Microsoft today has releases a security advisory to give customers “guidance for the Windows kernel issue related to the Duqu malware”.

The advisory describes a vulnerability in TrueType font parsing that could allow elevation of privileges. Attackers who manage to exploit the vulnerability can run arbitrary code in kernel mode which would allow them to install programs, “view, change or delete data” and create new accounts with “full user rights”.

Microsoft confirms that targeted attacks are carried out currently that use the vulnerability. The overall impact is however rated as low.

Microsoft is offering a manual workaround for affected versions of Windows on the security advisory page:

On Windows XP and Windows Server 2003:

For 32-bit systems, enter the following command at an administrative command prompt:

Echo y| cacls “%windir%\system32\t2embed.dll” /E /P everyone:N

For 64-bit systems, enter the following command from an administrative command prompt:

Echo y| cacls “%windir%\system32\t2embed.dll” /E /P everyone:N

Echo y| cacls “%windir%\syswow64\t2embed.dll” /E /P everyone:N

On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:

For 32-bit systems, enter the following command at an administrative command prompt:
Takeown.exe /f “%windir%\system32\t2embed.dll”

Icacls.exe “%windir%\system32\t2embed.dll” /deny everyone:(F)

For 64-bit systems, enter the following command at an administrative command prompt:
Takeown.exe /f “%windir%\system32\t2embed.dll”

Icacls.exe “%windir%\system32\t2embed.dll” /deny everyone:(F)

Takeown.exe /f “%windir%\syswow64\t2embed.dll”

Icacls.exe “%windir%\syswow64\t2embed.dll” /deny everyone:(F)

The workaround may impact applications that “rely on embedded font technologies”.

The workaround can be undone again the following way:

On Windows XP and Windows Server 2003:

For 32-bit systems, enter the following command at an administrative command prompt:
cacls “%windir%\system32\t2embed.dll” /E /R everyone

For 64-bit systems, enter the following command at an administrative command prompt:
cacls “%windir%\system32\t2embed.dll” /E /R everyone

cacls “%windir%\syswow64\t2embed.dll” /E /R everyone

On Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2:

For 32-bit systems, enter the following command at an administrative command prompt:
Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone

For 64-bit systems, enter the following command at an administrative command prompt:
Icacls.exe %WINDIR%\system32\t2embed.DLL /remove:d everyone

Icacls.exe %WINDIR%\syswow64\t2embed.DLL /remove:d everyone

Microsoft furthermore has released a fix it solution that users can run on their system to protect it from the security vulnerability

The fix it can be downloaded from the following Microsoft Knowledge Base article.

It is recommended to apply the workaround on computer systems until Microsoft releases a security patch that resolves the issue without side effects.

Please note that there is a fix-it for enabling and one for disabling the workaround.

Rootkit.Duqu.A is digitally signed (with a stolen and revoked certificate) which means that it targets not only 32-bit Windows systems but also 64-bit editions of the Microsoft Windows operating system. According to information posted by Bitdefender, Duqu runs for 36 days on a computer collecting information entered via the keyboard. This may include passwords, emails, conversations, logins on popular sites and even banking and credit card information.

Symantec has posted additional information about Duqu’s installer. According to Symantec’s information, Duqu is spread as a Microsoft Word document that exploits a Windows kernel vulnerability that allows code execution. When a user opens the Word document the malicious code is executed and Duqu is installed on the system.

Duqu infections have already been confirmed in countries such as France, Switzerland, India, the United Kingdom, Austria and the Netherlands.

Symantec has released a whitepaper in pdf format that contains all known details up to this point.

Windows users who want to make sure that their system is clean and not infected by the Duqu rootkit can use Bitdefender’s Removal Tool to scan the system and if necessary disinfect it.

The portable rootkit remover can be downloaded from an official Bitdefender website. All that Windows users need to do is to click on the Scan button to start the scan. The program will list any files that have been identified to be part of the Duqu rootkit. Please note that the program may require elevated rights on some machines.

Is there a way to protect your computer in the meantime? Yes, do not open Word documents locally. Use an online document viewer like Google Docs or Docs.com for that. (via)

While one could argue that the figures are also explainable by the factors time and the fact that most rootkits target 32-bit systems, it is undeniable that rootkits pose a serious security risk.

The two free rootkit scanners Avast aswMBR and Sophos Anti-Rootkit can be used to scan a PC system for rootkits. There are other tools that can be used for the purpose, like the previously reviewed Codewalker, AVG Anti-Rootkit Free or the incredibly useful TDSSKiller by Kaspersky.

Avast aswMBR is a portable program for Windows. The program offers to download the latest antivirus definitions from Avast servers on first start. Those definitions are then used to scan and identify potentially dangerous files that have been discovered by the rootkit scanner.

A click on the Scan button starts the scan of the system. Potentially dangerous files are highlighted in yellow and red colors on the screen. Suspicious or infected files are declared as those directly in the interface. The Fix or Fix MBR buttons are used to disinfect the system and remove the rootkit from it. Avast aswMBR can be downloaded directly from the Avast website. The rootkit module is part of all Avast antivirus solutions.

Sophos Anti-Rootkit is another portable rootkit scanner for Windows. The download becomes available after filling out a two page form on the Sophos website. The rootkit scanner comes as a rar archive that you need to unpack on the system. The program displays a minimalistic interface on startup. The Windows Registry and local hard drives are automatically selected for the scan next to the running processes. A click on Start Scan opens a new window that highlights the scan progress.

The anti-rootkit software lists all suspicious or unknown hidden files in the log. Not all those files are rootkits, and it pays to scan the listed files with another rootkit scanner or an online scanner such as Virus Total.

Both rootkit scanners are portable and free for personal use. This makes them ideal for a admin toolset on DVD or USB stick.

Using another security software to scan the system and verify that it is clean is therefor something that users should do regularly.

NoVirusThanks Anti-Rootkit Free is a free software program that scans for rootkits on the system. Rootkits are sneaky programs that try to hide their presence on the operating system, check Wikipedia for an in depth description. The program is only available for 32-bit systems. NoVirusThanks has created a free version and a paid version, which differ in four aspects. The paid version offers free technical support and product updates, smart process termination and commercial usage, everything else is offered in both the free and paid version.

The rootkit scanner offers a quick report scan on startup that lists potentially dangerous files. It leads to in depth information that are sorted in tabs.

This is highly technical and most users will probably rely on the quick report only to see if rootkits are installed on their system. The anti-rootkit software detects known and unknown threats, with the latter requiring some technical knowledge on where to look and how to interpret the results. The program tries to aid the user by highlighting potentially dangerous system files in red.

Anti-Rootkit is available for download at the NoVirusThanks website. The free edition is compatible with all 32-bit Windows systems.

The developers of the rootkit have improved it considerably since then, and managed to add the ability to infect 64-bit Windows systems. That’s a first, and security vendors are alarmed about that trend.

However, the authors of these attacks have not been resting. Just under a month ago, we became aware of a new variant of Alureon that infects the Master Boot Record (MBR) instead of an infected driver. While this new variant did not affect 64-bit machines, it had an inert file called ldr64 as part of its virtual file system. More recently, we discovered an updated variant that successfully infected 64-bit machines running Windows Vista or higher, while rendering 64-bit Windows XP and Server 2003 machines unbootable.

Many security companies have already added detection of the 64-bit variant to their security applications, Microsoft for instance added signatures to Microsoft Security Essentials in the beginning of August.

Still, Windows 64-bit owners may want to verify for themselves that the rootkit is not installed on their operating system. As the information above suggest, Windows XP and Windows Server 2003 owners will immediately notice that something is wrong, as their operating system will fail to boot. Windows Vista or Windows 7 64-bit users should read on.

There are at least two options to do that, all with tools already included in the operating system:

Open a command prompt, with Windows-R, entering cmd and enter.

Use the command diskpart to open Diskpart in a new command line window.

Enter lis dis in the new prompt, if it remains empty the computer is infected with the rootkit. If the disks display, it is not.

Good

windows 64 bit rootkit detection

Bad

diskpart

The second option to detect the 64-bit rootkit is the following: Launch Disk Management from the Computer Management pane.

If it does not show disks, it means the system is infected with the rootkit. If it shows disks, everything is fine.

Infected System

al64-2

Additional information are available at Technet and Symantec.

How to Remove the Rootkit if the system is infected:

Several programs are able to remove the rootkit and repair the MBR so that the system boots normally after the repair.

Hitman Pro Beta 112 and later can do it for instance.

Stuxnet uses the aforementioned .lnk technique to install additional malware components. It first injects a backdoor (Worm:Win32/Stuxnet.A) onto the compromised system, and then drops two drivers:

Trojan:WinNT/Stuxnet.A – hides the presence of the .lnk files
Trojan:WinNT/Stuxnet.B – injects (formerly) encrypted data blobs (.tmp files) into memory, each of which appear to serve different purposes as the Stuxnet deployment system infrastructure (drivers, .lnk files, propagation, etc.).

Stuxnet Rootkit Remover has been designed to detect and remove active infections on Windows systems. The software scans the system for infected files..

C:\WINDOWS\system32\drivers\mrxcls.sys
C:\WINDOWS\system32\drivers\mrxnet.sys
C:\WINDOWS\inf\mdmcpq3.PNF
C:\WINDOWS\inf\mdmeric3.PNF
C:\WINDOWS\inf\oem6C.PNF
C:\WINDOWS\inf\oem7A.PNF

and detects and removes malicious LNK and TMP files stored in removable media.

~WTR4132.tmp
“Copy of Copy of Copy of Copy of Shortcut to.lnk”
“Copy of Copy of Copy of Shortcut to.lnk”
“Copy of Copy of Shortcut to.lnk”
“Copy of Shortcut to.lnk”
~WTR4141.tmp

Stuxnet Remover

The program needs to be installed before it can be started. The Check Me Now button in the main interface scans the system for active infections, and removes infected files if any are found on the PC.

Many antivirus solutions detect Stuxnet variants by now, including the free Microsoft Security Essentials. Stuxnet Remover however is a handy tool if the computer has already been infected with the malicious software. It also serves the purpose of detecting the rootkit if it is already on the computer system.

Stuxnet Remover is available for download at the developer’s website. The rootkit scanner is compatible with all Microsoft operating systems from Windows XP to Windows 7. The project page states that it only supports 32-bit editions, but it tested fine on a 64-bit system.

Microsoft addressed the issue shortly after reports began to appear and revealed that the issues were linked to the patch MS10-015. The company did however mention at this time that it was not clear yet if the patch was the cause for the problems.

While that has not been ruled out completely the most likely cause for the BSOD after installing the updates is malware that is active on the affected computer systems.

Patrick W. Barnes found that malware was the cause of the BSOD. He first linked the infection to the Microsoft patch mentioned above by installing and uninstalling it with the help of the Windows Recovery Console.

Once the update is applied and the system rebooted, Windows will bluescreen at boot. When booted to Safe Mode, the system will freeze. Removing the update from the Windows Recovery Console or using live media will get the system booting again, at least until the update is reapplied.

He then discovered that the computer system was infected with the TDSS rootkit which infects the atapi.sys file in the operating system. The rootkit is very hard to spot and some security suites have failed until today to discover it and repair the system.

Cleaning TDSS from the computer system resulted in the computer system booting normally even after applying the security patch issued by Microsoft.

I have found that the root cause is an infection of %System32\drivers\atapi.sys, and that replacing this file with a clean version will get the system booting normally.

Microsoft’s Jerry Bryant has since then confirmed in a Twitter message that malware is one cause and that removing the malware will make the system boot normally. He did not want to rule out other causes at that time though.

Kaspersky has created a software called TDSS Killer which we reviewed a month ago that can be used to clean the affected operating system from the TDSS rootkit.

Patrick posted repair instructions in his blog post and mentioned the atapi.sys infection may not be the only cause of the blue screen.

An atapi.sys infection may not be the only cause of this blue screen. While it does seem to be the most common cause, other infected drivers or drivers that make incorrect references to the updated kernel bits may also cause blue screens after this update is applied. Make sure you scan any computer with up-to-date antivirus software that can detect rootkits and check for updated drivers for your computer before applying this update.

Windows users who are experiencing the blue screen of death after installing the patch should scan their computer system with an antivirus software that can detect rootkits.

Today’s reason for an unauthorized redirect is a rootkit that is commonly known as Rootkit.Win32.TDSS. The problem with a rootkit is that many security applications do not detect it even if they are updated with the latest virus definitions.

Security software that can detect the rootkit are for example Dr. Web’s CureIT or Kaspersky Internet Security 2010. From Kaspersky comes a tool that can be used to remove the TDSS rootkit right away. That’s the simplest solution if the cause of the unauthorized Google redirects is indeed the rootkit.

The program TDSSKiller can be downloaded from a Kaspersky support page. It will scan the system for traces of the rootkit and clean it if any are found.

# The registry is scanned for hidden services. The utility will remove the services identified as belonging to TDSS.
Otherwise, the user is prompted to eliminate the service.
The services are eliminated upon a reboot.

#System drivers are scanned for infection. In case an infection has been detected, the utility will search for an available backup copy of an infected file.
If an available backup copy of an infected file has been detected, the utility will restore the file from it. Otherwise, the utility will attempt to disinfect the file.

# By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule). The log is like UtilityName.Version_Date_Time_log.txt. for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

# When its work is over, the utility prompts for a reboot to complete the disinfection.
The driver will execute all scheduled operations and kill itself upon the next system reboot.

Another possible solution has been posted at the Remove Malware website. It is a thorough way that takes longer than just running the Kaspersky removal tool but it ensures that no rootkit or malware traces are left on the computer system.

Update: If the above troubleshooting tip did not work, I’d suggest the -> Google Redirect Removal Tool <-- which is a software the resolves the issue.

The portable software program is a rootkit scanner that scans for hidden files, registry entries, processes, drivers, and Master Boot Record (MBR) rootkits. The minimalistic interface makes program usage simple and straightforward. Users can either click directly on the scan button to perform a system scan for all forms of rootkits that can be detected by Trend Micro RootkitBuster or deselect some of the forms first before starting the scan.

Hidden objects will be displayed in the scan results in the program interface during the scan. It is possible to view the log file as well which contains additional information that are not displayed in the program itself. The difficulty part begins here. Users need to distinguish between harmless and dangerous files. Not every file that is listed in the program or log file is dangerous in nature. The best way to find out is to look at the suspicious file first and perform a search on the Internet afterwards.

The amount of information offered pales to that of other rootkit detection programs just as Rootkit Unhooker. That’s probably the biggest disappointment that Trend Micro has not changed the level of information that is presented to the user.

Trend Micro operates a service where users can submit suspicious files which are then analyzed by the Trend Micro team. Files that are not needed anymore can be deleted right from within the program’s interface. Trend Micro RootkitBuster is a portable software program for the Windows operating system which can be downloaded from the Trend Micro website. Users who want to test it extensively can download rootkits from the rootkit.com website.

Codewalker is a rootkit detection software that has been developed by a member of the Sysinternals forum. The current version that has been released today is 0.24b which clearly outlines that the software program is a work in progress. It is a portable software that can be run from the local drives or removable devices.

The security program suggests a deep scan of the computer system upon startup which takes a few minutes to complete. It is possible to avoid this deep scan which will lead directly to the main program interface. The main interface uses tabs to display various information including system processes, hidden code, kernelmode and usermode hacks.

The connected disk drives are displayed on the right side with the option to select some or all of them for a scan. The same scan that was suggested upon program start will then be performed. The results are shown in the various tabs after the scan has finished.

The developer explains his program:

For hidden driver detection, you can test it with some pretty well hidden driver PoC such as phide_ex and many builds of Rustock.B variants. Although you have to use the “Hardcore Scan” method to detect them.

For code hooking detection, the engine walks all the branches of scanned module i.e any execution path of it to detect modification (btw, that’s why i call it CodeWalker). IMHO, It can detect code hooking very well especially with rootkits that place abnormal hooks like Rustock.C (FF25 & FF15 – jmp/call dword ptr [abc]) tho there’re still some problems with false-positive hooks/modifications.

Codewalker is a viable alternative to already available rootkit detection programs like Gmer or AVG Anti-Rootkit. It is probably be best used in conjunction with these tools.

The manipulation was discovered using the highly acclaimed Wikiscanner which is a searchable database for all Wikipedia edits that have been made.

One has to ask if this was the doings of an individual or sanctioned by Sony and I would guess that it was done by an individual. By using a IP assigned to Sony however Sony is to blaim, again. Real Manipulation looks different and is not done from company computers at all.

You hire someone far away or use your home computer with dynamic IPs or proxies to manipulate which is much harder to spot. This time it was just the blunder of one single employee which happened to fall back on Sony because he was using their network to manipulate the entry.

Read More:

Wikiscanner proof

The sentenced that always reminds me of how amateurish Sony handled the whole affair went something in the line of “People who don’t know what rootkits do should not care about them”.

It seems Sony did it again. F-Secure is reporting that Sony is now selling a USB stick – the Sony MicroVault – which installs a hidden folder in c:\windows when installing the USB fingerprint software.

So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place.

F-Secure suspects that the hidden folder is used to protect the fingerprint authentication and strongly disagrees that this is the correct way to achieve a protection.

I think that Sony made a big mistake in using such a technology again even if it was intended to be of good use for the owner.

Read More:

F-Secure Blog

Let me explain my security concept and ask some questions about yours afterwards. The most important part in my security concept is my knowledge. I know what I should do and what I should not do on the Internet. I know how phishing emails look like, I know when I should be doubtful of files that I want to execute and I do know how to select passwords that can not be bruteforced in a short period of time.

Firewall:

I do rely on a hardware firewall that is properly configured keeping many attacks away from my computer. I do however run no software firewall because I think this is a) not necessary because of the hardware firewall and b) could lead to attacks that are not there without it. Every piece of software installed on my system is a potential way to hack my system.

