Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool
From: "Thor (Hammer of God)" <Thor () hammerofgod com>
Date: Sun, 23 May 2010 16:34:24 +0000

And where's the part where the system was rendered unbootable?

And how did your users get infected with Cutwail?  Let me guess... they are all still running XP and you've got them 
running as local administrators right?  And they get to download codecs "willy nilly" and are probably using Bittorrent 
to get illegal copies of software pre-infected with cutwail, right?  

Regardless, let's see if we have your advisory correct.  In order to be a victim of this "Denial of Service 
Vulnerability" we must first get infected with something like Cutwail that runs with user interaction and also requires 
administrator privileges (you can see that NDIS.SYS was altered).  Of course, your AV must be at least 2 years old too. 
 Then, once we get infected with malware, we run MRT, and see in the logs that it was successfully removed and requires 
a reboot.  

Very nice work indeed!!!  You're clients are fortunate to have you!

t

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-
bounces () lists grok org uk] On Behalf Of lsi
Sent: Sunday, May 23, 2010 9:16 AM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] denial-of-service vulnerability in the Microsoft
Malicious Software Removal Tool

denial-of-service vulnerability in the Microsoft Malicious Software Removal
Tool

platforms affected: Windows
distribution: wide
severity: high

Description of the vulnerability:

The Microsoft Malicious Software Removal Tool (MRT) is a program used to
remove malware from infected Windows systems.  However, MRT does not
always correctly repair the system.  In at least one case, the changes made by
MRT can render the system unbootable (log below).
Repair can be time-consuming and expensive, particularly as the error
messages and log files of the software concerned are cryptic and
uninformative, or non-existent.

As MRT runs automatically in the background once a month, these changes to
the system may be made without the knowledge of an Administrator (or even
the user).

Suspected cause:

Missing logic in MRT to repair the system, rather than just deleting stuff willy-
nilly.

Recommendations:

1. Do not run MRT manually.

2. Disable MRT if possible, especially on mission-critical machines.

3. Do not use Windows.

Details of notification to vendor:

None.

Sample of the fault:

Microsoft Windows Malicious Software Removal Tool v3.7, May 2010 Started
On Tue May 18 21:24:47 2010

Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
----------------
Threat detected: VirTool:WinNT/Cutwail.L
   driver://NDIS
   file://C:\WINDOWS\system32\drivers\NDIS.sys
       SigSeq: 0x00008A78910FD971
       SHA1:   DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A

regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
ORK\NDIS

safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET
WORK\NDIS
   service://NDIS

Quick Scan Removal Results
----------------
Start 'remove' for
regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
ORK\NDIS
Operation succeeded !

Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for
safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET
WORK\NDIS
Operation succeeded !

Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !


Results Summary:
----------------
For cleaning VirTool:WinNT/Cutwail.L, the system needs to be restarted.
Microsoft Windows Malicious Software Removal Tool Finished On Tue May
18 21:31:29 2010


Return code: 10 (0xa)


---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

---
* Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]