F
Frazer Jolly Goodfellow
A patch is needed to fix the configuration option.
http://www.itworld.com/windows/63219/after-cert-warning-microsoft-delivers-autorun-fix
Yes.
A patch is needed to fix the configuration option.
http://www.itworld.com/windows/63219/after-cert-warning-microsoft-delivers-autorun-fix
F
FromTheRafters
Frazer Jolly Goodfellow said:
Location of file.
F
FromTheRafters
Frazer Jolly Goodfellow said:
True, but it is still an abuse of function rather than a software flaw
that needed to be patched.
In the above analogy, it is like setting the option not to boot from
floppy and yet still being able to boot from the floppy. If the
suggested option was to change the boot device order to make the floppy
the last option chosen - you could still get infected if the other
devices were not bootable for some reason. Changing the CMOS Setup
program to allow "disabling" of boot devices would be the equivalent of
the patch.
I think you place too much emphasis on detecting this fragment of the
worm.
V
Virus Guy
FromTheRafters said:
If that mess was the actual contents of the autorun.inf file, well then
either there's a flaw in how Windows processes the INF file and it
allows it to be constructed / formatted in such a non-documented way as
to resemble a binary file, or it's leveraging an exploit in how the
autorun.inf handler works.
Can anyone point to material that describes how or why autorun.inf would
be able to execute the contents of that file?
How did it get there? Did your AV program put it there? What does your
AV log file say?
It should still be on the USB stick, unless it was deleted from there.
Is it still in the recycler? If so, temporarily turn of your AV program
and submit the file to Virus Total. Then turn your AV back on.
V
Virus Guy
Virus said:
Ok, I see why:
------------------
Typical Autorun.inf files are very small in size.
The Downadup worm inflates the size of its autorun.inf in an attempt to
avoid detection by antivirus signature scanners. Binary characters are
used to inflate the file size. These binary characters are ignored by
the Windows operating system.
Windows will find the following command:
• Open=RUNDLL32.EXE .\RECYCLER\jwgvsq.vmx
This command executes a DLL called jwgvsq.vmx from a hidden folder on
the removable drive containing the malicious autorun.inf.
-------------------
Now why would Microsoft have designed their autorun.inf handler such
that it strips non-printable characters?
Why not just barf and ignore the file if it contains such characters?
What were they anticipating such that they built that behavior into the
autorun handler?
So the file is located in a hidden folder on the usb memory stick.
Submit that file to virus total. Change the properties on the folder if
necessary to make it visible.
F
Frazer Jolly Goodfellow
Spot on. There is evidence of it having been on the memory stick: the
folders E:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665 are still
there. Unfortunately the payload file itself, jwgkvsq.vmx, wasn't there any
more. I ran an undelete program and it found remnants of that file, but I
suspect it was corrupted because of other file activity on the drive since
the deletion. VirusTotal reported 0/39 hits for the recovered jwgkvsq.vmx
file, which is inconclusive.
F
FromTheRafters
Virus Guy said:
Fault tolerance?
You may be interested in the way comfiles and batfiles can exhibit this
behaviour. Check out the functioning of the batman186 virus or mimail.
I thought it was just a bad idea at the outset - but Microsoft has had a
history of giving the people what they want as opposed to what they need
securitywise.
Yes, as opposed to the 'exploit' and 'download from server' vector in
which it installs as you mentioned elsewhere.
That's the bugger where the danger lies (and the way to "identify"
rather than just detect a fragment).
F
FromTheRafters
I know that you know, but to be clear the autorun.inf file does not
execute the file's contents. The shell extension uses the information in
the autorun.inf file to determine what desired action to take (i.e.
which executable to execute or what to present to the user interface).
K
kurt wismer
Frazer said:
you realize, of course, that the autorun.inf file *isn't* the actual
malware, it's just the tool the malware uses to get automatically
executed...
most probably if you submitted what the autorun.inf file pointed to you
would have gotten better results...
[snip]
there are a number of reasons why virustotal can't be used as a measure
of an av product's effectiveness... they aren't always using the most
up-to-date version, they only run the command line scanner component and
thus miss out on the more advanced detection capabilities, etc...
K
kurt wismer
Frazer said:
autorun.inf files are too generic and they're used by too many
legitimate things... the only thing it will have in it is a filename of
the real malware and since malware can't be identified by filename the
autorun.inf file is insufficient...
