Redirect to SMB--An Unresolved Windows Vulnerability Dating Back to 1997

Status
Not open for further replies.

conceptualclarity

Level 21
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 23, 2013
1,072
Excerpted from: http://www.makeuseof.com/tag/every-version-windows-vulnerability/
Every Version of Windows Is Affected By This Vulnerability – What You Can Do About It.

Christian Cawley
On 16th April, 2015

...SMB is the Server Message Block protocol, mostly used for sharing files, printers, and serial ports on a network. Various versions have been released over the years (Samba is an open source implementation, although there is no suggestion that the vulnerability exists there), and it has long been a target, with real-time scanning demonstrating that SMB is one of the most popular attack vectors for online intruders. It was reported in December that the Sony Pictures hack was performed using an SMB vulnerability...

Software Affected by Re-Direct to SMB
Okay, it’s deep breath time. As well as every version of Windows since the mid-1990s, Redirect to SMB also affects a wide selection of applications and system utilities (at least 31) from some of the biggest names in the industry. To begin, Microsoft and Apple.

Microsoft:

  • Internet Explorer 11
  • Windows Media Player
  • Excel 2010
  • Microsoft Baseline Security Analyzer
Apple:

  • QuickTime
  • Apple iTunes Software Update
Frustratingly for a vulnerability of this kind, security software is also affected.

  • Symantec Norton Security Scan
  • AVG Free
  • BitDefender Free
  • Comodo Antivirus
Productivity apps that are known to be vulnerable to Redirect to SMB:
[image: muo-security-smb-password-boxsync.png]

These utilities and installers are also affected:

  • .NET Reflector
  • Maltego CE
  • GitHub for Windows
  • PyCharm
  • IntelliJ IDEA
  • PHP Storm
  • Oracle JDK 8u31’s installer
...
Read more at http://www.makeuseof.com/tag/every-version-windows-vulnerability/


What do you think about his suggested fix and about Samba?
 

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
Also it should be noted that the SMB protocol has received various overhauls since 2002, and the latest security patches regarding this bug have all been NSA certified. The reason why I am saying this is that there was a news article some years ago (cannot find it anymore), and within this article it was written (and congressionally approved, as the US Congress went NUTS over it) that the NSA certification process includes implanted vulnerabilities that could be targeted by the NSA itself in order to gain access to various platforms.
A few weeks later the TAO department of the NSA leaked a worm, which is pretty much exactly the same worm as we see in this article.
Pretty much the same specs, and pretty much the same capability.

In the past 3 years it has been proven beyond reasonable doubt that 70% of all vulnerabilities and the majority of the malware targeting these weaknesses are directly linked to US, Russian or Asian law enforcement roots.

So it's not that Windows is full of leaks and holes (well, it is, lol), but I mean it is a hell of a lot more secure without the added backdoors and law enforcement options than without it.
To my knowledge there are more computers being hacked due to those loopholes being exploited than direct successful attacks against a properly configured PC.
 

bitbizket

Level 3
Jul 26, 2011
250
Also it should be noted that the SMB protocol has received various overhauls since 2002, and the latest security patches regarding this bug have all been NSA certified. The reason why I am saying this is that there was a news article some years ago (cannot find it anymore), and within this article it was written (and congressionally approved, as the US Congress went NUTS over it) that the NSA certification process includes implanted vulnerabilities that could be targeted by the NSA itself in order to gain access to various platforms.
A few weeks later the TAO department of the NSA leaked a worm, which is pretty much exactly the same worm as we see in this article.
Pretty much the same specs, and pretty much the same capability.

In the past 3 years it has been proven beyond reasonable doubt that 70% of all vulnerabilities and the majority of the malware targeting these weaknesses are directly linked to US, Russian or Asian law enforcement roots.

So it's not that Windows is full of leaks and holes (well, it is, lol), but I mean it is a hell of a lot more secure without the added backdoors and law enforcement options than without it.
To my knowledge there are more computers being hacked due to those loopholes being exploited than direct successful attacks against a properly configured PC.

Something similar. The article sounds a little far-fetched.
https://firstlook.org/theintercept/2014/03/12/nsa-plans-infect-millions-computers-malware/

Mikko Hypponen, an expert in malware who serves as chief research officer at the Finnish security firm F-Secure, calls the revelations “disturbing.” The NSA’s surveillance techniques, he warns, could inadvertently be undermining the security of the Internet.

“When they deploy malware on systems,” Hypponen says, “they potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.”

Hypponen believes that governments could arguably justify using malware in a small number of targeted cases against adversaries. But millions of malware implants being deployed by the NSA as part of an automated process, he says, would be “out of control.”
 

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
If you block those ports in Kaspersky or Comodo, does it rule out any legitimate Windows functions?

No, usually you can define which programs or processes should be allowed to connect. For example, I am using SEP (Symantec Endpoint Protection) and I have all ports blocked by default. So not a single port is open, yet I manually assign each program and process to its designated port and force it to validate. While this takes an hour to set all the rules, I have never had any problems. Good luck to those script kiddies, with me no play time.. lol
 

hjlbx

If you block those ports in Kaspersky or Comodo, does it rule out any legitimate Windows functions?

In Comodo, if you create global block rules for both source ports 139 and 445 TCP Out... select "Record as a firewall event if this rule is fired."

Every time an app attempts an outbound connection from source ports 139 and 445, it will be recorded in the Firewall events log. By reviewing the logs occasionally you will be able to see if any legitimate apps really need access.

I only ever recall seeing an app use port 445 once or twice - so almost never. Can't recall port 139 ever being used.

Of course, this will change if you use a local area network, file shares, shared printers, etc.
 

hjlbx

I'll check that out, when I can defeat my rootkit. Hands are tied right now, lol. I am currently enjoying Process Hacker notifying me in real time how fast this rootkit is in disabling the HitmanPro service driver and Windows Update modules.

Do you have an active thread in the Malware Removal sub-forum?
 

hjlbx

I do, and I just sent a PM to Twin Headed Eagle. I am having issues with the Farbar tool to send over. I sent over some other stuff, but that's all I've been told to do so far. If I don't get this thing handled soon my system might be gone to the boneyard, I have a feeling. I'm on it now, and watching Process Hacker tell me my antivirus drivers are being terminated as we speak..

I know it is excruciatingly slow... just hang in there. Twin Headed Eagle will bring back your system from beyond the grave.
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
How do you protect against this vulnerability using Kaspersky Internet Security 2015, and will putting such measures in place affect other software/installers?
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Thanks Danpitt, never had a rootkit infection, how do you know it's a rootkit? You could also try Bleeping Computer if you need help quicker, not too sure how long the wait is. Hope you get it sorted asap!
 

hjlbx

How do you protect against this vulnerability using Kaspersky Internet Security 2015, and will putting such measures in place affect other software/installers?

In Kaspersky go to the Firewall global\packet rules interface - you access it by selecting the "Firewall" tab with the toggle switch. You would have to add a block rule for ports 139 and 445 TCP Out.

I cannot remember if Kaspersky has the ability to record when the rule is fired.

If it doesn't, then all you can do is try it... if the block rules break an updater then you can disable the rules one at a time; if that fixes the issue then you know to create an application (updater) rule that allows source port 139 and/or 445 TCP Out access.

You create the updater rule by adding it to the Trusted zone and then going into the firewall rules pane and creating a port specific (139-445) TCP Out allow rule.
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Trend Micro states the following:

http://blog.trendmicro.com/trendlab...iving-dead-the-redirect-to-smb-vulnerability/

Conclusion

This is a very old vulnerability which has a new attack vector. Compared to the older (known) vector, this new vector is much easier to target as it doesn’t require user interaction. A man-in-the-middle attack can also exploit this vulnerability very easily. Microsoft has not released a patch for this vulnerability, although they stated in 2009 that an appropriate solution would be to block outbound traffic from ports 139 and 445, which would prevent any SMB connections from being made.

Trend Micro Deep Security protects users from attacks that may use this attack vector via the following rule:

  • 1006631 – Identified File Protocol Handler In HTTP Location Header
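The Trend Micro rule above names the thing a defender can also check for at a proxy or in captured traffic: an HTTP redirect whose Location header hands the client a file:// or UNC target instead of a web URL. The Python below is an added example, not code from the thread, Trend Micro or the MakeUseOf article; the HTTP responses it inspects are constructed samples.

```python
"""Flag HTTP redirects whose Location header points at a file:// or UNC
target, the redirect pattern behind "Redirect to SMB". Added example;
the sample responses below are constructed, not captured traffic."""
from urllib.parse import urlsplit

# A Windows HTTP client that follows one of these targets opens an SMB
# session to the named host instead of fetching the resource over HTTP.
SMB_SCHEMES = {"file"}


def is_smb_redirect(location: str) -> bool:
    """True if a Location value would send the client to an SMB share.

    Covers "file://host/share" (any letter case) and bare UNC paths such
    as "\\\\host\\share".
    """
    value = location.strip()
    if value.startswith("\\\\"):
        return True
    return urlsplit(value).scheme.lower() in SMB_SCHEMES


def parse_response_head(raw: bytes):
    """Split a raw HTTP response into (status_code, {lower-cased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def inspect_response(raw: bytes) -> dict:
    """Return what an alert or log line needs: status, Location, and a verdict.

    Only 3xx responses redirect, so a Location header on a 200 is ignored.
    """
    status, headers = parse_response_head(raw)
    location = headers.get("location", "")
    verdict = 300 <= status < 400 and is_smb_redirect(location)
    return {"status": status, "location": location, "smb_redirect": verdict}


# Constructed samples; 192.0.2.0/24 is an RFC 5737 documentation range.
BENIGN = (b"HTTP/1.1 302 Found\r\n"
          b"Location: https://updates.example.test/v2/setup.exe\r\n\r\n")
FILE_URL = (b"HTTP/1.1 302 Found\r\n"
            b"Location: FILE://192.0.2.10/share/setup.exe\r\n\r\n")
UNC_PATH = (b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Location: \\\\192.0.2.10\\share\r\n\r\n")
NOT_REDIRECT = (b"HTTP/1.1 200 OK\r\n"
                b"Location: file://192.0.2.10/share\r\n\r\n")

if __name__ == "__main__":
    for sample in (BENIGN, FILE_URL, UNC_PATH, NOT_REDIRECT):
        print(inspect_response(sample))
```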
 

hjlbx

Thanks for the positivity.. lol, I needed the good word. I keep beating my head on my computer desk, thinking there has to be a way to isolate its administrative abilities.

I'm not a sanctioned malware removal expert so I cannot offer any specific advice other than it requires patience - whichever malware removal forum you use - MalwareTips, Bleeping Computer, etc.

The malware removal experts are a pretty tight-knit group. So if the solution isn't immediate they always reach out to their colleagues to find a solution.
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
hjlbx that went straight over my head! I wish I had your knowledge and avatar. I meant to ask in Kaspersky TAM when enabled does it also work with application control, so if one fails then the other may catch it?
 

hjlbx

hjlbx that went straight over my head! I wish I had your knowledge and avatar. I meant to ask in Kaspersky TAM when enabled does it also work with application control, so if one fails then the other may catch it?

In this SMB Redirect, Kaspersky TAM should theoretically block the install of any Unknown, Untrusted files (the worm file). If the user overrides the install then Application Control would assign the file to Low or High Restricted, dependent upon how users have rated the file in the Kaspersky Security Network. Only High Restricted blocks all firewall activity for an app.

Like I always say... with TAM it is best to disable "Trust digitally signed installers" and "Load application rules from KSN." IF Application Control works on your system with these settings then it is an anti-executable\default-deny configuration.

The least complicated, most direct solution is block rules for ports 139 and 445.

I am completely unsure if Kaspersky's Web Shield would identify the original attack as does Trend Micro.
 

hjlbx

That's good news... Here's my thinking, for example: in Process Hacker you got your tokens, handles, etc.. you can take them and change the rights for what they can do from the source it's coming from. So I just saw winnit 580 .exe on top of the process tree shutting down my Windows Update (for my troublefix in Windows, so it could fix what it just terminated to stop updates), so I can isolate it and stop it from preventing Windows updates.. I don't know if it's a possibility or not, what do you think?

You're not going to like this one bit... but any advice I give, if used, may interfere with Twin Headed Eagle's efforts to remove the rootkit. Plus, I am not a malware removal expert. Consequently, it would violate forum rules for me to offer any removal suggestions.

Playing with file permissions (terminate and block) has the potential to make matters worse than they already are... for example, you can unintentionally end up with an unbootable system.

I would not do anything until directed by Twin Headed Eagle.
 

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Is it just TCP 139 and 445, and do you go to packet rules and add them for both local and remote ports?
 

hjlbx

Is it just TCP 139, 445 and you go to packet rules?

Add "Block - TCP - Out" for both ports 139 and 445. This will require two separate rules in Kaspersky if I recall correctly - one for 139 and the other for 445.

Yes. You add it to the packet rules - as there is no way to add a port-only block rule in Application Control.
 

Nico@FMA

Level 27
Verified
May 11, 2013
1,687
In this SMB Redirect, Kaspersky TAM should theoretically block the install of any Unknown, Untrusted files (the worm file). If the user overrides the install then Application Control would assign the file to Low or High Restricted, dependent upon how users have rated the file in the Kaspersky Security Network. Only High Restricted blocks all firewall activity for an app.

Like I always say... with TAM it is best to disable "Trust digitally signed installers" and "Load application rules from KSN." IF Application Control works on your system with these settings then it is an anti-executable\default-deny configuration.

The least complicated, most direct solution is block rules for ports 139 and 445.

I am completely unsure if Kaspersky's Web Shield would identify the original attack as does Trend Micro.

One needs to realize that programs like Kaspersky Internet Security, ESET Internet Security, and most other Internet security all-in-one packages are designed for the general public and, more importantly, home users.
And as such, KSN rules or TDS (Trust Digital Signed check systems) are mostly tuned towards home user environments.
Which means that the Internet Security solutions from most vendors are configured to combat dangers that affect home users the most.
So that means that highly advanced attacks, targeted attacks, or any other attack that is slightly more advanced than the average drive-by malware usually go pretty much unnoticed until you get infected, or in some cases the Internet Security config only catches a small part of the actual infection (usually the decoy before the real payload is dropped).

Now, while the home environment and industrial environment are exactly the same, they do have a few significant differences that should be noted in order to understand why home user programs and industrial user programs are so different.

It's all about user interaction, and the dangers that directly target users.
An average home user will NEVER have the same routine as, for example, an office worker at some firm.
At home you can do whatever you like... who cares, so your AV/IS program is designed more to combat user stupidity than actual malware.
(Yes, I know this sounds funny, but the raw fact is that 6 out of 10 users infected their own computer just by making wrong choices, not reading, or just clicking for the sake of clicking.) At the end of the day you are the one that downloaded that new Flash Player, right?
But ask yourself how many people here on MT actually check if they got the Flash Player directly from Adobe? Just a small example.
It might not be a big issue, but keep in mind that if people do not track their behavior and do not monitor their actions, then getting an infection is so much easier, because you basically opened up the door: you are the one downloading, clicking/allowing whatever the program is going to do. If it's just installing your new Flash Player then great, but if this installs a whole bunch of adware and other ##### then who is to blame? Your AV that did not give you an alert, or was it you that gave your approval when you hit OPEN after the download finished in, let's say, Google Chrome, which will trigger UAC, and when you allow it, even if your AV would see what's going on... your program just got admin rights... and can potentially send your Kaspersky (or whatever brand you have) packing.
So Internet Security software is mostly made for home users, and why? Because industrial users do not have much use for it.
Within the industry, using a computer is a science on its own, as the IT department has set a whole array of rules and protocols that, if done properly, do not allow you to make "home" mistakes in the first place, and if set like at our company then a virus infection is not even possible, as the very config required to infect a computer is not present on the client PC. (After all, you are working with sessions.)
And this all is being monitored by servers and control stations that focus 80% of their total security outwards, to combat the more advanced dangers, because the network itself is unsuitable for mass infections.

So to summarize it:

Home packages are more tuned to combat user-based infections and to block the most common malware, so what they do is keep away the majority of the malware, knowing that a typical home user never gets into the dangerous environment that industrial counterparts get themselves into.

Industrial packages have different objectives: making the most common attacks impossible, and logging the more advanced attacks (as they are usually unstoppable), so logging and damage control is the next best thing.
Continuity is the right word here, saving money is the next best word, and logging / repair options is the closing word here.

I know this is raw info; obviously it's more complex than this, but between the lines this is the easiest way I can explain it.
That said, SMB attacks and other security flaws that are being targeted are, in 8 out of 10 times, hacks that have been engineered.
During big hacker and security conferences and international meetings, hacking a program has become big money.
Microsoft and others pay good money for people pointing out bugs and hacks. So when a new hack is revealed, or an old hack seems to be still working after a decade, or an old hack gets engineered to overcome new security models and such, then this makes big news.
Hack X leaves millions potentially unprotected. I say TRUE and Bullshit at the same time.
Yes, hack X does provide attackers with a way to break your system, yet, and here is where the BS enters the story:
BUT out of the 8 hacks that have been found, at least 70% happen from within the OS itself. Which technically means that without sitting physically behind the victim's PC, and without a vast array of hacking tools and the needed resources & knowledge, this particular hack cannot happen in the first place, as it's a technical requirement to target the OS from the inside out.

Sure there are programs that can be packed with very nasty yet brilliant malware that do a large part of the work for you, but with the introduction of routers and security software deployed by most western ISP companies it becomes a whole different story to be able to target a machine directly like that. My point is that these hacks require hands-on.

And to close this: most home Internet security software is just not up to the task, or does not offer the needed configuration abilities to combat such attacks properly. One could say, well Nico, so you are saying industrial software is better? No, what I am saying is that home software does the thinking for you in most cases, or allows you to make a choice predefined by its config (usually the lesser of 2 evils),
while industry software requires you to set the rules.

So hey Nico, why not hire an admin that installs such software at home and sets it for me?
That would work only if you have an attitude change yourself, because home software thinks for you, right? Well, industrial software does strictly what you tell it to do. And you deffo want to make sure that you just told it to do the right thing. Once you have enforced a rule, it will be as foolproof as you allow it to be. Which means that if the system tells you you cannot do that due to rule X, then this means you CAN'T do it.
Or you might be responsible for that front-page news article that tells the world that your company was victim of the largest hack in history.

Simple morals and habits, nothing more.
At home, when you stick your USB drive into the PC and your AV starts yelling you can't do that, then people are like:
<facepalm> really? F Windows, slow PC, F*ck this, I am in control <hit ignore & allow> and still run the drive despite their security telling them not to, or to do a certain action first. Your security will in most cases respect your choice and move to a different config based upon the scenario you just created, to counteract your stupid acts, and tries to keep you as safe as possible keeping in mind that you ignored most of its protection.

Try that on a company network; if your supervisor does not murder you then your IT admin will.
No, industrial software is NO better than home software, yet home software is using the lesser-of-multiple-evils rule handling and leaving room for compromises.

Industrial software does not. It enforces rules strictly, and NO change unless manually configured by the right people.
Company networks are often subject to a whole bible of rules. And while most of these rules are far-fetched, one needs to realize that due to those very same rules client mistakes are made irrelevant, which allows a company to focus on the outside.
Most people do not know it, but Kaspersky is optimized to combat user-action infections. It literally means that AV vendors fear your actions MORE than that occasional "real" infection you get.
And the plain and simple reason is user habit.. because if those habits are sound then getting an infection is pretty much impossible... well, impossible would be the wrong word, but ask yourself the question: you are using the PC, let's say, for 3 things: watching Netflix, reading CNN and banking (I leave social media out of this for a second); then how many infections did you get from those 3 sites? Exactly ZERO.
Social media I will not mention here, as the complexity of social media based infections and hacking goes way beyond the scope of this discussion and the capabilities of most Internet security packages.

One other reason I am writing this is because, sifting through the user comments, it seems like people do have the wrong idea about KAV, NOD32 and other "favo" brands. Blocking within your IS package is not as secure as you might think, because it still is going to allow legit traffic (soft block) (and I mean fake legit), while blocking on industry level means literally BLOCK (hard block).

And imo programs like CIS and Kaspersky, NOD32, Qihoo do not even offer hard-block options; ask any computer tech here on the forum, they all can tell you the difference between soft block (aka the program makes the choice for you based upon the most favorable outcome or the lesser of multiple evils) and hard block, which disregards everything. Block means block, period. It does not think, it does not make a favorable tradeoff, it does one thing (within the firewall's mind or security application's mind): Boss tells me to block protocol X, I will block protocol X or I'll crash trying.

(Maybe this should be a different discussion; MOD, make this a topic if you think it's worth it)
 