Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger
    CloneRanger Registered Member

    It looks like the .CPL - Shell etc method has actually been used before, from what I've seen. Here's just a few examples.




  2. Windchild
    Windchild Registered Member

    Sophos also actually mentions SRP/AppLocker in their little blog article:

    Whether or not DLL rules have to be enabled, I don't know. But gut feeling tells me they would need to be enabled, if it's correct that the vulnerability causes the malicious file referenced in the specially-crafted .lnk files to be loaded as a dll library (and not created as a process).
  3. aigle
    aigle Registered Member

  4. MrBrian
    MrBrian Registered Member

  5. MrBrian
    MrBrian Registered Member

  6. CloneRanger
    CloneRanger Registered Member

    Ran the POC on XP/SP2, with less than half a dozen MS patches installed.

    Enabled Shadow Defender and then DL'd the Suckme POC and unzipped it into a new folder, and then onto a flash stick, and also did the same on my desktop. Made a copy of suckme.lnk_ and then made it "workable" suckme.lnk "supposedly"

    Started up DbgView.exe and ran the POC, got no alerts from it or ProcessGuard or anything else.

    dbv.gif

    Put ProcessGuard in learning mode, cleared rundll.dll from its list of OKs, and ran it again.

    run-dll.gif

    Tried it from both the flash stick, and desktop.

    Clicked permit, and still no sign of anything happening, so ?

    *

    EDIT

    Found 3 instances of rundll32.exe via TM which I couldn't kill ? and one using DSE

    zom.gif
    Last edited: Jul 18, 2010
  7. Sadeghi85
    Sadeghi85 Registered Member

    You need to put dll.dll in C:\

    EDIT: Also you don't need to click on the lnk file, just put it on your flash stick.
  8. CloneRanger
    CloneRanger Registered Member

    Originally Posted by Sadeghi85

    OK thanks :thumb: Did that and got a normal PEG prompt.

    ops.gif

    Then plugged in my USB stick

    db.gif

    Sure enough I see 2 entries, whatever they mean ?

    I did both.

    Still don't see anything out of the ordinary happening. What would I expect to find, and where ?

    TIA :thumb:
  9. CloneRanger
    CloneRanger Registered Member

    Some extra info I found.

    *

  10. Sadeghi85
    Sadeghi85 Registered Member

  11. CloneRanger
    CloneRanger Registered Member

    Originally Posted by Sadeghi85

    Yes thanks I read that, but I don't see SUCK etc in my DbgView ?

    Also Didier Stevens appears to have had dll.dll in a folder in D:\ his CD-ROM. I didn't see a mention of placing dll.dll in C:\ ?
  12. Rmus
    Rmus Exploit Analyst

    From the h-online.com article posted by CloneRanger:

    This confirms what I learned in communication with Bojan Zdrnja of sans.isc.org, who analyzed the exploit. He said in essence, that these are targeted exploits with a hardcoded link file to the specific USB device. The links contain vendor names and other stuff, so if your USB disk is different (and it most likely is), it won't work since your Windows Explorer won't be able to find the malware.

    However, it's clear that some modifications could be made to make the exploit more generic. It seems to me that the exploit would still require the user|victim to insert an infected USB drive that had a link file and malware file(s) already on the stick.

    ----
    rich
    Last edited: Jul 19, 2010
  13. Sadeghi85
    Sadeghi85 Registered Member

    He wrote:

    You can do that by editing the lnk file. The lnk file that comes with the PoC targets C:\dll.dll

    I could get it to work on a virtual CD drive, though it didn't work on a flash stick o_O I had to put dll.dll in C:\ and the lnk file onto flash stick.
  14. CloneRanger
    CloneRanger Registered Member

    @Rmus

    Hi, you must have been typing and missed post 109 where I linked to the same h-online article and quoted from it ;)

    It'll be interesting to see how this malware develops, if it does. I wonder what method the people who have already been infected with it were subject to, in order for it to get into their comps ?
  15. CloneRanger
    CloneRanger Registered Member

    Originally Posted by Sadeghi85

    You're quite correct :thumb: Overlooked that :(

    I see :thumb:

    Strange as although I did put dll.dll in C:\ and the lnk file onto my flash stick, I'm not aware of anything happening ? What effects did it have on your comp, what/where did you see/find anything ?
  16. Sadeghi85
    Sadeghi85 Registered Member

    All it does is that "SUCKM3..." message in DbgView’s output.
  17. CloneRanger
    CloneRanger Registered Member

    Originally Posted by Sadeghi85

    OK thanks :thumb: All I can say is, it didn't work on my comp. Why I don't know, but I guess that's good :)

    I would like to know though, and I'm sure others might be interested in knowing why it failed too. If anyone has any ideas etc, let us know :thumb: I'm sure someone must have some suggestions :)
  18. Rmus
    Rmus Exploit Analyst

    No, I was quoting from your quote! I just edited a clarification.

    My reason for quoting it was to confirm what I had learned a couple of days ago from the sans.edu Diary.

    See my Post #47, the link at the end, to the article, "Island Hopping...".

    ----
    rich
  19. CloneRanger
    CloneRanger Registered Member

    Originally Posted by Rmus

    OK. thanks :thumb:

    Nice confirmation ;)

    Just looked at your Post #47 Island Hopping link, :thumb:

    *

    For the record.

    My USB stick is not a U3-enabled USB flash drive, just a memory stick.

    I have AutoPlay set to off on my CD/USB drives.
  20. burebista
    burebista Registered Member

    It works here. I've tried only Windows Explorer and Filezilla; I don't have any other file browsers installed ATM.
    From Explorer I must right-click on that lnk and open Properties; for Filezilla not, it is enough to browse the stick.
    No alert from CIS.
    CIS Proactive, FW and D+ in Safe Mode, AV Stateful, Sandbox Enabled/Disabled. XP SP3 all patches.

    rootkit.png
  21. KptnKork
    KptnKork Registered Member

    We would like to take a deeper look into the TmpHider, but we don't have a sample yet. Especially a sample of the mrxnet.sys (016169ebebf1cec2aad6c7f0d0ee9026) would be very interesting to get, because it seems to contain the espionage code. But it seems to be impossible to get the code (or a link to a sample) here in this forum. Maybe one of those who own a sample is able to upload it to the ~ Removed Link as per Policy - We don't want inexperienced users clicking over to a Malware Samples site ~ malware sample database. Would be very helpful. There are multiple sample requests for TmpHider at offensivecomputing but so far no one got a sample.
    Thanks for any help.
    Last edited by a moderator: Jul 19, 2010
  22. i_g
    i_g Registered Member

    I think it's wrong. The countersigning allows the signature, created before the corresponding certificate expired, to be verified even after the certificate expires - which is what MSDN says. However, you cannot use the certificate to sign anything else (after it has expired).
  23. Sm3K3R
    Sm3K3R Registered Member

    And yet another Comodo failure. The way Comodo 4 is built leads to very little security in real threats.
  24. burebista
    burebista Registered Member

    Agree for now, but I want to see how it's handled by other security suites too. :)
  25. aigle
    aigle Registered Member

    I tried the POC. Just opening my USB stick in explorer.exe triggered loading of dll.dll.

    1- Regarding CIS, the problem is that the POC is nothing but a dll loading. CIS and any other HIPS by default don't intercept dll loading as it gives rise to hundreds of useless pop up alerts.

    In fact CIS can be configured to give an alert about dll.dll loading but it's not practical at all as in this case CIS also gives dozens of other legit dll loading alerts.

    So in case of real malware (that was not a dll I think), CIS will give a usual execution alert.

    2- If dll.dll is marked as isolated/untrusted in GesWall, Explorer.exe fails to load dll.dll.

    cis.jpg
    geswall.jpg
    geswall log.jpg

    Can anyone test DefenceWall and SBIE with this POC?

    Thanks
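A defender's cross-check for what several posts above describe: Windchild notes that the crafted .lnk causes its referenced file to be loaded as a DLL rather than run as a process, Sadeghi85 notes that the PoC shortcut targets C:\dll.dll, and aigle notes that HIPS products do not alert on plain DLL loads. The script below is an added example, not code from the thread, from the PoC, or from any product mentioned here. It parses the fixed ShellLinkHeader of a .lnk file (HeaderSize, LinkCLSID, LinkFlags) and flags any shortcut that embeds a path ending in ".dll", in ASCII or UTF-16LE, which is rare in ordinary shortcuts and cheap to check on a removable drive before browsing it. The shortcut bytes it scans are constructed for the example; a real shortcut's IDList is not decoded, so this is a triage heuristic, not a parser of the exploit structure.

```python
"""Heuristic scanner for Windows shortcut (.lnk) files that embed a DLL path.

Added example; not code from the forum thread or the PoC it discusses.
"""
import struct
from pathlib import Path

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01  # LinkFlags bit A
HAS_LINK_INFO = 0x02            # LinkFlags bit B


def parse_header(data: bytes) -> dict:
    """Return the LinkFlags bits of interest; raise ValueError if this is not a .lnk."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size = struct.unpack_from("<I", data, 0)[0]
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("HeaderSize or LinkCLSID mismatch")
    link_flags = struct.unpack_from("<I", data, 20)[0]
    return {
        "has_id_list": bool(link_flags & HAS_LINK_TARGET_ID_LIST),
        "has_link_info": bool(link_flags & HAS_LINK_INFO),
    }


def is_shortcut(data: bytes) -> bool:
    try:
        parse_header(data)
        return True
    except ValueError:
        return False


def _path_ending_at(body: bytes, end: int, utf16: bool) -> str:
    """Walk backwards from `end` over printable characters to recover the path."""
    step = 2 if utf16 else 1
    start = end
    while start - step >= 0:
        low = body[start - step]
        high_ok = (not utf16) or body[start - 1] == 0  # UTF-16LE high byte must be 0
        if 0x20 <= low <= 0x7E and high_ok:
            start -= step
        else:
            break
    return body[start:end].decode("utf-16-le" if utf16 else "ascii")


def find_dll_references(data: bytes) -> list:
    """Collect every path ending in '.dll' (case-insensitive) found after the header."""
    body = data[LNK_HEADER_SIZE:]
    lowered = body.lower()  # lowercases ASCII bytes only, which is what we match on
    refs = []
    for utf16, needle in ((False, b".dll"), (True, ".dll".encode("utf-16-le"))):
        idx = lowered.find(needle)
        while idx != -1:
            refs.append(_path_ending_at(body, idx + len(needle), utf16))
            idx = lowered.find(needle, idx + 1)
    return refs


def scan_lnk(data: bytes) -> dict:
    """Classify one shortcut: header flags plus any DLL paths it embeds."""
    info = parse_header(data)
    info["dll_refs"] = find_dll_references(data)
    info["suspicious"] = bool(info["dll_refs"])
    return info


def scan_directory(root: Path) -> list:
    """Scan every .lnk under root (e.g. a mounted removable drive); return (path, refs)."""
    findings = []
    for path in root.rglob("*.lnk"):
        data = path.read_bytes()
        if not is_shortcut(data):
            continue
        result = scan_lnk(data)
        if result["suspicious"]:
            findings.append((str(path), result["dll_refs"]))
    return findings


def _build_sample(flags: int, target: str) -> bytes:
    """Constructed shortcut: a valid header followed by a UTF-16LE target path."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + b"\x00" * 4 + target.encode("utf-16-le") + b"\x00" * 4


# Constructed samples (not real files): one embeds C:\dll.dll, the path the
# thread's PoC uses; the other is an ordinary Notepad shortcut.
SUSPICIOUS_SAMPLE = _build_sample(HAS_LINK_TARGET_ID_LIST, "C:\\dll.dll")
BENIGN_SAMPLE = _build_sample(HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO,
                              "C:\\Windows\\notepad.exe")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, refs in scan_directory(Path(sys.argv[1])):
            print(f"{path}: references {refs}")
    else:
        print("constructed sample:", scan_lnk(SUSPICIOUS_SAMPLE))
        print("benign sample:", scan_lnk(BENIGN_SAMPLE))
```

Run it with the mount point of a USB stick as the argument to list shortcuts that embed a DLL path; run it with no argument to see the two constructed samples classified. Because the check only reads bytes and never resolves the shortcut, it can be run on a stick before Explorer or any other file browser renders its icons, which is the moment the posts above say the DLL load happens.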