Re: denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool

[webDEViL <w3bd3vil () gmail com>]

All said and done, that doesn't make it a vulnerability.

On Sun, May 23, 2010 at 11:47 PM, lsi <stuart () cyberdelix net> wrote:

> On 23 May 2010 at 16:34, Thor (Hammer of God) wrote:
>
> From:                   "Thor (Hammer of God)" <Thor () hammerofgod com>
> To:                     "full-disclosure () lists grok org uk" <full-
> disclosure () lists grok org uk>
> Date sent:              Sun, 23 May 2010 16:34:24 +0000
> Subject:                Re: [Full-disclosure] denial-of-service
> vulnerability in the
>        Microsoft       Malicious Software Removal Tool
>
> > And where's the part where the system was rendered unbootable?
>
> The unbootable part comes when you replace NDIS.SYS.  Unless you know
> to replace the registry keys first, which is certainly not obvious
> from the MRT log.
>
> > And how did your users get infected with Cutwail?  Let me guess...
> > they are all still running XP and you've got them running as local
> > administrators right?  And they get to download codecs "willy nilly"
> > and are probably using Bittorrent to get illegal copies of software
> > pre-infected with cutwail, right?
>
> How do I know how they got infected?  These are all third-party
> companies (my customers), sometimes when they have cash problems,
> they don't call me, they try and do it themselves, or do nothing. I
> might not see them for months. They don't want to upgrade - they
> heard about Vista (LOL) and they don't have, or don't want to spend
> the money.
>
> This is reality, not some managed datacentre in Redmond.
>
> > local administrators
>
> Their apps needed it last I checked.  I didn't set up their machines.
> They have not asked me to look at that.  I have enough trouble
> getting work OK'd without putting my neck on the line suggesting a
> configuration change which I cannot guarantee will not cause
> instability, particularly with their legacy and unsupported software,
> of which there is plenty.
>
> Again, this is reality, not some managed datacentre in Redmond.
>
> > Bittorrent
>
> No, like this:
>
> "Stuart, need your help. My computer has a virus. Yesterday night I
> opened an email that I was expecting from a Bernice. It turned out
> that it was the wrong Bernice and it was a virus. It loaded Security
> Essentials 2010 which is a scarevirus to make the user believe that
> there are virus a pay for their software which does nothing anyway.
> It  has loaded a virus in the registry file. There is a lot about it
> on  the net. I then found a PC tools download to remove. However when
> I  turned mycomputer off it does not now allow me to log on. I have
> turned it off. I am without a PC now. Can you come tomorrow to
> resolve  it for me? Many thanks. Please let me know ad I need it
> urgently."
>
> > Regardless, let's see if we have your advisory correct.  In order to
> > be a victim of this "Denial of Service Vulnerability" we must first
> > get infected with something like Cutwail
>
> true
>
> > that runs with user interaction
>
> false.  Cutwail has no known infection vectors.  However, Cutwail is
> just an example.
>
> > interaction and also requires administrator privileges (you can see
> > that NDIS.SYS was altered).
>
> When I am logged in as Admin and try to replace NDIS.SYS, Windows
> File Protection replaces it.  Why did WFP fail to protect the file
> against Cutwail in the first place, and how can a virus replace
> NDIS.SYS using Administrative privs, if I cannot do it myself when
> Administrator?
>
> > Of course, your AV must be at least 2 years old too.
>
> false, it was up-to-date, although I am questioning its effectiveness
>
> >  Then, once we get infected with malware, we run MRT,
> > and see in the logs that it was successfully removed and requires a
> > reboot.
>
> Actually, AV found the virus in NDIS.SYS but could not remove it.  So
> I ran MRT because I thought that a Microsoft product would know this
> is a Windows file that cannot simply be deleted.  MRT says it's done
> and needs reboot, so I reboot... and the system is toast.
>
> To clarify, in this particular case, the first reboot, you can login
> in normal mode, but cannot use any network adapters (code 39 - driver
> corrupted or missing).  Reinstalling the drivers doesn't help.  So
> then you think, oh that's because NDIS was trashed by MRT, so I'll
> just replace NDIS.SYS....
>
> And thats when you get the BSOD on boot to normal mode.  So then you
> need to figure out that the cause of that BSOD is a missing registry
> key, then you need to figure out which keys (there are three, for
