Rootkit.TmpHider

EraserHW · Jul 19, 2010

I had some free time so I published on my personal blog and on my personal youtube channel a video of the exploit I've built with my own dll

[noparse]http://www.youtube.com/watch?v=6304Q0YoiBg[/noparse]

Meriadoc · Jul 19, 2010

KptnKork said:

We would like to take a deeper look into the TmpHider, but we don't have a sample yet. Especially a sample of the mrxnet.sys (016169ebebf1cec2aad6c7f0d0ee9026) would be very interesting to get, because it seems to contain the espionage code. But seems to be inpossible to get the code (or a link to a sample) here in this forum. Maybe someone of the one who owns a sample is able to upload it to the ~ Removed Link as per Policy - We don't want inexperienced users clicking over to a Malware Samples site ~ malware sample database. Would be very helpful. There are multiple sample requests for TmpHider at offensivecomputing but so far no one got a sample.
Thanks for any help.
Click to expand...

I known Frank is a member, so am I so if he doesn't see this and upload I will.

016169ebebf1cec2aad6c7f0d0ee9026
055a3421813caf77e1387ff77b2e2e28

Rmus · Jul 19, 2010

isc.sans.edu Raises Threat Level For LNK Vulnerability

Preempting a Major Issue Due to the LNK Vulnerability - Raising Infocon to Yellow
http://isc.sans.edu/diary.html?storyid=9190

We decided to raise the Infocon level to Yellow to increase awareness of the recent LNK vulnerability and to help preempt a major issue resulting from its exploitation.

Although we have not observed the vulnerability exploited beyond the original targeted attacks, we believe wide-scale exploitation is only a matter of time.

The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools' ability to detect generic versions of the exploit have not been very effective so far.
Click to expand...

Reference to "the issue is not easy to fix until Microsoft issues a patch" is, of course, to the mitigating tweaks recommended by Microsoft in its Advisory.

Much easier, safer protection measures have already been discussed in this thread.

----
rich

Dark Star 72 · Jul 19, 2010

Some tests here with the POC by our old *friend* SSJ100:

-http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1302-

and Ilya's reply to the DefenseWall test

http://gladiator-antivirus.com/forum/index.php?showtopic=107368

Notice the result for the newly released Returnil System Safe 2011 RC

Rmus · Jul 19, 2010

Re: isc.sans.edu Raises Threat Level For LNK Vulnerability

UPDATE
http://isc.sans.edu/diary.html?storyid=9190

Update: Several readers recommended focusing on preventing unauthorized code from running by using approaches such as application whitelisting.

For instance, Richard and Erno mentioned AppLocker, which is an enterprise software control feature built into Windows 7.

Erno wrote, "My solution is standard user accounts and Software Restriction Policy or AppLocker in Group Policy. You can block execution of any files on removable drives or network drives, or actually pretty much anywhere except system folders. In my networks I only allow execution from Windows and Program Files. Remember to apply the software restriction policy for all executable files, including libraries (dlls)."
Click to expand...

CloneRanger · Jul 19, 2010

Quotes from Sans

* If autorun is disabled, when a USB device with malicious LNK files is inserted, the exploit will not be triggered automatically.
Click to expand...

Explains maybe why the POC didn't work for me ?

* The exploit is triggered every time a folder containing a malicious LNK files is opened (for example, with Windows Explorer). It does not matter where this folder is – it does not have to be on a USB device,
Click to expand...

The POC still didn't work from my desktop ?

but in order to execute to malicious binary, the attacker has to specify its location correctly.
Click to expand...

Ahh, could be why ?

What makes this vulnerability extremely serious is the fact that it can be opened from any place, including remote shares, for example. The victim just has to browse to the remote share in order to trigger the vulnerability. So double check permissions on any remote shares you use in your companies (you shouldn't allow users to write in root folders, for example).

http://isc.sans.edu/diary.html?storyid=9181
Click to expand...

*

Originally Posted by i_g

I think it's wrong.
Click to expand...

F-secure said this

From Microsoft's MSDN Library: "The countersignature method of time stamping … allows for signatures to be verified even after the signing certificate has expired or been revoked."
Click to expand...

So ?