Anti virus:

I use the free AntiVir as a virus scanner. This is probably not the best choice in the world but good free scanners are rare. I keep it running all the time with automatic updates. Nothing compared to commercial products that update once every 30 minutes but good enough to react on all threats that make it on my system. My Knowledge prevents most possible ways of attacking my system with viruses and trojans anyway.

Encryption:

I have two hard drives with more than 500 gigabytes of encrypted data using the excellent Open Source software True Crypt. This is important to prevent local access to my files as long as the hard drives have not been mounted.

Spyware:

Something that I feel is overrated. I tend to run Ad-Aware and Spybot every other week to scan my system but I normally find some tracking cookies, that is all.

Rootkits:

The same can be said for Rootkits. I tend to use Rootkit Revealer or other products to check my system for rootkits but only occasionally. I would never put a Sony CD into my Computer anway ;)

Browsing, Email:

No Microsoft products if possible. I do use Opera and Firefox for web surfing and Thunderbird as my main email client. Both browsers are more secure than Microsofts Internet Explorer and Outlook. Maybe because they are better products, maybe because hackers like to concentrate on Microsoft products because more users are using them.

Did I leave something out ? What is your security concept ? Let me know, I like to read about software or tips that I never thought about in first place.

I did write about some of them here at ghacks already but I guess only the die hard ghacks readers will know about this. I would like to start with a tool that I have been using for some time now. It is called Hamachi and the main benefit is that it is able to simulate a lan over internet. This is great if a game only offers lan play for instance. I do not suggest you use it for the following purpose but it is possible. Many games require serial numbers and those numbers are checked when you connect to a game server on the internet. They are not checked if you create a lan game.

System Tools:

Please insert the CD into the drive and restart the application. I hate this message. Forcing legit users to have the CD / DVD in drive to execute the program is something I never understood. Pirates crack those protections in seconds and legit users have the problems with methods that are supposed to make it harder for pirates. Something is wrong here. I do like Daemon Tools which emulates CDs on your hard drive. Create an image of the CD, mount it in Daemon Tools and you may use the software without the Cd.

That shitty movie is not playing. I don’t see a picture, I hear no sound. Have you ever witnessed something like that ? This could be due to a missing codec on your system. Gspot analyzed a movie file and displays the codecs it is using. Did I say that I hate the fact that there are billions of codecs out there ? Waste of time and energy.

Notepad 2 replaces Notepad which ships with every windows installation. It offers more features than Notepad like syntax highlighting.

Rbtray makes it possible to minimize every window into the system tray instead of the task bar. If you are like me and dislike crowded task bars this tool is for you.

I like my computers as silent as they can be. One method to achieve this is to use a software that is able to control the speed of the fans in your pc. Speedfan is my choice. It displays temperatures for important system components such as processor, motherboard and hard drives and lets you change the fan speed if that is supported on your system.

Vippy the writer friendly cursor changes the cursor into a eye-friendly one. This is great if you have troubles finding the cursor in a text document. Vippy changes the color of the cursor to red for instance.

Internet:

Ghacks is running on a dedicated server and I have to make the connection using a terminal program. I do use Putty for this, it is fast and clean and does exactly the things that I need it to do. I do use WinSCP to connect download backups that I made from the dedicated server. SFTP means secure file transfer.

I have a Skype account to talk to my friends and see who is online at the moment. There is no charge if both users are connected to the Skype network. I do prefer Teamspeak while gaming. Teamspeak has the advantage that more users may chat and talk at the same time while Skype has that limited I think. When I was playing WOW we were using Teamspeak with more than 40 people in one channel. Don’t worry, you can moderate everything.

If you want to view tv on the internet you should take a look at tvu player which offers some interesting channels to choose from. To name a few: ABC, ESPN, Comedy Channel, CBC, Fox and more. All free, with relative good quality. You need a broadband connection for good results.

You need some additional tools if you want to save video streams. Most providers hide the real url to the stream making it impossible to detect it by normal means. Url Snooper comes into play and detects the real address by analyzing all network traffic.

I need a local test installation of ghacks to test new features before I make the upgrade on the running site. XAMPP offers everything I need to have a local Apache installation with PHP and MYSQL support. It is great for learning and testing upgrades.

Security:

You might remember the Sony rootkit incident. They planted a rootkit on some of their CDs and users had a hard time getting rid of it. Rootkit Revealer is one of those tools that helps detecting and removing rootkits.

Other:

I do not buy lots of new CDs but sometimes I buy some used ones on Ebay or Amazon. I don’t have a CD player at all so I have to get the songs from the CD on my computer to be able to play them and transfer them to my Ipod. CDex is the tool I use for that purpose. It is fast, pulls all relevant information from the internet (author, title, songs..) and adds them automatically to the songs.