> each controlset), then you need to get the correct keys from a clean
> machine, then you need to figure out how to replace the keys (some of
> them cannot be imported with mere Administrative permissions).
>
> However, just last week I also fixed a problem with the userinit
> registry key, also mysteriously deleted - why would a virus trash its
> host?  Answer: it doesn't, I think it was MRT that trashed it.  A
> missing userinit key means instant logoff on logon, even in safe mode
> as Administrator.  I might be able to dig up the MRT log for that
> machine (would be interesting to see whether it was in fact MRT that
> did it).  Want to place bets now?
>
> > From a quick look at the web, MRT has also in the past deleted
> Internet Explorer (iexplore.exe).  Oh, the poetry....
>
> The point of my mail was that anyone can innocently run MRT and it
> may trash their box.  This is due to one or more design flaws in the
> MRT, and in Windows itself.  Are you saying I should just sit on this
> info?  If someone had told me MRT was going to trash my customer's
> machine, I would not have wasted most of last week fixing it.
>
> Stu
>
> > > -----Original Message-----
> > > From: full-disclosure-bounces () lists grok org uk [mailto:
> full-disclosure-
> > > bounces () lists grok org uk] On Behalf Of lsi
> > > Sent: Sunday, May 23, 2010 9:16 AM
> > > To: full-disclosure () lists grok org uk
> > > Subject: [Full-disclosure] denial-of-service vulnerability in the
> Microsoft
> > > Malicious Software Removal Tool
> > >
> > > denial-of-service vulnerability in the Microsoft Malicious Software
> Removal
> > > Tool
> > >
> > > platforms affected: Windows
> > > distribution: wide
> > > severity: high
> > >
> > > Description of the vulnerability:
> > >
> > > The Microsoft Malicious Software Removal Tool (MRT) is a program used to
> > > remove malware from infected Windows systems.  However, MRT does not
> > > always correctly repair the system.  In at least one case, the changes
> made by
> > > MRT can render the system unbootable (log below).
> > > Repair can be time-consuming and expensive, particularly as the error
> > > messages and log files of the software concerned are cryptic and
> > > uninformative, or non-existent.
> > >
> > > As MRT runs automatically in the background once a month, these changes
> to
> > > the system may be made without the knowledge of an Administrator (or
> even
> > > the user).
> > >
> > > Suspected cause:
> > >
> > > Missing logic in MRT to repair the system, rather than just deleting
> stuff willy-
> > > nilly.
> > >
> > > Recommendations:
> > >
> > > 1. Do not run MRT manually.
> > >
> > > 2. Disable MRT if possible, especially on mission-critical machines.
> > >
> > > 3. Do not use Windows.
> > >
> > > Details of notification to vendor:
> > >
> > > None.
> > >
> > > Sample of the fault:
> > >
> > > Microsoft Windows Malicious Software Removal Tool v3.7, May 2010 Started
> > > On Tue May 18 21:24:47 2010
> > >
> > > Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
> > > ----------------
> > > Threat detected: VirTool:WinNT/Cutwail.L
> > >    driver://NDIS
> > >    file://C:\WINDOWS\system32\drivers\NDIS.sys
> > >        SigSeq: 0x00008A78910FD971
> > >        SHA1:   DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A
> > >
> > > regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
> > > ORK\NDIS
> > >
> > > safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET
> > > WORK\NDIS
> > >    service://NDIS
> > >
> > > Quick Scan Removal Results
> > > ----------------
> > > Start 'remove' for
> > > regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
> > > ORK\NDIS
> > > Operation succeeded !
> > >
> > > Start 'remove' for service://NDIS
> > > Operation was scheduled to be completed after next reboot.
> > >
> > > Start 'remove' for
> > > safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET
> > > WORK\NDIS
> > > Operation succeeded !
> > >
> > > Start 'remove' for driver://NDIS
> > > Operation was scheduled to be completed after next reboot.
> > >
> > > Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
> > > Operation succeeded !
> > >
> > >
> > > Results Summary:
> > > ----------------
> > > For cleaning VirTool:WinNT/Cutwail.L, the system needs to be restarted.
> > > Microsoft Windows Malicious Software Removal Tool Finished On Tue May
> > > 18 21:31:29 2010
> > >
> > >
> > > Return code: 10 (0xa)
>
>
>
> ---
> Stuart Udall
> stuart at () cyberdelix dot net - http://www.cyberdelix.net/
>
> ---
>  * Origin: lsi: revolution through evolution (192:168/0.2)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/