Threat Level: green Handler on Duty: Jim Clausing

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Dell PowerEdge R410 replacement motherboard firmware contains malware

Published: 2010-07-21
Last Updated: 2011-01-30 04:29:54 UTC
by Adrien de Beaupre (Version: 1)
1 comment(s)

A Dell support forum post confirms that PowerEdge R410 replacement motherboards contain malware. The posting is here en.community.dell.com/support-forums/servers/f/956/t/19339458.aspx. The embedded server management firmware in some motherboards contain the malicious code. The issue is not present on new servers and does not impact non-Windows based servers. No further information on the malware itself, mitigation techniques, the specific motherboards affected, nor the method of the original infection are yet available. Dell is sending snail mail and calling affected customers. Thanks Geoff and one other reader for bringing this to our attention!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

1 comment(s)

Adobe Reader Protected Mode

Published: 2010-07-21
Last Updated: 2011-01-30 04:19:53 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

Adobe have announced that Reader will run in a sandbox called Protected Mode blogs.adobe.com/asset/2010/07/%20introducing-adobe-reader-protected-mode.html. It is based on Microsoft's  Practical Windows Sandboxing blogs.msdn.com/b/david_leblanc/archive/2007/07.aspx. This is good news as it will drastically reduce the attack surface of Adobe Reader and mitigate the impact of any vulnerabilities within the product.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

0 comment(s)

Update on .LNK vulnerability

Published: 2010-07-21
Last Updated: 2011-01-25 00:07:49 UTC
by Adrien de Beaupre (Version: 1)
2 comment(s)

Microsoft have updated their security advisory 'Vulnerability in Windows Shell Could Allow Remote Code Execution' 2286198 to describe further attack vectors for this vulnerability. The vulnerability can be exploited using .LNK files on removable drives, via WebDav and network shares, using .PIF files as well as .LNK, and documents that can have embedded shortcuts within them. The original discussion on this vulnerability is here isc.sans.edu/diary.html?storyid=9181

The ISC has previously raised the infocon isc.sans.edu/diary.html?storyid=9190 with regards to this issue, and will continue to monitor for any changes. Please let us know via our contact us page or by commenting below if you have any new information on the issue, have been affected by this vulnerability being exploited, or have a copy of malware taking advantage of it.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

2 comment(s)

autorun.inf and .lnk Malware (NOT 'Vulnerability in Windows Shell Could Allow Remote Code Execution' 2286198)

Published: 2010-07-21
Last Updated: 2011-01-24 23:43:47 UTC
by Adrien de Beaupre (Version: 1)
1 comment(s)

Note that this malware does NOT exploit 'Vulnerability in Windows Shell Could Allow Remote Code Execution' 2286198. It simply uses the autorun.inf to launch the executable, or waits for the user to double click the .LNK file. I wrote up this diary before fellow handler Bojan pointed that out to me.

Aaron wrote in the following:

"We had a user get infected ...  The symptoms we saw were as follows:

  1. The virus hides all folders on the root of any drive it has write access to.
  2. It then drops an LNK file named the same as all of the folders.  So you have a series of LNK files where your folders used to be.  This appears to only happen at the root of the drive(s) the user has write access to.
  3. Then the virus drops an autorun.inf, EXE, and SRC file at the root of the infected drives.

    One of the things we did to scan our server shares was to run robocopy in list-only mode.  We used a command similar to this:
    robocopy servershare c: *.lnk /MAXAGE:2 /L /S /R:3 /W:3 /NDL
    It scans for any LNK files created in the past 2 days.  The reasoning is that LNK files should not be created very often on shares, so a large number of them would be suspicious."

He also sent us a copy of the files found on the affected system. The virustotal results virustotal.com results yesterday were 11/36 (30.56%).

This is what the .LNK file looks like:

