Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. EraserHW

    EraserHW Malware Expert

    I had some free time so I published on my personal blog and on my personal youtube channel a video of the exploit I've built with my own dll

    http://www.youtube.com/watch?v=6304Q0YoiBg
    Last edited by a moderator: Jul 19, 2010
  2. Meriadoc

    Meriadoc Registered Member

    I know Frank is a member, and so am I, so if he doesn't see this and upload it, I will.

    016169ebebf1cec2aad6c7f0d0ee9026
    055a3421813caf77e1387ff77b2e2e28
    Last edited by a moderator: Jul 19, 2010
  3. Rmus

    Rmus Exploit Analyst

    isc.sans.edu Raises Threat Level For LNK Vulnerability

    Preempting a Major Issue Due to the LNK Vulnerability - Raising Infocon to Yellow
    http://isc.sans.edu/diary.html?storyid=9190

    Reference to "the issue is not easy to fix until Microsoft issues a patch" is, of course, to the mitigating tweaks recommended by Microsoft in its Advisory.

    Much easier, safer protection measures have already been discussed in this thread.

    ----
    rich
  4. Dark Star 72

    Dark Star 72 Registered Member

    Some tests here with the POC by our old *friend* :doubt: SSJ100:

    -http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1302-

    and Ilya's reply to the DefenseWall test

    http://gladiator-antivirus.com/forum/index.php?showtopic=107368

    Notice the result for the newly released Returnil System Safe 2011 RC :thumb:
    Last edited by a moderator: Jul 19, 2010
  5. Rmus

    Rmus Exploit Analyst

    Re: isc.sans.edu Raises Threat Level For LNK Vulnerability

    UPDATE
    http://isc.sans.edu/diary.html?storyid=9190

  6. CloneRanger

    CloneRanger Registered Member

    Quotes from Sans

    Explains maybe why the POC didn't work for me ?

    The POC still didn't work from my desktop ?

    Ahh, could be why ?

    *

    Originally Posted by i_g

    F-secure said this

    So ?

    @EraserHW

    Sorry to say, even in HD mode I found it hard to view exactly what was happening :( Any chance you could give us a brief description? TIA

    @Dark Star 72

    Thanks for the links :thumb:

    I didn't know ssj100 had branched out on his own :D

    Good news about Returnil System Safe 2011 RC :thumb:

    @Rmus

    Thanks for the updates :thumb:
  7. aigle

    aigle Registered Member

    Thanks, very nice testing indeed.
    Just two things I will mention:
    1. Regarding CIS, it can be configured to intercept it.
    Post no. 125 of this thread.
    2. PE Guard seems to intercept it. Post no. 108 of this thread.
  8. aigle

    aigle Registered Member

    Blog link, please? Also, can the PoC be shared?
  9. EraserHW

    EraserHW Malware Expert

    My personal blog is in Italian and it's located here: https://www.pcalsicuro.com

    Anyway, I've written a similar blog post on the Prevx blog at this address: http://www.prevx.com/blog/151/day-flaw-discovered-in-Microsoft-Windows.html (this time in English)

    About the PoC: I wouldn't share the sample outside the company at the moment, even though there's already a known PoC out there (personally I'd not have shared the PoC online, as this allows attackers to better exploit the flaw. Anyway, I saw someone else already did it). I'm sorry :( Anyway, for any question, I'm here :)

    Actually, as I've written in the blog post, I think Microsoft will have some trouble in fixing this flaw, because it is not a bug - it's a feature used inside Windows internals.
    Last edited: Jul 19, 2010
  10. EraserHW

    EraserHW Malware Expert

    Sorry man :( I tried to do my best to record a good video :(

    Actually the video just shows how the exploit is working. I've written a PoC exploit from scratch and showed how a fake malicious DLL is loaded as soon as the system starts rendering the icon.
  11. ronjor

    ronjor Global Moderator

    ESET.....
  12. CloneRanger

    CloneRanger Registered Member

    Right at the bottom of here - http://isc.sans.edu/diary.html?storyid=9181 - is this FIX :thumb:

  13. CloneRanger

    CloneRanger Registered Member

    @EraserHW

    Thanks for your blog post link on this exploit POC :thumb:

    *

    Re video issue

    This is just an example of part of the fullscreen HD video as it appears on my comp. Looks blurry to me.

    pocp.gif

    See how it compares to your comp, could be just at my end ?

    *

    @Ronjor :thumb:

    The plot thickens !

  14. MrBrian

    MrBrian Registered Member

  15. Rmus

    Rmus Exploit Analyst

    Hi MrBrian,

    Do you have any idea what he's referring to in that Diary? (webDAV and how it relates to the exploit?)

    thanks,

    rich
  16. CloneRanger

    CloneRanger Registered Member

    @MrBrian Good find :thumb:

    @Rmus

    Re - WebDAV

    It appears to be these sorts of OSes that are vulnerable, business types and not domestic comps etc.

    Microsoft Windows 2000

    Windows XP Professional

    Windows Server


    So I'm OK on XP/SP2 by the looks of things. The .lnk PoC didn't work anyway when I tested it, so?
  17. Rmus

    Rmus Exploit Analyst

    This is why I don't like PoCs - they often aren't a good indication of how a real exploit in the wild will work on various systems.

    Even two different systems with the same OS version, etc, can react differently to a real exploit.

    ----
    rich
  18. MrBrian

    MrBrian Registered Member

    From http://en.wikipedia.org/wiki/WebDAV:
    From the Microsoft advisory Workarounds section:
    Use of WebDAV is another means of infection and propagation for the .LNK vulnerability.
  19. Rmus

    Rmus Exploit Analyst

    Thanks - I looked up WebDAV but didn't connect it with the Advisory!

    ----
    rich
  20. CloneRanger

    CloneRanger Registered Member

    This might prove useful in .lnk analysis ?

    *

    Found this which "could" have some bearing on the latest situation ?

    *

    Originally Posted by Rmus

    Ain't that the truth ! And how frustrating for the bad guys, and girls :D
  21. KptnKork

    KptnKork Registered Member


    Many Thanks for your upload at offensivecomputing !
  22. ace55

    ace55 Registered Member

    Assuming I am correctly concluding that this exploit/feature allows code execution as explorer only, a better way to protect yourself from this exploit using CIS is to remove the default rule for explorer. As explorer is handling untrusted data (link shortcuts, possibly other exploitable aspects of files) it makes sense that manually restricting its actions would lend a security benefit.

    Doing so would not prevent the dll loading, but would prevent any actions taken by the malware through the compromised instance of explorer, and thus, prevent system compromise. However the compromised instance of explorer could, although it cannot make itself persistent on the system, attempt to escape the restriction of CIS using a shatter attack or keylog you.

    Unless you want to terminate and restart explorer after plugging in any flash drives but before entering any sensitive information, there are better solutions to this particular problem: AppLocker comes to mind.
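    The AppLocker route ace55 mentions can be tried in a dry run before enforcing anything. The script below is an added example, not code from this thread, from ace55 or from Microsoft: it writes an AppLocker DLL rule collection that only allows libraries under the Windows and Program Files directories, so a DLL sitting on a removable drive or in a user-writable folder would be refused no matter which process (Explorer included) tries to load it. It assumes Windows 7 Enterprise/Ultimate or a later edition with AppLocker, an elevated PowerShell session, and the Application Identity service; the probe file it creates under %TEMP% is a constructed stand-in for an untrusted DLL, not a real sample.

```powershell
# Added example (not from the thread): AppLocker DLL rules that refuse libraries
# outside %WINDIR% and %PROGRAMFILES%. Assumptions: Windows 7 Enterprise/Ultimate
# or later with AppLocker, elevated session, AppLocker PowerShell module present.

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow DLLs in the Windows folder"
                  Description="Added example rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow DLLs in Program Files"
                  Description="Added example rule" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'dll-policy.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Constructed probe: a harmless text file with a .dll name in a user-writable
# location, standing in for a library an attacker would drop on removable media.
$probe = Join-Path $env:TEMP 'probe.dll'
Set-Content -Path $probe -Value 'not a real library (constructed placeholder)'

# Dry run: compare the decision for the probe with a genuine system DLL.
# The probe should come back as denied, shell32.dll as allowed.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe, "$env:WINDIR\System32\shell32.dll" -User Everyone

# Apply in audit mode first; AppIDSvc must be running for rules to be evaluated.
# Watch Applications and Services Logs > Microsoft > Windows > AppLocker > "EXE and DLL"
# for audit entries before switching EnforcementMode to "Enabled".
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Two caveats a practitioner would want: DLL rules make AppLocker evaluate every library load, which costs performance and can break software that legitimately loads plug-ins from user-writable paths, so audit mode and the event log are the way to find those before enforcing; and AppLocker is not available on the XP systems several people in this thread are running, where the Microsoft advisory's workarounds remain the option.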
  23. MrBrian

    MrBrian Registered Member

  24. CloneRanger

    CloneRanger Registered Member

    av.gif

    Not quite :D But could have been ;)
  25. CloneRanger

    CloneRanger Registered Member

    Ronjor just posted this :thumb: - http://www.wilderssecurity.com/showthread.php?t=277360

    http://www.microsoft.com/technet/security/advisory/2286198.mspx

    aff.gif

    So it looks like, as I'm on XP/SP2, I'm not affected by this vulnerability/exploit :D No wonder it didn't work when I tested it several times. Just goes to show, not updating to the latest patches etc. SP3 "can" be a bonus :D Not recommending everyone does as I do though.

    In an earlier MS advisory, it mentioned mainly only business type OSes that were vulnerable. So something must have changed in the malware samples out there for this latest revision?