Stem Bolt
2010-Jul-15 10:40 am
Rootkit-TmpHider - USB infector without usage of Autorun.inf
» anti-virus.by/en/tempo.shtml

Also, they are talking about this at Wilders in some depth:
» www.wilderssecurity.com/ ··· t=276994

This malware appears to be exploiting an unpatched vulnerability in processing LNK files. It looks like this malware could infect even if you have 'Autorun' disabled on your computer. Simply accessing the infected USB device with Windows Explorer or another file manager could execute this malware.

quote:
You should take into consideration that the virus infects the Operating System in an unusual way, through a vulnerability in processing lnk-files (without usage of an autorun.inf file).
So you just have to open the infected USB storage device using Microsoft Explorer or any other file manager which can display icons (e.g. Total Commander) to infect your Operating System and allow execution of the malware.
Malware installs two drivers: mrxnet.sys and mrxcls.sys. They are used to inject code into system processes and hide the malware itself. That's the reason why you can't see the malware files on the infected USB storage device.
Note that both drivers are signed with the digital signature of Realtek Semiconductor Corp. (www.realtek.com).
swhx7
2010-Jul-15 11:07 am
After reading several articles, the Wilders thread and the pdf I'm still not quite clear on how this is initially triggered.
Specifically, maybe a Windows expert can explain: Exactly what "processing" of .lnk files is done by Windows Explorer, when the user merely looks at a directory, without clicking on anything?
It seems that until this is patched, when looking at USB drives that have been out of one's chain of possession, one must use dir on a command line.
to Stem Bolt
More information on Softpedia and Krebs on Security.

quote:
Shortcut files, or those ending in the .lnk extension, are Windows files that link (hence the lnk extension) easy-to-recognize icons to specific executable programs, and are typically placed on the user's Desktop or Start Menu. Ideally, a shortcut doesn't do anything until a user clicks on its icon. But VirusBlokAda found that these malicious shortcut files are capable of executing automatically if they are written to a USB drive that is later accessed by Windows Explorer.
"So you just have to open infected USB storage device using [Windows] Explorer or any other file manager which can display icons (e.g. Total Commander) to infect your Operating System and allow execution of the malware," wrote Sergey Ulasen, an anti-virus expert with the company, in an advisory published this month...
Independent security researcher Frank Boldewin said he had an opportunity to dissect the malware samples, and observed that they appeared to be looking for Siemens WinCC SCADA systems, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants.
Looks like this malware was made for espionage, Boldewin said.
It would be extremely interesting to view the parameters for the exploit .lnk file. But accessibility to that information would increase the frequency of such infections in the wild, wouldn't it?
Stem Bolt
2010-Jul-15 12:02 pm
Interesting, it looks like this malware was intended for espionage. At least according to an expert mentioned on Krebs on Security:
» krebsonsecurity.com/2010 ··· ut-flaw/

quote:
Independent security researcher Frank Boldewin said he had an opportunity to dissect the malware samples, and observed that they appeared to be looking for Siemens WinCC SCADA systems, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants.
Looks like this malware was made for espionage, Boldewin said.
trparky
2010-Jul-15 12:23 pm
How are they signed with Realtek Semiconductor's digital signature? Sounds like Realtek Semiconductor's certificate needs to be revoked.
swhx7
to Stem Bolt
Trying to address my own question of how "shortcuts" can be auto-executed: Windows Explorer will put a little red question mark icon on top of the icon for the .lnk file if the target is unavailable. This means Explorer must have some handler that parses them upon display, even if they're not clicked.
But the description says the code defect that's exploited here has to do with the icons. If that's correct, then the command-line workaround is sound.
Does anyone know how to turn off icons in Windows (leaving items in a directory listing with only text labels)?
tempnexus
to Stem Bolt
One solution that pops into my mind is the so far only sane way to run Windows solutions... a.k.a. a non-admin user with UAC enabled.
I believe in order to be rooted the infector would require Admin rights... ergo if you plug in a USB drive and it asks for ADMIN rights, then voila.
trparky
2010-Jul-15 1:12 pm
said by tempnexus:
One solution that pops into my mind is the so far only sane way to run Windows solutions... a.k.a. a non-admin user with UAC enabled.

This has been something that has been preached for quite some time, but nobody has listened. Personally, my user is an Administrator on Windows 7 but UAC is still enabled, so in reality my user isn't really an Administrator until I respond to that UAC prompt.
tempnexus
I run it as standard and luckily 85% of the time I can run Windows and all the software I have without the Admin prompt.
I am not taking any chances of accidentally pressing OK... if I need to press OK I will need to type in a password... this adds the precious few seconds for my brain to catch up to my hands and say: "Ok, hmm, why does AngelinaJolieNaked.jpg need admin rights?"
therube
to garofede624
Would think you should be able to open a .LNK file with a text editor without incident. It is, after all, only a file (though not textual).
The problem appears to be how that "file" is interpreted, by the OS or otherwise (like Windows Explorer).
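As an added example (not code from any poster, nor from VirusBlokAda or Microsoft), the following Python script does what swhx7's "use dir on a command line" and therube's "it is only a file" suggest: it reads .lnk files as raw bytes, walks the public MS-SHLLINK layout (76-byte header, optional IDList and LinkInfo, then the counted string fields) and reports the relative target, arguments and icon location, so you can see where the shell's icon handler would look without opening the folder in a file manager that renders icons. The build_lnk helper only constructs a hypothetical sample shortcut for demonstration; the parser refuses any file whose length fields run past the end of the data rather than guessing.

```python
"""Read Windows Shell Link (.lnk) files as raw bytes, following the public
MS-SHLLINK layout: 76-byte ShellLinkHeader, optional LinkTargetIDList, optional
LinkInfo, then counted StringData fields in fixed order (name, relative path,
working dir, arguments, icon location). No shell icon handler is invoked."""
import os
import struct
import sys

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields in on-disk order: uint16 character count, then the characters
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def build_lnk(relative_path, icon_location=None, icon_index=0, arguments=None):
    """Construct a minimal Unicode .lnk (no IDList, no LinkInfo). This is
    hypothetical sample input for the parser, not a file from any real sample."""
    fields = {"relative_path": relative_path, "arguments": arguments,
              "icon_location": icon_location}
    flags = IS_UNICODE
    for flag, key in STRING_FIELDS:
        if fields.get(key) is not None:
            flags |= flag
    # HeaderSize, CLSID, LinkFlags, FileAttributes (ARCHIVE), 3 FILETIMEs,
    # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, 3 reserved fields
    out = bytearray(struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LINK_CLSID,
                                flags, 0x20, 0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0))
    for flag, key in STRING_FIELDS:
        if flags & flag:
            out += struct.pack("<H", len(fields[key])) + fields[key].encode("utf-16-le")
    out += struct.pack("<I", 0)  # TerminalBlock closes the ExtraData section
    return bytes(out)


def parse_lnk(data):
    """Return header fields and StringData of a .lnk; raise ValueError on a bad
    magic or on any length field that runs past the end of the data."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    flags, attributes = struct.unpack_from("<II", data, 20)
    icon_index, show_command = struct.unpack_from("<iI", data, 56)
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:  # IDListSize (uint16) followed by that many bytes
        if pos + 2 > len(data):
            raise ValueError("truncated LinkTargetIDList")
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (uint32) counts itself
        if pos + 4 > len(data):
            raise ValueError("truncated LinkInfo")
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 4:
            raise ValueError("bad LinkInfoSize")
        pos += size
    if pos > len(data):
        raise ValueError("IDList/LinkInfo size runs past end of data")
    is_unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "attributes": attributes,
            "icon_index": icon_index, "show_command": show_command}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated {key} count")
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = count * 2 if is_unicode else count
        chunk = data[pos:pos + nbytes]
        if len(chunk) != nbytes:  # hostile or damaged count: refuse, do not guess
            raise ValueError(f"{key} count {count} runs past end of data")
        info[key] = chunk.decode("utf-16-le" if is_unicode else "cp1252", "replace")
        pos += nbytes
    info["extra_data_offset"] = pos
    return info


def describe(data):
    """One line: where the link points and where the shell would fetch its icon."""
    info = parse_lnk(data)
    target = info.get("relative_path", "<target only in IDList/LinkInfo>")
    icon = info.get("icon_location", "<none: icon comes from the target>")
    return (f"target={target!r} args={info.get('arguments', '')!r} "
            f"icon={icon!r}[{info['icon_index']}]")


if __name__ == "__main__":  # usage: python lnkinfo.py <directory>
    if len(sys.argv) < 2:  # no directory given: show the parser on the constructed sample
        print(describe(build_lnk("..\\tools\\putty.exe",
                                 "%SystemRoot%\\system32\\shell32.dll", 3)))
        sys.exit(0)
    for entry in os.scandir(sys.argv[1]):  # bytes only; no icon handler is involved
        if entry.is_file() and entry.name.lower().endswith(".lnk"):
            with open(entry.path, "rb") as fh:
                data = fh.read()
            try:
                print(f"{entry.name}: {describe(data)}")
            except ValueError as exc:
                print(f"{entry.name}: MALFORMED: {exc}")
```

Saved as, say, lnkinfo.py, `python lnkinfo.py E:\` lists every .lnk on a removable drive without rendering its icons; with no argument it parses the constructed sample. A MALFORMED line only means the parser declined to trust the file's length fields; it is not, by itself, a verdict that the file is malicious.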
OZO
to Stem Bolt
1. Until someone explains the magic of the "unusual way of processing .lnk files on USB drive" in detail, I think it's total BS. There is no such thing (neither giving control to a .lnk file nor a "special way" with regards to USB).
2. Do they silently presume that the two drivers (mrxnet.sys and mrxcls.sys) are somehow installed prior to observing the "unusual way of processing" and they are actually providing that "way"? Or to get them, should the user click on a "ClickMe" icon (.lnk file) on the USB drive first?
3. The best way to hype it even more (and divert from the substance) is to use the "spying" aspect... Yeah, let's talk about evil China or Russia intentions and I'll start to believe everything.
Until then I know that shortcuts are not auto-executed and icons are not executed either. Meaning there is no way that something will be executed in the background when I insert a USB drive without my consent.
trparky
2010-Jul-15 3:13 pm
Probably a remote-code execution flaw in the system that handles LNK files.
therube
to OZO
[Screenshots: Link Properties Dialog; Link; Link w/Fancy icons; Link w/Simple icons]
Not that I know how this may or may not affect things, but...
shell32.dll may perform all kinds of processing on .LNKs:
offline files/client side caching, drop handler, icon handler, shell link (ansi/unicode), infotips, thumbnails... (from Nirsoft: ShellExView - Shell Extensions Manager)
Different utilities (Explorer vs. say Servant Salamander) may have different modes in which they display/process entries. Salamander may display "simple icons" in its directory listing, or not. The "or not" I assume then reverts to Explorer's method to traverse the link to its "Target:" and obtain its icon from there (or from IconCache.db)?
mysec
to Stem Bolt
Does this "vulnerability" exist only in Windows 7? In WinXP and Win2K I cannot get .lnk files to run automatically when viewing a USB drive in Windows Explorer. However, as an exploit, the payload is easily blocked. I put a non-whitelisted executable, firehole.exe, and its shortcut on a USB drive and clicked on the shortcut:
---- rich
amungus
to Stem Bolt
If Windows Explorer "sees" a file, it tries to gather info on it, produce an image associated with the file, and enumerate its properties, regardless of extension.
If one were to run regmon while simply opening a folder, you'd see quite a bit of "action" in the background.
It could even be part of how thumbnails are processed that causes this, who knows.
That they use what should be a legit cert is strange. I guess that's proof that such a scheme is mostly irrelevant.
Surely this is more to do with how Explorer handles files than anything else. Makes me wonder if it has anything to do with some kind of ActiveX (or similar) integration.
It's a good possibility that the cert could be any one, just used to push code to locations to be executable, or possibly an overflow in how it handles "signed" .lnk files?
The Snowman
to Stem Bolt
Nope, the sky is not falling... so what's all the fuss about? Most AVs scan files before execution, and if the AV has the sig for this exploit it will block it. Now just how long will it take for all the popular AVs to have that sig? Also, what about those "other" programs so many people use? Is anyone saying that this exploit is invisible and won't be seen and detected by those "other" programs? And what about those virtual programs? Is this exploit just going to slice through them like they don't exist?
Every time a new exploit comes out, people should not hide in the shadows. Either a computer is as secure as it can be, or it isn't.
joako
to trparky
said by trparky:
said by tempnexus:
One solution that pops into my mind is the so far only sane way to run Windows solutions... a.k.a. a non-admin user with UAC enabled.
This has been something that has been preached for quite some time, but nobody has listened. Personally, my user is an Administrator on Windows 7 but UAC is still enabled, so in reality my user isn't really an Administrator until I respond to that UAC prompt.

It's impossible to be a real administrator in Windows 7.
Stem Bolt
to The Snowman
said by The Snowman:
Nope, the sky is not falling... so what's all the fuss about? Most AVs scan files before execution, and if the AV has the sig for this exploit it will block it. Now just how long will it take for all the popular AVs to have that sig?

The whole point of disabling autorun was to prevent new, undetected malware from running, in case your anti-virus software didn't have a signature for the malware yet. Disabling autorun protected users from unknown, 0-day malware threats. That's what the fuss is about.

quote:
Also, what about those "other" programs so many people use? Is anyone saying that this exploit is invisible and won't be seen and detected by those "other" programs?

What "other" programs are you talking about?

quote:
And what about those virtual programs? Is this exploit just going to slice through them like they don't exist?

The number of users who are knowledgeable enough to use virtual machines and sandboxes (or even know they exist) is very small compared to the average number of computer users in the world. The majority of people use an AV or AV suite as their sole means of protection (excluding router/firewall, Windows firewall). The people who read this forum and other security sites may be more knowledgeable than the average computer user, so they may know how to better protect themselves using other security software.

quote:
Every time a new exploit comes out, people should not hide in the shadows. Either a computer is as secure as it can be, or it isn't.

You can make a computer as secure as possible, but you can't predict future unknown vulnerabilities in OSes, etc., or new advanced techniques that malware may use to circumvent current security software.
Khaine
to garofede624
It's pretty interesting, although not unexpected, that malware is being used to spy on companies, governments and individuals. Malware writers are simply moving to where the money is to be made.
trparky
to joako
said by joako:
It's impossible to be a real administrator in Windows 7.

Oh, it's possible, but it's completely stupid to do so. You turn UAC completely off, reboot, and then log in as an Administrator account. Tada! Now you too can enjoy having your machine pwn3d like the rest of the people running Windows XP.
OZO
2010-Jul-16 1:58 pm
said by trparky:
Now you too can enjoy having your machine pwn3d like the rest of the people running Windows XP.

Exactly the same way as the rest of the people running any other Windows OS... The problem is with 'people' allowing all those viruses to run.
tempnexus
Well, in all honesty Win7 x64 has an extra few security steps that are beyond WinXP.
To get a drive-by download in IE8 on Win7 x64 takes skill over getting one on WinXP.
swhx7
to Stem Bolt
Microsoft put out a bulletin about this vulnerability, and it identifies a Registry change to "Disable the displaying of icons for shortcuts" as a workaround until there is a patch:
» www.microsoft.com/techne ··· 198.mspx
It doesn't really disable icons; in fact it replaces them with a generic icon. But apparently it disables the handler that goes looking for an icon for the shortcut, and thereby prevents the exploit.
OZO
2010-Jul-17 5:53 pm
Thank you, swhx7. Reading that should push one to think about what's going on...

said by 2286198:
What causes this threat? When attempting to load the icon of a shortcut, the Windows Shell does not correctly validate specific parameters of the shortcut. ... An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user.

It means that eventually an attacker could take complete control of your system... In other words, they execute an icon!!! Who would think about it even for a sec... And what parameters? Icon size? Number of colors? What else?

That's the beauty of proprietary (closed source) code in its full extent. You never know where the next trap is. It could be viewing an icon, or reading a .TXT file, or simply inserting new media... Everything could be dangerous. What a bunch of idiots who do this to us.

Or, perhaps, not? The other alternative is that they do it thinking about their prospective bottom line. How? Here is a simple strategy. They think they want customers to discard their old OS in a while. And to help that they say: we'll stop supporting this product in ... years. And BTW, the old version may "accidentally" execute ... (insert anything here). That's the way to do it? I mean, make money on selling new OSes? Is this the strategy for a big corporation to increase its profits? If it is, you can do nothing about it, or eventually move to an open source OS... Or maybe I'm wrong here and they actually are just a bunch of idiots who don't know the basics of security and any difference between executing a program and an icon?
Mele20
to Stem Bolt
Well, well. Finally a POC that ProcessGuard fails. It fails both tests. But many other HIPS fail at least one, if not both, tests, so I don't feel too bad. Even Online Armor and Malware Defender fail the first test. Hmm... will I change my mind and install SP3 so I can get the patch for this next month? I doubt it, but I'll think about it.
Ozo, you hit the nail on the head with your comments about Microsoft.
You can get the POC and instructions, plus a list of HIPS that have been tested and the results:
» ssj100.fullsubject.com/s ··· htm#1302
Mele20
2010-Jul-20 4:13 am
I configured ProcessGuard to ask about rundll32.exe so I can now block the second POC test. On Vista, with Online Armor ++, I configured it the same way and OA continues to fail both tests. It should pass the second test since I configured it to ask about rundll32.exe. I don't know if I am doing something wrong with OA or what.
Stem Bolt
said by Mele20:
On Vista, with Online Armor ++, I configured it the same way and OA continues to fail both tests. It should pass the second test since I configured it to ask about rundll32.exe. I don't know if I am doing something wrong with OA or what.

Do you have OA configured to use its own whitelist? If you do, try disabling that. Other than that I have no other suggestions. Perhaps you may get more help over at Wilders.

Edit: » www.wilderssecurity.com/ ··· t=277316
I don't know if it's related or not.
Mele20
2010-Jul-20 8:56 am
No, I don't use a whitelist. I rebooted Vista (virtual machine) thinking maybe OA needed that. Before I rebooted, I took the opportunity to finally install the latest Avast version, as I knew it would insist on rebooting the computer. When it rebooted, I got 7 popups (in a gigantic size) from ProcessGuard on the host machine about rundll32.exe. I figured this would happen because I can't put just a particular rundll32.exe on "ask"... all rundll32.exe are now on ask and these were all legit Microsoft processes. So, I finally got Vista rebooted and then OA gave me 12 popups regarding Avast processes that were new (I didn't put OA in installation mode before upgrading Avast). So, OA is working fine, it would appear.
But when I opened explorer.exe with the debugview window open (intending to click on the suckme file)... it ran the first test just by my opening Explorer. I then double clicked on the suckme file and again OA did not pop up. OA though popped up three more alerts about Avast and was really upset because it said Avast wanted to access drive 0 and that was highly unusual... well duh... of course Avast wanted to do that! Anyhow, I can't see why OA is not alerting on rundll32.exe like I set it to do.
I can't leave ProcessGuard with this on ask as it will drive me nuts and could conceivably, at some point, cause a f**kup with Windows if rundll32.exe needs to run and PG, for some reason, doesn't pop the alert on my screen. I just wanted to see if my HIPS programs would alert, and PG does but OA doesn't.
to Mele20
Since you are obviously concerned about PC security, I am surprised that you wish to continue to use the (unsupported) SP2 version of Windows XP. Even fully-patched versions of Windows can be vulnerable to various exploits; running a version that won't receive any further patches seems more than slightly risky.
Upgrading to SP3 may be inconvenient for one reason or another, but it is best to bite the bullet and get this done. This service pack has been out long enough that pretty much all of the problems have been identified and fixed, so you need not be concerned that it will crash your PC.