K
kurt wismer
Virus said:
it's the former - autorun.inf files can be obfuscated by inserting junk...
i can't remember who it was i saw write about this before but i have
heard about it before...
J
jen
Virus Guy said:
An easier way to find the random name of the DLL...
1. In Registry Editor, locate and then click the following registry
subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
2. In the details pane, right-click the netsvcs entry, and then click
Modify.
3. Scroll down to the bottom of the list. If the computer is infected
with Conficker.b, a random service name will be listed. For example, in
this procedure, we will assume the name of the malware service is
"gzqmiijz". Note the name of the malware service. You will need this
information later in this procedure.
4. Delete the line that contains the reference to the malware service.
Make sure that you leave a blank line feed under the last legitimate
entry that is listed, and then click OK.
http://support.microsoft.com/kb/962007
-jen
G
Gaz
1PW said:
But the mechanism and the method of operation are the same. The writing of
an autorun file to a flash disk would be a rare to non existant legitimate
activity, and a prety likely behaviour of a a virus.
All antivirus software should now be scanning removable media for autorun
files on the root, as a matter of routine and flagging up suspicious
behaviour.
Gaz
V
Virus Guy
Gaz said:
Even more.
If malicious autorun.inf files are randomly padded with binary
characters to evade AV detection, then why don't the AV programs do what
the windows autorun.inf handler does - which is to remove the binary
characters? That way, different autorun.inf files can be boiled down to
the same file to make for easier detection. The AV programs would know
to handle specific files that way - autorun.inf specifically, perhaps
others (like *.bat, *.vbs, etc).
I still want to know why microsoft anticipated the presence of binary
characters in an autorun.inf file, to the extent that they developed
this mechanism to handle them. Even if it was a form of
error-correction, what confidence would you have in a script file that
had to have characters stripped out of it? What confidence would you
have that the result would be a coherent and funcational script?
If I replaced some of the text in my config.sys or autoexec.bat with
binary characters, and then stripped them out, the result would be
useless.
K
kurt wismer
Gaz wrote:
[snip]
just because it doesn't happen a lot in your environment doesn't mean
it's rare in other environments... virtually every software developer
that distributes their product on optical media uses autorun.inf files...
i think folks are getting a little hysterical about autorun.inf files...
while i agree that autorun is a braindead feature that should absolutely
be killed, scanning autorun.inf files is retarded - you might as well
scan autoexec.bat files while you're at it... there's nothing bad in the
autorun.inf file...
[snip]
just because it doesn't happen a lot in your environment doesn't mean
it's rare in other environments... virtually every software developer
that distributes their product on optical media uses autorun.inf files...
i think folks are getting a little hysterical about autorun.inf files...
while i agree that autorun is a braindead feature that should absolutely
be killed, scanning autorun.inf files is retarded - you might as well
scan autoexec.bat files while you're at it... there's nothing bad in the
autorun.inf file...
K
kurt wismer
Virus said:
what makes you think that's why they're padded? an autorun.inf file with
absolutely no crud in it would also have nothing in it to indicate
malicious intent and thus be necessarily invisible to a scanner...
frankly, the more crud you put in an autorun.inf file the more sense it
makes to create a heuristic to look for crud in autorun.inf files...
it's far more likely that the padding is to stymie casual visual
inspection by unskilled users...
1
1PW
But Kurt, I wonder if that was _the_ possible attack vector that took
down a portion of the French Air Force for a few days and raised hob
with portions of bt.com as well?
I know this may be unanswerable.
USB thumb drives and laptops, brought from the outside world, were some
of the primary sources for our attacks at my previous place of employment.
Warm regards,
Pete
F
FromTheRafters
1PW said:
You would think that sneakernet was a new development after reading
about the USB autorun vector. What security professional doesn't already
know that attaching foreign devices to a system can lead to malware
problems?
1
1PW
Hi All:
Mentioning sneakernet - I guess I'll load up some of my thumb drives
with all the legitimate Conficker removal tools to be found, gas up our
cars, and be prepared to make a few house calls late in the week...
Pete
F
Frazer Jolly Goodfellow
Hope they're write protectable, otherwise you risk becoming a carrier.
