Malware Quiz: Test your detective skills

Discussion in 'malware problems & news' started by Rmus, Sep 24, 2010.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    As many know, the recent in-the-wild LNK vulnerability via USB drive could not be tested unless you had an actual USB stick that had been infected by the cybercriminals. That is, you just couldn't get the files from a malware domain list, put them on a USB stick, and run it.

    This is because the LNK files contained pathnames pointing to the particular USB drive, and putting them on another drive would not work.

    That's why the Proof of Concept required everyone putting the test DLL on C:\ so that the test LNK file could find it.

    Question #1:

    Since no two computer systems would probably have the same path for their USB drive, such as:

    E:\

    or

    H:\

    how could the malware writers insure that the LNK file would be able to find and execute the malware on the USB drive?


    Question #2

    Why were there four LNK files in addition to the 2 malware executables?
    Here is how they appeared on the USB drive:

    • Copy of Shortcut to.lnk
    • Copy of Copy of Shortcut to.lnk
    • Copy of Copy of Copy of Shortcut to.lnk
    • Copy of Copy of Copy of Copy of Shortcut to.lnk

    • ~WTR4141.TMP
    • ~WTR4132.TMP

    That's it.

    ----
    rich
     
    Last edited: Sep 24, 2010
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    It's so it can be made to infect as widely as possible.

    Page 27 in here

     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, that analysis has the answers.

    I wonder, before reading that analysis, if people would be able to discern why it was done that way. I certainly didn't, and I asked a number of security people about the reason for 4 LNK files and no one knew the answer.

    Also, I never knew about long pathnames that point to a USB drive. Here is an example from the analysis - I put in line breaks so you can see the parts of the path, the last line pointing to the malware executable:

    Code:
    \\.\STORAGE#Volume#_??_USBSTOR#Disk&Ven_____USB&Prod_FLASH_DRIVE&
    Rev_#12345000100000000173&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    \~WTR4141.tmp
    Various articles have pointed out the immense sophistication and knowledge behind the construction of the Stuxnet worm. This is just one example, and the Eset Analysis reveals many more!

    If you haven't read it, it's worth the time to get inside the thinking of these cybercriminals.

    ----
    rich
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Rmus

    Just like you, i didn't know what we do do now, thanks in part to the ESET article :thumb:

    I'm sure other articles/blogs mentioned some of these things, but not all together in one place. But that's the luxury of having more time for analysis after the event/s ;) Of course it depends on who's doing it, and how. Some people explain things more clearly than others, and with lots of screenies, and not all of us are experts, i'm not, who automatically understand everything, or straightaway !

    *

    PS - How do i claim my prize ? :D
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Were there any articles that explained about the long pathnames and why 4 LNK files?

    Hmm, I don't recall anything about a prize...


    This Eset paper has made me recall a Forensics article I read some years ago, where I learned that there is much that can be discovered about how one uses her/his computer if you know where to look in the Registry.

    USB, for example. It can be determined if a particular USB device has ever been connected to your computer and the last time it was used.

    Some background:

    USB History Viewing
    http://www.forensicswiki.org/wiki/USB_History_Viewing

    You will find an explanation of the CSLID {53f56307-b6bf-11d0-94f2-00a0c91efb8b} which appears in the long pathname in the malicious LNK file - I posted one above. This is a Device Class GUID key for disks. The sub-keys below this key store the IDs for the drives that have been connected to the computer.

    Some pertinent Registry entries. These are Win2K entries, so the exact last Key name may be different on other operating systems.


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\
    HKEY_LOCAL_MACHINE\SYSTEM\MountedDevice1
    HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\


    ----
    rich
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yes indeed there were :)

    June 17th the 4 LNK files etc mentioned in here

    http://www.f-secure.com/weblog/archives/new_rootkit_en.pdf

    July 16th the 4 LNK files etc mentioned in here

    http://www.symantec.com/connect/blogs/w32temphid-commonly-asked-questions

    And here - http://www.sophos.com/blogs/chetw/g/2010/07/16/windows-day-attack-works-windows-systems - You'll like the advice also given :thumb:

    Round about the same time,

    July 15th {53f56307-b6bf-11d0-94f2-00a0c91efb8b} and others mentioned in here

    http://www.securelist.com/en/blog/269/Myrtus_and_Guava_Episode_1

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 etc mentioned in here

    http://www.pandasecurity.com/homeusers/security-info/222123/information/Stuxnet.A

    *

    Also you and/or others might be interested in this,

    I know i was kidding ;)

    Regards
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    But I asked for the reason "why" there are 4. Also, "why" a long pathname is required. I didn't see those explanations in those articles.

