Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool
From: "lsi" <stuart () cyberdelix net>
Date: Sun, 23 May 2010 20:33:02 +0100

Just to followup on this, what worries me is that as time passes, 
more and more viruses will attack more and more files and/or registry 
keys, resulting in more and more destruction by MRT, and I will need 
to spend more and more time on it, finding solutions to increasingly 
obscure problems, for which there is no documentation anywhere, 
except that generated by forums such as this, fixing things that are 
clearly marked "no user serviceable parts inside" (if the permissions 
on the registry keys are to be a guide).

Something is clearly wrong when a BSOD is actually part of the repair 
process, indicating progress in this case, when I need to subvert WFP 
and other inbuilt security systems to effect the fix, and when a 
cleanup tool from the vendor, which is pushed onto all machines and 
run automatically, makes a problem worse.

The thing that annoys me, is that it's now up to me to either hand my 
customer a large bill, which will compensate me fairly for my time 
but is likely to exceed the cost of a new machine, OR I can take pity 
on him (it's not his fault his machine was infected or subsequently 
trashed by a repair tool) - and this means I need to discount my 
time, so I end up taking the hit.

But it's not my fault either, it's Microsoft's software that has the 
holes in it, and it's Microsoft's tool that trashed it after those 
holes were exploited.  But do you think I will get paid if I invoice 
Microsoft?

So basically someone needs to pay, and it ain't Bill, and if I want 
to keep my customer happy, it ain't my customer either.  That means I 
end up spending my life working for a pittance, cleaning up 
Microsoft's mess and at the same time, trying to explain to my 
customer that while the Windows packaging and advertising is all so 
slick, it's actually the biggest white elephant in the known 
universe, and they should consider migrating to unix, and I know you 
just spent a truckload on some lame-assed .NET dependency, I have 
some very bad news for you, and no, you can't fix it by getting a new 
IT guy, although you won't find that out until you try it, and I know 
it might be easier for you to buy some more sales pitch from the next 
IT guy, and drink the Microsoft Kool-Aid, than to believe me when I 
say that most the world's desktops are running a giant white 
elephant, so I am definitely going to discount my time, and take the 
hit, although I hope you won't mind if I post a couple of your logs 
onto the net, because this is wrong, that I am spending all my time 
for pittance, fixing things that should never have broken, while the 
megacorp responsible shoves the next load of tripe down my customer's 
throats and makes life even more difficult for me in the future.

Then I wonder, what is the long-term solution to this problem?  I 
already asked you this - I note you didn't reply....

Does this help explain things at all?

Stu

On 23 May 2010 at 19:17, lsi wrote:

From:                   "lsi" <stuart () cyberdelix net>
To:                     full-disclosure () lists grok org uk
Date sent:              Sun, 23 May 2010 19:17:13 +0100
Priority:               normal                                               
            
Subject:                Re: [Full-disclosure] denial-of-service 
vulnerability in the
        Microsoft Malicious Software Removal Tool
Send reply to:          stuart () cyberdelix net
        <full-disclosure.lists.grok.org.uk>                                  
      
        <mailto:full-disclosure-
request () lists grok org uk?subject=unsubscribe>     
        <mailto:full-disclosure-request () lists grok org uk?subject=subscribe> 
      

On 23 May 2010 at 16:34, Thor (Hammer of God) wrote:

From:                 "Thor (Hammer of God)" <Thor () hammerofgod com>
To:                   "full-disclosure () lists grok org uk" <full-
disclosure () lists grok org uk>
Date sent:            Sun, 23 May 2010 16:34:24 +0000
Subject:              Re: [Full-disclosure] denial-of-service 
vulnerability in the
      Microsoft       Malicious Software Removal Tool

And where's the part where the system was rendered unbootable?

The unbootable part comes when you replace NDIS.SYS.  Unless you know 
to replace the registry keys first, which is certainly not obvious 
from the MRT log.

And how did your users get infected with Cutwail?  Let me guess...
they are all still running XP and you've got them running as local
administrators right?  And they get to download codecs "willy nilly"
and are probably using Bittorrent to get illegal copies of software
pre-infected with cutwail, right?  

How do I know how they got infected?  These are all third-party 
companies (my customers), sometimes when they have cash problems, 
they don't call me, they try and do it themselves, or do nothing. I 
might not see them for months. They don't want to upgrade - they 
heard about Vista (LOL) and they don't have, or don't want to spend 
the money.

This is reality, not some managed datacentre in Redmond.

local administrators

Their apps needed it last I checked.  I didn't set up their machines. 
They have not asked me to look at that.  I have enough trouble 
getting work OK'd without putting my neck on the line suggesting a 
configuration change which I cannot guarantee will not cause 
instability, particularly with their legacy and unsupported software, 
of which there is plenty.

Again, this is reality, not some managed datacentre in Redmond.

