D+ Engine could not able to intercept malware properly

[Guest]

[harsha_mic]

Hi,

I have an malicious sample which i believe it is bypassing D+ execution engine partially. Pls. find the steps to re-create the issue -

1. double-click install.exe (new variant of Antivirus Pro)
2. D+ prompts stating that "install.exe wants to run you computer". and clicked "ALLOW".
3. From the second prompt onwards, i have clicked "BLOCK" for all the follow-up prompts.

Result: Rogue program could able to modify host file successfully but luckily could not able to start.

Note: I have run above malware sample under Sandboxie 3.38 version. So, luckily it couldn't harm my system.

CIS 3.9 Proactive Mode
XP SP3
NOD32 v4

If anyone really finds this as an bug wants to further look into the issue, then i can provide the malware sample.

Thanks,
Harsha.

[OmeletGuy]

Can you PM me a link to the malware please   thanks

Also what Security mode did you use? proative or internet security?

It does, the problem is you hit allow on the first one!

[languy99]

proactive security should block the host file from being modified.

[harsha_mic]

OmeletGuy, pls. check you pm folder. sent you the sample. password is infected

languy99, thats the problem. i guess it needs to be fixed.

i'm using proactive internet security and more importantly i could able to see below entry under D+ --> My Protected Files = %windir%\system32\*. So, logically i guess an alert or entry should be blocked. or else am i missing some thing??

Can any mods look into this....

Thanks,
Harsha.

[OmeletGuy]

I got it harsha_mic thx i will start testing soon and post results if i can copy this!

[OmeletGuy]

Yup the same thing happens, i will also submit this rouge to AV analysts should be added soon!


Some dev please look into this.

[harsha_mic]

thanks friend. but the important thing is the D+ bug(probably) should be rectified...

[OmeletGuy]

thanks friend. but the important thing is the D+ bug(probably) should be rectified...

Yes it should

[J2897]

Has anyone tried it in a VM (without 'Sandboxie')?

PM it to me if not, thanks.

[egemen]

Can you please send me PM me the link for the malware? Also can you please try without Sandboxie inside a virtual machine? IT is quite possible that Sandboxie redirects the file system requests and the actual file modification is not really the hosts file but something else. This might be the reason.

However lets be sure. Pls PM me the link and let me test.


Thanks,
Egemen

[harsha_mic]

Can you please send me PM me the link for the malware? Also can you please try without Sandboxie inside a virtual machine? IT is quite possible that Sandboxie redirects the file system requests and the actual file modification is not really the hosts file but something else. This might be the reason.

However lets be sure. Pls PM me the link and let me test.


Thanks,
Egemen

I have sent you the link for the malware sample and password is infected

Thanks,
Harsha.

[egemen]

I have sent you the link for the malware sample and password is infected

Thanks,
Harsha.

Thanks Harsha.

I have tested in a VM and CIS produced expected popups. I think it is related to Sandboxie.

Interestingly, CIS reported many buffer overflow attacks in this malware too.

[LaserWraith]

Thanks Harsha.

I have tested in a VM and CIS produced expected popups. I think it is related to Sandboxie.

Interestingly, CIS reported many buffer overflow attacks in this malware too.

CIS may have alerted, but if you block the alerts was the host file still modified?


BTW, it looks like you have CIS 3.10.   

(See attached.)

[languy99]

yeah what is that about  what do I have to do to get it      jk

[egemen]

CIS may have alerted, but if you block the alerts was the host file still modified?


BTW, it looks like you have CIS 3.10.   

(See attached.)

Yep. Thats our bug fixed version to be released soon. It will address some of the issues with antivirus engine.

[Tags:]