
zero-day -- Windows vulnerability


29 replies to this topic

#1 buddy215 (Moderator)

Posted 17 July 2010 - 06:33 AM

http://www.techweb.com/article/showArticle...mp;section=news

...Security experts are warning of never-before-seen malware, dubbed Stuxnet, that spreads via USB drives, infecting PCs via an unknown -- aka zero-day -- Windows vulnerability. Unfortunately, the attack works even with AutoRun and AutoPlay disabled, and affects at least Windows 7 Enterprise Edition x86 operating systems...

...Interestingly, the DLL is disguised as a device driver, which is what allows it to auto-load, thanks to the malware having a valid digital signature from Realtek Semiconductor, a legitimate company. Security researchers are anxious to learn how attackers got their hands on the digital signature, since such signatures are critical for differentiating good software from bad.

As that suggests, "digitally signed malware is a nightmare for antivirus developers," said Aleks Gostev, a security expert at antivirus vendor Kaspersky Lab, in a blog post.

Patching the vulnerability or vulnerabilities exploited by Stuxnet will likely require an operating system fix from Microsoft, rather than simply recalling Realtek's digital signature. "Recalling a certificate from a company like this simply isn't feasible -- it would cause an enormous amount of the software which they've released to become unusable," said Gostev. ...

EDIT:
http://blogs.technet.com/b/mmpc/archive/20...xnet-sting.aspx
Stuxnet uses the aforementioned .lnk technique to install additional malware components. It first injects a backdoor (Worm:Win32/Stuxnet.A) onto the compromised system, and then drops two drivers:

* Trojan:WinNT/Stuxnet.A - hides the presence of the .lnk files
* Trojan:WinNT/Stuxnet.B - injects (formerly) encrypted data blobs (.tmp files) into memory, each of which appear to serve different purposes as the Stuxnet deployment system infrastructure (drivers, .lnk files, propagation, etc.).

These drivers are signed with a digital certificate belonging to a well-known hardware manufacturer called Realtek Semiconductor Corp., which is unusual because it would imply that the malware authors somehow had access to Realtek’s private key. Microsoft MMPC has been working with Verisign to revoke this certificate, and did so at 08:05:42 PM UTC with the agreement and support of Realtek.

Edited by buddy215, 17 July 2010 - 07:11 AM.


#2 Judicandus (Malware Response Team)

Posted 17 July 2010 - 06:38 AM

Complementing the news:

http://www.wilderssecurity.com/showthread.php?t=276994
http://www.wilderssecurity.com/attachment....mp;d=1279012965
http://krebsonsecurity.com/2010/07/experts...-shortcut-flaw/
http://anti-virus.by/en/tempo.shtml
http://www.threatexpert.com/report.aspx?md...8d06c03f92d0c13
http://www.virustotal.com/ru/analisis/1635...555c-1278661251
http://www.virustotal.com/ru/analisis/0d8c...9198-1278584497

#3 Romeo29

Posted 18 July 2010 - 07:22 PM

Wow, now malware comes digitally signed. I always trusted digitally signed executables before.

EDIT:

Microsoft has released a workaround: http://www.microsoft.com/technet/security/...ry/2286198.mspx


Edited by Romeo29, 18 July 2010 - 07:52 PM.


#4 B-boy/StyLe/ (Malware Response Team)

Posted 19 July 2010 - 04:46 PM

Check this out too (related to the Windows shell vulnerability): :thumbsup:

http://ssj100.fullsubject.com/security-f7/...n-t187.htm#1302


Regards,
G.



#5 Andrew (Moderator)

Posted 19 July 2010 - 06:02 PM

Quick and dirty batch script to implement the workarounds:

@echo off

REM Crude privilege check: bail out unless the current user appears in the local
REM Administrators group. Note this tests group membership only; on Vista/7 with
REM UAC the script must still be launched from an elevated prompt.
for /f "Tokens=*" %%a in ('net localgroup administrators^|find /i "%username%"') DO GOTO isAdmin
echo Is NOT Admin!
Pause
Exit
:isAdmin
if /i "%1"=="restore" GOTO RESTORE
echo This script will apply the necessary workarounds to protect against the Windows Shortcut Vulnerability (CVE-2010-2568)
echo Disabling Icon Handler...
REM Removing the default value stops the shell from loading icon handlers for .lnk and .pif shortcuts
reg delete HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler /ve /f
reg delete HKEY_CLASSES_ROOT\piffile\shellex\IconHandler /ve /f
echo Done.
echo Disabling WebClient Service...
REM Stopping and disabling the WebDAV client closes the remote (network share) delivery path for malicious shortcuts
net stop webclient
sc config webclient start= disabled
echo Done.
echo Re-run this script with the 'restore' argument to undo these changes
GOTO askReboot
:RESTORE
echo Restoring Icon Handler
reg add HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler /ve /d {00021401-0000-0000-C000-000000000046} /f
reg add HKEY_CLASSES_ROOT\piffile\shellex\IconHandler /ve /d {00021401-0000-0000-C000-000000000046} /f
echo Done.
echo Do you wish to enable the Web Client Service(Y/N)?
set /p enableWC=
REM Quote both sides of the comparison so an empty answer does not cause a syntax error
if /i "%enableWC%"=="N" GOTO askReboot
if /i "%enableWC%"=="NO" GOTO askReboot
echo Re-enabling the WebClient Service
sc config webclient start= auto
net start webclient
echo Done
:askReboot
echo Windows needs to be rebooted in order for the changes to take effect. Reboot Now(Y/N)?
set /p reBoot=
if /i "%reBoot%"=="Y" GOTO rebooter
if /i "%reBoot%"=="YES" GOTO rebooter
echo Not Rebooting
exit
:rebooter
shutdown -r -t 60 -c "Rebooting to apply changes"
exit

Pass the "restore" argument to undo the changes.

Edited by Andrew, 22 July 2010 - 12:04 PM.
Updated with suggestions from n2fc and Romeo


#6 buddy215 (Topic Starter, Moderator)

Posted 20 July 2010 - 10:32 AM

http://blog.eset.com/2010/07/19/win32stuxnet-signed-binaries
On July 17th, ESET identified a new malicious file related to the Win32/Stuxnet worm. This new driver is a significant discovery because the file was signed with a certificate from a company called "JMicron Technology Corp". This is different from the previous drivers which were signed with the certificate from Realtek Semiconductor Corp. It is interesting to note that both companies whose code signing certificates were used have offices in Hsinchu Science Park, Taiwan.

The malicious file, named jmidebs.sys, has functions very similar to those originally noted in the system drivers used by Win32/Stuxnet.

I'm using a different "work around"---Ubuntu

#7 teamo

Posted 21 July 2010 - 12:21 AM

lol, I was infected with this. Everything on my USB turned into shortcuts and I was not able to use anything on that USB. Had to format it and lose all data :thumbsup:

#8 Romeo29

Posted 21 July 2010 - 06:12 AM

> lol, I was infected with this. Everything on my USB turned into shortcuts and I was not able to use anything on that USB. Had to format it and lose all data :thumbsup:

There is nothing LOL about it. It installs rootkits on your computer. If you do not already know, rootkits are the hardest to remove and sometimes the only solution left is to format the hard disk.

I suggest you report in the Am I Infected section.

#9 n2fc

Posted 21 July 2010 - 11:03 PM

> Quick and dirty batch script to implement the workarounds:
>
> Pass the "restore" argument to undo the changes.


two minor nits...
1) Need to run as admin for permissions...
2) In addition to lnkfile entry in registry, should also change and restore piffile entry as well

#10 Andrew (Moderator)

Posted 22 July 2010 - 12:33 AM

> > Quick and dirty batch script to implement the workarounds:
> >
> > Pass the "restore" argument to undo the changes.
>
> two minor nits...
> 1) Need to run as admin for permissions...
> 2) In addition to lnkfile entry in registry, should also change and restore piffile entry as well

Fixed

#11 Romeo29

Posted 22 July 2010 - 09:33 AM

Andrew, you can reload the registry quickly by quitting explorer.exe and then restarting it.
Do this before you start editing the registry: taskkill /f /im explorer.exe
After you are done editing the registry do this: explorer.exe

Without reloading the registry it is no use editing it. Or you may have to restart the computer.

#12 Andrew (Moderator)

Posted 22 July 2010 - 11:38 AM

Yes, restarting Windows or restarting explorer.exe is required. I said it was quick and dirty! :thumbsup:

#13 Romeo29

Posted 22 July 2010 - 12:38 PM

> Yes, restarting Windows or restarting explorer.exe is required. I said it was quick and dirty! :thumbsup:

Restarting is not quick. If you kill explorer and then restart it, it takes 1 second. That's why I posted my last post. The following works without restarting:

Script to apply workaround:
@echo off
REM Stop the shell so it re-reads the registry when restarted below
taskkill /f /im explorer.exe
REM Blank default value = no icon handler is loaded for .lnk and .pif shortcuts
REG ADD HKCR\lnkfile\shellex\IconHandler /ve /t REG_SZ /d "" /f
REG ADD HKCR\piffile\shellex\IconHandler /ve /t REG_SZ /d "" /f
REM Disable the WebDAV client and stop it if it is running
SC config WebClient start= disabled
SC stop WebClient
explorer.exe

Script to undo the workaround:
@echo off
taskkill /f /im explorer.exe
REM Restore the standard shell icon handler CLSID
REG ADD HKCR\lnkfile\shellex\IconHandler /ve /t REG_SZ /d "{00021401-0000-0000-C000-000000000046}" /f
REG ADD HKCR\piffile\shellex\IconHandler /ve /t REG_SZ /d "{00021401-0000-0000-C000-000000000046}" /f
SC config WebClient start= auto
SC start WebClient
explorer.exe

Edited by Romeo29, 22 July 2010 - 12:42 PM.
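A companion check for the apply scripts in this thread (Andrew's in #5 and Romeo29's above), added here as an example and not taken from the thread: it reports whether the icon-handler and WebClient workarounds are actually in effect and exits non-zero if not, so it can be run after the apply script (and after the explorer.exe restart or reboot) to confirm the change took. It assumes reg.exe and sc.exe are present (XP and later); the [OK]/[EXPOSED] labels are our own.

```batch
@echo off
REM Added audit example (not from the thread): read-only check of the two
REM CVE-2010-2568 workarounds. Assumes reg.exe and sc.exe; changes nothing.
setlocal
set "EXPOSED=0"

REM 1. Shortcut icon handler for .lnk and .pif: blank or deleted is good.
REM    Any "{" in the default value means a CLSID is still registered, so the
REM    shell still loads an icon handler for every shortcut it displays.
for %%K in (lnkfile piffile) do (
    reg query HKCR\%%K\shellex\IconHandler /ve 2>nul | find "{" >nul
    if errorlevel 1 (
        echo [OK]      %%K IconHandler is blank or removed
    ) else (
        echo [EXPOSED] %%K IconHandler still points at a CLSID
        set "EXPOSED=1"
    )
)

REM 2. WebClient service: start type should be DISABLED and state STOPPED.
sc qc WebClient | find "START_TYPE" | find /i "DISABLED" >nul
if errorlevel 1 (
    echo [EXPOSED] WebClient start type is not DISABLED
    set "EXPOSED=1"
) else (
    echo [OK]      WebClient start type is DISABLED
)
sc query WebClient | find "STATE" | find /i "STOPPED" >nul
if errorlevel 1 (
    echo [EXPOSED] WebClient service is still running
    set "EXPOSED=1"
) else (
    echo [OK]      WebClient service is stopped
)

REM Non-zero exit code lets a logon script or management tool flag the machine
if "%EXPOSED%"=="1" (
    echo Result: workaround NOT fully applied - run the apply script, then restart explorer.exe or reboot
) else (
    echo Result: both workarounds are in effect
)
exit /b %EXPOSED%
```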


#14 Andrew (Moderator)

Posted 22 July 2010 - 03:06 PM

True, but (at least on my machines running XP) killing and starting explorer.exe breaks some of the minimize/maximize functionality of the taskbar, which is annoying.

#15 Romeo29

Posted 22 July 2010 - 11:25 PM

Andrew you are right, restarting Windows is the authentic Microsoft way :thumbsup:



