| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 23 May 2010 17:16:29 +0100
From: "lsi" <stuart@...erdelix.net>
To: full-disclosure@...ts.grok.org.uk
Subject: denial-of-service vulnerability in the Microsoft
Malicious Software Removal Tool
denial-of-service vulnerability in the Microsoft Malicious Software
Removal Tool
platforms affected: Windows
distribution: wide
severity: high
Description of the vulnerability:
The Microsoft Malicious Software Removal Tool (MRT) is a program used
to remove malware from infected Windows systems. However, MRT does
not always correctly repair the system. In at least one case, the
changes made by MRT can render the system unbootable (log below).
Repair can be time-consuming and expensive, particularly as the error
messages and log files of the software concerned are cryptic and
uninformative, or non-existent.
As MRT runs automatically in the background once a month, these
changes to the system may be made without the knowledge of an
Administrator (or even the user).
Suspected cause:
Missing logic in MRT to repair the system, rather than just deleting
stuff willy-nilly.
Recommendations:
1. Do not run MRT manually.
2. Disable MRT if possible, especially on mission-critical machines.
3. Do not use Windows.
Details of notification to vendor:
None.
Sample of the fault:
Microsoft Windows Malicious Software Removal Tool v3.7, May 2010
Started On Tue May 18 21:24:47 2010
Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
----------------
Threat detected: VirTool:WinNT/Cutwail.L
driver://NDIS
file://C:\WINDOWS\system32\drivers\NDIS.sys
SigSeq: 0x00008A78910FD971
SHA1: DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A
regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
service://NDIS
Quick Scan Removal Results
----------------
Start 'remove' for
regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !
Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.
Start 'remove' for
safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !
Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.
Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !
Results Summary:
----------------
For cleaning VirTool:WinNT/Cutwail.L, the system needs to be
restarted.
Microsoft Windows Malicious Software Removal Tool Finished On Tue May
18 21:31:29 2010
Return code: 10 (0xa)
---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/
---
* Origin: lsi: revolution through evolution (192:168/0.2)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists