Sunday, July 18, 2010

CVE-2010-2568 (LNK vulnerability) Zero Day Stuxnet-A Sample + PoC by Ivanlef0u + Links

CVE-2010-2568  -- Reserved --
Microsoft Security Advisory (2286198) Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.
The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.

Download 74ddc49a7c121a61b8d06c03f92d0c13 Stuxnet-A as a password protected archive (please contact me for the password if you need it)

Collection of links (in no particular order)
  1. Ivanlef0u's Blog CVE-2010-2568 shortcut Lnk + PoC (Google translated to English)
  2. Exploitdb Microsoft Windows Automatic LNK Shortcut File Code Execution (PoC by Ivanlef0u)
  3. Microsoft Security Advisory (2286198) Vulnerability in Windows Shell Could Allow Remote Code Execution
  4. Brian Krebs Experts Warn of New Windows Shortcut Flaw
  6. InReverse About TmpHider/Stuxnet #1 by swirl
  6. Wilders Security Forums - Rootkit.TmpHider
  7. Microsoft Malware Protection Center - The Stuxnet Sting
  8. Microsoft Malware Protection Center - WinNT/Stuxnet.A
  9. Threatexpert - Win32/Stuxnet.A
  10. ESET (Windows) Shellshocked, Or Why Win32/Stuxnet Sux… by David Harley (with special thanks to Juraj Malcho, Aleksander Matrosov and their colleagues)
  11. Aleksander Matrosov "Rootkit.TmpHider is signed with signature of Realtek Corp" /via @_MDL_
  12. Sophos Windows shortcut vulnerability with rootkit - detailed video demo
  13. Mitigating .LNK Exploitation With Ariad — Didier Stevens
  14. Internet Storm Center Vulnerability in Windows "LNK" files?  by Joel Esler and Bojan
  15. Windows zero-day attack works on all Windows systems by Chester Wisniewski
  16. Stuxnet is a directed attack -- 'hack of the century' by Ralph Langner (new)

 From Threatexpert
  * The following files were created in the system (filename, size, hashes, alias):
  1. %Windir%\inf\mdmcpq3.PNF (6,623 bytes)
     MD5: 0x0DD2AF5AFE93118073CB656D813435A4
     SHA-1: 0x256AC5228427FCD03FB9EC1871B15FD76E4D0879
     Alias: (not available)
  2. %Windir%\inf\mdmeric3.PNF (90 bytes)
     SHA-1: 0xF7B86531AD78EB283E59091A1C64B0C47D50E6C6
     Alias: (not available)
  3. %Windir%\inf\oem6C.PNF (323,848 bytes)
     MD5: 0xFA4381DF1F7F89077439A596630D5647
     SHA-1: 0x152B6830777E7F2B214708A21BA28F9D625E5E16
     Alias: (not available)
  4. %Windir%\inf\oem7A.PNF (498,176 bytes)
     SHA-1: 0xBCFCC25C6D0F58D784D5B5A4C631E920F655F50E
     Alias: (not available)
  5. %System%\drivers\mrxcls.sys (26,616 bytes)
     MD5: 0xF8153747BAE8B4AE48837EE17172151E
     SHA-1: 0xCB0793029C60C0BD059FF85DE956619F7FDEB4FD
     Alias: Trojan:WinNT/Stuxnet.A [Microsoft]
  6. %System%\drivers\mrxnet.sys (17,400 bytes)
     MD5: 0xCC1DB5360109DE3B857654297D262CA1
     SHA-1: 0x758240613C362BB1FD13E07D3D19F357B7F8A6DA
     Alias: Trojan:WinNT/Stuxnet.B [Microsoft]
  7. [file and pathname of the sample #1] (517,632 bytes)
     MD5: 0x74DDC49A7C121A61B8D06C03F92D0C13
     SHA-1: 0x0CCBC128DD8BF73DC7B3922FB67D26BBCDBCAA89
     Alias: Trojan.Gen [PCTools], Trojan.Gen [Symantec], TrojanDropper:Win32/Stuxnet.A [Microsoft]

016169ebebf1cec2aad6c7f0d0ee9026  received on 2010.07.16 11:55:58 (UTC)
Result: 25/41 (60.98%)
Antivirus     Version     Last update     Result
a-squared     2010.07.16     Trojan-Dropper.Win32.Stuxnet!IK
AhnLab-V3     2010.07.16.00     2010.07.15     Dropper/Win32.Stuxnet
AntiVir     2010.07.16     TR/Drop.Stuxnet.D
Avast     4.8.1351.0     2010.07.16     Win32:Trojan-gen
Avast5     5.0.332.0     2010.07.16     Win32:Trojan-gen
AVG     2010.07.16     SHeur3.XLI
BitDefender     7.2     2010.07.16     Win32.Worm.Stuxnet.A
Comodo     5446     2010.07.16     TrojWare.Win32.Rootkit.Stuxnet.a
DrWeb     2010.07.16     Trojan.Stuxnet.1
F-Secure     9.0.15370.0     2010.07.16     Trojan.Agent.AQCK
GData     21     2010.07.16     Win32.Worm.Stuxnet.A
Ikarus     T3.     2010.07.16     Trojan-Dropper.Win32.Stuxnet
Kaspersky     2010.07.16     Trojan-Dropper.Win32.Stuxnet.d
McAfee     5.400.0.1158     2010.07.16     Stuxnet
McAfee-GW-Edition     2010.1     2010.07.16     Heuristic.LooksLike.Win32.NewMalware.B
Microsoft     1.6004     2010.07.16     TrojanDropper:Win32/Stuxnet.A
NOD32     5283     2010.07.16     Win32/Stuxnet.A
nProtect     2010-07-16.01     2010.07.16     Trojan.Agent.AQCK
PCTools     2010.07.16     Rootkit.Stuxnet
Prevx     3.0     2010.07.16     Medium Risk Malware
Sophos     4.55.0     2010.07.16     Troj/Stuxnet-A
Sunbelt     6591     2010.07.16     Trojan.Win32.Generic!BT
Symantec     20101.1.1.7     2010.07.16     Trojan.Gen
VBA32     2010.07.16     Trojan-Spy.0485
VirusBuster     2010.07.16     Trojan.DR.Stuxnet.C
Additional information
File size: 517632 bytes
MD5   : 74ddc49a7c121a61b8d06c03f92d0c13

 Microsoft Malware Protection Center
 Aliases: Win32/PcClient.ACH (CA)

Alert Level: Severe
Released: Jul 07, 2010
Trojan:WinNT/Stuxnet.A is a trojan component installed by TrojanDropper:Win32/Stuxnet.A that injects code into the running process LSASS.EXE.

System changes
The following system changes may indicate the presence of this malware:

      The presence of the following files:
      <system folder>\drivers\mrxcls.sys
      The presence of the following registry keys:
      HKLM\SYSTEM\CurrentControlSet\Services\MRxCls

Technical Information (Analysis)
Trojan:WinNT/Stuxnet.A may be present as the following file:

<system folder>\drivers\mrxcls.sys

Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

The trojan component runs as a hidden service named "MRXCLS" via a registry modification as in the following example:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
Sets value: "Description"
With data: "MRXCLS"
Sets value: "DisplayName"
With data: "MRXCLS"
Sets value: "ErrorControl"
With data: "0"
Sets value: "Group"
With data: "Network"
Sets value: "ImagePath"
With data: "\??\%windir%\system32\Drivers\mrxcls.sys"
Sets value: "Start"
With data: "1"
Sets value: "Type"
With data: "1"
Sets value: "Data"
With data: ""
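As an added defender-side example (not code from the original post, Microsoft or ThreatExpert), the following Python parses a .reg text export of the Services hive and flags entries matching the MRXCLS persistence pattern above; the service name and driver file names are taken from this page, and the export text is constructed.

```python
# Added example, not the page's or Microsoft's code: flag .reg Services entries matching
# the MRXCLS persistence pattern above (names from this page; the export is constructed).
SUSPECT_SERVICES = {"mrxcls"}                       # hidden service name in the listing
SUSPECT_DRIVERS = {"mrxcls.sys", "mrxnet.sys"}      # driver files from the file table
# Constructed .reg export: the Stuxnet service entry beside a legitimate driver.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
"Description"="MRXCLS"
"DisplayName"="MRXCLS"
"Group"="Network"
"ImagePath"="\\??\\%windir%\\system32\\Drivers\\mrxcls.sys"
"Start"=dword:00000001
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"ImagePath"="system32\\DRIVERS\\tcpip.sys"
"Start"=dword:00000001
"Type"=dword:00000001
'''

def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; handles REG_SZ and dword values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current, keys[line[1:-1]] = line[1:-1], {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            # dword values are hex; .reg doubles backslashes in strings, undo that for path checks
            keys[current][name.strip('"')] = (int(raw[6:], 16) if raw.startswith("dword:")
                                              else raw.strip('"').replace("\\\\", "\\"))
    return keys

def find_suspect_services(reg_text):
    """Return [(service, driver_file, reasons)] for entries matching the indicators."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if "\\Services\\" not in key:
            continue
        service = key.rsplit("\\", 1)[1].lower()
        driver = values.get("ImagePath", "").lower().rsplit("\\", 1)[-1]
        reasons = []
        if service in SUSPECT_SERVICES:
            reasons.append("service name matches MRXCLS")
        if driver in SUSPECT_DRIVERS:
            reasons.append("ImagePath points at a known Stuxnet driver")
        # Type 1 / Start 1 = kernel driver loaded at system start, as in the listing above
        if reasons and values.get("Type") == 1 and values.get("Start") == 1:
            reasons.append("kernel driver with SYSTEM_START")
        if reasons:
            hits.append((service, driver, reasons))
    return hits
```

On a live host the same logic applies to a `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump, though a match on name or path alone is a lead to verify against the file hashes above, not proof of infection.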
Injects code
Trojan:WinNT/Stuxnet.A is capable of injecting malicious code into the running process "LSASS.EXE" based on data written in the registry or from other TrojanDropper:Win32/Stuxnet.A components such as the following:


Analysis by Francis Allan Tan Seng 
