.com/connect/fr/b...threat-profile
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
#200, July 28th, 2010, 12:12 PM
CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,930)
Re: Rootkit.TmpHider

Quote:
LNK Vulnerability: Chymine, Vobfus, Sality and Zeus

Here's the bad news: several additional malware families are now attempting to exploit Microsoft's LNK vulnerability (228619).

-

Zeus is a challenging threat to combat, and not many vendors detect this variant yet. We're adding detection now. Fortunately, the exploit used is detected by many and the entire thing relies on socially engineering its victim into opening a password protected zip file and copying the lol.dll to the root of the C: since the path must be known in order for the exploit to work.

We don't really expect great success for this particular variant of Zeus.

http://www.f-secure.com/weblog/archives/00001996.html

You might be surprised how many people will actually do that
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air

All times are GMT -4.
Copyright ©2002 - 2013, Wilders Security Forums