LUA/SRP or AppLocker Failed ??

Discussion in 'other security issues & news' started by AvinashR, Jan 26, 2010.

Thread Status:
Not open for further replies.
  1. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Guys,

    Yesterday I had some words with my dear friend Steve (Sully)... I have an issue to put in front of all of you... Hope you all help to solve this issue.

    Issue Begins:-

    I am running Windows 7 Ultimate (x86), which is protected by NIS 2010. I always use LUA with AppLocker implemented. I have also disabled the Autorun feature through registry modifications. 3 days ago, I plugged in an infected USB drive of my sister's, which is infected by two nasty malwares: one is Win32.Imaut and the other is Win32.Downadup B. After inserting the USB drive I scanned it immediately with NIS 2010. After scanning, all the viruses got removed, but when I checked the details I found that Win32.Imaut tried to modify my registry entries... But all the modifications got repaired by NIS 2010.

    Now I wonder how this Win32.Imaut was able to modify my registry? Even though I am on LUA, with Autorun disabled and AppLocker implemented... how did this virus execute itself? Can anybody tell me how it managed it? Last but not least, this virus tried to modify 44 registry entries of my system, whereas Win32.Downadup B tried to modify only 1 registry entry.

    You all are requested to look into this matter.

    Please find the attachment for your reference. This reference will tell you what actions this virus took.
     

    Attached Files:

  2. captainron

    captainron Registered Member

    Joined:
    Oct 22, 2009
    Posts:
    77
    Autorun disabled is the fishy part to me. Whatever was on the USB stick had to be opened for this to get on the system, I am thinking.

    If the LUA was first an admin account and then changed to LUA, then the LUA will still have write permission to about half of the subfolders in Program Files and the C:/ directory. You can run the AccessEnum tool to show which accounts have write capability to which folders. AppLocker will prevent executables from running anywhere other than the Program Files or C:/ directories, but as mentioned the LUA will be able to write to about 50% of the sub-directories if the account was admin first, then changed to LUA.
     
  3. Jav

    Jav Guest

    First thing which I can't understand:
    Why is NIS repairing this kind of registry value?
    Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\->Yahoo Messenger
    Repaired :doubt:

    Note: AppLocker with default settings will not allow execution from the C:/ directory,
    but only from the Program Files and Windows directories.


    I think the virus hasn't actually been executed, but NIS repaired registry entries which would have been changed IF the virus had been executed.
    But I am not sure...
     
  4. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571

    It seems very uncertain that the malware actually executed based on the info presented here. It appears to me that this might be NIS simply giving very confusing information.

    But before I go into that txt file you attached to the post, I'd say that much also depends on the AppLocker policy. What have you blocked with AppLocker, IOW, what AppLocker rules are you enforcing? If the rules allow executing stuff from USB drives, then AppLocker won't stop executing malware from USB drives... But then, the malware would still execute as LUA, and wouldn't be able to write to HKLM without privilege escalation exploits.

    But anyways, the attachment appears to be something created by NIS perhaps. It's perfectly natural for it to detect the malware executables and delete those - that in itself only proves the AV was doing its job, but does not imply that the malware was actually active. I don't know NIS much, but it appears that the txt file is some sort of cloud AV or heuristic sandbox analysis report. This is something you might want to confirm from NIS support. But look at what the report actually says (bolded emphasis mine):

    See? There's no name of malware detected, and everything suggests a cloud AV type of detection ("fewer than 10 users in the Norton Community have used this file"). And what about the "Launched: No" part? Who knows for certain what that means, but it does sound like the file was not actually launched on your system, only scanned by NIS.

    So far, it looks like a case of jumping the gun a little. I don't see any proof that the malware actually launched. I just see NIS making a lot of noise. But, of course, I could be wrong - there's not enough information for certainty either way.
     
  5. captainron

    captainron Registered Member

    Joined:
    Oct 22, 2009
    Posts:
    77
    Oops, that's what happens after 4 hours of sleep. I meant to run only from the Program Files and Windows directories.

    And after looking at the log, I agree with your analysis, Jav. It doesn't look like the file executed to me, as the infections were removed from the F drive, where the USB stick was plugged in, and never executed with autorun disabled.

    If something did get through, run AccessEnum and see where the LUA has write capability.
     
  6. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Windchild Bro,

    You are wrong here (please don't take it -ve, bro)... It's a virus. It's not based on any heuristic or cloud detection. It's totally based on signature analysis... The attachment which I have pasted here is the detailed analysis of the virus from NIS 2010. The only problem is that in this report they have not mentioned the virus name. But if you would like to see the screenshot then I will put it in my next comment.

    As far as AppLocker is concerned, I am using the default policy.... That means the user has no rights to execute anything from any drive... except the default directories/folders. So there is no chance for a user to execute any .exe file from a USB drive... But I wonder how this virus touched my registry....

    Any Idea Now?
     
  7. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Bro Jav,

    How are you? Happy to see your comments.... Here you said that the virus has not been executed from my USB drive. I also believe that... But then why did NIS repair these registries, if the virus didn't execute?

    Secondly, you are right here that I am using the default AppLocker policy.... So a LUA will only be allowed to execute from the Program Files and Windows directories... So no chance for execution of anything from anywhere. Even I have no exclusion list in my policy...
     
  8. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Brother,

    I just checked the details over the Symantec website (please see here)..
    What I have found is that this worm sends some messages through Yahoo! Instant Messenger... So now it's clear that this virus touched my registry... That's why Norton IS 2010 repaired the registry key....

    You are requested to kindly look at the details over the Symantec website..

    Please note that I had some words with Norton Customer Care but he was unable to help me on this issue.
     
    Last edited: Jan 27, 2010
  9. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Oh, I don't doubt that it's a malware. I can easily believe that it is malware. What I have trouble believing is that the malware actually executed, in spite of AppLocker, since there's no proof of it executing. All we have to work with here is a mysterious text file report possibly from NIS that says "Launched: No" and other rather interesting things.

    Let me put it this way: Do you have any reason at all to believe the malware executed, or that it made any changes to the system at all (including the registry), except what NIS claimed? Did you see the executables running? Anything? Because if you're only relying on NIS here, I think you should contact NIS support and ask them what all this means. I don't know where you got that report that you attached to your original post: if it was something that NIS produced for you on your system, then you should ask NIS support what the report means. Does it mean a malware was launched on your system in spite of AppLocker and LUA and USB autorun being disabled, or does it mean NIS just detected a malware that was never running, and then told you what that malware would do if it executed on a system with admin rights.

    Let's be realistic. How is a malware on a USB stick going to execute and then change HKLM entries in the registry when:
    1) you have the Windows autorun feature disabled for USB drives, so no autorun.inf is going to be launching the malware automatically when the USB stick is inserted
    2) you have AppLocker configured to prevent anything from executing from USB drives, even if you actually knowingly try to execute it
    3) you're running LUA

    Unless a) the malware is literally magical, or b) the malware is something that has been never seen in the wild before and uses completely new techniques to bypass pretty much everything from autorun being disabled to AppLocker to then LUA, making it perhaps the most impressive malware in history, or c) something is seriously wrong with your LUA and AppLocker or your system is lacking a ton of patches, then there's literally no way for the malware to have executed that I can quickly think of. Quite honestly, this seems to me to be nothing more than NIS being confusing. I don't think you'll get anywhere with this without contacting NIS support and getting them to explain what that report of yours means, and you should also tell them you had autorun disabled and AppLocker active and were running in LUA.

    Meanwhile, have you checked that AppLocker actually works? Does AppLocker block executing files that you haven't allowed? Test at least with one file - if it doesn't block, then there's a problem. Have you checked that LUA doesn't have write access to places it should not have, like system folders and those HKLM registry keys the malware allegedly tried to change? Use AccessEnum if you want to do this quickly.

    But, again, I see no sure sign of any malware actually executing or doing anything to your registry. That Yahoo messenger registry key mentioned in the report isn't any proof, either. The text file report still seems to be some sort of analysis report, not anything that indicates what was truly done on the system. But since I can't see the system and wasn't around when this happened, I can do little more than speculate, and you really should take this to NIS and explain what happened to them and ask them what their report means, considering all your security measures. The W32.Imaut you mentioned seems to be a very old malware from 2006. Windows 7 did not even exist then, and neither did AppLocker. Considering that, it seems pretty unlikely that said malware contains some leet tricks to bypass AppLocker and LUA, especially since said tricks weren't mentioned by Symantec in their analysis, in spite of the fact such tricks would be extremely sensational and make good headlines for selling an AV product. :D
     
  10. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hi Bro,

    You know I have contacted Norton Support, and he told me that he is unable to help me on this.. You can have the chat transcript, which I have generated from the chat session. Here you will see the facts he produced in front of me. Please go through the below attachment. The guy has his own theory. Now I am totally surprised how he said all this without knowing LUA and AppLocker.
    And yeah, no new process was created and nothing has been changed in my system. This makes me so jumbled: without any execution, how did it attack my registry files? This is something strange.

    Secondly, the report which I have produced in front of all of you is the auto-generated report from NIS 2010. It's totally auto-generated.
     

    Attached Files:

  11. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, that chat log doesn't make much sense, I'm afraid. You also didn't show him the report, or ask him what the "Launched: No" part of the report means.

    But one thing is absolutely clear: If no malware executed, then no malware changed your registry. That's simply the fact here. There is no way for a malware to start creating HKLM run keys and modifying the registry all over the place if the malware cannot execute first. The malware can be a script, a regular portable executable or a few lines of shell code, but it can't do anything before it executes! If the malware did not execute, then your registry was not changed as far as those run keys and others are concerned. And no, no matter what virus is in the "settings of the USB" (what?), this cannot happen. The malware needs to execute before it can start creating run keys to HKLM or anything that it allegedly did. If some mystical USB settings try to execute the malware, that's one thing. It still needs to execute before it can actually do anything. It's just a matter of what executes it and with what privileges. But I guess I've repeated this part enough now. :)

    Frankly, I don't think that Shanil person really knows what he's doing. Consider the stuff he says: "the virus have attached the registry". Yeah, okay. Perhaps that means something. But if it does, I can't tell what exactly. Unfortunately, this stuff only adds to the confusion.

    I would hope Symantec could offer better support. That is to say: offer someone who knows about the Windows security model, including LUA and AppLocker, and can actually explain what reports generated by (apparently) NIS mean. Until you get someone like that to explain the report, this won't go anywhere. But if one wants my opinion, then it's simply that no malware was executed, and NIS is simply giving you confusing reports (a bit of a snake-oilish report, even).
     
  12. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Yeah, I totally agree with you; this report totally confused me. If this malware is not in the wild list, how did it manage to do it.... I also feel that it's just a confusing report... Hope I will find more details on it...
     
  13. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    My guess of what happened is this:

    1) No malware was executed.
    2) NIS detected the malicious files sitting around on the USB doing nothing, and then gave you a report of what the file might do if it executed and got admin privileges.
    3) NIS support people are, how shall we put it, a little on the strange side, with comments like this: "when ever a virus get into a computer it first attack registry".

    So, I don't think you have any reason to worry about any malware having executed, much less bypassed your security measures.

    However, it would not hurt to review that everything is in working order. Use AccessEnum to check if your user account or Users in general have permissions they should not have in the file system and registry. Test AppLocker. If everything seems to be okay, then no worries. :)
     
  14. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Hey Bro,

    Thanks for your valuable comments... I always trust your comments... I have checked the policy and it's working rock solid. Nothing is on the exclusion list for LUA. I have tried many executable files but none executed; I even tried to execute 5 files from my USB drive and none of them executed. Secondly, I checked the registry and found that the Autorun feature is completely disabled for all drives... Now AccessEnum is left; I want to know, should I run it with admin privileges or from the user? If I have to run it from the user, then I have to put it on the exclusion list of AppLocker...

    Your comments awaited.
     
  15. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    AccessEnum is best run as admin. Otherwise, you'll get "o_O" and "access denied" in the results for some areas of the file system and registry.

    Your tests so far suggest that AppLocker is working like it should, and give even further support to the conclusion that no malware was executed, and instead it was just NIS being confusing. :)
     
  16. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Yeah, on that day also I was pretty sure that nothing had been executed. But after I saw this report, I got surprised. This led me to get into the details... Still I have doubts, but I guess they won't get cleared...

    Secondly, I am going to run AccessEnum, but let me tell you that I am totally unaware of this Microsoft tool... I have never used it. So I am gonna paste my result here... You are requested to look into the same.... And tell me whether everything is okay or not.
     
  17. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Pretty much the only way to clear your doubts would be to get in contact with someone at Symantec who knows what they're talking about and can explain the NIS report. Considering the state of support for most software, that might be difficult to impossible.

    But as far as AccessEnum is concerned, you should read the help file. It's quite thorough. And AccessEnum is a fairly simple tool to use. Just point it at some folder or registry key and hit scan. AccessEnum will tell you who can Read and who can Write to that folder, file or registry key. You can post some results here if you'd like, but they can be long, and they can also contain stuff you may want to keep to yourself, such as usernames on the system. But the main thing to look out for in your case is the name of your limited user account and the Users group - those should not have write access in important folders or HKLM, with a couple of standard exceptions.
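As an added example (not code from the thread, and not part of AccessEnum itself), the check Windchild describes above can be approximated from PowerShell: walk the important folders and the HKLM Run keys, and list every ACE that grants a write-type right to the broad groups a limited user belongs to (Users, Authenticated Users, Everyone) or to the LUA account itself. The account name in `$LuaAccount` is an assumed placeholder. Run it from an elevated prompt, as Windchild advises, or protected paths come back as "access denied".

```powershell
# Added example, not from the thread: an AccessEnum-style write-permission audit.
# Works on PowerShell 2.0 and later (Windows 7 ships 2.0). Run elevated.

$LuaAccount = "$env:COMPUTERNAME\LimitedUser"   # ASSUMED placeholder: put the real LUA account name here
$Principals = @("BUILTIN\Users", "NT AUTHORITY\Authenticated Users", "Everyone", $LuaAccount)

# Only the rights that let a caller add, change, delete or re-permission content.
# Read/execute bits are deliberately left out so a ReadAndExecute grant is not flagged.
$FsWriteBits  = [System.Security.AccessControl.FileSystemRights]"CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership"
$RegWriteBits = [System.Security.AccessControl.RegistryRights]"SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership"
# Inherit-only ACEs sometimes carry generic masks instead of specific rights:
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) both imply write.
$GenericWriteBits = 0x40000000 -bor 0x10000000

function Get-WriteGrant {
    param(
        [string]$Path,      # folder path or HKLM:/HKCU: registry key
        [switch]$Recurse    # also scan every subfolder (file system only)
    )
    $paths = @($Path)
    if ($Recurse -and -not ($Path -like "HK*:*")) {
        $paths += Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer } | ForEach-Object { $_.FullName }
    }
    foreach ($p in $paths) {
        $acl = $null
        try { $acl = Get-Acl -Path $p -ErrorAction Stop }
        catch { Write-Warning "$p : access denied"; continue }
        $isReg = $p -like "HK*:*"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne "Allow") { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            if ($isReg) { $rights = [int]$ace.RegistryRights;   $mask = [int]$RegWriteBits }
            else        { $rights = [int]$ace.FileSystemRights; $mask = [int]$FsWriteBits }
            if ((($rights -band $mask) -ne 0) -or (($rights -band $GenericWriteBits) -ne 0)) {
                New-Object PSObject -Property @{
                    Path      = $p
                    Principal = $ace.IdentityReference.Value
                    Rights    = $(if ($isReg) { $ace.RegistryRights } else { $ace.FileSystemRights })
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# The places a limited user should NOT be able to write: program folders and the HKLM run keys.
$report = @(
    Get-WriteGrant "C:\Program Files" -Recurse
    Get-WriteGrant "C:\Windows"
    Get-WriteGrant "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    Get-WriteGrant "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
)
$report | Sort-Object Path | Format-Table Path, Principal, Rights, Inherited -AutoSize
```

An empty report for the Run keys and for Program Files is the healthy result. A few folders are designed to be user-writable (for example C:\Windows\Temp), which is the "couple of standard exceptions" Windchild mentions; anything beyond those, and in particular any Users or LUA entry under the HKLM Run keys, is worth fixing before blaming the AV report.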
     
  18. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Okie bro, I will try to look at the help file...

    Slightly off topic, but this topic is indirectly connected to the matter we are discussing...

    There is something strange happening right now. I randomly tried some .exe files on my computer.. I tried to execute the GMER.exe file, which is a legitimate file downloaded from the GMER website. As soon as I executed it, my AppLocker policy denied its execution. But after 10-15 seconds NIS SONAR popped up and deleted GMER.exe as a high-risk file... I am completely sure that it's a false +ve, as it has already happened to me many times... But now the question arises: how did Norton detect its process, if it was not executed... and was blocked by AppLocker..??

    Please put some light on this new and strange issue. I also request you to test it yourself if you don't believe me.
     
  19. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I don't use NIS, so this is simply a very educated guess:

    What you described doesn't sound strange to me. You were trying to execute gmer.exe, which would cause the file to be read. AppLocker would deny it from being created as a process, if the rules don't allow gmer.exe, but AV software like NIS has file system filter drivers and all sorts of hooking in the OS that will detect things like files being read. So, the file being read from the hard disk causes NIS to scan it, and then report it as a high risk file. In this case, probably because anti-rootkit tools like GMER tend to load drivers and do things that actually look quite suspicious to AV programs. You shouldn't have to execute a file for an AV to detect the file as possibly malicious. As for the delay in detection, that would likely be caused by whatever cloud AV type analysis NIS does, if any. Or, NIS could be using its hooks to monitor what is trying to get executed. The user doubleclicks on a program in Explorer, and NIS with its hooks then goes: "What's this, explorer.exe wants to run gmer.exe? I guess I'd better scan those files to make sure it's not evil stuff." And then NIS continues on with the scanning, not really caring that Windows checks the AppLocker policy and says: "Sorry, this file isn't allowed. I won't execute it. Better luck next time, friend." :D

    But if you're up for testing and have nothing better to do, you could place gmer.exe somewhere on your hard drive with NIS enabled, and then just click on the file once, or read its properties, or open it in a hex editor. Anything except executing it. That will cause the file to be read, and may cause NIS to jump at it.
     
    Last edited: Jan 27, 2010
  20. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Okay, now I understand.
     
  21. Jav

    Jav Guest

    Ohh.. I see Windchild already did a great job.
    Firstly, a quick question: can you open your IE and check what your homepage is now?
    Is it changed to something like http://securityresponse.symantec.com/avcenter/fix_homepage/

    I do agree with Windchild that there is no way that it could have been executed and changed your registry entries.
    But I still think it is not just a report to show what would have happened; the report shows what actions NIS has taken.
    After each registry value it says "Repaired".
    So I guess it DID repair those registry values even knowing that it wasn't executed; maybe it's their policy, just in case...

    So, that's why I am asking you to check your homepage.


    Unfortunately we can't expect them to have high-profile specialists on customer service. Though I felt offended as well by the way they gave technical service :(
     
  22. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Maybe I was too late to reply to your above question, but now I can confirm that yes, my IE8 homepage got changed to http://securityresponse.symantec.com/avcenter/fix_homepage

    So now I can probably say that this malware actually touched my registry key. No offense, but if nothing executed on that day, then why did my IE8 homepage get changed? Why did Norton do that? It's still a mystery... o_O I am sure that none of you good guys will believe me, but today I am damn sure that something did happen.

    Please do note that I have never used IE8 for anything, because I always use Mozilla FF. But today when I opened it, I found this change.... That's why I came here...
     
  23. Jav

    Jav Guest

    No, actually you misunderstood my point.
    The fact that your NIS changed your homepage doesn't prove that malware was executed and changed your homepage.

    There are 2 explanations for it and no mystery as you said :p

    1. Malware was somehow executed and NIS fixed it.
    Less believable, as: firstly, there are the AppLocker rules which would have blocked it (you can check Event Viewer to see if anything was allowed to run at that time).
    Secondly, AutoPlay is disabled.
    And finally there is the NIS log which says that it wasn't launched.

    2. Malware wasn't executed and was detected by NIS before doing any harm. (That's why the log says not launched. Last Used:
    1/19/2010 at 3:44:06 PM (which is not the date you told us; 3 days before your first post would be January 23).)
    So NIS detected it and deleted it. But as I already mentioned, it's more likely that NIS, like many AV programs, has a strategy to clean up malware traces after detection even though it wasn't executed..
    So, NIS detects malware.
    Looks at its database and determines what the malware does.
    Cleans up after the malware even though it wasn't executed and didn't do any harm.
    But NIS just makes sure and changes all settings and registry which the malware would have changed IF executed...

    I believe more in the second option.
    But I am not a security expert so I will leave making conclusions to yourself or other people.
    But my knowledge tells me that only those 2 options are possible and my instinct tells me that the second one is more likely.
    I hope you understood what I meant. :)
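Jav's "check Event Viewer" and Windchild's earlier "test that AppLocker actually blocks" can both be done from one PowerShell session. The script below is an added example, not code from the thread or from Symantec: it reads the AppLocker EXE and DLL log for the period in question, flags any execution that was allowed from removable media, asks the effective policy what it would decide for a harmless test file on the stick, and confirms the AutoRun policy values. `$Since` and `$SampleExe` are assumed placeholders; run it elevated on Windows 7 or later.

```powershell
# Added example, not from the thread: "did AppLocker let anything run from the stick?"
# and "is AppLocker/AutoRun really configured as I think?" from PowerShell. Run elevated.

Import-Module AppLocker

$Since     = Get-Date "2010-01-23"      # ASSUMED: the day the stick was plugged in
$SampleExe = "F:\harmless-test.exe"     # ASSUMED: any benign exe copied onto the stick for the test

# 1) AppLocker only enforces while the Application Identity service is running.
$appid = Get-Service -Name AppIDSvc
"Application Identity service: $($appid.Status)"

# 2) Every AppLocker decision lands in its own log:
#    8002 = allowed, 8003 = would have been blocked (audit-only mode), 8004 = blocked.
$log      = "Microsoft-Windows-AppLocker/EXE and DLL"
$decision = @{ 8002 = "allowed"; 8003 = "audit-only"; 8004 = "blocked" }
$events   = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8002, 8003, 8004; StartTime = $Since } `
                         -ErrorAction SilentlyContinue
$summary = $events | ForEach-Object {
    New-Object PSObject -Property @{
        Time      = $_.TimeCreated
        Decision  = $decision[[int]$_.Id]
        File      = ($_.Message -split " was ")[0]          # message begins with the file path
        Removable = [bool]($_.Message -match "%REMOVABLE%|%HOT%")  # AppLocker's variables for USB / hot-plug media
    }
}
"Decisions since ${Since}: $(@($summary).Count) events"
"Allowed from removable media (should be empty with the default rules):"
$summary | Where-Object { $_.Decision -eq "allowed" -and $_.Removable } | Format-Table Time, File -AutoSize

# 3) Ask the effective policy what it would decide for a file on the stick, evaluated as Everyone.
if (Test-Path $SampleExe) {
    Test-AppLockerPolicy -PolicyObject (Get-AppLockerPolicy -Effective) -Path $SampleExe -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
} else {
    "Copy a benign exe to $SampleExe to test the policy decision for removable media."
}

# 4) AutoRun policy: NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type;
#    bit 0x04 is the removable-drive bit, so it must be set for USB sticks.
foreach ($hive in "HKLM", "HKCU") {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($val -eq $null) {
        "$hive NoDriveTypeAutoRun: not set (Windows default applies)"
    } else {
        $state = if ($val -band 0x04) { "disabled" } else { "ENABLED" }
        "$hive NoDriveTypeAutoRun: 0x{0:X2} (AutoRun on removable drives {1})" -f $val, $state
    }
}
```

The log query is the part that answers the thread's question directly: if the stick's malware had run, an 8002 event naming a %REMOVABLE% path would exist for that time window; a 8004 event there means AppLocker did its job, and no event at all means nothing even attempted to start, which matches the report's "Launched: No". The policy test and the AutoRun values are the configuration side of the same question.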
     
  24. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    That's why I am a bit confused: why did NIS change my homepage if nothing has been executed? Why such a confusing report if nothing has been executed? And if something executed, then how did it manage it? o_O o_O
     
  25. Jav

    Jav Guest

    NIS changed it because its strategy is to make sure, as it doesn't know if the virus had done any activities before NIS started monitoring.
    The report is a bit confusing, but look at it from another aspect. It's really straightforward:

    NIS detected malware (date and time)
    Since when the files have been on the system
    Last time the files were used
    Cloud analysis results
    It hasn't been launched
    It's not in startup

    What NIS did.
    Removed files.

    Fixed registry entries (as the AV definitions say that this particular virus will change those entries, so it will fix those entries.)

    It was detected by the signature-based part of NIS, so actions were taken according to the definitions for that signature.
    If it had been detected by the behaviour blocker, different actions would have been taken.
     