Bittorrent

No, like this:

"Stuart, need your help. My computer has a virus. Yesterday night I  
opened an email that I was expecting from a Bernice. It turned out  
that it was the wrong Bernice and it was a virus. It loaded Security 
Essentials 2010 which is a scarevirus to make the user believe that  
there are virus a pay for their software which does nothing anyway. 
It  has loaded a virus in the registry file. There is a lot about it 
on  the net. I then found a PC tools download to remove. However when 
I  turned mycomputer off it does not now allow me to log on. I have  
turned it off. I am without a PC now. Can you come tomorrow to 
resolve  it for me? Many thanks. Please let me know ad I need it 
urgently."  

Regardless, let's see if we have your advisory correct.  In order to
be a victim of this "Denial of Service Vulnerability" we must first
get infected with something like Cutwail

true

that runs with user interaction

false.  Cutwail has no known infection vectors.  However, Cutwail is 
just an example.

interaction and also requires administrator privileges (you can see
that NDIS.SYS was altered).

When I am logged in as Admin and try to replace NDIS.SYS, Windows 
File Protection replaces it.  Why did WFP fail to protect the file 
against Cutwail in the first place, and how can a virus replace 
NDIS.SYS using Administrative privs, if I cannot do it myself when 
Administrator?

Of course, your AV must be at least 2 years old too.

false, it was up-to-date, although I am questioning its effectiveness

 Then, once we get infected with malware, we run MRT,
and see in the logs that it was successfully removed and requires a
reboot.  

Actually, AV found the virus in NDIS.SYS but could not remove it.  So 
I ran MRT because I thought that a Microsoft product would know this 
is a Windows file that cannot simply be deleted.  MRT says it's done 
and needs reboot, so I reboot... and the system is toast.

To clarify, in this particular case, the first reboot, you can login 
in normal mode, but cannot use any network adapters (code 39 - driver 
corrupted or missing).  Reinstalling the drivers doesn't help.  So 
then you think, oh that's because NDIS was trashed by MRT, so I'll 
just replace NDIS.SYS....

And thats when you get the BSOD on boot to normal mode.  So then you 
need to figure out that the cause of that BSOD is a missing registry 
key, then you need to figure out which keys (there are three, for 
each controlset), then you need to get the correct keys from a clean 
machine, then you need to figure out how to replace the keys (some of 
them cannot be imported with mere Administrative permissions).

However, just last week I also fixed a problem with the userinit 
registry key, also mysteriously deleted - why would a virus trash its 
host?  Answer: it doesn't, I think it was MRT that trashed it.  A 
missing userinit key means instant logoff on logon, even in safe mode 
as Administrator.  I might be able to dig up the MRT log for that 
machine (would be interesting to see whether it was in fact MRT that 
did it).  Want to place bets now?

From a quick look at the web, MRT has also in the past deleted 
Internet Explorer (iexplore.exe).  Oh, the poetry....

The point of my mail was that anyone can innocently run MRT and it 
may trash their box.  This is due to one or more design flaws in the 
MRT, and in Windows itself.  Are you saying I should just sit on this 
info?  If someone had told me MRT was going to trash my customer's 
machine, I would not have wasted most of last week fixing it.

Stu

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-
bounces () lists grok org uk] On Behalf Of lsi
Sent: Sunday, May 23, 2010 9:16 AM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] denial-of-service vulnerability in the Microsoft
Malicious Software Removal Tool

denial-of-service vulnerability in the Microsoft Malicious Software Removal
Tool

platforms affected: Windows
distribution: wide
severity: high

Description of the vulnerability:

The Microsoft Malicious Software Removal Tool (MRT) is a program used to
remove malware from infected Windows systems.  However, MRT does not
always correctly repair the system.  In at least one case, the changes made by
MRT can render the system unbootable (log below).
Repair can be time-consuming and expensive, particularly as the error
messages and log files of the software concerned are cryptic and
uninformative, or non-existent.

As MRT runs automatically in the background once a month, these changes to
the system may be made without the knowledge of an Administrator (or even
the user).

Suspected cause:

Missing logic in MRT to repair the system, rather than just deleting stuff willy-
nilly.

Recommendations:

1. Do not run MRT manually.

2. Disable MRT if possible, especially on mission-critical machines.

3. Do not use Windows.

Details of notification to vendor:

None.

Sample of the fault:

Microsoft Windows Malicious Software Removal Tool v3.7, May 2010 Started
On Tue May 18 21:24:47 2010

Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
----------------
Threat detected: VirTool:WinNT/Cutwail.L
   driver://NDIS
   file://C:\WINDOWS\system32\drivers\NDIS.sys
       SigSeq: 0x00008A78910FD971
       SHA1:   DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A

regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
ORK\NDIS

safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET
WORK\NDIS
   service://NDIS

Quick Scan Removal Results
----------------
Start 'remove' for
regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
ORK\NDIS
Operation succeeded !

Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for
safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET
WORK\NDIS
Operation succeeded !

Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !


Results Summary:
----------------
For cleaning VirTool:WinNT/Cutwail.L, the system needs to be restarted.
Microsoft Windows Malicious Software Removal Tool Finished On Tue May
18 21:31:29 2010


Return code: 10 (0xa)




---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault