Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,855
    Location:
    California
    Is this vulnerability present in all Windows Operating Systems? I cannot get shortcut links to run automatically from a USB drive in Win2K or WinXP.

    ----
    rich
     
  2. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Maybe it was written by someone in the Utilities business?
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    When I ran the installer.0022.exe malware very recently, it tried to infect using NTVDM.exe MS-DOS emulation. Nobody picked up on it, or seemed to think it relevant enough to comment on?

    http://www.wilderssecurity.com/showthread.php?

    Wonder if there might be more to this after all than was initially thought by some people, and in this case too?
     
  4. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    Yes, it is.
    Well, didn't try on Win2k, but it works on XP, Vista, Win7.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,855
    Location:
    California
    Can you explain how you tested using WinXP?

    Thanks,

    -rich
     
  6. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
  7. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    First you need a sample of the exploit, of course (it's not an ordinary .lnk file you create using the "Create shortcut" option in Windows Explorer). Then it's enough e.g. to enter the corresponding folder in Total Commander - and the code is started.
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    8,938
    Location:
    North Carolina
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    aigle, you have your PM.
     
  10. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    uh, I would also like a PM if it is no problem of some kind :oops:
    HIPS tests are my interest, and those signed files + exploit are a temptation for me.
     
    Last edited: Jul 16, 2010
  11. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    A question, as I don't have a sample of this malware: when the code runs, does it run with the privileges of the currently logged in user, or does the vulnerability allow privilege escalation to admin/system? If the exploit only manages to gain the privileges of the current user, then even the very basic measure of running as a limited user would be enough to prevent the infection, seeing how the malware attempts to load drivers and limited users don't have the privilege required for that. That would make this whole big fuss a little less big, at least for those of the Average Users who have been set up with a non-admin account. If you have a sample and can test the malware as a limited user, I'd appreciate it if you could report back whether or not the malware manages to infect the system when executed under a limited account.


    Interesting stuff! Maybe the digital signature was compromised via outsourcing. That would be... well, sad.
     
  12. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,005
    Location:
    USA
    Reading about this behind a SonicWall threat management package and when I went to the 3rd blog link, I get the message "This request is blocked by the SonicWALL Gateway Anti-Virus Service. Name: Stuxnet.B (Trojan)"

    So 2 good things I guess. The signature needed to stop this little bugger is in place. And that there is something @ that URL that triggers an alert.

    But I still wanted to read it... :(
     
  13. i_g

    i_g Registered Member

    Joined:
    Aug 30, 2006
    Posts:
    133
    Yes, the code runs under the current user's account. This particular malware has rootkit drivers (and I don't know how it behaves if it cannot load the drivers), but generally it's not a requirement.

    Well, the "average user" cannot spread the infection to other users of the system directly, but this user gets infected nevertheless - and I can imagine possible attempts to spread the infection further.
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    Here's a possible contender as to why it's called those names ;)

    @sergey ulasen

    Thanks for the http://www.securelist.com links :thumb:
     
  15. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    :) lol, paranoid av
     
  16. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,005
    Location:
    USA
    You are right! I went back to check this thread and was locked out of page 2. I'm guessing the piece of code that says "b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb" must be the issue because it's on both the blog URL and listed here too...
     
  17. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Yes, this is a string from the rootkit driver. Added emphasis in quote.
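The PDB path quoted above is a build artifact stored in the driver's CodeView (RSDS) debug record, which is why a gateway AV can key on it. The following is an added example, not code from this thread or from any of the posters: a small Python parser that walks a PE file's debug directory, pulls out the RSDS PDB path, and compares it (case-insensitively, since Windows paths are) against the string posted by HAN. The `build_sample_pe` fixture is a constructed minimal PE32 used only so the parser can be exercised offline; it is not the rootkit driver and carries no code.

```python
import struct

# The PDB path quoted in the thread (from the rootkit driver's debug record).
# Comparison is case-insensitive because Windows paths are.
KNOWN_BAD_PDB_PATHS = {
    rb"b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb".lower(),
}

IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DEBUG_TYPE_CODEVIEW = 2
DEBUG_ENTRY_FMT = "<IIHHIIII"          # IMAGE_DEBUG_DIRECTORY, 28 bytes
DEBUG_ENTRY_SIZE = struct.calcsize(DEBUG_ENTRY_FMT)


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def extract_pdb_path(data: bytes):
    """Return the PDB path from the RSDS (CodeView) debug record, or None if absent."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start 96 bytes in
        dir_base = opt + 96
    elif magic == 0x20B:      # PE32+: 112 bytes in
        dir_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, dir_base - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_DEBUG:
        return None
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if not dbg_rva or not dbg_size:
        return None

    sections = []
    sec_base = opt + size_opt
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_base + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    dbg_off = _rva_to_offset(sections, dbg_rva)
    if dbg_off is None:
        return None

    for i in range(dbg_size // DEBUG_ENTRY_SIZE):
        (_, _, _, _, dtype, size_of_data, _, ptr_raw) = struct.unpack_from(
            DEBUG_ENTRY_FMT, data, dbg_off + DEBUG_ENTRY_SIZE * i)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW:
            continue
        rec = data[ptr_raw:ptr_raw + size_of_data]
        # RSDS record: 'RSDS', 16-byte GUID, 4-byte age, NUL-terminated PDB path
        if len(rec) < 24 or rec[:4] != b"RSDS":
            continue
        return rec[24:].split(b"\0", 1)[0]
    return None


def has_known_bad_pdb(data: bytes) -> bool:
    """True if the image's PDB path matches one of the known-bad strings."""
    path = extract_pdb_path(data)
    return path is not None and path.lower() in KNOWN_BAD_PDB_PATHS


def build_sample_pe(pdb_path: bytes) -> bytes:
    """Constructed minimal PE32 with one CodeView debug entry (test fixture, not a real driver)."""
    section_rva, section_off = 0x1000, 0x200
    rsds = b"RSDS" + b"\0" * 16 + struct.pack("<I", 1) + pdb_path + b"\0"
    entry = struct.pack(DEBUG_ENTRY_FMT, 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                        len(rsds), section_rva + DEBUG_ENTRY_SIZE, section_off + DEBUG_ENTRY_SIZE)
    payload = entry + rsds

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)      # i386, 1 section
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # PE32, 16 data dirs
    dirs = b"".join(
        struct.pack("<II", section_rva, DEBUG_ENTRY_SIZE) if i == IMAGE_DIRECTORY_ENTRY_DEBUG
        else struct.pack("<II", 0, 0) for i in range(16))
    sec = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", len(payload), section_rva,
                      len(payload), section_off, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + dirs + sec
    return headers.ljust(section_off, b"\0") + payload
```

To run this against a real file, read it as bytes and call `has_known_bad_pdb(data)`; the parser handles PE32 and PE32+ and returns None rather than raising when an image simply has no debug directory, so it can be pointed at a whole directory of drivers without tripping over stripped binaries.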
     
  18. stonerhash

    stonerhash Registered Member

    Joined:
    Jul 16, 2010
    Posts:
    4
    Hey guys, where can I download a sample of this worm? I'm especially interested in the .lnk files.
     
  19. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    16,476
    Location:
    U.S.A.
    stonerhash, Wilders is not a Malware Exchange Forum, and any posts pointing to such malware are against our Terms of Service and thus removed.
     
  20. stonerhash

    stonerhash Registered Member

    Joined:
    Jul 16, 2010
    Posts:
    4
    Sorry about that, I thought that given that many members of this forum are security researchers that wouldn't be a problem.

    The problem is that there is no official advisory, so I cannot find more details about the .lnk vuln elsewhere.
     
  21. wat0114

    wat0114 Guest

    You're right, I also can't find anything official on this. It seems to be more overhyped bs than substance.
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,855
    Location:
    California
    I put the files on a USB drive and they are flagged as I view the drive in Windows Explorer:

    rootkitTMP.gif

    This exploit goes nowhere with proper protection in place. To test, using the command prompt, which simulates a lnk file attempting to start the two ~tmp files (see screen shot of the lnk file in the PDF):

    rootkitTMP-cmd.gif

    Being an espionage exploit, as has been suggested, begs the question of how company personnel acquire a USB drive infected with these files.

    One scenario was proven to work some years ago. This article references a penetration test from 2006:

    Island Hopping: The Infectious Allure of Vendor Swag
    http://technet.microsoft.com/en-us/magazine/2008.01.securitywatch.aspx

    The original article was on DarkRoom's Perimeter/Security page, but doesn't seem to be accessible now.

    ----
    rich
     
    Last edited: Jul 17, 2010
  23. weeNym

    weeNym Registered Member

    Joined:
    Jul 14, 2003
    Posts:
    19
  24. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,926
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA