
Re: [Full-disclosure] denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool



And where's the part where the system was rendered unbootable?

And how did your users get infected with Cutwail?  Let me guess... they are all 
still running XP and you've got them running as local administrators, right?  
And they get to download codecs "willy nilly" and are probably using BitTorrent 
to get illegal copies of software pre-infected with Cutwail, right?  

Regardless, let's see if we have your advisory correct.  In order to be a 
victim of this "Denial of Service Vulnerability" we must first get infected 
with something like Cutwail that runs with user interaction and also requires 
administrator privileges (you can see that NDIS.SYS was altered).  Of course, 
your AV must be at least 2 years old too.  Then, once we get infected with 
malware, we run MRT, and see in the logs that it was successfully removed and 
requires a reboot.  

Very nice work indeed!!!  Your clients are fortunate to have you!

t

>-----Original Message-----
>From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-
>bounces@xxxxxxxxxxxxxxxxx] On Behalf Of lsi
>Sent: Sunday, May 23, 2010 9:16 AM
>To: full-disclosure@xxxxxxxxxxxxxxxxx
>Subject: [Full-disclosure] denial-of-service vulnerability in the Microsoft
>Malicious Software Removal Tool
>
>denial-of-service vulnerability in the Microsoft Malicious Software Removal
>Tool
>
>platforms affected: Windows
>distribution: wide
>severity: high
>
>Description of the vulnerability:
>
>The Microsoft Malicious Software Removal Tool (MRT) is a program used to
>remove malware from infected Windows systems.  However, MRT does not
>always correctly repair the system.  In at least one case, the changes made by
>MRT can render the system unbootable (log below).
>Repair can be time-consuming and expensive, particularly as the error
>messages and log files of the software concerned are cryptic and
>uninformative, or non-existent.
>
>As MRT runs automatically in the background once a month, these changes to
>the system may be made without the knowledge of an Administrator (or even
>the user).
>
>Suspected cause:
>
>Missing logic in MRT to repair the system, rather than just deleting stuff willy-nilly.
>
>Recommendations:
>
>1. Do not run MRT manually.
>
>2. Disable MRT if possible, especially on mission-critical machines.
>
>3. Do not use Windows.
>
>Details of notification to vendor:
>
>None.
>
>Sample of the fault:
>
>Microsoft Windows Malicious Software Removal Tool v3.7, May 2010 Started On Tue May 18 21:24:47 2010
>
>Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
>----------------
>Threat detected: VirTool:WinNT/Cutwail.L
>    driver://NDIS
>    file://C:\WINDOWS\system32\drivers\NDIS.sys
>        SigSeq: 0x00008A78910FD971
>        SHA1:   DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A
>
>regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
>
>safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
>    service://NDIS
>
>Quick Scan Removal Results
>----------------
>Start 'remove' for regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
>Operation succeeded !
>
>Start 'remove' for service://NDIS
>Operation was scheduled to be completed after next reboot.
>
>Start 'remove' for safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
>Operation succeeded !
>
>Start 'remove' for driver://NDIS
>Operation was scheduled to be completed after next reboot.
>
>Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
>Operation succeeded !
>
>
>Results Summary:
>----------------
>For cleaning VirTool:WinNT/Cutwail.L, the system needs to be restarted.
>Microsoft Windows Malicious Software Removal Tool Finished On Tue May 18 21:31:29 2010
>
>
>Return code: 10 (0xa)
>
>
>---
>Stuart Udall
>stuart at@xxxxxxxxxxxxxx net - http://www.cyberdelix.net/
>
>---
> * Origin: lsi: revolution through evolution (192:168/0.2)
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

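The thread's point of contention is that MRT's log shows the core network driver NDIS.sys being deleted and its driver/service entries scheduled for removal at the next reboot. The following is an added example (not from either poster, not Microsoft's tooling) that parses the removal section of an mrt.log in the format quoted above and flags removals touching a small, assumed watch-list of boot-critical drivers, so an administrator can review before the reboot happens.

```python
import re

# Assumed watch-list of drivers Windows cannot boot or network without.
# Only NDIS is documented on the page; the rest are illustrative additions.
CRITICAL_DRIVERS = {"ndis", "tcpip", "disk", "ntfs"}

START_RE = re.compile(r"^Start 'remove' for\s*(.*)$")
TARGET_RE = re.compile(r"^(?P<scheme>[a-z]+)://(?P<target>.+)$")


def parse_removals(log_text):
    """Return (scheme, target, outcome) for each 'Start remove' entry.
    The target may sit on the same line or, as in the mail-wrapped copy
    above, on the following line; the outcome is the next 'Operation' line."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i < len(lines):
        m = START_RE.match(lines[i])
        i += 1
        if not m:
            continue
        rest = m.group(1).strip()
        if not rest and i < len(lines):          # target wrapped onto next line
            rest, i = lines[i], i + 1
        outcome = ""
        if i < len(lines) and lines[i].startswith("Operation"):
            outcome, i = lines[i], i + 1
        tm = TARGET_RE.match(rest)
        if tm:
            entries.append((tm.group("scheme"), tm.group("target"), outcome))
    return entries


def component_name(scheme, target):
    """Reduce a file path, registry key, driver or service target to its name."""
    name = re.split(r"[\\/]", target.replace("\\\\?\\", ""))[-1].lower()
    return name.rsplit(".", 1)[0] if scheme == "file" else name


def critical_removals(log_text):
    """Removals that hit a watch-listed driver, with a reboot-pending flag."""
    return [{"scheme": s, "target": t, "pending_reboot": "scheduled" in o.lower()}
            for s, t, o in parse_removals(log_text)
            if component_name(s, t) in CRITICAL_DRIVERS]


# Constructed sample modelled on the log in the advisory; last entry is a
# hypothetical non-critical dropper to show it is not flagged.
SAMPLE_LOG = r"""
Start 'remove' for regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !
Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.
Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !
Start 'remove' for file://C:\Users\x\AppData\Local\Temp\dropper.exe
Operation succeeded !
"""
```

Run `critical_removals(SAMPLE_LOG)` against a real mrt.log (normally under %WINDIR%\debug) before rebooting; a file:// hit on a watch-listed driver is the cue to restore the file from install media or a known-good copy first.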