A vulnerability for "BB without virtualization" (usp10.dll)

http://valkyrie.comodo.com/Result.html?sha1=a8f846ae76bf1a1c350d08e657a007d955430ce8&&query=1&&filename=0943120.exe

http://camas.comodo.com/cgi-bin/submit?file=8a087d59c3aa2af47cbfb959a23ca26bf1ae1401eb315436fb6f08da8b6849e7

(1) I double clicked on the malware.

(2) It was sandboxed as “partially limited”.

(3) Then it created the usp10.dll in many locations.

(4) ci72.png showed many usp10.dll in the list.

3. Problem:
If I run any (trusted) application beside the usp10.dll, the application will load the usp10.dll.
(CIS did not sandbox the trusted applications which load the usp10.dll.)

Then the application executes malware (Comodo pops up sandbox alerts).

2013-02-26 11:40:38 C:\DOCUME~1\Roger\LOCALS~1\Temp\09d6340.tmp Sandboxed As Partially Limited

2013-02-26 11:40:50 C:\Documents and Settings\Roger\Local Settings\Temp\Jn2SEVH1.pif Create Process, Block File C:\Documents and Settings\Roger\Local Settings\Temp\TuxYwz569.exe

4. Environment:
Windows XP Pro SP3 32bit

The behavior of the usp10.dll.
http://anubis.iseclab.org/?action=result&task_id=168fe0f2ecd17be045d42d3fe0e5701f4

After restarting the system, XP can not start.

[attachment deleted by admin]

If this thing will execute without user interaction
we have a worst case scenario.

Traditional: Blocked
Userfriendly: Burnt

This should be caught in future by the COM restrictions we are told Comodo is planning - roughly that non-BB’d files cannot load unknown DLLs.

Does setting the BB to Untrusted block this?

Also, what about FV?

  1. If the sandbox level is set to limited or a higher level, the malware will not create the usp10.dll in many locations.

Please see the red line.

2013-02-27 09:48:36 C:\virus\qnxvsptqq\0943120.exe Sandboxed As Limited

2013-02-27 09:48:41 C:\Documents and Settings\Roger\Local Settings\Temp\32E26B10.temp Modify File C:\Documents and Settings\Roger\Local Settings\Temp\TuxYwz569.exe

2013-02-27 09:48:41 C:\Documents and Settings\Roger\Local Settings\Temp\32E26B10.temp Modify File C:\WINDOWS\system32\drivers\etc\hosts

2013-02-27 09:48:41 C:\virus\qnxvsptqq\0943120.exe Direct Disk Access C:\

2013-02-27 09:48:41 C:\virus\qnxvsptqq\0943120.exe DNS/RPC Client Access \RPC Control\DNSResolver

2013-02-27 09:48:41 C:\virus\qnxvsptqq\0943120.exe Direct Disk Access D:\

2013-02-27 09:48:41 C:\virus\qnxvsptqq\0943120.exe Modify File C:\WINDOWS\usp10.dll

2013-02-27 09:48:41 C:\virus\qnxvsptqq\0943120.exe Modify Key HKLM\SYSTEM\ControlSet001\Control\Session Manager\ExcludeFromKnownDlls

2013-02-27 09:48:42 C:\DOCUME~1\Roger\LOCALS~1\Temp\TuxYwz569.exe Sandboxed As Limited

2013-02-27 09:48:43 C:\WINDOWS\system32\conime.exe Sandboxed As Limited

2013-02-27 09:48:44 C:\WINDOWS\system32\dwwin.exe Sandboxed As Limited

  2. If the sandbox level is set to fully virtualized, the malware will create many usp10.dll in this location only.

C:\VTRoot*
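The checks a defender would run for the behaviour described in this report and in the log excerpts above, as an added example that is not from the thread or from Comodo. It parses Defense+-style log lines of the format quoted here (the sample lines are re-typed from the thread as constructed input), flags a write to a usp10.dll outside the system directory and any change to the ExcludeFromKnownDlls value (which tells the loader to stop resolving the listed DLLs from the protected KnownDLLs section, so the copy beside the application wins the search order), and walks a directory tree for copies of usp10.dll whose hash differs from the system copy. The directory layout, the file contents and the assumption that the reference copy lives under WINDOWS\system32 are all constructed for the demo.

```python
"""Defender-side checks for the usp10.dll planting behaviour in the thread.
Added example, not Comodo's code: parses CIS-style log lines, flags the two
events that matter for a DLL search-order hijack, and finds planted copies."""
import hashlib
import os
import re
import tempfile

# Action phrases seen in the thread's log excerpts, longest first so the
# alternation does not cut "Sandboxed As Partially Limited" short.
ACTIONS = [
    "Sandboxed As Partially Limited",
    "Sandboxed As Limited",
    "Create Process, Block File",
    "DNS/RPC Client Access",
    "Direct Disk Access",
    "Modify File",
    "Modify Key",
]
LOG_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+?) ("
    + "|".join(re.escape(a) for a in ACTIONS)
    + r")(?: (.+))?$"
)

# Constructed sample: log lines re-typed from the thread as test input.
SAMPLE_LOG = """\
2013-02-27 09:48:36 C:\\virus\\qnxvsptqq\\0943120.exe Sandboxed As Limited
2013-02-27 09:48:41 C:\\Documents and Settings\\Roger\\Local Settings\\Temp\\32E26B10.temp Modify File C:\\WINDOWS\\system32\\drivers\\etc\\hosts
2013-02-27 09:48:41 C:\\virus\\qnxvsptqq\\0943120.exe Modify File C:\\WINDOWS\\usp10.dll
2013-02-27 09:48:41 C:\\virus\\qnxvsptqq\\0943120.exe Modify Key HKLM\\SYSTEM\\ControlSet001\\Control\\Session Manager\\ExcludeFromKnownDlls
2013-02-27 09:48:42 C:\\DOCUME~1\\Roger\\LOCALS~1\\Temp\\TuxYwz569.exe Sandboxed As Limited
"""


def parse_cis_log(text):
    """Split Defense+ style lines into (time, process, action, target) tuples;
    target is None for 'Sandboxed As ...' lines, which have no object."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def flag_dll_planting(events, dll_name="usp10.dll",
                      system_dir="C:\\WINDOWS\\system32"):
    """Return events that indicate a search-order hijack: a write to a copy of
    dll_name outside the system directory (assumed home of the genuine DLL),
    or a change to ExcludeFromKnownDlls, which disables KnownDLLs protection
    for the listed names so the loader searches the application directory."""
    hits = []
    for ev in events:
        _, _, action, target = ev
        if target is None:
            continue
        t = target.lower()
        base = t.rsplit("\\", 1)[-1]          # Windows path, split manually
        if action == "Modify File" and base == dll_name \
                and not t.startswith(system_dir.lower() + "\\"):
            hits.append(ev)
        elif action == "Modify Key" and t.endswith("\\excludefromknowndlls"):
            hits.append(ev)
    return hits


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_planted_copies(root, dll_name="usp10.dll",
                        system_rel=os.path.join("WINDOWS", "system32")):
    """Walk root and report every dll_name whose hash differs from the copy in
    the system directory. Paths are returned relative to root with '/'."""
    reference = sha256_file(os.path.join(root, system_rel, dll_name))
    suspects = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() != dll_name:
                continue
            full = os.path.join(dirpath, name)
            if sha256_file(full) != reference:
                suspects.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(suspects)


def build_demo_tree():
    """Constructed stand-in for an infected XP volume: the system copy, one
    identical copy, and one planted copy beside a trusted application."""
    root = tempfile.mkdtemp(prefix="usp10demo_")
    layout = {
        os.path.join("WINDOWS", "system32", "usp10.dll"): b"genuine uniscribe",
        os.path.join("Program Files", "Office", "usp10.dll"): b"genuine uniscribe",
        os.path.join("software", "CLT2", "usp10.dll"): b"planted loader",
        os.path.join("software", "CLT2", "clt.exe"): b"trusted app",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for ev in flag_dll_planting(parse_cis_log(SAMPLE_LOG)):
        print("suspicious:", ev[2], ev[3])
    for rel in find_planted_copies(build_demo_tree()):
        print("planted copy:", rel)
```

A copy that differs from the system one is only a lead, not a verdict: some products ship their own legitimately different build of usp10.dll, so the follow-up for each reported path is an Authenticode signature check and a comparison of the file version, while the ExcludeFromKnownDlls change is worth an alert on its own because nothing benign on a workstation normally writes that value.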

Then, when you run a sandboxed (virtualised) trusted process, will it load a usp10.dll?

Yes, the virtualized applications will load the usp10.dll.

D:\software\CLT2\clt.exe loaded
C:\VTRoot\HarddiskVolume2\software\CLT2\usp10.dll


trusted or untrusted → It is not important.
virtualized or “not virtualized” → It is important.

So, the unvirtualized applications will not load the usp10.dll in the location.

C:\VTRoot*

[attachment deleted by admin]

OK, that’s what I thought, R. It confirms that the new COM restrictions (except perhaps trusted DLL preference) are not in place yet, which is what my testing has indicated.

I found the same malware on “style-chart.com” (different malware: “topbohum.co.kr”).
Some Comodo users’ Windows was broken by this malware.
My friend used Avast + Comodo Firewall. But his Windows OS was broken too. ;D ;D

[attachment deleted by admin]