Rootkit.TmpHider

Is this vulnerability present in all Windows Operating Systems? I cannot get shortcut links to run automatically from a USB drive in Win2K or WinXP.

----
rich

 

Maybe it was written by someone in the Utilities business?

 

When i ran the installer.0022.exe malware very recently, it tried to infect using NTVDM.exe MS-DOS Emulation. Nobody picked up on it, or seemed to think it relevant enough to comment on it ?

https://www.wilderssecurity.com/showthread.php?

Wonder if there might be more this after all, than was initially thought by some people, and in this case too ?

 

Yes, it is.
Well, didn't try on Win2k, but it works on XP, Vista, Win7.

 

Can you explain how you tested using WinXP?

Thanks,

-rich

 

Hello guys!

While Microsoft is trying to reveal problem, our colleague Alexander Gostev from LK wrote yesterday interesting review about Rootkit.TmpHider. You can read it here:

http://www.securelist.com/en/blog/269/Myrtus_and_Guava_Episode_1

http://www.securelist.com/en/blog/271/Myrtus_and_Guava_Episode_2

http://www.securelist.com/en/blog/272/Myrtus_and_Guava_Episode_3

 

First you need a sample of the exploit, of course (it's not an ordinary .lnk file you create using the "Create shortcut" option in Windows Explorer). Then it's enough e.g. to enter the corresponding folder in Total Commander - and the code is started.

 

thanks sergey

 

aigle you have your pm

 

uh, I would also like a pm if it is no problem of some kind
HIPS tests is my interest and those signed files +exploit is temptation for me

 

A question, as I don't have a sample of this malware: when the code runs, does it run with the privileges of the currently logged in user, or does the vulnerability allow privilege escalation to admin/system? If the exploit only manages to gain the privileges of the current user, then even the very basic measure of running as a limited user would be enough to prevent the infection, seeing how the malware attempts to load drivers and limited users don't have the privilege required for that. That would make this whole big fuss a little less big, at least for those of the Average Users who have been set up with a non-admin account. If you have a sample and can test the malware as a limited user, I'd appreciate it if you could report back whether or not the malware manages to infect the system when executed under a limited account.

Interesting stuff! Maybe the digital signature was compromised via outsourcing. That would be... well, sad.

 

Reading about this behind a SonicWall threat management package and when I went to the 3rd blog link, I get the message "This request is blocked by the SonicWALL Gateway Anti-Virus Service. Name: Stuxnet.B (Trojan)"

So 2 good things I guess. The signature needed to stop this little bugger is in place. And that there is something @ that URL that triggers an alert.

But I still wanted to read it...

 

Yes, the code runs under the current user's account. This particular malware has rootkit drivers (and I don't know how it behaves if it cannot load the drivers), but generally it's not a requirement.

Well, the "average user" cannot spread the infection to other users of the system directly, but this user gets infected nevertheless - and I can imagine possible attempts to spread the infection further.

 

Here's a possible contender as to why it's called those names

@sergey ulasen

Thanks for the http://www.securelist.com links

 

lol, paranoid av

 

You are right! I went back to check this thread and was locked out of page 2. I'm guessing the piece of code that says "b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb" must be the issue because it's on both the blog URL and listed here too...

 

Yes this is string from rootkit driver. added emphasis in quote

 

Hey guys where can I download a sample of this worm. I'm especially interested in the lnk files

 

Sorry about that, I thought that given that many members of this forum are security researchers that wouldn't be a problem.

The problem is that there is no official advisory so I can not find elsewhere more details about the lnk vuln

 

You're right, I also can't find anything official on this. It seems to be more overhyped bs than substance.

 

I put the files on a USB drive and they are flagged as I view the drive in Windows Explorer:

​

This exploit goes nowhere with proper protection in place. To test, using the command prompt, which simulates a lnk file attempting to start the two ~tmp files (see screen shot of the lnk file in the PDF):

​

Being an espionage exploit, as has been suggested, begs the question of how company personnel acquire a USB drive infected with these files.

One scenario was proven to work some years ago. This article references a penetration test from 2006:

Island Hopping: The Infectious Allure of Vendor Swag
http://technet.microsoft.com/en-us/magazine/2008.01.securitywatch.aspx

The original article was on DarkRoom's Perimeter/Security page, but doesn't seem to be accessible now.

----
rich

 

Microsoft Security Advisory ( 2286198 )
Vulnerability in Windows Shell Could Allow Remote Code Execution
Published: July 16, 2010

http://www.microsoft.com/technet/security/advisory/2286198.mspx

weeNym

 

Panda Cloud antivirus should now be detecting this malware as Rootkit/Tmphider: http://www.cloudantivirus.com/forum/thread.jspa?threadID=54622&tstart=0

 

According to http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx, the RealTek certificate has been revoked.