Full Disclosure mailing list archives

Re: denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool


From: "Thor (Hammer of God)" <Thor () hammerofgod com>
Date: Sun, 23 May 2010 16:34:24 +0000

And where's the part where the system was rendered unbootable?

And how did your users get infected with Cutwail?  Let me guess... they are all still running XP and you've got them 
running as local administrators right?  And they get to download codecs "willy nilly" and are probably using Bittorrent 
to get illegal copies of software pre-infected with cutwail, right?  

Regardless, let's see if we have your advisory correct.  In order to be a victim of this "Denial of Service 
Vulnerability" we must first get infected with something like Cutwail that runs with user interaction and also requires 
administrator privileges (you can see that NDIS.SYS was altered).  Of course, your AV must be at least 2 years old too. 
 Then, once we get infected with malware, we run MRT, and see in the logs that it was successfully removed and requires 
a reboot.  

Very nice work indeed!!!  Your clients are fortunate to have you!

t

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of lsi
Sent: Sunday, May 23, 2010 9:16 AM
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool

denial-of-service vulnerability in the Microsoft Malicious Software Removal Tool

platforms affected: Windows
distribution: wide
severity: high

Description of the vulnerability:

The Microsoft Malicious Software Removal Tool (MRT) is a program used to
remove malware from infected Windows systems.  However, MRT does not
always correctly repair the system.  In at least one case, the changes made by
MRT can render the system unbootable (log below).
Repair can be time-consuming and expensive, particularly as the error
messages and log files of the software concerned are cryptic and
uninformative, or non-existent.

As MRT runs automatically in the background once a month, these changes to
the system may be made without the knowledge of an Administrator (or even
the user).

Suspected cause:

Missing logic in MRT to repair the system, rather than just deleting stuff willy-nilly.

Recommendations:

1. Do not run MRT manually.

2. Disable MRT if possible, especially on mission-critical machines.

3. Do not use Windows.

Details of notification to vendor:

None.

Sample of the fault:

Microsoft Windows Malicious Software Removal Tool v3.7, May 2010 Started On Tue May 18 21:24:47 2010

Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX:
----------------
Threat detected: VirTool:WinNT/Cutwail.L
   driver://NDIS
   file://C:\WINDOWS\system32\drivers\NDIS.sys
       SigSeq: 0x00008A78910FD971
       SHA1:   DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A
   regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
   safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
   service://NDIS

Quick Scan Removal Results
----------------
Start 'remove' for regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETWORK\NDIS
Operation succeeded !

Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.

Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !


Results Summary:
----------------
For cleaning VirTool:WinNT/Cutwail.L, the system needs to be restarted.
Microsoft Windows Malicious Software Removal Tool Finished On Tue May 18 21:31:29 2010


Return code: 10 (0xa)


---
Stuart Udall
stuart at () cyberdelix dot net - http://www.cyberdelix.net/

---
* Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

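As an added example (not code from either poster or from Microsoft), the script below parses removal records in the MRT log format quoted above, re-joins targets that a mail client wrapped across lines, and flags removals that touch a boot-critical driver so an administrator can confirm a clean copy of that file is in place before the scheduled reboot. The set of critical driver names and the sample log (which adds a made-up temp-file entry alongside the NDIS entries) are assumptions, not taken from the thread.

```python
import re

# Constructed excerpt in the format of the MRT log quoted above: one registry
# target wrapped across two lines by the mail client, plus a made-up temp file.
SAMPLE_LOG = r"""Start 'remove' for
regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW
ORK\NDIS
Operation succeeded !
Start 'remove' for service://NDIS
Operation was scheduled to be completed after next reboot.
Start 'remove' for driver://NDIS
Operation was scheduled to be completed after next reboot.
Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys
Operation succeeded !
Start 'remove' for file://\\?\C:\WINDOWS\Temp\dropper.tmp
Operation succeeded !
"""

# Assumed, non-exhaustive set of boot-start driver names; removing one of
# these without putting a clean copy in place is likely to break boot.
CRITICAL_DRIVERS = {"ndis", "ntfs", "atapi", "disk", "ftdisk", "mountmgr"}


def parse_removals(log_text):
    """One record per "Start 'remove' for <target>" block; re-joins wrapped targets."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    records, i = [], 0
    while i < len(lines):
        m = re.match(r"^Start 'remove' for\s*(.*)$", lines[i])
        i += 1
        if not m:
            continue
        target = m.group(1)
        # Lines up to the "Operation ..." outcome are continuations of the target.
        while i < len(lines) and lines[i] and not lines[i].startswith("Operation"):
            target += lines[i]
            i += 1
        outcome = lines[i] if i < len(lines) else ""
        scheme, _, path = target.partition("://")
        records.append({"scheme": scheme, "target": path, "outcome": outcome})
    return records


def driver_name(record):
    """Reduce any target kind (file, driver, service, regkey, safeboot) to a driver name."""
    leaf = record["target"].rsplit("\\", 1)[-1].lower()
    return leaf[:-4] if leaf.endswith(".sys") else leaf


def critical_removals(log_text, critical=CRITICAL_DRIVERS):
    """Removals that touch a boot-critical driver; check these before rebooting."""
    return [r for r in parse_removals(log_text) if driver_name(r) in critical]
```

On the sample, `critical_removals(SAMPLE_LOG)` returns the four NDIS records (regkey, service, driver and file) and leaves the temp-file removal unflagged.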