@EraserHW

Sorry to say, even in HD mode i found it hard to view exactly what was happening Any chance you could give us a brief description ? TIA

@Dark Star 72

Thanks for the links

I didn't know ssj100 had branched out on his own

Good news about Returnil System Safe 2011 RC

@Rmus

Thanks for the updates

aigle · Jul 19, 2010

Dark Star 72 said:

Some tests here with the POC by our old *friend* SSJ100:

-http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1302-

and Ilya's reply to the DefenseWall test

http://gladiator-antivirus.com/forum/index.php?showtopic=107368

Notice the result for the newly released Returnil System Safe 2011 RC
Click to expand...

thanks, very nice testing indeed.
Just two things i wil mention:
1. Regarding CIS, it can be configured to intercept it.
Post no. 125 of this thread.
2. PE gaurd seems to intercept it. Post no. 108 of this thread.

aigle · Jul 19, 2010

EraserHW said:

I had some free time so I published on my personal blog and on my personal youtube channel a video of the exploit I've built with my own dll

[noparse]http://www.youtube.com/watch?v=6304Q0YoiBg[/noparse]
Click to expand...

blog link pls? also can the POC be shared?

EraserHW · Jul 19, 2010

aigle said:

blog link pls? also can the POC be shared?
Click to expand...

my personal blog is in italian and it's located here: https://www.pcalsicuro.com

anyway I've written a similar blog post on Prevx blog at this address: http://www.prevx.com/blog/151/day-flaw-discovered-in-Microsoft-Windows.html (this time in english)

About the POC: I wouldn't share the sample outside the company at the moment, even though there's already a known PoC out there (personally I'd not have shared the PoC online, this allows attackers to better exploit the flaw. Anyway I saw someone else already did it). I'm sorry Anyway for any question, I'm here

Actually, as I've written in the blog post, I think Microsoft will have some trouble in fixing this flaw, because it is not a bug - it's a feature used inside Windows internals.

EraserHW · Jul 19, 2010

CloneRanger said:

@EraserHW

Sorry to say, even in HD mode i found it hard to view exactly what was happening Any chance you could give us a brief description ? TIA
Click to expand...

Sorry man I tried to do my best to record a good video

Actually the video just shows how the exploit is working. I've written a PoC exploit from scratch and showed how a fake malicious DLL is loaded as soon as system starts rendering the icon

ronjor · Jul 19, 2010

On July 17th, ESET identified a new malicious file related to the Win32/Stuxnet worm. This new driver is a significant discovery because the file was signed with a certificate from a company called "JMicron Technology Corp". This is different from the previous drivers which were signed with the certificate from Realtek Semiconductor Corp. It is interesting to note that both companies whose code signing certificates were used have offices in Hsinchu Science Park, Taiwan.
Click to expand...

ESET.....

CloneRanger · Jul 19, 2010

Right at the bottom of here - http://isc.sans.edu/diary.html?storyid=9181 - is this FIX

LinkIconShim

A simple shell extension that inserts itself in front of the original buggy lnk file handler and checks the incoming files. If a link to control panel item is found (the exploitable one), default 'blocked' icon is returned instead of trying to extract one by running arbitrary dll.

# All control panel (i.e. potentially dangerous) links now have the 'stop' icon, but still work as before.

http://code.google.com/p/linkiconshim
Click to expand...

CloneRanger · Jul 19, 2010

@EraserHW

Thanks for your blog post link on this exploit POC

This is not the case, because a new Windows security 0-day flaw has been discovered that is able to execute malware without user interaction.

After our initial analysis, it looks like the flaw is not exploiting any coding error. There is no buffer/heap overflow, null-pointer dereference or use-after-free errors that you would usually expect from a 0-day flaw. It is just exploiting a feature used in Windows to handle some kind of libraries, and it is actively used more times inside Windows internals.

This allow us to think it is more a feature that has not been correctly hardened and it has been abused than a security bug

http://www.prevx.com/blog/151/day-flaw-discovered-in-Microsoft-Windows.html
Click to expand...

*

Re video issue

This is just an example of part of the fullscreen HD video as it appears on my comp. Looks blurry to me.

See how it compares to your comp, could be just at my end ?

*

@Ronjor

The plot thickens !