    From the Eset analysis, p. 27:

    I may have missed the above explanations in the other articles, which you may feel free to point out!

    But the connection is not made between that CLSID and the DeviceClasses sub-key. Also the USBSTOR sub-key is not mentioned. The Panda reference to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 is regarding the installation of files by the installer. From Panda:

    Whereas the importance of these Keys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\

    is where information including the unique ID for each USB drive is stored upon connection of the device to the computer, making it easy for anyone to retrieve that information.

    usbRegSubStor.gif

    usbRegDevices.gif

    While none of this is really necessary to know from the standpoint of prevention, in addition to being just interesting, again, it reveals the cunning nature of the cybercriminals to uncover such malicious uses for Windows functions.

    ----
    rich
     
    Last edited: Sep 25, 2010
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Rmus

    I thought there might be enough info in some of those links, i spent lots of time getting to post, that would be useful ! At least several did mention/show the 4 .tmps and long pathnames etc. I agree they didn't go into detail about them.

    So no prize and, what a B for trying :p

    Sad that nobody else has been able to provide any info :(
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    No, you get an A, just no prize! (I can't afford one)

    I knew you had already read the Eset analysis, and I was hoping others would attempt to answer the questions before you or someone else who had read it, responded.

    My point was that most analyses fall short of really explaining the details of an exploit at the triggering stage, which is my interest. They spend a lot of time stepping through the execution of the malware, showing where files are installed, etc. The reason may be that they are interested in detection/removal for their products, thus, needing to know the details of the nooks and crannies where the malware installs stuff, especially rootkits.

    I'm not really interested in what the malware does once installed (although it certainly is fascinating reading!) -- I'm more concerned with keeping it off the computer in the first place!

    But just notice in the next exploit to come, how articles focus on the sensational parts of the exploit: what it does once executed, rather than giving useful information about the attack vector and how preventative measures will block the triggering.

    For example, what advisories\reports\blogs about Stuxnet emphasized the fact that the malware file were DLL files which, as binary executables, could be blocked from executing with proper protection in place?

    So many people reacted with fear at the thought of an unpatched vulnerability. That's fine, as far as it goes, but so many bloggers/would-be security writers, and others, hype the sensational aspects of exploits without presenting calming, secure proactive measures that can be implemented pending the arrival of the patch.

    EDIT: Unless you consider Registry fiddling.

    Early on in this Stuxnet saga, most articles posted screen shots of the files on the USB drive: 4 LNK files and 2 malware files (TMP). We also were told that the files would only work from the USB drive from which they were taken, and were told that the reason was because the LNK files pointed directly to the malware location: the specific USB drive.

    This is why the PoC required us to place the test DLL on C:\ which is where the tester indicated the path in the test LNK file.

    But until the Eset analysis we were never told -- to my knowledge -- the reason for 4 LNK files, nor the specifics of the path names in the LNK files, which is pertinent to the triggering phase of the exploit.

    What's strange to my way of thinking is why researchers at Sophos, Symantec, and others, weren't curious enough to delve into these two areas and include details in their otherwise very good analyses.

    Kudos to Eset for doing that!


    ----
    rich
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Its OK i wasn't expecting a prize, i got a Sirprize instead :D Thank you Sir :)

    I'll try to delay posting for your next test :D

    Yes it would have been nice to see others chipping in too.

    I'm interested in both, but especially "attempting" 100% protection.

    Hyping the sensational aspects of exploits "may" be deliberate on occasions by some, "good" copy and all that ! Other times it could be either analysis is their field, or simply people get carried away with the moment, without pausing to think how it could have been prevented in the first place. Having said that, we might expect after several such events the penny might have dropped, and they would give some at least some focus to educating people in just how easy it is to be malware free, and at minimal cost, or even for free like me !

    I must admit though, this Stuxnet "business" takes the cream, and i doubt if it's the last we hear about it, and even maybe copy cats variants etc.

    ESET has indeed gone further in explaining how/why etc :thumb: but i still gleaned lots of useful info from all the other articles/blogs etc :)

    Yes i got a lot of persistant grief from "someone" not on here, over the PoC requiring us to place the test DLL on C:\ They said it would work without, i showed it didn't on my comp, several times, but still they insisted :p

    Thanks for the test/info etc :thumb:

    *

    EDIT

    Moved what was here to the Stuxnet thread, posted it in here by mistake :D
     
    Last edited: Sep 26, 2010
Loading...
Thread Status:
Not open for further replies.