lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 23 May 2010 16:34:24 +0000
From: "Thor (Hammer of God)" <Thor@...merofgod.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: denial-of-service vulnerability in the
 Microsoft	Malicious Software Removal Tool

And where's the part where the system was rendered unbootable?

And how did your users get infected with Cutwail?  Let me guess... they are all still running XP and you've got them running as local administrators right?  And they get to download codecs "willy nilly" and are probably using Bittorrent to get illegal copies of software pre-infected with cutwail, right?  

Regardless, let's see if we have your advisory correct.  In order to be a victim of this "Denial of Service Vulnerability" we must first get infected with something like Cutwail that runs with user interaction and also requires administrator privileges (you can see that NDIS.SYS was altered).  Of course, your AV must be at least 2 years old too.  Then, once we get infected with malware, we run MRT, and see in the logs that it was successfully removed and requires a reboot.  

Very nice work indeed!!!  You're clients are fortunate to have you!

t

>-----Original Message-----
>From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-
>bounces@...ts.grok.org.uk] On Behalf Of lsi
>Sent: Sunday, May 23, 2010 9:16 AM
>To: full-disclosure@...ts.grok.org.uk
>Subject: [Full-disclosure] denial-of-service vulnerability in the Microsoft
>Malicious Software Removal Tool
>
>denial-of-service vulnerability in the Microsoft Malicious Software Removal
>Tool
>
>platforms affected: Windows
>distribution: wide
>severity: high
>
>Description of the vulnerability:
>
>The Microsoft Malicious Software Removal Tool (MRT) is a program used to
>remove malware from infected Windows systems.  However, MRT does not
>always correctly repair the system.  In at least one case, the changes made by
>MRT can render the system unbootable (log below).
>Repair can be time-consuming and expensive, particularly as the error
>messages and log files of the software concerned are cryptic and
>uninformative, or non-existent.
>
>As MRT runs automatically in the background once a month, these changes to
>the system may be made without the knowledge of an Administrator (or even
>the user).
>
>Suspected cause:
>
>Missing logic in MRT to repair the system, rather than just deleting stuff willy-
>nilly.
>
>Recommendations:
>
>1. Do not run MRT manually.
>
>2. Disable MRT if possible, especially on mission-critical machines.
>
>3. Do not use Windows.
>
>Details of notification to vendor:
>
>None.
>
>Sample of the fault:
>
>Microsoft Windows Malicious Software Removal Tool v3.7, May 2010 Started
>On Tue May 18 21:24:47 2010
>
>Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
>----------------
>Threat detected: VirTool:WinNT/Cutwail.L
>    driver://NDIS
>    file://C:\WINDOWS\system32\drivers\NDIS.sys
>        SigSeq: 0x00008A78910FD971
>        SHA1:   DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A
>
>regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
>ORK\NDIS
>
>safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET
>WORK\NDIS
>    service://NDIS
>
>Quick Scan Removal Results
>----------------
>Start 'remove' for
>regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
>ORK\NDIS
>Operation succeeded !
>
>Start 'remove' for service://NDIS
>Operation was scheduled to be completed after next reboot.
>
>Start 'remove' for
>safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET
>WORK\NDIS
>Operation succeeded !
>
>Start 'remove' for driver://NDIS
>Operation was scheduled to be completed after next reboot.
>
>Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
>Operation succeeded !
>
>
>Results Summary:
>----------------
>For cleaning VirTool:WinNT/Cutwail.L, the system needs to be restarted.
>Microsoft Windows Malicious Software Removal Tool Finished On Tue May
>18 21:31:29 2010
>
>
>Return code: 10 (0xa)
>
>
>---
>Stuart Udall
>stuart at@...erdelix.dot net - http://www.cyberdelix.net/
>
>---
> * Origin: lsi: revolution through evolution (192:168/0.2)
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists