Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. wat0114
    wat0114 Guest

    Right, and it seems UAC enabled at least on default (preferably maximum) provides more protection within an administrator account than it gets credit for, because of the Standard user access token (besides also the administrator access token) causing all applications to launch with only standard user privileges unless the user okays for administrator consent. The parent process explorer.exe is launched with only Standard user privileges. It doesn't mean this equals running under a standard account but it's far better than running administrator with UAC disabled.

    This MS Technet article explains it nicely in more detail without overwhelming technical language.
    Last edited by a moderator: Jul 17, 2010
  2. MrBrian
    MrBrian Registered Member

    I agree :thumb:. I use a standard account normally, but I also have UAC on max. About UAC in an admin account, one of the UAC developers said,
    Source: http://www.wilderssecurity.com/showthread.php?t=273860

    I actually do think of UAC as being a security feature, among other things, just not a security boundary. UAC probably prompts with this particular malware, but testing is needed to be sure.
    Last edited: Jul 17, 2010
  3. Windchild
    Windchild Registered Member

    Ah, okay, so AE is basically just scanning for executable files and popping up alerts for any found executables that have not been previously whitelisted, identifying executable files based on the typical signs like magic numbers and such, so it doesn't have to care about the file extensions. That would explain the alert coming up even though nothing is trying to execute those .tmp files. One wonders, though.... What if an AE user enters a directory that contains, say, 900 executable files that haven't been previously whitelisted? Do they get 900 popups in a row? :D Well, most users probably wouldn't meet such situations, but the thought occurred to me as I was just going through one of my many little archives, containing about 8000 unique executable files...

    That's a good point.
  4. Rmus
    Rmus Exploit Analyst

    I've not tried that scenario, but I've tested AE2's delete prevention with a large group of files. You get one visible alert for the first file, but all the rest are denied anyway. Here, I attempted to delete all .exe files in the Windows directory:

    deleteprevent.gif

    I don't have that many, but I keep mine in zip files.

    In my example above of firehole.exe, I unzipped the file to another directory.

    BTW, with AE2's Copy protection, a child or other non-principal user of the family computer without the AE password, can't extract a non-whitelisted executable, preventing any mistakes with email attachments, for example.

    zipExtract.gif

    ----
    rich
  5. CloneRanger
    CloneRanger Registered Member

    @ggbb

    I'm sure someone reading this might be able to assist you by PM, if you can prove who you say you are :D

    Be very interesting to hear your analysis of this malware :thumb: after you get hold of a copy. I would have thought approaching one or more of the AV companies should prove fruitful ;)
  6. CloneRanger
    CloneRanger Registered Member

    My emphasis. Other interesting stuff on there you might like ;)


  7. stonerhash
    stonerhash Registered Member

    According to that http://www.kb.cert.org/vuls/id/940193 a mitigation technique is to disable the IconHandler. Maybe the bug is in the IconIndex attribute in the lnk struct or icon related.

    I tried to corrupt various struct length values in an lnk file but no crash at all.
  8. ScadaGuy
    ScadaGuy Registered Member

    I am a new poster on this site, so first a little background. I have been a SCADA and process control engineer for the past 25 years and VERY actively involved in SCADASEC since 2000. I have also worked on the Siemens systems in the past (actually I was a Siemens rep in the 1990's) and have been involved in many of the major ICS systems.

    My question is this - what I am trying to determine is if this is really just a Siemens focused attack or if there may be other variations. Frank Boldewin's excellent decode and analysis is the only one I have seen and it appears that everyone is using this as the golden reference. I have been trying to locate other variants and see if they go after other systems such as ABB, Rockwell, WonderWare, Areva, etc. Has anyone seen variants and attempted to analyze them?

    Mind you according to MMPC, the activity of this worm is heavily weighted to the US, Indonesia, India, and Iran. If you forget the US, we are talking big-time Siemens markets. If I was going after SCADA targets in those three countries, I would also pick Siemens. (Curious that Europe is quiet as it is the heartland of Siemens WinCC installations).

    However if we see attacks against other SCADA systems, we may be able to determine the geographic and sector targets of this malware. For example, seeing attacks against Rockwell would make me believe this is widespread globally and focused on Manufacturing IP theft rather than attacks against utilities.
  9. MrBrian
    MrBrian Registered Member

    From http://isc.sans.edu/diary.html?storyid=9181:
    From http://secunia.com/advisories/40647/:
  10. Rmus
    Rmus Exploit Analyst

    MrBrian.

    Is it your conclusion that any .lnk file should run when viewed in Windows Explorer?

    ----
    rich
  11. MrBrian
    MrBrian Registered Member

    Not in general, or else my system would be opening a lot of programs when I browse a start menu folder, which contains many .lnk files. However with a specially crafted .lnk file, it appears to be possible to automatically execute a given executable when Windows Explorer processes the .lnk to attempt to display an icon.
  12. Rmus
    Rmus Exploit Analyst

    That makes sense; I've tested with WinXP SP3 and regular .lnk files don't do anything automatically.

    Have you figured out how the malicious .lnk file is different so as to invoke an auto execution? I've asked Bojan (sans.edu) and hopefully he'll give me an answer.

    Note in his Diary:

    This seems to contradict other reports that Autorun isn't involved, unless I misinterpreted something.

    ----
    rich
  13. MrBrian
    MrBrian Registered Member

    No, but then again I don't have any samples and I haven't looked into it.

    Microsoft in its security advisory stated,
    I'm not sure how much consolation that is though, because wouldn't most users with AutoPlay off eventually browse a USB stick to view its contents?
  14. Rmus
    Rmus Exploit Analyst

    Yes, and things become confusing.

    In an autorun/autoplay exploit, depending on how those are disabled, the exploit will trigger automatically if the USB drive letter is clicked-to-open in My Computer (Windows Explorer single pane view).

    Code:
    [autorun]
    open=calc.exe

    I-mycomp.gif

    but not if the USB drive letter is clicked from the left pane in Windows Explorer 2-pane view.

    I-explore.gif

    ----
    rich
  15. MrBrian
    MrBrian Registered Member

    AutoPlay can automatically browse a folder upon insertion of a USB stick.
  16. stonerhash
    stonerhash Registered Member

    I was wondering maybe this thing is not an exploit.

    For example I have a malicious dll and in its resources I have an Icon.
    So I create a shortcut with an icon pointing to that dll.

    If the shell32 uses LoadLibrary to load the dll and sequentially the icon resource then we would have an execution. Keep in mind that maybe LoadLibrary is not used at all in case that shell32 just reads raw data from the shortcut.

    Unfortunately I haven't managed to make it work yet, maybe I'm doing something wrong, it's just a theory.
  17. Windchild
    Windchild Registered Member

    Well, it seems now that Sophos is reporting this malware works just fine in spite of UAC or limited privileges. Apparently there's a user mode rootkit involved to hide the malicious files on the USB drive - Sophos didn't say anything about privilege escalation occurring and there are no UAC prompts. The .lnk file exploit itself surely works with any privileges, since it's just a shell vulnerability, and apparently when the exploit (or more accurately explorer.exe) starts the Styxnet/TmpHider malware, the malware detects it's running without admin privileges and falls back to a user mode rootkit in order to hide its files and does not ask for higher privileges so as not to spook the user with a sudden and unexpected UAC prompt. The malware wouldn't run at all, though, if there's a SRP or AppLocker policy in effect that denies executing stuff from random USB drives. Similarly, any HIPS and such that would warn you whenever explorer.exe or anything else for that matter tries to execute some new file should prevent the infection.

    Ok, that makes sense. I figured (well, hoped) there would be something like that to avoid a popup storm...
    Last edited: Jul 18, 2010
  18. CloneRanger
    CloneRanger Registered Member

    @Windchild

    Is Sophos now calling it Styxnet/TmpHider or should that be Stuxnet/TmpHider ?

    Whoever coded this up certainly knows what they are doing, very clever.
  19. MrBrian
    MrBrian Registered Member

  20. MrBrian
    MrBrian Registered Member

    Some information about user-mode rootkits from Prevx blog entry Is Limited User Account enough? Not really...:

  21. s23
    s23 Registered Member

    In the Sophos video, UAC is at Default settings. Will maximum make a difference?
  22. MrBrian
    MrBrian Registered Member

    The Sophos blog post states that admin privileges aren't needed for this malware, so a UAC prompt needn't be triggered. What's left unsaid is whether the malware does even worse things if it gets admin privileges, and whether a UAC prompt is triggered (at various settings) when an admin account is used.
  23. Rmus
    Rmus Exploit Analyst

    I asked Bojan at sans.edu for an explanation of the specifics of how the .lnk file actually works - the Diary was referenced in a previous post.

    He said in essence that the .lnk files contain a number of structures that point to the destination they are linking to, and that Windows Explorer will parse these structures to display the resulting icon. This is where the vulnerability is -- they carefully craft these structures so they point to Control Panel and then link back to the removable drive. While parsing this there is a vulnerability in Shell32.dll which, when trying to open the icon of the malware, gets it executed.

    This is why just making a regular shortcut to the malware doesn't automatically trigger the exploit.

    Nonetheless, I created a regular shortcut and manually clicked on it to reconfirm that with proper protection in place, the exploit is stopped dead in its tracks:

    rootkitTMP-AEblock.gif

    Windchild mentions other protection:

    ----
    rich
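The shape Bojan describes (an IDList that points at Control Panel and then back to a DLL on the removable drive) is something a defender can look for without executing anything, by parsing the shortcut file structures directly. The following scanner is an added example written for this thread; it is not code from Rmus, Bojan, Sophos or any other party mentioned here. It relies on the publicly documented shell link layout (76-byte header, LinkFlags bit 0 signalling a LinkTargetIDList, ItemIDs with a 2-byte size and a zero terminator) and on the well-known Control Panel folder CLSID; the "Control Panel CLSID followed by a DLL path" rule is a heuristic I am assuming, not a signature for the actual samples, and the two embedded shortcuts are constructed for the demonstration and are not functional files.

```python
import struct
import uuid

# Constants from the public MS-SHLLINK shell link file format.
SHELL_LINK_HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_IDLIST = 0x00000001  # LinkFlags bit 0

# Well-known CLSID of the Control Panel folder; its presence inside an
# IDList means the shortcut resolves through Control Panel, as described
# in the thread. Treating this as the detection pivot is an assumption.
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")


def parse_link_flags(data):
    """Validate the 76-byte ShellLinkHeader and return its LinkFlags."""
    if len(data) < SHELL_LINK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid_le, link_flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != SHELL_LINK_HEADER_SIZE or uuid.UUID(bytes_le=clsid_le) != SHELL_LINK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    return link_flags


def is_shell_link(data):
    """True when the header parses as a shell link."""
    try:
        parse_link_flags(data)
        return True
    except ValueError:
        return False


def parse_idlist(data, offset=SHELL_LINK_HEADER_SIZE):
    """Return the raw payload of each ItemID in the LinkTargetIDList at offset."""
    (idlist_size,) = struct.unpack_from("<H", data, offset)
    pos, end = offset + 2, offset + 2 + idlist_size
    items = []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID: end of the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID size")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def _mentions_dll(item):
    # Item payloads may carry ANSI or UTF-16LE strings; check both encodings.
    lowered = item.lower()
    return b".dll" in lowered or ".dll".encode("utf-16-le") in lowered


def classify_shortcut(data):
    """Return (suspicious, reason). Heuristic triage, not a verdict."""
    flags = parse_link_flags(data)
    if not flags & HAS_LINK_TARGET_IDLIST:
        return False, "no LinkTargetIDList"
    items = parse_idlist(data)
    has_control_panel = any(CONTROL_PANEL_CLSID.bytes_le in item for item in items)
    has_dll_path = any(_mentions_dll(item) for item in items)
    if has_control_panel and has_dll_path:
        return True, "Control Panel CLSID and a DLL path inside the IDList"
    return False, "ordinary target list"


def build_test_lnk(items):
    """Assemble a minimal, non-functional .lnk from ItemID payloads (for constructed samples)."""
    header = struct.pack("<I16sI", SHELL_LINK_HEADER_SIZE, SHELL_LINK_CLSID.bytes_le,
                         HAS_LINK_TARGET_IDLIST)
    header += b"\x00" * (SHELL_LINK_HEADER_SIZE - len(header))
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples: an ordinary drive/file target, and one mimicking the
# Control-Panel-then-DLL shape. Neither is a real shortcut from the thread.
BENIGN_LNK = build_test_lnk([b"\x2f" + b"C:\\\x00", b"\x31" + b"notepad.exe\x00"])
SUSPECT_LNK = build_test_lnk([b"\x1f" + CONTROL_PANEL_CLSID.bytes_le,
                              b"\x00" + "E:\\example.dll".encode("utf-16-le")])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(name, classify_shortcut(blob))
```

Run it over a directory of .lnk files (read each in binary mode and pass the bytes to classify_shortcut) to triage shortcuts on a removable drive before anyone opens the folder in Explorer; a hit is a reason to pull the file for analysis, not proof of the specific sample discussed here.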
  24. Rmus
    Rmus Exploit Analyst

    Agreed, but if AutoPlay is disabled, there is still danger if the user goes to the folder, as you have pointed out earlier.

    ----
    rich
  25. erikloman
    erikloman Developer

    Proof of concept exploit code here.
    Last edited: Jul 18, 2010