Archive for April, 2007

Do Windows Vista Protected Processes = Rootkits?

Monday, April 16th, 2007

When Windows Vista came along we were told that no rootkits could run on Vista because of the various security enhancements within it. In the months since the beta versions of Vista, various people have come up with ways that may be able to install a rootkit (see Microsoft Vista Kernel Protection is Cracked and MS Watches as Vista Gets ‘0wn3d’ by Rootkit).

Since the official release of Windows Vista earlier this year there has been a concerted effort by security researchers to come up with ways to install rootkits or hide processes within Vista.

Alex Ionescu is one such researcher, and he has done a lot of work in the area of protected processes in Vista.

From Microsoft:

“The Microsoft® Windows Vista™ operating system introduces a new type of process known as a protected process to enhance support for Digital Rights Management functionality in Windows Vista. These protected processes exist alongside other processes in Windows Vista.”

and

“Constraints on protected processes. A typical process cannot perform operations such as the following on a protected process:
· Inject a thread into a protected process
· Access the virtual memory of a protected process
· Debug an active protected process
· Duplicate a handle from a protected process
· Change the quota or working set of a protected process”

So it looks like a protected process has some immunity from being interfered with, and thus from being checked for badness. This sounds very rootkit-like to me. A rootkit is designed to hide processes, among other things, and the main reason is to stop programs from seeing what it is up to. A rootkit may hide a keylogger from detection, and the same could be said of a keylogger in Vista once it has become a protected process.

Alex Ionescu has released a tool called D-Pin Purr that can both make a process protected and unprotect a protected process in Vista.

From Alex’s Blog:

“It’s based on the Microsoft documentation which says “Please don’t use a driver to bypass this”, which led me to believe that it would be possible to do this (which wouldn’t work on 64-bit Vista, of course).”

“Unfortunately, it is trivial to make a process protected or unprotected by bypassing all the Code Integrity checks and sandbox in which protected processes are supposed to run. I wrote a small application which I called D-Pin Purr which does exactly this. I tried it on the only two protected processes I know on Vista (audiodg.exe and mfpmp.exe).”

“Being able to play with the PMP application isn’t really what I was interested in, since most of the high-level security is in the kernel anyway. The interesting thing is that I can make any application of my choosing protected, and thus undebuggable, uninjectable and with its address space secure.”

Well I’m off to have a good mess around with Alex’s tool and I’ll report back some findings.

Keep Safe,
regards

Steo
www.antirootkit.com

References:

Why Protected Processes Are A Bad Idea

Introducing D-Pin Purr v1.0 – 32bit Edition

Microsoft Protected Process Whitepaper

Forecast – Massive Storms clouded by Rootkits

Friday, April 13th, 2007

Update: July 9th 2007 - see Abnormal activity from your IP…yeah sure 

Over the last two days there has been what seems to be a massive virus outbreak caused by the Storm Worm. The Storm Worm first appeared in January: while large storms were battering Europe, a worm was spammed out disguised as important news on the storm, with subject lines like “230 dead as storm batters europe”.
The next time the Storm Worm was unleashed was around Valentine’s Day, when emails pretending to be from a lover were spammed out to millions of people across the Internet. Then last weekend a new Storm surge was spammed out as news of World War 3 starting against Iran, and with love-related subjects like “A kiss so gentle” or “I dream of you”.

The latest Storm run was seen on the radar at about 6 PM GMT on Thursday, and within 24 hours over 55 million emails had been sent out by the worm, according to Postini, an email security company. This is over 60 times the rate for a “normal” 24-hour period.

The subject lines currently being used are:
Worm Detected!
Virus Detected!
Virus Activity Detected!
ATTN!
Spyware Alert!
Spyware Detected!
Warning!
Trojan Alert!
Trojan Detected!
Worm Activity Detected!
Virus Alert!

The Body of the email may look similar to the following:

From: Customer Support

Dear Customer,
Our robot has detected an abnormal activity from your IP address on sending e-mails.

Probably it is connected with the last epidemic of a worm which does not have official patches at the moment. We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked. We had archived the patch because the worm can modify unpacked exe files. You should open the archive file, enter the password and run the patch immediately.

Password: {Random}

Customer Support Center Robot.

Attachment: Patch-{Random}.zip

Attachments:

It arrives with two attachments. One is normally a GIF (more about this later) and the other is a password-protected zip file.

The zip file name takes one of the following forms:
patch-[RANDOM 4 DIGITS].zip
removal-[5 RANDOM DIGITS].zip
hotfix-[5 RANDOM DIGITS].zip
bugfix-[5 RANDOM DIGITS].zip
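As an added example (not from the post or from any vendor), here is a small mail-triage function that checks a message against the subject lines, body wording and attachment name patterns listed above. The two sample messages are constructed, and a single indicator such as a “Warning!” subject is deliberately not enough on its own:

```python
"""Triage a message against the Storm Worm "abnormal activity" lure.
Added example (not from antirootkit.com); the samples below are constructed.
"""
import re
from email import message_from_string
from email.message import EmailMessage, Message

STORM_SUBJECTS = {                      # subject lines seen in this run
    "Worm Detected!", "Virus Detected!", "Virus Activity Detected!", "ATTN!",
    "Spyware Alert!", "Spyware Detected!", "Warning!", "Trojan Alert!",
    "Trojan Detected!", "Worm Activity Detected!", "Virus Alert!",
}
# patch-<4 digits>.zip, or removal/hotfix/bugfix-<5 digits>.zip
ATTACHMENT_RE = re.compile(r"^(?:patch-\d{4}|(?:removal|hotfix|bugfix)-\d{5})\.zip$", re.I)
PASSWORD_RE = re.compile(r"^\s*Password:\s*\S+", re.I | re.M)   # archive password in body
LURE_PHRASES = ("abnormal activity from your ip", "run the patch")

def text_body(msg: Message) -> str:
    """Concatenate decoded text/plain parts (handles QP/base64 transfer encodings)."""
    return "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in msg.walk() if p.get_content_type() == "text/plain")

def triage(raw: str) -> dict:
    """Score four indicators; two or more together are flagged as a Storm lure."""
    msg = message_from_string(raw)
    body = text_body(msg)
    names = [p.get_filename() or "" for p in msg.walk()]
    hits = {
        "storm_subject": (msg.get("Subject") or "").strip() in STORM_SUBJECTS,
        "storm_attachment": any(ATTACHMENT_RE.match(n) for n in names),
        "password_in_body": bool(PASSWORD_RE.search(body)),
        "lure_wording": any(p in body.lower() for p in LURE_PHRASES),
    }
    score = sum(hits.values())
    return {**hits, "verdict": "storm-lure" if score >= 2 else "clean"}

def build_sample(subject: str, body: str, attachment: str = "") -> str:
    """Construct a raw RFC 822 message for testing (sample data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "Customer Support <support@example.invalid>"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:                       # a few bytes stand in for the zip payload
        m.add_attachment(b"PK\x03\x04", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_string()

STORM_SAMPLE = build_sample("Virus Alert!", (
    "Dear Customer,\nOur robot has detected an abnormal activity from your IP\n"
    "address on sending e-mails. You should open the archive file, enter\n"
    "the password and run the patch immediately.\n\nPassword: 7kq2pz\n"),
    "patch-4711.zip")
BENIGN_SAMPLE = build_sample("Warning!", "The car park closes at 18:00 today.\n")
```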

The use of a password-protected zip file is a new tactic for the Storm Worm. Random numbers and letters are used for each attachment in every email that is sent out, and the password for the attachment is given in the email. The file within the zip, when run, installs the Storm Worm on your PC and hides itself from virus scanners by using a rootkit. The rootkit component is wincom32.sys, and anti-rootkit software shows that it ensures its invisibility by hooking the following:

Rootkit Elements: 

SSDT
ZwEnumerateKey
C:\WINDOWS\system32\wincom32.sys

SSDT
ZwEnumerateValueKey
C:\WINDOWS\system32\wincom32.sys

SSDT
ZwQueryDirectoryFile
C:\WINDOWS\system32\wincom32.sys

IRP
\Driver\Tcpip->IRP_MJ_DEVICE_CONTROL
\\??\C:\WINDOWS\system32\wincom32.sys

and it also hides the registry entries pointing to wincom32.sys.
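As an added example (not from the post or from any anti-rootkit tool), a small parser for the report format above that groups the hooks by owning module and says what each hook lets the driver hide; the HIDES mapping is my own, and SAMPLE_REPORT is a constructed copy of the lines quoted above:

```python
"""Parse the hook list an anti-rootkit scanner reported for wincom32.sys (added example,
not from the post or any scanner; HIDES is my mapping, SAMPLE_REPORT copies the post)."""
import re
from collections import defaultdict

HIDES = {   # what a hook on each SSDT entry lets a driver filter from user mode
    "ZwQueryDirectoryFile": "files",
    "ZwEnumerateKey": "registry keys",
    "ZwEnumerateValueKey": "registry values",
}

def normalize_path(path: str) -> str:
    # strip the NT object prefix \??\ and case so both spellings compare equal
    return re.sub(r"^\\+\?\?\\", "", path.strip()).lower()

def parse_hooks(report: str) -> list:
    """Each record is three non-blank lines: kind, hooked entry, owning module."""
    records = []
    for block in re.split(r"\n\s*\n", report.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) != 3:
            continue                       # skip banner or stray lines
        kind, target, module = lines
        records.append({"kind": kind, "target": target, "module": normalize_path(module)})
    return records

def summarize(records: list) -> dict:
    """Per module: what its SSDT hooks can hide and which dispatch routines it sits on."""
    summary = defaultdict(lambda: {"hides": set(), "intercepts": set()})
    for rec in records:
        entry = summary[rec["module"]]
        if rec["kind"] == "SSDT":
            entry["hides"].add(HIDES.get(rec["target"], rec["target"]))
        elif rec["kind"] == "IRP":         # e.g. \Driver\Tcpip->IRP_MJ_DEVICE_CONTROL
            driver, _, major = rec["target"].partition("->")
            entry["intercepts"].add(driver.rsplit("\\", 1)[-1] + " " + major)
    return dict(summary)

SAMPLE_REPORT = r"""
SSDT
ZwEnumerateKey
C:\WINDOWS\system32\wincom32.sys

SSDT
ZwEnumerateValueKey
C:\WINDOWS\system32\wincom32.sys

SSDT
ZwQueryDirectoryFile
C:\WINDOWS\system32\wincom32.sys

IRP
\Driver\Tcpip->IRP_MJ_DEVICE_CONTROL
\\??\C:\WINDOWS\system32\wincom32.sys
"""
```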

Although anti-virus scanners will not “see” these files, you can get a dedicated anti-rootkit program from our Anti-Rootkit Software Page.
Anubis have an extremely in-depth analysis of a sample submitted to them:
http://analysis.seclab.tuwien.ac.at/result.php?taskid=0ce16256cab3e414c180082fafc8d4b4&refresh=1&embedded=1

Tactics:

The reason this particular Storm Worm run has become so massive is that the authors have employed some new tactics alongside some old, trusted ones. The new tactics include using an image file which carries the text of the message. This means that anti-virus scanners cannot scan the email for suspicious text. This tactic has recently been employed by spammers to bypass anti-spam mechanisms.
The tactic of the password-protected zip file is not new and has been used in the past by many worms, including the infamous Bagle. What is new to the Storm Worm is the polymorphic nature of the code: each copy of the worm is slightly different, so as to better avoid detection by anti-virus email scanners.
The tactic of informing people that they have malware on their PC is not new either, but it is effective. It is especially effective because of the limited run a few days before. That run got the Storm Worm into the media, and the Thursday run, with all its new mechanisms, may have piggybacked on people’s fear that they are infected.

Behind the Scenes:

So what, and who, is behind the Storm Worm? It is thought that the worm originates from Eastern Europe and is spammed out so as to get as many initial victims as possible to start the ball rolling. The worm then spreads from PC to PC via its own email engine, using addresses from the user’s email address book. Once on a user’s PC the worm joins the PC to a massive botnet comprised of thousands of unsuspecting users’ PCs. The botnet is then used to send out massive amounts of what is called pump-and-dump spam. This is where a stock is advertised at a low price with a supposedly very high expected value. When unsuspecting users buy this stock they help push the price up, and when the price goes up the stock is sold off by the originator of the pump-and-dump spam at immense profit.

The Storm Worm runs on Windows 98, ME, NT, 2000, XP, and Windows Server 2003.

The fact that this Storm run is so massive just goes to show that PC users all over the world are opening encrypted zip attachments from strangers and running the code. :-(

Keep Safe
regards

Steo
www.antirootkit.com

References:

The Eye of the Storm

Storm Worm blows up, breaks records

WORM_NUWAR.AOP

Consumer alert: Massive virus outbreak

Massive spam shot of ‘Storm Trojan’ reaches record proportions

AVG Anti-Rootkit Free – The Verdict

Wednesday, April 11th, 2007

Grisoft has released AVG Anti-Rootkit Free to the general public. The company, well known for leading the way in free anti-virus and anti-spyware software, has had a beta available for a few months and it looks like they have it ready for general release. The verdict is below, but first let’s have a look at the program; what it failed at comes later.

AVG Anti-Rootkit Free Frontend

I always wonder whether it is a good idea to give users a choice of scans. AVG Anti-Rootkit gives users a choice of “Search for Rootkits” or “Perform in-depth Search”. Surely if I think I have a rootkit then I would like to look everywhere for it.

Grisoft have made a few changes since the first beta, like generating a random window name for the software when it runs.

The name it gives is not visible within the window, but you can see it in the taskbar.

AVG Anti Rootkit Free Taskbar Name

It also creates a new copy of its executable with a different file name from the original and runs that new executable.

Before:
AVG File List 1
After:
AVG File List 2

We can see here that the program avgarkt.exe has created a new program called 87A.exe. Anything that protects it from being noticed by rootkits is always a good thing.
AVG Anti-Rootkit Beta Frontend

The beta version had the name AVG Anti-Rootkit Beta as the window title, and this could have let rootkit writers stop the program from running.

One item from the first beta that is now missing is the “Save results in Log” option. This should have been left in so users could use the log to find out more about the rootkit, where it possibly came from and what defences need to be increased.

There is no support with AVG Anti-Rootkit Free, so if something goes wrong you are not going to get any help from Grisoft. If you do have a problem you can ask a question in our AVG Anti-Rootkit Forum.

AVG Anti-Rootkit Free is only available in English.

Details about AVG Anti-Rootkit Free from Grisoft:

  • Powerful cleaning due to advanced cleaning driver
  • Easy to use interface
  • Fast and efficient detection (even for NTFS-ADS objects)
  • Special interface for visually impaired people

System Requirements:

  • MS Windows 2000 (32-Bit) or MS Windows XP (32-Bit)

The Verdict…

I ran BadRKDemo from Cardmagic on an XP SP2 PC (not a virtual machine) and here we can see it sending output which can be viewed in DebugView. An entry can be seen: ——-Rootkit is alive!——-

BadRKDemo Debugview

Then I ran AVG Anti-Rootkit Free after rebooting the PC and the scan showed up nothing. I say, what else can it not find?

We also tried BadRKDemo with Rootkit Unhooker and IceSword, among others from our software page, which were able to “see” it.

Update: 22 April 2007
Some people say BadRKDemo is not a “real” rootkit and that therefore AVG Anti-Rootkit should not find it. I’d say that if a program like Rootkit Unhooker can find a hidden driver called BadRKDemo.sys, I would have more trust in it than in one that doesn’t see it. Maybe this is a very simplistic way of looking at it, but programs that find hidden things on computers should try to find all hidden things.

I am very short of time at the moment but I do owe it to the guys and gals over at AVG Anti-Rootkit to give this a really good test and compare it to other anti-rootkit programs. Check back soon.

Keep Safe
regards

Steo
www.antirootkit.com

Looking at Britney Spears can get you a Rootkit

Wednesday, April 4th, 2007

On the 28th of March details of a Windows vulnerability involving ANI files were posted on the Internet. This vulnerability started out as just another vulnerability, but it wasn’t long before it was obvious that it was different: public exploit code had already been published and the hole was being attacked.

There was a lot of activity from Internet security companies, who had found that the vulnerability was being exploited on websites dotted around the world, but mainly in China. A specially crafted ANI file (an animated cursor file) could be embedded within a hacked or dubious website, and when a user visited the page their PC would become infected without them knowing anything. You might say “well, I don’t visit dodgy websites so I’m OK”, but tell that to the surfers who recently got infected via the Super Bowl site by a keylogger / backdoor.

As of the 3rd of April Websense were tracking 450 unique websites serving the code to unsuspecting users. The bogus code was found on every web page within these sites.

When a user visits one of these sites the bogus animated cursor file is loaded, which in turn can run any program it wants. Currently there are various payloads being sent out via the exploit. The payloads include keyloggers for stealing credit card details from users, and botnet host software which makes the user’s PC part of a botnet (a centrally controlled network of computers) that is probably sending out spam or more dodgy animated cursors, or being used in DDoS attacks.

Britney Spears

Since the vulnerability became public, hackers are trying to come up with new ways of fooling people into downloading a malicious ANI file, and recently spam emails with subject lines like “Hot pictures of Britiney Speers” have been sent out hoping to fool users into clicking on a link in the email that brings them to a hacked PHP site which serves up the malicious code. Explabs have also reported that along with the malicious payload a rootkit is being used to hide any trace of infection from the user. The Rustock rootkit is an example of a rootkit being used.

The following video shows how a specially created toolkit creates a malicious ANI file and runs the dir command using the file.

Public PoC (Proof of Concept) code has been released by jamikazu which will cause calc.exe to run. Again, calc.exe could easily be replaced by a malicious piece of code.

All Microsoft users should go to Microsoft Windows Update and get this dangerous hole patched quickly. If you have Automatic Update enabled then you more than likely had your system updated on Tuesday the 3rd of April.

This vulnerability also affects Windows Vista. Determina have put together a nice video that shows how an attacker might take over a Windows Vista PC using the ANI file vulnerability.

http://www.determina.com/security.research/flash/ani.html
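As an added example (my own code, not from the post, Microsoft or any vendor), a structural validator for ANI files of the kind a mail or web gateway could run. ANI is a RIFF container whose anih chunk is a fixed 36-byte ANIHEADER; that the bug in advisory 935423 is triggered by an anih chunk with a declared size other than 36 is taken from public write-ups of the patch, not from the post, and the two sample files are constructed here:

```python
"""Structural check of an animated-cursor (ANI) file. Added example, not from the
post. ANI is a RIFF container (form type ACON); its 'anih' chunk is a 36-byte
ANIHEADER. Public write-ups of the bug in advisory 935423 describe the trigger as
an anih chunk whose declared size is not 36, which the post does not spell out."""
import struct

ANIH_SIZE = 36   # sizeof(ANIHEADER): 9 DWORDs

def _walk(buf: bytes, start: int, end: int):
    """Yield (fourcc, data_offset, size) for each chunk, descending into LIST chunks."""
    pos = start
    while pos + 8 <= end:
        fourcc, size = buf[pos:pos + 4], struct.unpack_from("<I", buf, pos + 4)[0]
        data = pos + 8
        if data + size > end:                  # declared size overruns the container
            yield b"!trunc", pos, size
            return
        if fourcc == b"LIST":                  # skip the list-type fourcc, then recurse
            yield from _walk(buf, data + 4, data + size)
        else:
            yield fourcc, data, size
        pos = data + size + (size & 1)         # RIFF chunks are word-aligned

def check_ani(buf: bytes) -> list:
    """Return findings; an empty list means the file is structurally sane."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"ACON":
        return ["not a RIFF/ACON file"]
    findings, anih_count = [], 0
    for fourcc, off, size in _walk(buf, 12, len(buf)):
        if fourcc == b"!trunc":
            findings.append(f"chunk at {off} declares {size} bytes past end of data")
        elif fourcc == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append(f"anih chunk at {off} has size {size}, expected {ANIH_SIZE}")
            elif struct.unpack_from("<I", buf, off)[0] != ANIH_SIZE:
                findings.append(f"anih cbSize field at {off} is not {ANIH_SIZE}")
    if anih_count != 1:
        findings.append(f"expected exactly one anih chunk, found {anih_count}")
    return findings

def _chunk(fourcc: bytes, data: bytes) -> bytes:
    return fourcc + struct.pack("<I", len(data)) + data + (b"\0" if len(data) & 1 else b"")

def _riff(*chunks: bytes) -> bytes:
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed samples: header = cbSize 36, 1 frame, 1 step, 32x32, 32 bpp, 1 plane,
# rate 10 jiffies, flags AF_ICON; the bad file carries a 64-byte anih instead.
GOOD_HEADER = struct.pack("<9I", 36, 1, 1, 32, 32, 32, 1, 10, 1)
GOOD_ANI = _riff(_chunk(b"anih", GOOD_HEADER),
                 _chunk(b"LIST", b"fram" + _chunk(b"icon", b"\0" * 8)))
BAD_ANI = _riff(_chunk(b"anih", b"A" * 64))
```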

If you have recently received an email enticing you to click on a link and see new photos of Britney Spears and you “mistakenly” clicked on the link, then I think you should download one of the FREE anti-rootkit scanners from http://www.antirootkit.com/software/index.htm and check your system for the presence of a rootkit.

Keep Safe

regards

Steo
http://www.antirootkit.com/

References:

Microsoft Security Advisory (935423) – Vulnerability in Windows Animated Cursor Handling

Download the ANI File patch from Microsoft

Britney fears: troubled pop star exploited by Microsoft ANI vulnerability

Public PoC Code Disclosure (Code Execution – Calc.exe)

Large scale compromise with ANI exploit code

Panda Antirootkit Officially Released

Monday, April 2nd, 2007

Panda Software, one of the world’s leading Internet security companies, has officially released its anti-rootkit product, Panda Antirootkit. It was released in beta in December 2005 and has had over 20000 downloads to date.

Panda Antirootkit finding Rootkits

“Panda AntiRootkit is a free utility that performs in-depth scans of your computer in search for hidden resources, identifying and disinfecting known and unknown rootkits. Unlike other rootkit utilities which merely “reveal” hidden objects, Panda AntiRootkit positively identifies known and unknown rootkits and gives the option of removing them, including their associated registry entries, processes and files.

In addition Panda AntiRootkit has an Exhaustive Scan Monitor (requires reboot) capable of monitoring drivers and processes loading at boot time. Its unique technology does this at a lower level than any other AntiRootkit utility, therefore revealing all hiding techniques used by the latest generation rootkits.

Panda AntiRootkit discovers hidden files, registry entries, drivers, processes, modules, SDT modifications, EAT hooks, modifications to IDT, non-standard INT2E, non-standard SYSENTER, IRP hooks, and much more. Among many things we have added an extended .CSV report which can be exported for consulting detailed information of hidden objects found, and some interface process refinements.

Panda AntiRootkit runs on Windows 2000 SP4 and Windows XP and above. For a version that runs on servers please contact your local Panda Technical Support office. Keep in mind that Panda AntiRootkit is not an antivirus solution nor does it provide real-time protection. If Panda AntiRootkit has detected and disinfected a rootkit from your system, we still recommend that you run a complete AV scan afterwards to delete any malicious files that might be left over.”

Panda Antirootkit can also be run from the command line with certain switches, so that it can be run from login scripts across the corporate network.

Antirootkit.com – Panda Antirootkit
Panda Research Blog

regards
Steo
www.antirootkit.com