Author Topic: A vulnerability for "BB without virtualization" (usp10.dll)

Offline a256886572008

A vulnerability for "BB without virtualization" (usp10.dll)
« on: February 25, 2013, 11:04:46 PM »
1.
https://www.virustotal.com/en/file/8a087d59c3aa2af47cbfb959a23ca26bf1ae1401eb315436fb6f08da8b6849e7/analysis/1361850168/

http://valkyrie.comodo.com/Result.html?sha1=a8f846ae76bf1a1c350d08e657a007d955430ce8&&query=1&&filename=0943120.exe

http://camas.comodo.com/cgi-bin/submit?file=8a087d59c3aa2af47cbfb959a23ca26bf1ae1401eb315436fb6f08da8b6849e7

2.
(1) I double clicked on the malware.

(2) It was sandboxed as "partially limited".

(3) Then it created the usp10.dll in many locations.

(4) ci72.png showed many usp10.dll in the list.

3.Problem:
If I run any application (trusted) beside the usp10.dll, the application will load the usp10.dll.
(CIS did not sandbox the trusted applications which load the usp10.dll.)

Then, the application executes a malware (comodo popups sandbox alerts)

Quote
2013-02-26 11:40:38   C:\DOCUME~1\Roger\LOCALS~1\Temp\09d6340.tmp   Sandboxed As   Partially Limited  
  
2013-02-26 11:40:50   C:\Documents and Settings\Roger\Local Settings\Temp\Jn2SEVH1.pif   Create Process, Block File   C:\Documents and Settings\Roger\Local Settings\Temp\TuxYwz569.exe  

4.Environment:
Windows XP Pro SP3 32bit

5.
The behavior of the usp10.dll.
http://anubis.iseclab.org/?action=result&task_id=168fe0f2ecd17be045d42d3fe0e5701f4

After restarting the system, XP can not start.



[attachment deleted by admin]
« Last Edit: February 26, 2013, 04:12:36 AM by a256886572008 »

Offline clockwork

Re: A vulnerability for "BB without virtualization" (usp10.dll)
« Reply #1 on: February 26, 2013, 05:14:19 AM »
If this thing will execute without user interaction
we have a worst case scenario.

Traditional: Blocked
Userfriendly: Burnt
"If there is a problem, it`s something interesting. Try to circumvent or fix it.
In the old ages there has been no support. That`s why we got the brain we have today.
Otherwise we would only be able to call a number and listen.
But there was no phone...."

Offline mouse1

Re: A vulnerability for "BB without virtualization" (usp10.dll)
« Reply #2 on: February 26, 2013, 06:27:31 AM »
This should be caught in future by the COM restrictions we are told Comodo is planning - roughly that non-BB'd files cannot load unknown DLLs.

Offline Chiron

Re: A vulnerability for "BB without virtualization" (usp10.dll)
« Reply #3 on: February 26, 2013, 08:18:40 PM »
Does setting the BB to Untrusted block this?

Also, what about FV?

Offline a256886572008

Re: A vulnerability for "BB without virtualization" (usp10.dll)
« Reply #4 on: February 26, 2013, 08:53:27 PM »
Does setting the BB to Untrusted block this?

Also, what about FV?

1. If the sandbox level is set as limited or upper levels, the malware will not create the usp10.dll in many locations.

Please see the red line.

Quote
2013-02-27 09:48:36   C:\virus\qnxvsptqq\0943120.exe   Sandboxed As   Limited  

2013-02-27 09:48:41   C:\Documents and Settings\Roger\Local Settings\Temp\32E26B10.temp   Modify File   C:\Documents and Settings\Roger\Local Settings\Temp\TuxYwz569.exe  

2013-02-27 09:48:41   C:\Documents and Settings\Roger\Local Settings\Temp\32E26B10.temp   Modify File   C:\WINDOWS\system32\drivers\etc\hosts  

2013-02-27 09:48:41   C:\virus\qnxvsptqq\0943120.exe   Direct Disk Access   C:\  

2013-02-27 09:48:41   C:\virus\qnxvsptqq\0943120.exe   DNS/RPC Client Access   \RPC Control\DNSResolver  

2013-02-27 09:48:41   C:\virus\qnxvsptqq\0943120.exe   Direct Disk Access   D:\  

2013-02-27 09:48:41   C:\virus\qnxvsptqq\0943120.exe   Modify File   C:\WINDOWS\usp10.dll  

2013-02-27 09:48:41   C:\virus\qnxvsptqq\0943120.exe   Modify Key   HKLM\SYSTEM\ControlSet001\Control\Session Manager\ExcludeFromKnownDlls  

2013-02-27 09:48:42   C:\DOCUME~1\Roger\LOCALS~1\Temp\TuxYwz569.exe   Sandboxed As   Limited  

2013-02-27 09:48:43   C:\WINDOWS\system32\conime.exe   Sandboxed As   Limited  

2013-02-27 09:48:44   C:\WINDOWS\system32\dwwin.exe   Sandboxed As   Limited  

2. If the sandbox level is set as fully virtualized, the malware will create many usp10.dll in the location only.

C:\VTRoot\*
« Last Edit: March 04, 2013, 08:10:44 AM by a256886572008 »
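An added example, not code from the thread or from Comodo: a small Python checker that reads Defense+ event lines in the tab-separated shape quoted in this post and flags the two behaviours reported here and in the opening post (usp10.dll written anywhere outside the system directories, and the ExcludeFromKnownDlls edit). The sample lines, the SomeApp path and the LEGIT_USP10_DIRS allowlist are constructed assumptions.

```python
# Constructed sample in the shape of the CIS Defense+ log lines quoted above:
# timestamp, source process, action, target, separated by tabs.
SAMPLE_LOG = """\
2013-02-27 09:48:36\tC:\\virus\\qnxvsptqq\\0943120.exe\tSandboxed As\tLimited
2013-02-27 09:48:41\tC:\\virus\\qnxvsptqq\\0943120.exe\tModify File\tC:\\WINDOWS\\usp10.dll
2013-02-27 09:48:41\tC:\\virus\\qnxvsptqq\\0943120.exe\tModify Key\tHKLM\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ExcludeFromKnownDlls
2013-02-27 09:48:41\tC:\\virus\\qnxvsptqq\\0943120.exe\tModify File\tC:\\WINDOWS\\system32\\drivers\\etc\\hosts
2013-02-27 09:48:45\tC:\\Program Files\\SomeApp\\app.exe\tModify File\tC:\\Program Files\\SomeApp\\usp10.dll
"""

# Assumed allowlist: where usp10.dll legitimately lives on 32-bit XP. A copy in
# any other directory sits ahead of these in the loader's search path for an
# application started from that directory, which is the planting the thread describes.
LEGIT_USP10_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\winsxs\\")


def parse_cis_line(line):
    """Split one Defense+ line into its four columns; None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 4:
        return None
    return {"ts": parts[0], "proc": parts[1], "action": parts[2], "target": parts[3]}


def is_rogue_usp10_path(path):
    """True for a usp10.dll path outside the allowlisted system directories."""
    p = path.lower()
    return p.endswith("\\usp10.dll") and not p.startswith(LEGIT_USP10_DIRS)


def find_rogue_copies(paths):
    """Filter any list of file paths (e.g. a directory walk) down to planted copies."""
    return sorted({p for p in paths if is_rogue_usp10_path(p)})


def analyse(log_text):
    """Return (kind, process, target) findings for the two behaviours of interest."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_cis_line(line)
        if ev is None:
            continue
        if ev["action"] == "Modify File" and is_rogue_usp10_path(ev["target"]):
            findings.append(("rogue_usp10", ev["proc"], ev["target"]))
        # ExcludeFromKnownDlls removes a DLL name from the KnownDlls shortcut, so a
        # per-directory copy is consulted instead of the system32 one.
        elif ev["action"] == "Modify Key" and ev["target"].lower().endswith("\\excludefromknowndlls"):
            findings.append(("knowndlls_exclusion", ev["proc"], ev["target"]))
    return findings
```

Some products (Office releases, for example) ship their own usp10.dll under Program Files, so a real deployment extends the allowlist and compares file hashes against a known-good copy rather than trusting the path alone.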

Offline mouse1

Re: A vulnerability for "BB without virtualization" (usp10.dll)
« Reply #5 on: February 27, 2013, 02:12:17 AM »
1. If the sandbox level is set as limited or upper levels, the malware will not create the usp10.dll in many locations.

Please see the red line.

2. If the sandbox level is set as fully virtualized, the malware will create many usp10.dll in the location only.

C:\VTRoot\*

Then, when you run a sandboxed (virtualised) trusted process will it load a usp10.dll?

Offline a256886572008

Re: A vulnerability for "BB without virtualization" (usp10.dll)
« Reply #6 on: February 27, 2013, 04:53:51 AM »
Then, when you run a sandboxed (virtualised) trusted process will it load a usp10.dll?

Yes, the virtualized applications will load the usp10.dll.

D:\software\CLT2\clt.exe   loaded
C:\VTRoot\HarddiskVolume2\software\CLT2\usp10.dll

--------------------------
trusted or untrusted --> It is not important.
virtualized or "not virtualized" --> It is important.

So, the unvirtualized applications will not load the usp10.dll in the location.

C:\VTRoot\*


[attachment deleted by admin]
« Last Edit: February 27, 2013, 05:05:02 AM by a256886572008 »

Offline mouse1

Re: A vulnerability for "BB without virtualization" (usp10.dll)
« Reply #7 on: February 27, 2013, 05:09:17 AM »
Yes, the virtualized applications will load the usp10.dll.

D:\software\CLT2\clt.exe   loaded
C:\VTRoot\HarddiskVolume2\software\CLT2\usp10.dll

--------------------------
trusted or untrusted --> It is not important.
virtualized or "not virtualized" --> It is important.

So, the unvirtualized applications will not load the usp10.dll in the location.

C:\VTRoot\*


OK, that's what I thought, R. Confirms that the new COM restrictions (except perhaps trusted DLL preference) are not in place yet, which is what my testing has indicated.

Offline Gaige

Re: A vulnerability for "BB without virtualization" (usp10.dll)
« Reply #8 on: March 01, 2013, 11:45:42 PM »
I found the same malware in "style-chart.com" (different malware "topbohum.co.kr").
Some Comodo users' Windows was broken by this malware.
My friend used Avast+Comodo Firewall. But his Windows OS was broken too. ;D ;D


[attachment deleted by admin]
« Last Edit: March 02, 2013, 01:16:15 PM by Gaige »
