Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool
From: "Thor (Hammer Of God)" <thor () hammerofgod com>
Date: Sun, 23 May 2010 12:03:36 -0700

Of course it doesn't.  It just shows how stupid some companies are.



On May 23, 2010, at 11:27 AM, webDEViL <w3bd3vil () gmail com> wrote:

All said and done, that doesn't make it a vulnerability.

On Sun, May 23, 2010 at 11:47 PM, lsi <stuart () cyberdelix net> wrote:
On 23 May 2010 at 16:34, Thor (Hammer of God) wrote:

From:                   "Thor (Hammer of God)" <Thor () hammerofgod com>
To:                     "full-disclosure () lists grok org uk" <full-
disclosure () lists grok org uk>
Date sent:              Sun, 23 May 2010 16:34:24 +0000
Subject:                Re: [Full-disclosure] denial-of-service
vulnerability in the
       Microsoft       Malicious Software Removal Tool

> And where's the part where the system was rendered unbootable?

The unbootable part comes when you replace NDIS.SYS.  Unless you know
to replace the registry keys first, which is certainly not obvious
from the MRT log.

> And how did your users get infected with Cutwail?  Let me guess...
> they are all still running XP and you've got them running as local
> administrators right?  And they get to download codecs "willy nilly"
> and are probably using Bittorrent to get illegal copies of software
> pre-infected with cutwail, right?

How do I know how they got infected?  These are all third-party
companies (my customers), sometimes when they have cash problems,
they don't call me, they try and do it themselves, or do nothing. I
might not see them for months. They don't want to upgrade - they
heard about Vista (LOL) and they don't have, or don't want to spend
the money.

This is reality, not some managed datacentre in Redmond.

> local administrators

Their apps needed it last I checked.  I didn't set up their machines.
They have not asked me to look at that.  I have enough trouble
getting work OK'd without putting my neck on the line suggesting a
configuration change which I cannot guarantee will not cause
instability, particularly with their legacy and unsupported software,
of which there is plenty.

Again, this is reality, not some managed datacentre in Redmond.

> Bittorrent

No, like this:

"Stuart, need your help. My computer has a virus. Yesterday night I
opened an email that I was expecting from a Bernice. It turned out
that it was the wrong Bernice and it was a virus. It loaded Security
Essentials 2010 which is a scarevirus to make the user believe that
there are virus a pay for their software which does nothing anyway.
It  has loaded a virus in the registry file. There is a lot about it
on  the net. I then found a PC tools download to remove. However when
I  turned mycomputer off it does not now allow me to log on. I have
turned it off. I am without a PC now. Can you come tomorrow to
resolve  it for me? Many thanks. Please let me know ad I need it
urgently."

> Regardless, let's see if we have your advisory correct.  In order to
> be a victim of this "Denial of Service Vulnerability" we must first
> get infected with something like Cutwail

true

> that runs with user interaction

false.  Cutwail has no known infection vectors.  However, Cutwail is
just an example.

> interaction and also requires administrator privileges (you can see
> that NDIS.SYS was altered).

When I am logged in as Admin and try to replace NDIS.SYS, Windows
File Protection replaces it.  Why did WFP fail to protect the file
against Cutwail in the first place, and how can a virus replace
NDIS.SYS using Administrative privs, if I cannot do it myself when
Administrator?

> Of course, your AV must be at least 2 years old too.

false, it was up-to-date, although I am questioning its effectiveness

>  Then, once we get infected with malware, we run MRT,
> and see in the logs that it was successfully removed and requires a
> reboot.

Actually, AV found the virus in NDIS.SYS but could not remove it.  So
I ran MRT because I thought that a Microsoft product would know this
is a Windows file that cannot simply be deleted.  MRT says it's done
and needs reboot, so I reboot... and the system is toast.

To clarify, in this particular case, the first reboot, you can login
in normal mode, but cannot use any network adapters (code 39 - driver
corrupted or missing).  Reinstalling the drivers doesn't help.  So
then you think, oh that's because NDIS was trashed by MRT, so I'll
just replace NDIS.SYS....

