Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Is this vulnerability present in all Windows Operating Systems? I cannot get shortcut links to run automatically from a USB drive in Win2K or WinXP.

    ----
    rich
  2. Searching_ _ _

    Searching_ _ _ Registered Member

    Maybe it was written by someone in the Utilities business?
  3. CloneRanger

    CloneRanger Registered Member

    When I ran the installer.0022.exe malware very recently, it tried to infect using NTVDM.exe MS-DOS Emulation. Nobody picked up on it, or seemed to think it relevant enough to comment on it?

    http://www.wilderssecurity.com/showthread.php?

    Wonder if there might be more to this after all than was initially thought by some people, and in this case too?
  4. i_g

    i_g Registered Member

    Yes, it is.
    Well, didn't try on Win2k, but it works on XP, Vista, Win7.
  5. Rmus

    Rmus Exploit Analyst

    Can you explain how you tested using WinXP?

    Thanks,

    -rich
  6. sergey ulasen

    sergey ulasen AV Expert

  7. i_g

    i_g Registered Member

    First you need a sample of the exploit, of course (it's not an ordinary .lnk file you create using the "Create shortcut" option in Windows Explorer). Then it's enough e.g. to enter the corresponding folder in Total Commander - and the code is started.
  8. trjam

    trjam Registered Member

  9. Meriadoc

    Meriadoc Registered Member

    aigle, you have your PM
  10. Einsturzende

    Einsturzende Registered Member

    uh, I would also like a PM if it is no problem of some kind :oops:
    HIPS tests are my interest, and those signed files + exploit are a temptation for me
    Last edited: Jul 16, 2010
  11. Windchild

    Windchild Registered Member

    A question, as I don't have a sample of this malware: when the code runs, does it run with the privileges of the currently logged in user, or does the vulnerability allow privilege escalation to admin/system? If the exploit only manages to gain the privileges of the current user, then even the very basic measure of running as a limited user would be enough to prevent the infection, seeing how the malware attempts to load drivers and limited users don't have the privilege required for that. That would make this whole big fuss a little less big, at least for those of the Average Users who have been set up with a non-admin account. If you have a sample and can test the malware as a limited user, I'd appreciate it if you could report back whether or not the malware manages to infect the system when executed under a limited account.


    Interesting stuff! Maybe the digital signature was compromised via outsourcing. That would be... well, sad.
  12. HAN

    HAN Registered Member

    Reading about this from behind a SonicWall threat management package, and when I went to the 3rd blog link, I got the message "This request is blocked by the SonicWALL Gateway Anti-Virus Service. Name: Stuxnet.B (Trojan)"

    So 2 good things I guess. The signature needed to stop this little bugger is in place. And that there is something @ that URL that triggers an alert.

    But I still wanted to read it... :(
  13. i_g

    i_g Registered Member

    Yes, the code runs under the current user's account. This particular malware has rootkit drivers (and I don't know how it behaves if it cannot load the drivers), but generally it's not a requirement.

    Well, the "average user" cannot spread the infection to other users of the system directly, but this user gets infected nevertheless - and I can imagine possible attempts to spread the infection further.
  14. CloneRanger

    CloneRanger Registered Member

    Here's a possible contender as to why it's called those names ;)

    @sergey ulasen

    Thanks for the http://www.securelist.com links :thumb:
  15. Meriadoc

    Meriadoc Registered Member

    :) lol, paranoid av
  16. HAN

    HAN Registered Member

    You are right! I went back to check this thread and was locked out of page 2. I'm guessing the piece of code that says "b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb" must be the issue because it's on both the blog URL and listed here too...
  17. Meriadoc

    Meriadoc Registered Member

    Yes, this is a string from the rootkit driver. Added emphasis in quote.
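As an added illustration (not from the thread, and not a real sample) of what HAN and Meriadoc describe above: a gateway rule that matches the bare PDB path string fires on the blog page that quotes it just as readily as on the driver, while a rule that also requires a PE image header around the string flags only the executable. The driver-like blob and the HTML page below are constructed here for the demonstration.

```python
# Added example: why a bare string signature on the driver's PDB path also
# blocks a web page that quotes the path, and one way to tighten the rule.

# The PDB path quoted in the thread (from the page). Raw bytes so the
# backslashes are literal.
PDB_SIGNATURE = rb"b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb"


def is_pe_image(data: bytes) -> bool:
    """True if data starts with an MS-DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def string_rule(data: bytes) -> bool:
    """Naive gateway rule: the string appears anywhere in the content."""
    return PDB_SIGNATURE in data


def pe_aware_rule(data: bytes) -> bool:
    """Tightened rule: the string appears inside something shaped like a PE."""
    return is_pe_image(data) and PDB_SIGNATURE in data


def build_fake_pe_with_pdb_path() -> bytes:
    """Constructed stand-in for the driver: minimal MZ/PE headers followed by
    a CodeView-style 'RSDS' record (16-byte GUID, 4-byte age, PDB path)."""
    header = bytearray(b"MZ" + b"\0" * 0x3A)   # pad to offset 0x3C
    header += (0x40).to_bytes(4, "little")      # e_lfanew -> 0x40
    header += b"PE\0\0"                         # PE signature at 0x40
    codeview = b"RSDS" + b"\0" * 16 + b"\x01\0\0\0" + PDB_SIGNATURE + b"\0"
    return bytes(header) + b"\0" * 16 + codeview


# Constructed HTML snippet standing in for the blog page that quotes the path.
BLOG_PAGE = (b"<html><body><p>The driver's debug path string is "
             + PDB_SIGNATURE + b"</p></body></html>")
DRIVER_LIKE = build_fake_pe_with_pdb_path()


def verdicts() -> dict:
    """Return (string_rule, pe_aware_rule) for each constructed sample."""
    return {name: (string_rule(d), pe_aware_rule(d))
            for name, d in (("blog_page", BLOG_PAGE), ("driver", DRIVER_LIKE))}


if __name__ == "__main__":
    for name, (naive, tightened) in verdicts().items():
        print(f"{name:10s} string rule: {naive}  PE-aware rule: {tightened}")
```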
  18. stonerhash

    stonerhash Registered Member

    Hey guys, where can I download a sample of this worm? I'm especially interested in the lnk files.
  19. JRViejo

    JRViejo Global Moderator

    stonerhash, Wilders is not a Malware Exchange Forum and any posts pointing to such malware are against our Terms of Service, thus removed.
  20. stonerhash

    stonerhash Registered Member

    Sorry about that, I thought that given that many members of this forum are security researchers that wouldn't be a problem.

    The problem is that there is no official advisory, so I cannot find more details about the lnk vuln elsewhere.
  21. wat0114

    wat0114 Guest

    You're right, I also can't find anything official on this. It seems to be more overhyped bs than substance.
  22. Rmus

    Rmus Exploit Analyst

    I put the files on a USB drive and they are flagged as I view the drive in Windows Explorer:

    [screenshot: rootkitTMP.gif]

    This exploit goes nowhere with proper protection in place. To test, using the command prompt, which simulates a lnk file attempting to start the two ~tmp files (see screen shot of the lnk file in the PDF):

    [screenshot: rootkitTMP-cmd.gif]

    If this is an espionage exploit, as has been suggested, it begs the question of how company personnel acquire a USB drive infected with these files.

    One scenario was proven to work some years ago. This article references a penetration test from 2006:

    Island Hopping: The Infectious Allure of Vendor Swag
    http://technet.microsoft.com/en-us/magazine/2008.01.securitywatch.aspx

    The original article was on DarkRoom's Perimeter/Security page, but doesn't seem to be accessible now.

    ----
    rich
    Last edited: Jul 17, 2010
  23. weeNym

    weeNym Registered Member

  24. Ibrad

    Ibrad Registered Member

  25. MrBrian

    MrBrian Registered Member
