Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. Rmus (Exploit Analyst)

    Thanks, weeNym.

    From the Advisory:

    Yet further on, it seems to imply that no clicking is necessary:

    ----
    rich
  2. wat0114 (Guest)

    Rich, nice work again as usual :thumb: Thank you :)
  3. JRViejo (Global Moderator)

    Rich, taken from MrBrian's blog link:
  4. CloneRanger (Registered Member)

    @weeNym

    Good new find :thumb: but it seems it's yet another, different exploit in the link that MrBrian posted :thumb: from TechNet

  5. Rmus (Exploit Analyst)

    Thanks MrBrian for the link. This also implies no clicking on the icon is necessary:

    ----
    rich
  6. Rmus (Exploit Analyst)

    Yes, I just saw that. The first statement in the Microsoft Advisory is evidently in error, if it implies that clicking is the only way to launch the exploit:

    (my emphasis)

    ----
    rich
  7. JRViejo (Global Moderator)

  8. wat0114 (Guest)

    Finally, some real evidence that anyone can understand has surfaced. Thank you MrBrian and JRViejo for the links. This seems to be similar to a .inf exploit, so does it stand to reason that, besides the whitelist/anti-executable approach, at least disabling autoplay should stop this?
  9. JRViejo (Global Moderator)

    wat0114, according to the MS Security Advisory, under Mitigating Factors, disabling AutoPlay might help:
  10. CloneRanger (Registered Member)

  11. wat0114 (Guest)

    Good to know, thanks again!
  12. JRViejo (Global Moderator)

    wat0114, you're welcome! Take care.
  13. Windchild (Registered Member)

    That's strange. It doesn't look like you have the .lnk files that actually contain the exploit code on the removable drive. So why are the .tmp files flagged as if they were executing? It's the .lnk files that would actually execute those malicious .tmp files, so I don't see why AE would pop up an alert like that when there seem to be no .lnk files around. Well, I suppose the simple explanation would be that the .lnk files actually are there, but they're covered by the alert pop up. Or maybe there's an autorun file somewhere in there that tries to execute those .tmp files directly, without any exploit. Or something. But if none of those are true and the malicious .lnk files are missing, then that alert makes no sense. Something has to be executing the files for the alert to make sense, but what is it?

    Sure, the ability to load drivers is not a general requirement for malware. Everyone should know that (but doesn't). But, it seems from all the reports I've read that this malware does load drivers, and fails to do anything if it can't. So, simply not being admin would entirely prevent this infection based on that assumption. So, unless all the reports are simply omitting that the malware also does something (other than dying) if it's executed without admin privileges, then the user would not get infected at all, and also wouldn't be spreading it anywhere, not without sharing the infected USB drive that is. So in short, this malware would seem to be unable to infect anyone who isn't running as admin. But then again, AV companies often do omit things like what some malware does without admin privileges.
  14. MrBrian (Registered Member)

    For those who have tested this malware, what happens when browsing an infected USB stick while running as admin with UAC on default settings? Do you get a UAC prompt?
  15. MrBrian (Registered Member)

    This would be a good time to consider how you would have fared against this particular malware had you been exposed to it two or three weeks ago, before it was widely known. And for those who normally use a standard user account, also consider what would have happened if you had browsed an infected USB stick while using an admin account.
    Last edited: Jul 17, 2010
  16. Windchild (Registered Member)

    Most any reasonable setup would have stopped it, it seems, now that it's been revealed this is simply a shell vulnerability that only gains the attacker the privileges of the currently logged in user, not superuser level access to the system.

    As far as infected USB sticks are concerned, it's not a good idea to stick such things in the system while logged in as admin. If you've got a suspect stick, it could be worth checking it first without admin privileges. The rootkit drivers won't be able to hide the malicious .lnk and .tmp files on the USB drive if the rootkit drivers can't install due to limited users not having the required privilege. Seeing such unexplained files should be warning enough to delete the contents of the stick, at the very least the unexplained .lnk and .tmp files. :)
  17. wat0114 (Guest)

    I'll be happy to test this if someone can pm me a link.
  18. Rmus (Exploit Analyst)

    I don't have the .lnk files. I would like to get them to really test the entire exploit.

    Anti-Executable v.2 parses the files in a directory and flags an alert if an executable is not on the white list. Here is firehole.exe, an old leak test I keep around. It's not on the white list, so when I go to the directory, AE pops up an alert:

    [screenshot attachment: rootkitTMP-firehole.gif]

    A similar example is blocking downloads by its Copy protection. Here, a remote code execution exploit attempts to download an executable spoofed as a .gif file. AE somehow "reads" the code as it attempts to download, and the file is prevented from getting onto the computer at all:

    [screenshot attachment: cnte-code1.gif]

    [screenshot attachment: gif-block.gif]

    Some years ago, BlueZannetti and I discussed this in a thread. He had some ideas as to how this works, but I've forgotten exactly what he wrote.


    ----
    rich
  19. Rmus (Exploit Analyst)

    It seems to be just another remote code execution exploit that attempts to run a binary:

    Microsoft Security Advisory (2286198)
    Vulnerability in Windows Shell Could Allow Remote Code Execution
    http://www.microsoft.com/technet/security/advisory/2286198.mspx

    (my emphasis)

    Anyone with White List or execution prevention would have blocked the binary from executing.

    As long as the payload is a binary executable (as most exploits these days carry), White List protection will block the attempted execution, no matter what vulnerability is being exploited.

    ----
    rich
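    As an added example (not code from this thread, and not part of Anti-Executable or any other product mentioned here): a small Python triage script for the two ideas above, Windchild's advice in post 16 to inspect a suspect stick from a non-admin account and look for unexplained .lnk and .tmp files, and Rmus's point in post 19 that a white list stops the binary payload whatever the vulnerability. It walks a mounted or imaged removable volume, parses each .lnk itself from the bytes (the fixed ShellLinkHeader and the StringData section of the MS-SHLLINK format) rather than asking the Windows shell to resolve the shortcut, and reports any shortcut whose relative path or arguments name a .tmp or other executable-looking file on the same volume, unless that file's SHA-256 is on a caller-supplied allowlist standing in for the white list. The extension list, the allowlist, the `build_lnk` fixture builder and the sample file names are assumptions for illustration; the sample .tmp and .lnk it builds are constructed, benign test data, not malware.

```python
"""Offline triage of a removable volume for .lnk files that point at executable-looking
files on the same volume. Added illustration; the .lnk bytes are parsed here and never
handed to the Windows shell."""
import hashlib
import os
import struct
from pathlib import Path

# Fixed part of the MS-SHLLINK ShellLinkHeader
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
# Extensions treated as "something the shortcut could make run" (assumed list)
EXEC_SUFFIXES = {".tmp", ".exe", ".dll", ".scr", ".com", ".cpl"}


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags and the StringData fields (relative path, arguments, ...) of a shell link."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("header size or CLSID does not match a shell link")
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip LinkTargetIDList: 2-byte size + items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                      # skip LinkInfo: its size field includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {"flags": flags}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated StringData field {name}")
        off += nbytes
        out[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return out


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Build a minimal benign shell link; used only to construct sample input for this example."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))     # remaining header fields zeroed
    body = b""
    for s in [relative_path] + ([arguments] if arguments else []):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_drive(root, allowed_sha256=frozenset()) -> list:
    """Walk a mounted or imaged removable volume. Report every .lnk whose relative path or
    arguments name an executable-looking file on that same volume, unless the file's
    SHA-256 is on the allowlist (the white-list idea from the thread). Malformed .lnk
    files are reported too, since a shortcut that does not parse is itself suspicious."""
    root = Path(root).resolve()
    findings = []
    for lnk in sorted(root.rglob("*.lnk")):
        try:
            info = parse_lnk(lnk.read_bytes())
        except ValueError as err:
            findings.append({"lnk": str(lnk), "problem": str(err)})
            continue
        refs = [info.get("relative_path", "")] + info.get("arguments", "").split()
        for ref in filter(None, refs):
            target = (lnk.parent / ref.strip('"').replace("\\", os.sep)).resolve()
            if root not in target.parents or not target.is_file():
                continue                           # not a file living on this volume
            if target.suffix.lower() not in EXEC_SUFFIXES:
                continue
            digest = sha256_of(target)
            if digest in allowed_sha256:
                continue                           # known-good binary: no alert, as a white list would
            findings.append({"lnk": str(lnk), "target": str(target), "sha256": digest})
    return findings


if __name__ == "__main__":
    import sys
    for finding in triage_drive(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

    Run it from a standard (non-admin) account against the drive letter or a mounted image of the stick, so that, as Windchild notes, a rootkit driver that needs admin rights to install cannot be hiding the files the script is looking for. A finding is a reason to look closer, not proof of infection: the script only shows that a shortcut on the stick refers to a binary on the same stick that you have not vouched for.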
  20. wat0114 (Guest)

    Yep, no question, it would seem. Also, even without these provisions, plugging in the infected drive while in a standard account, even with autorun enabled, would likely subdue the file's capabilities, as Windchild has suggested.

    Often or always.
  21. MrBrian (Registered Member)

    JRViejo,

    Does this also apply to private messages?
  22. MrBrian (Registered Member)

    I agree (and with Rmus' and wat0114's statements also) :).

    I was just trying to make everyone, especially those of the "I always run as admin, with UAC disabled, without SRP/AppLocker or similar, with AutoPlay disabled, and with a sandboxed browser, and I'm fairly knowledgeable and careful" variety, consider what would have happened in your own setup before this issue became widely known.
    Last edited: Jul 17, 2010
  23. JRViejo (Global Moderator)

    MrBrian, perhaps this LowWaterMark's Post will explain why Wilders can't have any exchanges of malware. The possibility of losing our hosting is just too great and while understanding that PM is private, if live malware samples are exchanged, it runs against our hosting company's rules.
  24. MrBrian (Registered Member)

    Thank you JRViejo :).

    I had assumed so as well, and now it's clear.
  25. JRViejo (Global Moderator)

    MrBrian, you're welcome! Take care.