Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,856
    Location:
    California
    Thanks, weeNym.

    From the Advisory:

    Yet further on, it seems to imply that no clicking is necessary:

    ----
    rich
     
  2. wat0114

    wat0114 Guest

    Rich, nice work again as usual :thumb: Thank you :)
     
  3. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    16,902
    Location:
    U.S.A.
    Rich, taken from MrBrian's blog link:
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,704
    @weeNym

    Good new find :thumb:, but it seems it's yet another, though different, exploit in the link that MrBrian posted :thumb: from TechNet

     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,856
    Location:
    California
    Thanks MrBrian for the link. This also implies no clicking on the icon is necessary:

    ----
    rich
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,856
    Location:
    California
    Yes, I just saw that. The first statement in the Microsoft Advisory is evidently in error, if it implies that clicking is the only way to launch the exploit:

    (my emphasis)

    ----
    rich
     
  7. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    16,902
    Location:
    U.S.A.
  8. wat0114

    wat0114 Guest

    Finally, some real evidence that anyone can understand has surfaced. Thank you MrBrian and JRViejo for the links. This seems to be similar to a .inf exploit, so does it stand to reason that, besides the whitelist/anti-executable approach, at least disabling autoplay should stop this?
     
  9. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    16,902
    Location:
    U.S.A.
    wat0114, according to the MS Security Advisory, under Mitigating Factors, disabling AutoPlay might help:
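As an added example (not from the advisory or from anyone in the thread), here is a decoder for the Explorer policy value that AutoPlay hardening actually turns on, NoDriveTypeAutoRun, showing the weak default next to the corrected value and the reg.exe line that applies it. The bit layout follows the Win32 DRIVE_* type codes; 0x91 is the documented Windows default. One caveat the advisory itself makes: the mask only stops Explorer from opening the drive automatically. The shortcut is still parsed the moment the user browses the drive, which is what the "no clicking necessary" posts above are about.

```python
"""Decode the NoDriveTypeAutoRun bitmask and emit the hardened setting.

Bit n set in NoDriveTypeAutoRun disables AutoRun/AutoPlay for the drive type
whose GetDriveType code is n. Added example, not code from the advisory.
"""

DRIVE_TYPES = {
    0: "DRIVE_UNKNOWN",
    1: "DRIVE_NO_ROOT_DIR",
    2: "DRIVE_REMOVABLE",   # USB sticks and other removable media
    3: "DRIVE_FIXED",
    4: "DRIVE_REMOTE",
    5: "DRIVE_CDROM",
    6: "DRIVE_RAMDISK",
    7: "RESERVED",
}

DEFAULT_MASK = 0x91    # documented Windows default: unknown, network, reserved only
HARDENED_MASK = 0xFF   # every drive type

POLICY_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def autorun_enabled_types(mask):
    """Drive types for which AutoRun is still enabled under `mask` (bit clear = enabled)."""
    return [name for bit, name in sorted(DRIVE_TYPES.items()) if not mask & (1 << bit)]


def removable_autorun_enabled(mask):
    """True if inserting a removable drive would still trigger AutoRun under `mask`."""
    return "DRIVE_REMOVABLE" in autorun_enabled_types(mask)


def reg_add_command(mask=HARDENED_MASK):
    """reg.exe line that applies `mask` machine-wide (run from an elevated prompt)."""
    return f'reg add "{POLICY_KEY}" /v NoDriveTypeAutoRun /t REG_DWORD /d {mask:#04x} /f'


def compare(default=DEFAULT_MASK, hardened=HARDENED_MASK):
    """Side-by-side view of the weak setting and the corrected one."""
    return {
        "default": {"mask": f"{default:#04x}", "autorun_still_on": autorun_enabled_types(default)},
        "hardened": {"mask": f"{hardened:#04x}", "autorun_still_on": autorun_enabled_types(hardened)},
    }


if __name__ == "__main__":
    for label, info in compare().items():
        print(f"{label}: mask={info['mask']} AutoRun still enabled for {info['autorun_still_on']}")
    print(reg_add_command())
```

With the default 0x91, removable drives and CD-ROMs still AutoRun; 0xFF clears every type. Explorer reads the value at logon, so a restart or re-logon is needed after the change.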
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,704
  11. wat0114

    wat0114 Guest

    Good to know, thanks again!
     
  12. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    16,902
    Location:
    U.S.A.
    wat0114, you're welcome! Take care.
     
  13. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    That's strange. It doesn't look like you have the .lnk files that actually contain the exploit code on the removable drive. So why are the .tmp files flagged as if they were executing? It's the .lnk files that would actually execute those malicious .tmp files, so I don't see why AE would pop up an alert like that when there seem to be no .lnk files around. Well, I suppose the simple explanation would be that the .lnk files actually are there, but they're covered by the alert pop up. Or maybe there's an autorun file somewhere in there that tries to execute those .tmp files directly, without any exploit. Or something. But if none of those are true and the malicious .lnk files are missing, then that alert makes no sense. Something has to be executing the files for the alert to make sense, but what is it?

    Sure, the ability to load drivers is not a general requirement for malware. Everyone should know that (but doesn't). But, it seems from all the reports I've read that this malware does load drivers, and fails to do anything if it can't. So, simply not being admin would entirely prevent this infection based on that assumption. So, unless all the reports are simply omitting that the malware also does something (other than dying) if it's executed without admin privileges, then the user would not get infected at all, and also wouldn't be spreading it anywhere, not without sharing the infected USB drive that is. So in short, this malware would seem to be unable to infect anyone who isn't running as admin. But then again, AV companies often do omit things like what some malware does without admin privileges.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    For those who have tested this malware, what happens when browsing an infected USB stick while running as admin with UAC on default settings? Do you get a UAC prompt?
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    This would be a good time to consider how you would have fared against this particular malware had you been exposed to it two or three weeks ago, before it was widely known. And for those who normally use a standard user account, also consider what would have happened if you had browsed an infected USB stick while using an admin account.
     
    Last edited: Jul 17, 2010
  16. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Most any reasonable setup would have stopped it, it seems, now that it's been revealed this is simply a shell vulnerability that only gains the attacker the privileges of the currently logged-in user, not superuser-level access to the system.

    As far as infected USB sticks are concerned, it's not a good idea to stick such things in the system while logged in as admin. If you've got a suspect stick, it could be worth checking it first without admin privileges. The rootkit drivers won't be able to hide the malicious .lnk and .tmp files on the USB drive if the rootkit drivers can't install due to limited users not having the required privilege. Seeing such unexplained files should be warning enough to delete the contents of the stick, at the very least the unexplained .lnk and .tmp files. :)
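The check Windchild describes, done as a script rather than by eye, as an added example that is not code from the thread: walk the stick, validate each .lnk's ShellLink header (0x4C-byte header, the ShellLink CLSID, LinkFlags at offset 0x14 with bit 0 = HasLinkTargetIDList), pull printable UTF-16LE strings out of the LinkTargetIDList, and flag any shortcut whose target list names a .tmp file sitting beside it. It also flags .tmp files whose contents are really a PE image. The sample .lnk and .tmp in demo() are constructed here, carry no exploit, and the names (sample.tmp, "Copy of Shortcut.lnk") are placeholders. Run it from a standard user account, as the post suggests, so that nothing on the stick has had a chance to hide itself.

```python
"""Triage a removable drive for .lnk files that point at local .tmp files.

Added example, not code from the thread. Parses the MS-SHLLINK header and
LinkTargetIDList; sample files in demo() are constructed stand-ins.
"""
import os
import re
import struct
import tempfile

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_IDLIST = 0x01                                    # LinkFlags bit 0
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def parse_lnk(data):
    """Return (LinkFlags, LinkTargetIDList bytes) or None if `data` is not a ShellLink."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    size, clsid = struct.unpack_from("<I16s", data, 0)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 0x14)[0]
    idlist = b""
    if flags & HAS_LINK_TARGET_IDLIST and len(data) >= LNK_HEADER_SIZE + 2:
        idlist_size = struct.unpack_from("<H", data, LNK_HEADER_SIZE)[0]
        start = LNK_HEADER_SIZE + 2
        idlist = data[start:start + idlist_size]
    return flags, idlist


def utf16_strings(blob):
    """Printable ASCII-range UTF-16LE runs of four or more characters."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def is_pe_image(data):
    """True if `data` has an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_drive(root):
    """Walk `root` and return a list of {file, reason, related} findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        tmp_names = {n for n in by_lower if n.endswith(".tmp")}
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(".tmp"):
                with open(full, "rb") as fh:
                    head = fh.read(4096)
                if is_pe_image(head):
                    findings.append({"file": name, "reason": "PE image with .tmp extension", "related": None})
            elif lower.endswith(".lnk"):
                with open(full, "rb") as fh:
                    parsed = parse_lnk(fh.read())
                if parsed is None:
                    findings.append({"file": name, "reason": "not a valid ShellLink header", "related": None})
                    continue
                _flags, idlist = parsed
                for s in utf16_strings(idlist):
                    base = s.replace("/", "\\").rsplit("\\", 1)[-1].lower()
                    if base in tmp_names:
                        findings.append({"file": name, "reason": "target list names a local .tmp",
                                         "related": by_lower[base]})
    return findings


def build_sample_lnk(target):
    """Constructed minimal .lnk: valid header plus one ItemID carrying `target` as UTF-16LE."""
    payload = target.encode("utf-16-le") + b"\x00\x00"
    item_id = struct.pack("<H", len(payload) + 2) + payload      # ItemIDSize counts itself
    idlist = item_id + b"\x00\x00"                                # TerminalID
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_IDLIST)
    return header.ljust(LNK_HEADER_SIZE, b"\x00") + struct.pack("<H", len(idlist)) + idlist


def build_fake_pe():
    """Constructed 68-byte stand-in with only the MZ/PE signatures; not a loadable image."""
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    buf[0x3C:0x40] = struct.pack("<I", 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


def demo():
    """Build a throwaway 'USB root' with one constructed .lnk/.tmp pair and triage it."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "sample.tmp"), "wb") as fh:
        fh.write(build_fake_pe())
    with open(os.path.join(root, "Copy of Shortcut.lnk"), "wb") as fh:
        fh.write(build_sample_lnk(r"\\?\E:\sample.tmp"))
    with open(os.path.join(root, "holiday photos.txt"), "w") as fh:
        fh.write("benign\n")
    return triage_drive(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The string scan is deliberately loose (any printable UTF-16LE run, not a full ItemID walk), so it catches a .tmp reference wherever it sits in the target list; the cost is the occasional benign shortcut whose target genuinely is a .tmp file, which is why the output is a list to review rather than an automatic delete.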
     
  17. wat0114

    wat0114 Guest

    I'll be happy to test this if someone can pm me a link.
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,856
    Location:
    California
    I don't have the .lnk files. I would like to get them to really test the entire exploit.

    Anti-Executable v.2 parses the files in a directory and flags an alert if an executable is not on the white list. Here is firehole.exe, an old leak test I keep around. It's not on the white list, so when I go to the directory, AE pops up an alert:

    [attached image: rootkitTMP-firehole.gif]

    A similar example is blocking downloads by its Copy protection. Here, a remote code execution exploit attempts to download an executable spoofed as a .gif file. AE somehow "reads" the code as it attempts to download, and the file is prevented from getting onto the computer at all:

    [attached image: cnte-code1.gif]

    [attached image: gif-block.gif]

    Some years ago, BlueZannetti and I discussed this in a thread. He had some ideas as to how this works, but I've forgotten exactly what he wrote.


    ----
    rich
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,856
    Location:
    California
    It seems to be just another remote code execution exploit that attempts to run a binary:

    Microsoft Security Advisory (2286198)
    Vulnerability in Windows Shell Could Allow Remote Code Execution
    http://www.microsoft.com/technet/security/advisory/2286198.mspx

    (my emphasis)

    Anyone with White List or execution prevention would have blocked the binary from executing.

    As long as the payload is a binary executable (as most exploits these days carry), White List protection will block the attempted execution, no matter what vulnerability is being exploited.

    ----
    rich
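To make the whitelist argument concrete, an added example (not Anti-Executable's logic or anything posted in the thread): a small allow-list evaluator with the precedence Software Restriction Policies use. Hash rules beat path rules, the longest matching path prefix wins, and anything unmatched falls to the default level, Disallowed. The policy, the %SystemRoot%/%ProgramFiles% mapping and the file names are constructed for the demonstration. One caveat for anyone relying on SRP itself rather than a third-party product: SRP's default enforcement setting skips libraries, so a payload that arrives as a DLL is only checked if DLL enforcement is switched on.

```python
"""Path/hash allow-list evaluator with SRP-style precedence.

Added example. Hash rule > longest matching path rule > default level.
Policy contents and paths below are constructed for the demonstration.
"""
import hashlib

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"

# constructed stand-ins, not real binaries
SIGNED_TOOL_BYTES = b"constructed stand-in for an approved tool"
PAYLOAD_BYTES = b"constructed stand-in for a dropped .tmp"


def expand(path, env):
    """Expand %VAR% tokens from the supplied mapping, independent of the host OS."""
    for var, value in env.items():
        path = path.replace(f"%{var}%", value)
    return path


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class Policy:
    def __init__(self, default=DISALLOWED, env=None):
        self.default = default
        self.env = env or {}
        self.path_rules = []   # (normalised prefix, level)
        self.hash_rules = {}   # sha256 hex -> level

    def _norm(self, path):
        return expand(path, self.env).lower().replace("/", "\\").rstrip("\\")

    def add_path_rule(self, prefix, level):
        self.path_rules.append((self._norm(prefix), level))

    def add_hash_rule(self, sha256, level):
        self.hash_rules[sha256.lower()] = level

    def evaluate(self, path, content=None):
        """Return (level, reason) for launching `path`; `content` is the file's bytes if known."""
        if content is not None:
            digest = sha256_hex(content)
            if digest in self.hash_rules:
                return self.hash_rules[digest], f"hash rule {digest[:12]}"
        p = self._norm(path)
        best = None
        for prefix, level in self.path_rules:
            if p == prefix or p.startswith(prefix + "\\"):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, level)
        if best is not None:
            return best[1], f"path rule {best[0]}"
        return self.default, "default rule"


def build_demo_policy():
    env = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}
    pol = Policy(default=DISALLOWED, env=env)
    pol.add_path_rule(r"%SystemRoot%", UNRESTRICTED)
    pol.add_path_rule(r"%ProgramFiles%", UNRESTRICTED)
    # user-writable subtree inside an allowed tree: longer prefix, so it wins
    pol.add_path_rule(r"%SystemRoot%\Temp", DISALLOWED)
    pol.add_hash_rule(sha256_hex(SIGNED_TOOL_BYTES), UNRESTRICTED)
    return pol


def demo():
    """Evaluate a handful of constructed launch attempts against the demo policy."""
    pol = build_demo_policy()
    return {
        "notepad": pol.evaluate(r"C:\Windows\System32\notepad.exe"),
        "usb_tmp": pol.evaluate(r"E:\payload.tmp", PAYLOAD_BYTES),
        "temp_drop": pol.evaluate(r"C:\Windows\Temp\drop.exe", PAYLOAD_BYTES),
        "hash_ok": pol.evaluate(r"C:\Users\rich\Downloads\tool.exe", SIGNED_TOOL_BYTES),
        "hash_bad": pol.evaluate(r"C:\Users\rich\Downloads\tool.exe", PAYLOAD_BYTES),
    }


if __name__ == "__main__":
    for case, (level, reason) in demo().items():
        print(f"{case:10} {level:12} ({reason})")
```

The usb_tmp case is the one the thread is about: nothing in the policy knows anything about the vulnerability, the file is simply not on any allowed path and its hash is not on the list, so it is denied by the default rule.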
     
  20. wat0114

    wat0114 Guest

    Yep, no question, it would seem. Also, even without these provisions, plugging in the infected drive while in a standard account, even with autorun enabled, would likely subdue the file's capabilities, as Windchild has suggested.

    Often or always.
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    JRViejo,

    Does this also apply to private messages?
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I agree (and with Rmus' and wat0114's statements also) :).

    I was just trying to make everyone, especially those of the "I always run as admin, with UAC disabled, without SRP/AppLocker or similar, with AutoPlay disabled, and with a sandboxed browser, and I'm fairly knowledgeable and careful" variety, consider what would have happened in their own setup before this issue became widely known.
     
    Last edited: Jul 17, 2010
  23. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    16,902
    Location:
    U.S.A.
    MrBrian, perhaps this post by LowWaterMark will explain why Wilders can't have any exchanges of malware. The possibility of losing our hosting is just too great and, while understanding that a PM is private, if live malware samples are exchanged, it runs against our hosting company's rules.
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you JRViejo :).

    I had assumed so as well, and now it's clear.
     
  25. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    16,902
    Location:
    U.S.A.
    MrBrian, you're welcome! Take care.
     