This new information is important because it provides more information on the people behind Win32/Stuxnet. We rarely see such professional operations. They either stole the certificates from at least two companies or purchased them from someone who stole them. At this point, it isn't clear whether the attackers are changing their certificate because the first one was exposed or if they are using different certificates in different attacks, but this shows that they have significant resources.

http://blog.eset.com/2010/07/19/win32stuxnet-signed-binaries
Click to expand...

MrBrian · Jul 19, 2010

LNK vulnerability now with Metasploit module implementing the WebDAV method

Rmus · Jul 20, 2010

Hi MrBrian,

Do you have any idea what he's referring to in that Diary? (webDAV and how it relates to the exploit?)

thanks,

rich

CloneRanger · Jul 20, 2010

@MrBrian Good find

@Rmus

Re - WebDAV

Appears to be these sorts of OS's that are vulnerable, business types and not domestic etc comps.

Microsoft Windows 2000

Windows XP Professional

Windows Server

Microsoft Security Bulletin MS09-020 - Important
Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege

http://www.microsoft.com/technet/security/bulletin/MS09-020.mspx
Click to expand...

MS09-020 IIS6 WebDAV Unicode Auth Bypass
Simplified version of MS09-020 IIS6 WebDAV Unicode Auth Bypass scanner. It attempts to bypass authentication using the WebDAV IIS6 Unicode vulnerability discovered by Kingcope. The vulnerability appears to be exploitable where WebDAV is enabled on the IIS6 server, and any protected folder requires either Basic, Digest or NTLM authentication.

http://www.metasploit.com/modules/auxiliary/scanner/http/ms09_020_webdav_unicode_bypass
Click to expand...

So i'm ok on XP/SP2 by the looks of things The .lnk POC didn't work anyway when i tested it, so ?

Rmus · Jul 20, 2010

CloneRanger said:

So i'm ok on XP/SP2 by the looks of things The .lnk POC didn't work anyway when i tested it, so ?
Click to expand...

This is why I don't like PoCs - they often aren't a good indication of how a real exploit in the wild will work on various systems.

Even two different systems with the same OS version, etc, can react differently to a real exploit.

----
rich

MrBrian · Jul 20, 2010

Rmus said:

Do you have any idea what he's referring to in that Diary? (webDAV and how it relates to the exploit?)
Click to expand...

From http://en.wikipedia.org/wiki/WebDAV:

Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows computer-users to edit and manage files collaboratively on remote World Wide Web servers.
Click to expand...

From the Microsoft advisory Workarounds section:

Disable the WebClient service

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

To disable the WebClient Service, follow these steps:

1. Click Start, click Run, type Services.msc and then click OK.
2. Right-click WebClient service and select Properties.
3. Change the Startup type to Disabled. If the service is running, click Stop.
4. Click OK and exit the management application.

Impact of workaround. When the WebClient service is disabled, Web Distributed Authoring and Versioning (WebDAV) requests are not transmitted. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer.
Click to expand...

Use of WebDAV is another means of infection and propagation for the .LNK vulnerability.

Rmus · Jul 20, 2010

MrBrian said:

Use of WebDAV is another means of infection and propagation for the .LNK vulnerability.
Click to expand...

Thanks - I looked up WebDAV but didn't connect it with the Advisory!

----
rich

CloneRanger · Jul 20, 2010

This might prove useful in .lnk analysis ?

LinkInfo v1.51 Plugin for viewing all possible parameters of LNK-files, and changing them via right click.

Total Commander Plugins

Plugins are extensions of Total Commander with additional functions

http://www.ghisler.com/plugins.htm
Click to expand...

*

Found this which "could" have some bearing on the latest situation ?

Reading contents of Web Folders By Roman Koreshkov 28 Feb 2006

An analysis of the different ways of getting the list of files in a web folder (including SharePoint) programmatically, and a simple solution.

-

The Alternative Solution ? Web Folder Short Cuts

-

Inside, the appropriate shell extension (pre-installed with Windows) provides the necessary Folder and FolderItem objects, doing all the hard work of interacting with the web server through WebDAV/WEC for us ? we will just utilize their results.

-

So now, when one wants to get a list of files in a web folder, the algorithm will be as follows:

* We create a temporary shortcut to the web folder.
* We use Shell32 to read its contents.

-

Conclusion

The suggested solution seems to be quite simple and feasible for Windows or console applications. However, for server applications, use it with caution ? you may likely face some problems with security.

http://www.codeproject.com/KB/aspnet/ReadWebFolderContent.aspx
Click to expand...

*

Originally Posted by Rmus

Even two different systems with the same OS version, etc, can react differently to a real exploit.
Click to expand...

Ain't that the truth ! And how frustrating for the bad guys, and girls

KptnKork · Jul 20, 2010

Meriadoc said:

I known Frank is a member, so am I so if he doesn't see this and upload I will.

016169ebebf1cec2aad6c7f0d0ee9026
055a3421813caf77e1387ff77b2e2e28
Click to expand...

Many Thanks for your upload at offensivecomputing !

ace55 · Jul 20, 2010

aigle said:

I tried the POC. Just opening my USB stick in explorer.exe triggered laoding of dll.dll.

1- Regarding CIS, the problem is that POC is nothing but a dll loading. CIS and any other HIPS by default don,t intercept dll loading as it gives rise to hundreds of useless pop up alerts.

Infact CIS can be configured to give alert about dll.dll loading but it,s not practical at all as in this case CIS also gives dozens of other legit dll loading alerts.

So in case of real malware( that was not a dll I think), CIS will give a usuall execution alert.
Click to expand...

Assuming I am correctly concluding that this exploit/feature allows code execution as explorer only, a better way to protect yourself from this exploit using CIS is to remove the default rule for explorer. As explorer is handling untrusted data (link shortcuts, possibly other exploitable aspects of files) it makes sense that manually restricting its actions would lend a security benefit.

Doing so would not prevent the dll loading, but would prevent any actions taken by the malware through the compromised instance of explorer, and thus, prevent system compromise. However the compromised instance of explorer could, although it cannot make itself persistent on the system, attempt to escape the restriction of CIS using a shatter attack or keylog you.

Unless you want to terminate and restart explorer after plugging in any flash drives but before entering any sensitive information, there are better solutions to this particular problem: AppLocker comes to mind.

MrBrian · Jul 20, 2010

Mitigating .LNK Exploitation With SRP

CloneRanger · Jul 20, 2010

Not quite But could have been

CloneRanger · Jul 20, 2010

Ronjor just posted this - https://www.wilderssecurity.com/showthread.php?t=277360

http://www.microsoft.com/technet/security/advisory/2286198.mspx

So it looks like as im on XP/SP2 i'm not affected by this vulnerability/exploit No wonder it didn't work when i've tested it several times. Just goes to show, not updating to the latest patches etc SP3, "can" be a bonus Not recommending everyone does as i do though.

In an earlier MS advisory, it mentioned mainly only business type OS's that were vulnerable. So something must have changed in the malware samples out there for this latest revision ?

Log in or Sign up

Rootkit.TmpHider

EraserHW Malware Expert

Meriadoc Registered Member

Rmus Exploit Analyst

Dark Star 72 Registered Member

Rmus Exploit Analyst

CloneRanger Registered Member

aigle Registered Member

aigle Registered Member

EraserHW Malware Expert

EraserHW Malware Expert

ronjor Global Moderator

CloneRanger Registered Member

CloneRanger Registered Member

MrBrian Registered Member

Rmus Exploit Analyst

CloneRanger Registered Member

Rmus Exploit Analyst

MrBrian Registered Member

Rmus Exploit Analyst

CloneRanger Registered Member

KptnKork Registered Member

ace55 Registered Member

MrBrian Registered Member

CloneRanger Registered Member

CloneRanger Registered Member

Log in or Sign up

Rootkit.TmpHider

EraserHW Malware Expert

Meriadoc Registered Member

Rmus Exploit Analyst

Dark Star 72 Registered Member

Rmus Exploit Analyst

CloneRanger Registered Member

aigle Registered Member

aigle Registered Member

EraserHW Malware Expert

EraserHW Malware Expert

ronjor Global Moderator

CloneRanger Registered Member

CloneRanger Registered Member

MrBrian Registered Member

Rmus Exploit Analyst

CloneRanger Registered Member

Rmus Exploit Analyst

MrBrian Registered Member

Rmus Exploit Analyst

CloneRanger Registered Member

KptnKork Registered Member

ace55 Registered Member

MrBrian Registered Member

CloneRanger Registered Member

CloneRanger Registered Member

Useful Searches