Rootkit.TmpHider

Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I believe that's not the correct interpretation. Microsoft simply isn't going to bother testing software that they no longer will update.

    From the Microsoft security advisory:
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    .....
     
  4. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,410
    Location:
    U.S.A.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @JRViejo

    Good link :thumb:

    *

    Doesn't look pretty, but it's "supposed " to work.

    [attached image: ic.jpg]

    *

    Quite frankly, I'm very surprised a lot more of the baddies haven't jumped on the bandwagon and made use of this exploit, as of yet. Especially as most, if not all OSs are vulnerable. I would have thought this would be a golden opportunity for them. There must be a reason! Maybe it's the calm before the storm?
     
  6. Ford Prefect

    Ford Prefect Registered Member

    Joined:
    Oct 31, 2008
    Posts:
    111
    Location:
    Germany, Ruhrpott
    I tried to check this on mrxcls.sys and mrxnet.sys using sigcheck -r,
    but the result was also 'verified signed'.
    I also didn't observe that sigcheck tried to access the inet (to check for crls).

    The revocation list issue is driving me crazy.

    Do I have to install a certain VeriSign crl manually?

    I imported all class3 concerning crls...

    Any advice?
     
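    An added check for the revocation question above; this is editorial example code, not something posted in the thread, and it assumes Windows PowerShell 5.1 or later with network access for CRL/OCSP retrieval. Get-AuthenticodeSignature reports a single status for the file, so the script also builds the signer's chain explicitly with online revocation checking forced for the whole chain and the verification time pinned to now. That exposes the chain engine's own reason codes (Revoked, RevocationStatusUnknown, OfflineRevocation) instead of a bare "verified signed". One reason a file can still verify is that Authenticode honours a timestamped signature made before the certificate's revocation date; pinning the verification time as below reports the revocation regardless. The quarantine paths are placeholders.

```powershell
# Added example (not from the thread): inspect a driver's Authenticode chain with
# revocation checking forced on, and report the chain engine's reason codes.
function Test-SignatureRevocation {
    param(
        [Parameter(Mandatory)][string]$Path
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]@{
            Path            = $Path
            SignatureStatus = $sig.Status
            ChainValid      = $false
            ChainStatus     = 'no signer certificate'
        }
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Fetch revocation data online for every certificate in the chain instead of
    # relying on whatever CRLs happen to be cached on this machine.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Evaluate as of now, not as of the signature's timestamp, so a certificate
    # revoked after signing is still reported.
    $chain.ChainPolicy.VerificationTime = Get-Date

    $ok = $chain.Build($sig.SignerCertificate)
    $problems = $chain.ChainStatus | ForEach-Object {
        '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
    }
    $chainStatus = if ($problems) { $problems -join '; ' } else { 'OK' }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status                    # Valid / NotSigned / HashMismatch / NotTrusted ...
        Signer          = $sig.SignerCertificate.Subject
        Thumbprint      = $sig.SignerCertificate.Thumbprint
        TimeStamped     = ($null -ne $sig.TimeStamperCertificate)
        ChainValid      = $ok
        ChainStatus     = $chainStatus
    }
}

# Usage (placeholder paths; point these at quarantined copies of the drivers):
# Test-SignatureRevocation -Path 'C:\quarantine\mrxcls.sys'
# Test-SignatureRevocation -Path 'C:\quarantine\mrxnet.sys'
```

    If ChainStatus comes back as RevocationStatusUnknown or OfflineRevocation rather than Revoked, the CRL could not be fetched at all, which is the case to rule out before concluding that a manual CRL import is needed.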
  7. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Good grief, what a mess.

    And coupled with a read/write capable USB flash drive, they both make a nice pair. ;)
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Tested the POC again today, after checking in C:\ for dll.dll and suckme.lnk that I placed there originally. To my surprise I only found the suckme.lnk and no sign of dll.dll! I know Avira detected it the other day, and it's "possible" that I could have allowed the deletion, but I'm sure I didn't. Also on the original tests it was done before Avira detected it.

    I disabled Avira and replaced the missing dll.dll file in C:\ and tested once more.

    [attached screenshot: s1.gif]

    Also tested in a folder on my desktop by double clicking the suckme.lnk.

    [attached screenshot: s2.gif]

    And via my USB stick by double clicking the suckme.lnk.

    [attached screenshot: s3.gif]

    Just cruising to the USB stick didn't trigger anything! I do have Autorun disabled.

    I removed run32.dll from ProcessGuard's list of allowable processes, and tested ALL 3 methods above again, and got the same response every time clicking Permit, as you might expect.

    [attached screenshot: r1.gif]

    Clicking Deny and NOT one of the 3 methods succeeded :thumb:

    [attached screenshot: deny.gif]

    I got no alerts from PEG during these latest tests. Could be because originally I allowed them, and PEG remembered? ssj100 says that PEGuard doesn't block the exploit anyway - http://blog.didierstevens.com/2010/07/18/mitigating-lnk-exploitation-with-ariad/#comment-39140

    Can't explain what happened to the original C:\ dll.dll, but there you have it.
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Nice analysis here :thumb:

     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you CloneRanger for the Symantec analysis :thumb:.

    I noticed this in the analysis:
    So maybe LUA/UAC does prevent some bad behavior by this malware.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, thanks for that analysis. I'm looking forward to the Part 2.

    This today, on the hackers:

    The Hackers Behind Stuxnet
    http://www.symantec.com/connect/blogs/hackers-behind-stuxnet

    I notice that the definition of "targeted" is not applicable to this exploit, according to the Symantec blogger:

    ----
    rich
     
  12. frank_boldewin

    frank_boldewin Registered Member

    Joined:
    Jul 14, 2010
    Posts:
    2
    I had some free time today and analyzed the KERNEL32.DLL.ASLR.000xxxxx file a little further.
    I found out that there were lots of encrypted binaries in the resources of this dll.

    As you can see, there are some larger binaries. To analyse all this stuff will take some time. ;-)

    10.240 executable_extracted_from_res-203_CAB_file.bin
    26.616 res-201__MRXCLS_SYS.bin
    5.237 res-203__CAB_file_with_packed_executable_in_it.bin
    17.400 res-242__MRXNET_SYS.bin
    14.848 res202__executable.bin
    298.000 res208__executable.bin
    9.728 res210__executable.bin
    145.920 res221__executable.bin
    102.400 res222__executable.bin
    4.171 res240__lnk_skeleton.bin
    25.720 res241__~WTR4141_TMP.bin
    40.960 res250__executable.bin
     
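    An added triage helper for the "encrypted binaries in the resources" observation above; this is editorial example code, not frank_boldewin's tooling, and it assumes Windows PowerShell 5.1 or later and a file path you supply. It slides a window over the file and reports runs whose Shannon entropy approaches 8 bits per byte, which is how encrypted or compressed blobs embedded in a PE stand out before the decryption routine is understood. The 4096-byte window and the 7.2 bits/byte threshold are assumed heuristics, not values from the thread.

```powershell
# Added example (not from the thread): find high-entropy regions in a file so
# encrypted or packed blobs in a PE's resource section can be located quickly.
function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[[int]$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $Bytes.Length
            $h -= $p * [Math]::Log($p, 2)
        }
    }
    return $h
}

function Find-HighEntropyRegions {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$WindowSize = 4096,      # assumed window size
        [double]$Threshold = 7.2      # assumed cut-off in bits/byte; code and text sit well below
    )
    $data = [System.IO.File]::ReadAllBytes($Path)
    $regions = @()
    $current = $null
    for ($off = 0; $off -lt $data.Length; $off += $WindowSize) {
        $len = [Math]::Min($WindowSize, $data.Length - $off)
        $window = New-Object byte[] $len
        [Array]::Copy($data, $off, $window, 0, $len)
        $h = Get-ShannonEntropy -Bytes $window
        if ($h -ge $Threshold) {
            # Merge adjacent hot windows into one region.
            if ($null -eq $current) {
                $current = [pscustomobject]@{ Start = $off; End = $off + $len; MaxEntropy = $h }
            } else {
                $current.End = $off + $len
                if ($h -gt $current.MaxEntropy) { $current.MaxEntropy = $h }
            }
        } elseif ($null -ne $current) {
            $regions += $current
            $current = $null
        }
    }
    if ($null -ne $current) { $regions += $current }

    $regions | ForEach-Object {
        [pscustomobject]@{
            Offset     = '0x{0:X8}' -f $_.Start
            Length     = $_.End - $_.Start
            MaxEntropy = [Math]::Round($_.MaxEntropy, 3)
        }
    }
}

# Usage (placeholder path to a quarantined copy of the sample):
# Find-HighEntropyRegions -Path 'C:\quarantine\KERNEL32.DLL.ASLR.sample' | Format-Table
```

    Reported offsets are file offsets, so map them against the section table (the .rsrc section in particular) to confirm which resource each region belongs to; compressed resources such as CAB data score high as well, so entropy alone does not distinguish encryption from compression.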
  13. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Not sure, I don't use it, but others might know. Or even better they could try it ;)

    :thumb:
    Lower down :)

    Thanks for stopping by :thumb: Any input you can give would be welcome. We're not all experts though, well I'm not :D Some info about the encryption, and more, in the following links. But maybe you've seen them already?

    *

    _

    Edit - Just seen that Sadeghi85 has posted with one of the same links as I was typing! Thanks :thumb:
     
    Last edited: Jul 22, 2010
  15. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Siemens/Trendmicro have released info and a clean up tool for Stuxnet for their product. It's a whopping 50 Megs :eek:

    *

    Edit -

    Just DL'd the above file, it's 70 Megs unpacked :eek: :eek: plus you need to DL the latest versions of the pattern files as well !

    Anyway it turns out that it's for Windows, not just SCADA, so I "presume" anyone could use this to try and remove the infection/s?

    Quote from the Readme

     
    Last edited: Jul 22, 2010
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
  18. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,410
    Location:
    U.S.A.
     
  19. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Notice how some are calling these nasties a virus, others worms!


    Sounds like a potential nightmare for SCADA users. It will be interesting to know how many of them actually do get infected via this method?

    @EraserHW

    Thanks for the up to date news/analysis. Yes, those people don't waste a "good" opportunity, do they, and I wouldn't expect them to.

    Re - Post 167. Have you seen any evidence of "non malicious betting" www's being contacted etc? And/or what does the payload actually do in ANY of these nasties, keylog and upload etc, or? Please see link below.

    @MrBrian

    Thanks for the link, I thought it had already been posted, obviously not. A lot of people thought that drive-by attacks were a thing of the past. Just goes to show, we can't take anything for granted, and need to be ever vigilant.

    *

    The best way I've found to stop this dead is to have run32.dll set to prompt, as I showed earlier when I tested the POC ;) It's not a cure as such, but that setting is staying on my comp with ProcessGuard :thumb:
     
  22. tgell

    tgell Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    1,097
    In reference to the drive-by attacks in @MrBrian's link:

     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    :thumb:

    *

    *

    It successfully found ALL real "exploitable" Stuxnet files, and the POC :thumb: and 4 FPs, which isn't too bad. It only took about 3 minutes to complete the test.

    [attached screenshot: term.gif]

    If you right click on each one it shows it will delete

    [attached screenshot: del.gif]

    There was no way to save a log :( so I scanned it

    [attached screenshot: scroll.gif]

    Thanks to tesk for the tool and link :thumb: - https://www.wilderssecurity.com/showthread.php?t=277360
     
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Ran the real Stuxnet malware yesterday, after enabling Shadow Defender and disabling my AV. MBRGuard was installed several months ago, and doesn't alert, just blocks if it needs to.

    [attached screenshot: stux.gif]

    Unfortunately after about 15 minutes my comp became unresponsive and I had to reboot :eek: All the screenies/notes I had taken were lost somehow during the shutdown :( so what follows is a brief recap.

    Allowed it to run via ProcessGuard prompts, and observed it with Process Explorer launching a number of lsass.exe's etc. I also saw svchost.exe at 50% after a few minutes. Ran various tools such as GMER/Rku/Icesword etc, which detected it in various places.

    Also ran MBRCheck which showed the same as this, no change

    [attached screenshot: mbr.gif]

    After the reboot ran all the tests again, and NO sign of anything :)

    In short, Shadow Defender proved it provides VERY strong protection :thumb:
     
    Last edited: Jul 23, 2010
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    .....
     