And thats when you get the BSOD on boot to normal mode.  So then you
need to figure out that the cause of that BSOD is a missing registry
key, then you need to figure out which keys (there are three, for
each controlset), then you need to get the correct keys from a clean
machine, then you need to figure out how to replace the keys (some of
them cannot be imported with mere Administrative permissions).

However, just last week I also fixed a problem with the userinit
registry key, also mysteriously deleted - why would a virus trash its
host?  Answer: it doesn't, I think it was MRT that trashed it.  A
missing userinit key means instant logoff on logon, even in safe mode
as Administrator.  I might be able to dig up the MRT log for that
machine (would be interesting to see whether it was in fact MRT that
did it).  Want to place bets now?

>From a quick look at the web, MRT has also in the past deleted
Internet Explorer (iexplore.exe).  Oh, the poetry....

The point of my mail was that anyone can innocently run MRT and it
may trash their box.  This is due to one or more design flaws in the
MRT, and in Windows itself.  Are you saying I should just sit on this
info?  If someone had told me MRT was going to trash my customer's
machine, I would not have wasted most of last week fixing it.

Stu

> >-----Original Message-----
> >From: full-disclosure-bounces () lists grok org uk [mailto:full- disclosure-
> >bounces () lists grok org uk] On Behalf Of lsi
> >Sent: Sunday, May 23, 2010 9:16 AM
> >To: full-disclosure () lists grok org uk
> >Subject: [Full-disclosure] denial-of-service vulnerability in the Microsoft
> >Malicious Software Removal Tool
> >
> >denial-of-service vulnerability in the Microsoft Malicious Software Removal
> >Tool
> >
> >platforms affected: Windows
> >distribution: wide
> >severity: high
> >
> >Description of the vulnerability:
> >
> >The Microsoft Malicious Software Removal Tool (MRT) is a program used to > >remove malware from infected Windows systems. However, MRT does not > >always correctly repair the system. In at least one case, the changes made by
> >MRT can render the system unbootable (log below).
> >Repair can be time-consuming and expensive, particularly as the error
> >messages and log files of the software concerned are cryptic and
> >uninformative, or non-existent.
> >
> >As MRT runs automatically in the background once a month, these changes to > >the system may be made without the knowledge of an Administrator (or even
> >the user).
> >
> >Suspected cause:
> >
> >Missing logic in MRT to repair the system, rather than just deleting stuff willy-
> >nilly.
> >
> >Recommendations:
> >
> >1. Do not run MRT manually.
> >
> >2. Disable MRT if possible, especially on mission-critical machines.
> >
> >3. Do not use Windows.
> >
> >Details of notification to vendor:
> >
> >None.
> >
> >Sample of the fault:
> >
> >Microsoft Windows Malicious Software Removal Tool v3.7, May 2010 Started
> >On Tue May 18 21:24:47 2010
> >
> >Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
> >----------------
> >Threat detected: VirTool:WinNT/Cutwail.L
> >    driver://NDIS
> >    file://C:\WINDOWS\system32\drivers\NDIS.sys
> >        SigSeq: 0x00008A78910FD971
> >        SHA1:   DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A
> >
> >regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
> >ORK\NDIS
> >
> >safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET
> >WORK\NDIS
> >    service://NDIS
> >
> >Quick Scan Removal Results
> >----------------
> >Start 'remove' for
> >regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
> >ORK\NDIS
> >Operation succeeded !
> >
> >Start 'remove' for service://NDIS
> >Operation was scheduled to be completed after next reboot.
> >
> >Start 'remove' for
> >safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET
> >WORK\NDIS
> >Operation succeeded !
> >
> >Start 'remove' for driver://NDIS
> >Operation was scheduled to be completed after next reboot.
> >
> >Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
> >Operation succeeded !
> >
> >
> >Results Summary:
> >----------------
> >For cleaning VirTool:WinNT/Cutwail.L, the system needs to be restarted. > >Microsoft Windows Malicious Software Removal Tool Finished On Tue May
> >18 21:31:29 2010
> >
> >
> >Return code: 10 (0xa)



---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

---
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault