Stem Bolt (Premium Member, join:2002-11-08, Metropolis)

Rootkit-TmpHider - USB infector without usage of Autorun.inf

»anti-virus.by/en/tempo.shtml

Also they are talking about this at Wilders in some depth.

»www.wilderssecurity.com/ ··· t=276994

This malware appears to be exploiting an unpatched vulnerability in processing LNK files.

It looks like this malware could infect even if you have 'Autorun' disabled on your computer. Simply accessing the infected USB device with Windows Explorer or another file manager could execute this malware.
quote:
You should take into consideration that the virus infects the Operating System in an unusual way, through a vulnerability in processing lnk-files (without usage of an autorun.inf file).

So you just have to open the infected USB storage device using Microsoft Explorer or any other file manager which can display icons (e.g. Total Commander) to infect your Operating System and allow execution of the malware.

Malware installs two drivers: mrxnet.sys and mrxcls.sys. They are used to inject code into system processes and hide the malware itself. That's the reason why you can't see malware files on the infected USB storage device.

Note that both drivers are signed with the digital signature of Realtek Semiconductor Corp. (www.realtek.com).

swhx7 (Premium Member, join:2006-07-23, Elbonia)

After reading several articles, the Wilders thread and the pdf I'm still not quite clear on how this is initially triggered.

Specifically, maybe a Windows expert can explain: Exactly what "processing" of .lnk files is done by Windows Explorer, when the user merely looks at a directory, without clicking on anything?

It seems that until this is patched, when looking at USB drives that have been out of one's chain of possession, one must use dir on a command line.
garofede624 (Member, join:2009-12-04) to Stem Bolt

More information on Softpedia and Krebs on Security.
quote:
Shortcut files — or those ending in the “.lnk” extension — are Windows files that link (hence the “lnk” extension) easy-to-recognize icons to specific executable programs, and are typically placed on the user’s Desktop or Start Menu. Ideally, a shortcut doesn’t do anything until a user clicks on its icon. But VirusBlokAda found that these malicious shortcut files are capable of executing automatically if they are written to a USB drive that is later accessed by Windows Explorer.

“So you just have to open infected USB storage device using [Windows] Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware,” wrote Sergey Ulasen, an anti-virus expert with the company, in an advisory published this month...

Independent security researcher Frank Boldewin said he had an opportunity to dissect the malware samples, and observed that they appeared to be looking for Siemens WinCC SCADA systems, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants.

“Looks like this malware was made for espionage,” Boldewin said.
It would be extremely interesting to view the parameters for the exploit .lnk file. But, accessibility to that information would increase the frequency of such infections in the wild, wouldn't it?

Stem Bolt (Premium Member, join:2002-11-08, Metropolis)

Interesting, it looks like this malware was intended for espionage. At least according to an expert mentioned on Krebs on Security:

»krebsonsecurity.com/2010 ··· ut-flaw/
quote:
Independent security researcher Frank Boldewin said he had an opportunity to dissect the malware samples, and observed that they appeared to be looking for Siemens WinCC SCADA systems, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants.

“Looks like this malware was made for espionage,” Boldewin said.

trparky (Premium Member, join:2000-05-24, Cleveland, OH)

How are they signed with Realtek Semiconductor's digital signature? Sounds like Realtek Semiconductor's certificate needs to be revoked.

swhx7 (Premium Member, join:2006-07-23, Elbonia) to Stem Bolt

Trying to address my own question of how "shortcuts" can be auto-executed - Windows Explorer will put a little red question mark icon on top of the icon for the .lnk file if the target is unavailable. This means Explorer must have some handler that parses them upon display, even if they're not clicked.

But the description says the code defect that's exploited here has to do with the icons. If that's correct, then the command-line workaround is sound.

Does anyone know how to turn off icons in Windows (leaving items in a directory listing with only text labels)?

tempnexus (Premium Member, join:1999-08-11, Boston, MA) to Stem Bolt

One solution that pops into my mind is the so far only sane way to run windows solutions...aka non admin user with UAC enabled.

I believe in order to be rooted the infector would require Admin rights...ergo if you plug in USB drive and it asks for ADMIN rights then voila.

trparky (Premium Member, join:2000-05-24, Cleveland, OH)

said by tempnexus:

One solution that pops into my mind is the so far only sane way to run windows solutions...aka non admin user with UAC enabled.
This has been something that has been preached for quite some time but nobody has listened.

Personally, my user is an Administrator on Windows 7 but UAC is still enabled so in reality my user isn't really an Administrator until I respond to that UAC prompt.

tempnexus (Premium Member, join:1999-08-11, Boston, MA)

I run it as standard and luckily 85% of the time I can run Windows and all the software I have without the Admin prompt.

I am not taking any chances and accidentally pressing OK...if I need to press OK I will need to type in a password...this adds the precious few seconds for my brain to catch up to my hands and say: "Ok hmm why does AngelinaJolieNaked.jpg need admin rights?"

therube (Member, join:2004-11-11, Randallstown, MD) to garofede624

Would think you should be able to open a .LNK file with a text editor without incident. It is after all, only a file (though not textual).

Problem appears to be how that "file" is interpreted - by the OS or otherwise (like Windows Explorer).
OZO (Premium Member, join:2003-01-17) to Stem Bolt

1. Until someone explains the magic of "unusual way of processing .lnk files on USB drive" in detail - I think it's total BS. There is no such thing (neither giving control to a .lnk file nor a "special way" with regards to USB).

2. Do they silently presume that two drivers (mrxnet.sys and mrxcls.sys) are somehow installed prior to observing the "unusual way of processing" and they are actually providing that "way"? Or to get them should the user click on a "ClickMe" icon (.lnk file) on the USB drive first?

3. The best way to hype it even more (and divert from the substance) is to use the "spying" aspect... Yeah, let's talk about evil China or Russia intentions and I'll start to believe everything.

Until then I know that shortcuts are not auto-executed and icons are not executed either... Meaning there is no way that something will be executed in the background when I insert a USB drive without my consent.

trparky (Premium Member, join:2000-05-24, Cleveland, OH)

Probably a remote-code execution flaw in the system that handles LNK files.

therube (Member, join:2004-11-11, Randallstown, MD) to OZO

[Attached screenshots: Link Properties Dialog; Link; Link w/Fancy icons; Link w/Simple icons]
Not that I know how this may or may not affect things, but ...

shell32.dll may perform all kinds of processing on .LNK's.

offline files/client side caching, drop handler, icon handler, shell link (ansi/unicode), infotips, thumbnails ...


(from Nirsoft: ShellExView - Shell Extensions Manager)

Different utilities Explorer vs say Servant Salamander may have different modes in which they may display/process entries.

Like Salamander may display "simple icons" in its directory listing, or not. The "or not" I assume then reverts to Explorer's method to traverse the link to its "Target:" & obtain its icon from there (or from IconCache.db)?
mysec (Premium Member, join:2005-11-29) to Stem Bolt

Does this "vulnerability" exist only in Windows 7?

In WinXP and Win2K I cannot get .lnk files to run automatically when viewing a USB drive in Windows Explorer.

However, as an exploit, the payload is easily blocked. I put a non-whitelisted executable, firehole.exe, and its shortcut on a USB drive and clicked on the shortcut:

[screenshot attached]

----
rich
amungus (Premium Member, join:2004-11-26, America) to Stem Bolt

If Windows Explorer "sees" a file, it tries to gather info on it, produce an image associated with the file, and enumerate its properties, regardless of extension.

If one were to run regmon while simply opening a folder, you'd see quite a bit of "action" in the background.

It could even be part of how thumbnails are processed that causes this, who knows.

That they use what should be a legit cert is strange. I guess that's proof that such a scheme is mostly irrelevant.

Surely this is more to do with how Explorer handles files than anything else. Makes me wonder if it has anything to do with some kind of ActiveX (or similar) integration.
BosstonesOwn (Member, join:2002-12-15, Wakefield, MA)

It's a good possibility that the cert could be any one, just used to push code to locations to be executable, or possibly an overflow in how it handles "signed" lnk's?
The Snowman (Premium Member, join:2007-05-20) to Stem Bolt

Nope, the sky is not falling.............so what's all the fuss about?
Most AV's scan files before execution.....and if the AV has the Sig to this exploit it will block it........now just how long will it take for all the popular AV's to have that Sig.
Also, what about those "other" programs so many people use..........is anyone saying that this exploit is invisible and won't be seen and detected by those "other" programs?
And what about those Virtual Programs....is this exploit just going to slice through them like they don't exist?

Every time a new exploit comes out people should not hide in the shadows.....either a computer is as secure as it can be...or, it isn't.

joako (Premium Member, join:2000-09-07, /dev/null) to trparky

said by trparky:
said by tempnexus:

One solution that pops into my mind is the so far only sane way to run windows solutions...aka non admin user with UAC enabled.
This has been something that has been preached for quite some time but nobody has listened.

Personally, my user is an Administrator on Windows 7 but UAC is still enabled so in reality my user isn't really an Administrator until I respond to that UAC prompt.
It's impossible to be real administrator in Windows 7.

Stem Bolt (Premium Member, join:2002-11-08, Metropolis) to The Snowman

said by The Snowman:
Nope, the sky is not falling.............so what's all the fuss about?

Most AV's scan files before execution.....and if the AV has the Sig to this exploit it will block it........now just how long will it take for all the popular AV's to have that Sig.
The whole point of disabling autorun was to prevent new undetected malware from running, in case your anti-virus software didn't have a signature for the malware yet. Disabling autorun protected users from unknown, 0-day malware threats. That's what the fuss is about.
quote:
Also, what about those "other" programs so many people use..........is anyone saying that this exploit is invisible and won't be seen and detected by those "other" programs?
What "other" programs are you talking about?
quote:
And what about those Virtual Programs....is this exploit just going to slice through them like they don't exist?
The number of users who are knowledgeable enough to use virtual machines and sandboxes (or even know they exist) is very small compared to the average number of computer users in the world.

The majority of people use an AV or AV suite as their sole means of protection (excluding router/firewall, Windows firewall). The people who read this forum and other security sites may be more knowledgeable than the average computer user. So they may know how to better protect themselves using other security software.
quote:
Every time a new exploit comes out people should not hide in the shadows.....either a computer is as secure as it can be...or, it isn't.

You can make a computer as secure as possible but you can't predict future unknown vulnerabilities in OSs, etc., or new advanced techniques that malware may use to circumvent current security software.

Khaine (Member, join:2003-03-03, Australia) to garofede624

It's pretty interesting, although not unexpected, that malware is being used to spy on companies, governments and individuals. Malware writers are simply moving to where the money is to be made.

trparky (Premium Member, join:2000-05-24, Cleveland, OH) to joako

said by joako:

It's impossible to be real administrator in Windows 7.
Oh, it's possible but it's completely stupid to do so. You turn UAC completely off, reboot, and then login as an Administrator account. Tada! Now you too can enjoy having your machine pwn3d like the rest of the people running Windows XP.
OZO (Premium Member, join:2003-01-17)

said by trparky:

Now you too can enjoy having your machine pwn3d like the rest of the people running Windows XP.
Exactly the same way as the rest of the people running any other Windows OS... The problem is with 'people' allowing to run all those viruses.

tempnexus (Premium Member, join:1999-08-11, Boston, MA)

Well, in all honesty Win7 x64 has a few extra security steps that are beyond Win XP.

To get a drive by download in IE8 on win7 x64 takes skill over getting one on winXP

swhx7 (Premium Member, join:2006-07-23, Elbonia) to Stem Bolt

Microsoft put out a bulletin about this vulnerability, and it identifies a Registry change to "Disable the displaying of icons for shortcuts", as a workaround until there is a patch: »www.microsoft.com/techne ··· 198.mspx

It doesn't really disable icons - in fact it replaces them with a generic icon. But apparently it disables the handler that goes looking for an icon for the shortcut, and thereby prevents the exploit.
OZO (Premium Member, join:2003-01-17)

Thank you, swhx7.
Reading that should push one to think about what's going on...
said by 2286198 :

What causes this threat?
When attempting to load the icon of a shortcut, the Windows Shell does not correctly validate specific parameters of the shortcut.
...
An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user.
It means that eventually an attacker could take complete control of your system... In other words, they execute an icon!!! Who would think about it even for a sec... And what parameters? Icon size? Number of colors? What else?

That's the beauty of proprietary (closed source) code in its full extent. You never know where the next trap is. It could be viewing an icon or reading a .TXT file, or simply inserting new media... Everything could be dangerous. What a bunch of idiots who do this to us.

Or, perhaps, not? The other alternative is - they do it thinking about their perspective bottom line. How? Here is a simple strategy. They think they want customers to discard their old OS in a while. And to help that they say - we'll stop supporting this product in ... years. And BTW, the old version may "accidentally" execute ... (insert anything here)."

Is that the way to do it? I mean - make money on selling new OS's? Is this the strategy for a big corporation to increase its profits? If it is - you can do nothing about it, or eventually move to an open source OS...

Or maybe I'm wrong here and they actually are just a bunch of idiots who don't know the basics of security and any difference between executing a program and an icon?
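As an added example (not code from any poster here, nor from Microsoft or VirusBlokAda) that answers the question above and swhx7's earlier one about what Explorer processes in a .lnk before anyone clicks it: a small Python parser for the Shell Link header and its string fields, which are exactly the parameters the shortcut carries for the icon handler. The `build_sample_lnk` helper and the `triage` rule are constructed here for illustration; the heuristic is an assumption of this example, not the bulletin's own logic.

```python
import struct
import uuid
from pathlib import PureWindowsPath

HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits of the Shell Link binary format; StringData sections
# follow the header in this fixed order, each present only if its bit is set.
HAS_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
STRING_FIELDS = [(1 << 2, "name"), (1 << 3, "relative_path"),
                 (1 << 4, "working_dir"), (1 << 5, "arguments"),
                 (1 << 6, "icon_location")]
IS_UNICODE = 1 << 7
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_lnk(data: bytes) -> dict:
    """Read the ShellLinkHeader, skip IDList and LinkInfo, collect StringData."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a shell link file")
    info = {"flags": flags, "icon_index": struct.unpack_from("<i", data, 0x38)[0]}
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:        # IDListSize (2 bytes) + IDList, skipped here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag, key in STRING_FIELDS:
        if flags & flag:           # CountCharacters then that many characters
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return info


def triage(info: dict) -> str:
    """Assumed heuristic: the icon handler reads icon_location/icon_index just to
    draw the listing, so an icon module that is not a system library gets flagged."""
    loc = info.get("icon_location")
    if not loc:
        return "ok: icon taken from the link target"
    path = PureWindowsPath(loc)
    if path.suffix.lower() not in (".dll", ".cpl"):
        return f"ok: icon file {loc}"
    if path.drive and str(path).lower().startswith(TRUSTED_DIRS):
        return f"ok: system module {loc}, icon index {info['icon_index']}"
    return f"review: icon module {loc} outside system directories"


def build_sample_lnk(name: str, icon_location: str, icon_index: int) -> bytes:
    """Construct a minimal test shortcut (synthetic bytes, not a malware sample)."""
    flags = HAS_ID_LIST | STRING_FIELDS[0][0] | STRING_FIELDS[4][0] | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID.bytes_le, flags)
    header += b"\x00" * 32                        # attributes, 3 timestamps, size
    header += struct.pack("<iIHHII", icon_index, 1, 0, 0, 0, 0)  # index, SW_SHOWNORMAL, hotkey, reserved
    idlist = struct.pack("<H", 5) + b"abc" + b"\x00\x00"        # one dummy item + terminator
    body = struct.pack("<H", len(idlist)) + idlist
    for text in (name, icon_location):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body
```

Running `triage(parse_lnk(open(path, "rb").read()))` over every .lnk on a stick, from a command prompt as swhx7 suggested, lists the icon sources without Explorer ever drawing them.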
Mele20 (Premium Member, join:2001-06-05, Hilo, HI) to Stem Bolt

Well, well. Finally a POC that ProcessGuard fails. It fails both tests.
But many other HIPS fail at least one, if not both tests, so I don't feel too bad. Even Online Armor and Malware Defender fail the first test.

Hmm...will I change my mind and install SP3 so I can get the patch for this next month? I doubt it, but I'll think about it. Ozo, you hit the nail on the head with your comments about Microsoft.

You can get the POC and instructions, plus a list of HIPS that have been tested and the results:

»ssj100.fullsubject.com/s ··· htm#1302
Mele20 (Premium Member)

I configured ProcessGuard to ask about rundll32.exe so I can now block the second POC test.

On Vista, with Online Armor ++, I configured it the same way and OA continues to fail both tests. It should pass the second test since I configured it to ask about rundll32.exe. I don't know if I am doing something wrong with OA or what.

Stem Bolt (Premium Member, join:2002-11-08, Metropolis)

said by Mele20:

On Vista, with Online Armor ++, I configured it the same way and OA continues to fail both tests. It should pass the second test since I configured it to ask about rundll32.exe. I don't know if I am doing something wrong with OA or what.
Do you have OA configured to use its own whitelist? If you do, try disabling that. Other than that I have no other suggestions. Perhaps you may get more help over at Wilders.

Edit:

»www.wilderssecurity.com/ ··· t=277316

I don't know if it's related or not.
Mele20 (Premium Member, join:2001-06-05, Hilo, HI)

No, I don't use a white list. I rebooted Vista (virtual machine) thinking maybe OA needed that. Before I rebooted, I took the opportunity to finally install the latest Avast version as I knew it would insist on rebooting the computer. When it rebooted, I got 7 popups (in a gigantic size) from ProcessGuard on the host machine about rundll32.exe. I figured this would happen because I can't put just a particular rundll32.exe on "ask"...all rundll32.exe are now on ask and these were all legit Microsoft processes. So, I finally got Vista rebooted and then OA gave me 12 popups regarding Avast processes that were new (I didn't put OA in installation mode before upgrading Avast). So, OA is working fine it would appear.

But when I opened explorer.exe with the debugview window open (intending to click on the suckme file)...it ran the first test just by my opening Explorer. I then double clicked on the suckme file and again OA did not pop up. OA though popped up three more alerts about Avast and was really upset because it said Avast wanted to access drive 0 and that was highly unusual...well duh...of course Avast wanted to do that! Anyhow, I can't see why OA is not alerting on rundll32.exe like I set it to do.

I can't leave ProcessGuard with this on ask as it will drive me nuts and could conceivably, at some point, cause a f**kup with Windows if rundll32.exe needs to run and PG, for some reason, doesn't pop the alert on my screen. I just wanted to see if my HIPS programs would alert and PG does but OA doesn't.
daveinpoway (Premium Member, join:2006-07-03, Poway, CA) to Mele20

Since you are obviously concerned about PC security, I am surprised that you wish to continue to use the (unsupported) SP2 version of Windows XP. Even fully-patched versions of Windows can be vulnerable to various exploits; running a version that won't receive any further patches seems more than slightly risky.

Upgrading to SP3 may be inconvenient for one reason or another, but it is best to bite the bullet and get this done. This service pack has been out long enough such that pretty much all of the problems have been identified and fixed, so you need not be concerned that it will crash your PC.