xxd Backup Drive.lnk
0000000: 4c00 0000 0114 0200 0000 0000 c000 0000  L...............
0000010: 0000 0046 cb00 0000 0700 0000 0000 0000  ...F............
0000020: 0000 0000 0000 0000 0000 0000 007b b54b  .............{.K
0000030: 7627 cb01 00c2 0100 0300 0000 0100 0000  v'..............
0000040: 0000 0000 0000 0000 0000 0000 7500 1400  ............u...
0000050: 1f50 e04f d020 ea3a 6910 a2d8 0800 2b30  .P.O. .:i.....+0
0000060: 309d 1900 2f43 3a5c 0000 0000 0000 0000  0.../C:........
0000070: 0000 0000 0000 0000 0000 0046 0032 0000  ...........F.2..
0000080: c201 00f3 3c87 9907 0066 6f65 7576 652e  ....<....foeuve.
0000090: 7363 7200 002c 0003 0004 00ef be00 0000  scr..,..........
00000a0: 0000 0000 0014 0000 0066 006f 0065 0075  .........f.o.e.u
00000b0: 0076 0065 002e 0073 0063 0072 0000 001a  .v.e...s.c.r....
00000c0: 0000 004a 0000 001c 0000 0002 0000 0000  ...J............
00000d0: 0000 0000 0000 001c 0000 003f 0000 0023  ...........?...#
00000e0: 0000 0003 0000 0014 0000 0020 0000 0000  ........... ....
00000f0: 00fe 7f5c 5c43 6c69 656e 745c 4324 0043  ...ClientC$.C
0000100: 3a00 666f 6575 7665 2e73 6372 000c 002e  :.foeuve.scr....
0000110: 005c 0066 006f 0065 0075 0076 0065 002e  ..f.o.e.u.v.e..
0000120: 0073 0063 0072 0021 0025 0073 0079 0073  .s.c.r.!.%.s.y.s
0000130: 0074 0065 006d 0072 006f 006f 0074 0025  .t.e.m.r.o.o.t.%
0000140: 005c 0073 0079 0073 0074 0065 006d 0033  ..s.y.s.t.e.m.3
0000150: 0032 005c 0073 0068 0065 006c 006c 0033  .2..s.h.e.l.l.3
0000160: 0032 002e 0064 006c 006c 0000 0000 00    .2...d.l.l.....

Here are md5sums of the files captured:

4514e6b0ebf1859bc06464cc86e6b0aa  994e7f70c6c8cfdc0d10.lnk
eb72f852dc417e5c1c500d777b763ff5  autorun.inf
4514e6b0ebf1859bc06464cc86e6b0aa  Backup Drive.lnk
4514e6b0ebf1859bc06464cc86e6b0aa  dellinks.lnk
4514e6b0ebf1859bc06464cc86e6b0aa  DELL.lnk
4514e6b0ebf1859bc06464cc86e6b0aa  Documents and Settings.lnk
7a86fc2e33f1853e56e87968554a4f23  Documents.lnk
4514e6b0ebf1859bc06464cc86e6b0aa  DOS.lnk
6c312fa82a83602bf4bac49c569dddba  foeuve.exe
6c312fa82a83602bf4bac49c569dddba  foeuve.scr
8dd2dbd509c9e30c9a481fb790521a2a  Music.lnk
4514e6b0ebf1859bc06464cc86e6b0aa  New Folder.lnk
62ed86349f7d418d67c0e4dbbf2b0b57  Pictures.lnk
4514e6b0ebf1859bc06464cc86e6b0aa  Program Files.lnk
4514e6b0ebf1859bc06464cc86e6b0aa  QUARANTINE.lnk
4514e6b0ebf1859bc06464cc86e6b0aa  RECYCLER.lnk
4514e6b0ebf1859bc06464cc86e6b0aa  Root_C.lnk
4514e6b0ebf1859bc06464cc86e6b0aa  System Volume Information.lnk
4514e6b0ebf1859bc06464cc86e6b0aa  temp.lnk
94ea35e7315ede1f3226b42e8a1197e9  Video.lnk
4514e6b0ebf1859bc06464cc86e6b0aa  Vision5.lnk
4514e6b0ebf1859bc06464cc86e6b0aa  VNCTEMP.lnk
4514e6b0ebf1859bc06464cc86e6b0aa  WINDOWS.lnk

The .LNK files affected all have the same hash value, the two dropped files as well (foeuve.*) share md5sums. Here is the contents of autorun.inf:

cat autorun.inf
[AUtoRUn]
aCTION=Open folder to view files
SHeLLEXECuTe=FOeUVE.EXE
IcoN=%syStEMRoOt%sySTEm32Shell32.dll,4

Today the virustotal.com results for foeuvre.scr are similar, 23/41 (56.1%).

Thanks Aaron!

So, in a nutshell, not the exploit or malware we were looking for, but interesting nonetheless.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

 

Keywords: malware analysis
1 comment(s)
Cisco Security Advisory: CDS Internet Streamer: Web Server Directory Traversal Vulnerability http://www.cisco.com/warp/public/707/cisco-sa-20100721-spcdn.shtml
Diary Archives