| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <AANLkTiloosF4KNxJhRIQDJuOa9ADauEhLaefeSwYArOF@mail.gmail.com>
Date: Sun, 23 May 2010 23:57:42 +0530
From: webDEViL <w3bd3vil@...il.com>
To: stuart@...erdelix.net
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: denial-of-service vulnerability in the
Microsoft Malicious Software Removal Tool
All said and done, that doesn't make it a vulnerability.
On Sun, May 23, 2010 at 11:47 PM, lsi <stuart@...erdelix.net> wrote:
> On 23 May 2010 at 16:34, Thor (Hammer of God) wrote:
>
> From: "Thor (Hammer of God)" <Thor@...merofgod.com>
> To: "full-disclosure@...ts.grok.org.uk" <full-
> disclosure@...ts.grok.org.uk>
> Date sent: Sun, 23 May 2010 16:34:24 +0000
> Subject: Re: [Full-disclosure] denial-of-service
> vulnerability in the
> Microsoft Malicious Software Removal Tool
>
> > And where's the part where the system was rendered unbootable?
>
> The unbootable part comes when you replace NDIS.SYS. Unless you know
> to replace the registry keys first, which is certainly not obvious
> from the MRT log.
>
> > And how did your users get infected with Cutwail? Let me guess...
> > they are all still running XP and you've got them running as local
> > administrators right? And they get to download codecs "willy nilly"
> > and are probably using Bittorrent to get illegal copies of software
> > pre-infected with cutwail, right?
>
> How do I know how they got infected? These are all third-party
> companies (my customers), sometimes when they have cash problems,
> they don't call me, they try and do it themselves, or do nothing. I
> might not see them for months. They don't want to upgrade - they
> heard about Vista (LOL) and they don't have, or don't want to spend
> the money.
>
> This is reality, not some managed datacentre in Redmond.
>
> > local administrators
>
> Their apps needed it last I checked. I didn't set up their machines.
> They have not asked me to look at that. I have enough trouble
> getting work OK'd without putting my neck on the line suggesting a
> configuration change which I cannot guarantee will not cause
> instability, particularly with their legacy and unsupported software,
> of which there is plenty.
>
> Again, this is reality, not some managed datacentre in Redmond.
>
> > Bittorrent
>
> No, like this:
>
> "Stuart, need your help. My computer has a virus. Yesterday night I
> opened an email that I was expecting from a Bernice. It turned out
> that it was the wrong Bernice and it was a virus. It loaded Security
> Essentials 2010 which is a scarevirus to make the user believe that
> there are virus a pay for their software which does nothing anyway.
> It has loaded a virus in the registry file. There is a lot about it
> on the net. I then found a PC tools download to remove. However when
> I turned mycomputer off it does not now allow me to log on. I have
> turned it off. I am without a PC now. Can you come tomorrow to
> resolve it for me? Many thanks. Please let me know ad I need it
> urgently."
>
> > Regardless, let's see if we have your advisory correct. In order to
> > be a victim of this "Denial of Service Vulnerability" we must first
> > get infected with something like Cutwail
>
> true
>
> > that runs with user interaction
>
> false. Cutwail has no known infection vectors. However, Cutwail is
> just an example.
>
> > interaction and also requires administrator privileges (you can see
> > that NDIS.SYS was altered).
>
> When I am logged in as Admin and try to replace NDIS.SYS, Windows
> File Protection replaces it. Why did WFP fail to protect the file
> against Cutwail in the first place, and how can a virus replace
> NDIS.SYS using Administrative privs, if I cannot do it myself when
> Administrator?
>
> > Of course, your AV must be at least 2 years old too.
>
> false, it was up-to-date, although I am questioning its effectiveness
>
> > Then, once we get infected with malware, we run MRT,
> > and see in the logs that it was successfully removed and requires a
> > reboot.
>
> Actually, AV found the virus in NDIS.SYS but could not remove it. So
> I ran MRT because I thought that a Microsoft product would know this
> is a Windows file that cannot simply be deleted. MRT says it's done
> and needs reboot, so I reboot... and the system is toast.
>
> To clarify, in this particular case, the first reboot, you can login
> in normal mode, but cannot use any network adapters (code 39 - driver
> corrupted or missing). Reinstalling the drivers doesn't help. So
> then you think, oh that's because NDIS was trashed by MRT, so I'll
> just replace NDIS.SYS....
>
> And thats when you get the BSOD on boot to normal mode. So then you
> need to figure out that the cause of that BSOD is a missing registry
> key, then you need to figure out which keys (there are three, for
> each controlset), then you need to get the correct keys from a clean
> machine, then you need to figure out how to replace the keys (some of
> them cannot be imported with mere Administrative permissions).
>
> However, just last week I also fixed a problem with the userinit
> registry key, also mysteriously deleted - why would a virus trash its
> host? Answer: it doesn't, I think it was MRT that trashed it. A
> missing userinit key means instant logoff on logon, even in safe mode
> as Administrator. I might be able to dig up the MRT log for that
> machine (would be interesting to see whether it was in fact MRT that
> did it). Want to place bets now?
>
> >From a quick look at the web, MRT has also in the past deleted
> Internet Explorer (iexplore.exe). Oh, the poetry....
>
> The point of my mail was that anyone can innocently run MRT and it
> may trash their box. This is due to one or more design flaws in the
> MRT, and in Windows itself. Are you saying I should just sit on this
> info? If someone had told me MRT was going to trash my customer's
> machine, I would not have wasted most of last week fixing it.
>
> Stu
>
> > >-----Original Message-----
> > >From: full-disclosure-bounces@...ts.grok.org.uk [mailto:
> full-disclosure-
> > >bounces@...ts.grok.org.uk] On Behalf Of lsi
> > >Sent: Sunday, May 23, 2010 9:16 AM
> > >To: full-disclosure@...ts.grok.org.uk
> > >Subject: [Full-disclosure] denial-of-service vulnerability in the
> Microsoft
> > >Malicious Software Removal Tool
> > >
> > >denial-of-service vulnerability in the Microsoft Malicious Software
> Removal
> > >Tool
> > >
> > >platforms affected: Windows
> > >distribution: wide
> > >severity: high
> > >
> > >Description of the vulnerability:
> > >
> > >The Microsoft Malicious Software Removal Tool (MRT) is a program used to
> > >remove malware from infected Windows systems. However, MRT does not
> > >always correctly repair the system. In at least one case, the changes
> made by
> > >MRT can render the system unbootable (log below).
> > >Repair can be time-consuming and expensive, particularly as the error
> > >messages and log files of the software concerned are cryptic and
> > >uninformative, or non-existent.
> > >
> > >As MRT runs automatically in the background once a month, these changes
> to
> > >the system may be made without the knowledge of an Administrator (or
> even
> > >the user).
> > >
> > >Suspected cause:
> > >
> > >Missing logic in MRT to repair the system, rather than just deleting
> stuff willy-
> > >nilly.
> > >
> > >Recommendations:
> > >
> > >1. Do not run MRT manually.
> > >
> > >2. Disable MRT if possible, especially on mission-critical machines.
> > >
> > >3. Do not use Windows.
> > >
> > >Details of notification to vendor:
> > >
> > >None.
> > >
> > >Sample of the fault:
> > >
> > >Microsoft Windows Malicious Software Removal Tool v3.7, May 2010 Started
> > >On Tue May 18 21:24:47 2010
> > >
> > >Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
> > >----------------
> > >Threat detected: VirTool:WinNT/Cutwail.L
> > > driver://NDIS
> > > file://C:\WINDOWS\system32\drivers\NDIS.sys
> > > SigSeq: 0x00008A78910FD971
> > > SHA1: DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A
> > >
> > >regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
> > >ORK\NDIS
> > >
> > >safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET
> > >WORK\NDIS
> > > service://NDIS
> > >
> > >Quick Scan Removal Results
> > >----------------
> > >Start 'remove' for
> > >regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
> > >ORK\NDIS
> > >Operation succeeded !
> > >
> > >Start 'remove' for service://NDIS
> > >Operation was scheduled to be completed after next reboot.
> > >
> > >Start 'remove' for
> > >safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET
> > >WORK\NDIS
> > >Operation succeeded !
> > >
> > >Start 'remove' for driver://NDIS
> > >Operation was scheduled to be completed after next reboot.
> > >
> > >Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
> > >Operation succeeded !
> > >
> > >
> > >Results Summary:
> > >----------------
> > >For cleaning VirTool:WinNT/Cutwail.L, the system needs to be restarted.
> > >Microsoft Windows Malicious Software Removal Tool Finished On Tue May
> > >18 21:31:29 2010
> > >
> > >
> > >Return code: 10 (0xa)
>
>
>
> ---
> Stuart Udall
> stuart at@...erdelix.dot net - http://www.cyberdelix.net/
>
> ---
> * Origin: lsi: revolution through evolution (192:168/0.2)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists