Author Topic: Defence+ failed against malware  (Read 15141 times)
aigle
« on: February 02, 2008, 09:29:28 PM »

On my system Defence+ failed against SSDT unhooker rootkit (rootkit EZ). I allowed execution and denied all other behaviours of the rootkit but it is able to destroy CFP, install hidden drivers and CFP doesn't give alerts about execution of any new executables after this.

I allowed execution of Sohand IM worm and denied all other actions of this malware but it was able to bypass Defence+ making Task Manager and RegEdit disabled.

Pretty disappointing. I have the samples. Anyone needs, PM me.

Thanks
« Last Edit: February 02, 2008, 09:34:16 PM by aigle »
00hmh
« Reply #1 on: February 03, 2008, 12:52:55 AM »


What behaviours did you block that you expected to prevent the harm?

Rootkits by nature have powerful abilities inherent in that status.   

I am curious to hear from our Comodo folks, but allowing the malware to execute seems a highly dangerous behavior and playing with fire is a good way to burn fingers.

     
Ragwing
« Reply #2 on: February 03, 2008, 11:41:48 AM »

Greetings!

> I allowed execution of Sohand IM worm and denied all other actions of this malware but it was able to bypass Defence+ making Task Manager and RegEdit disabled.

This is because HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ isn't added to My Protected Registry Entries by default.
The virus adds the REG_DWORDs DisableTaskMgr and DisableRegistryTools and sets them to 1.

Also, could you please PM me the files so that I could run a test with Defense+?

Cheers,
Ragwing
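Added here as an example (not code from the thread or from Comodo): a PowerShell audit that reads the two values Ragwing names and removes them if they are set, so a locked-out Task Manager and Regedit can be recovered and the lockout spotted in the first place. It assumes Windows PowerShell 5.1 or later and that the values live under the Policies\System subkey, which the reply does not spell out.

```powershell
# Added example, not from the thread. Audits the per-user policy values that the
# Sohand sample sets (DisableTaskMgr / DisableRegistryTools = 1) and optionally removes them.
# Assumption: the values sit under Policies\System; the thread names only the Policies\ parent.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Watched   = @('DisableTaskMgr', 'DisableRegistryTools')

function Get-ToolLockoutStatus {
    # Returns one object per watched value: current data and whether the tool is blocked.
    foreach ($name in $Watched) {
        $value = $null
        if (Test-Path $PolicyKey) {
            # -ErrorAction SilentlyContinue: a missing value simply yields $null
            $value = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Key      = $PolicyKey
            Name     = $name
            Value    = $value
            Disabled = ($value -eq 1)   # 1 = tool disabled for this user, exactly what the worm writes
        }
    }
}

function Clear-ToolLockout {
    # Removes only values that are actually present. Supports -WhatIf so the change can be
    # previewed; a value of 1 pushed by a domain Group Policy is legitimate and will be re-applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($status in Get-ToolLockoutStatus) {
        if ($null -ne $status.Value -and
            $PSCmdlet.ShouldProcess("$($status.Key)\$($status.Name)", 'Remove value')) {
            Remove-ItemProperty -Path $status.Key -Name $status.Name
        }
    }
}

# Report first, preview the remediation, then re-run the report to confirm Disabled = False.
Get-ToolLockoutStatus | Format-Table Name, Value, Disabled -AutoSize
Clear-ToolLockout -WhatIf
```

Drop the -WhatIf once the report shows the lockout is not intended policy; in CFP itself the durable fix is the one egemen describes later in the thread, adding the Policies key to My Protected Registry Entries so the write is intercepted rather than cleaned up afterwards.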

aigle
« Reply #3 on: February 05, 2008, 01:36:11 AM »

I have sent it to you.

Thanks
Ultra-Bot
« Reply #4 on: February 05, 2008, 05:33:40 AM »

> Greetings!
>
> This is because HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ isn't added to My Protected Registry Entries by default.
> The virus adds the REG_DWORDs DisableTaskMgr and DisableRegistryTools and sets them to 1.
>
> Also, could you please PM me the files so that I could run a test with Defense+?
>
> Cheers,
> Ragwing

Then how is it possible to pass this rootkit test?
I thought CFP 3.0 protects its files and processes against all kinds of attacks by default, including the registry files you mentioned above.


salmonela
« Reply #5 on: February 05, 2008, 07:11:49 AM »

Here is a couple of registry tests which CFP doesn't completely pass by default (download in attachment).
BTW on regtest phase 2 CFP crashes...
Note: for successful testing of regtest you need to allow regtest.exe to execute regtest.exe and regtest.exe to access regtest.exe in memory; every other request should be denied.
« Last Edit: February 05, 2008, 07:33:34 AM by salmonela »

Ultra-Bot
« Reply #6 on: February 08, 2008, 11:21:15 AM »

> Greetings!
>
> This is because HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ isn't added to My Protected Registry Entries by default.
> The virus adds the REG_DWORDs DisableTaskMgr and DisableRegistryTools and sets them to 1.
>
> Also, could you please PM me the files so that I could run a test with Defense+?
>
> Cheers,
> Ragwing

Does CFP 3.0 now pass and block SSDT unhooker rootkit (rootkit EZ), and how does CFP 3.0 pass it?

If it doesn't pass, then I hope both Melih and Egemen will respond and react.

Ragwing
« Reply #7 on: February 08, 2008, 03:14:18 PM »

I've uploaded the tests here in a zip file, containing one avi file (Xvid) for each test.
The unhooker was pretty owned by Dr Watson and DEP.
Tested on a virtual XP PRO SP 2 with DEP enabled for everything and CFP 3 with firewall in Custom Policy Mode and Defense+ in Paranoid Mode.

Cheers,
Ragwing

Ultra-Bot
« Reply #8 on: February 08, 2008, 04:08:56 PM »

> I've uploaded the tests here in a zip file, containing one avi file (Xvid) for each test.
> The unhooker was pretty owned by Dr Watson and DEP.
> Tested on a virtual XP PRO SP 2 with DEP enabled for everything and CFP 3 with firewall in Custom Policy Mode and Defense+ in Paranoid Mode.
>
> Cheers,
> Ragwing

Hi, Ragwing!
I want to thank you for your answer. I saw your testing in avi format. But one thing I don't understand.
Does CFP 3.0 pass these tests you tried or not, because I didn't see if it said that CFP passed or not?

What does Windows ask you in the end?
Dat har programmet avslutades for att skydda datorn - what does it mean, if you don't mind?
There is also a choice:
Andra installnigar and Stang meddelandet (you chose this option)
Does it mean that Windows asks you whether you want to, and are you sure that you want to, install this RTKT Agent EZ. SSDT Unhooker and Sohand.e IM Worm coolpics?

Also, from where can I download these tests and WILL THEY HURT MY COMPUTER IN CASE CFP 3.0 DOESN'T PASS THEM?

Also, what to allow and what exactly to block?
You have allowed rundll32.exe, drwtswin.exe and dumprep.exe and blocked everything else?

How come Aigle (the poster who started this thread) failed to block these rootkit tests?
Thank you for your time and patience, again!
Ragwing
« Reply #9 on: February 08, 2008, 04:39:01 PM »

> Hi, Ragwing!
> I want to thank you for your answer. I saw your testing in avi format. But one thing I don't understand.
> Does CFP 3.0 pass these tests you tried or not, because I didn't see if it said that CFP passed or not?

I'd say it passed the first one, but for the other one, I can't say it did, since I couldn't test it properly with CFP 3. But DEP will protect you from it.

> What does Windows ask you in the end?
> Dat har programmet avslutades for att skydda datorn - what does it mean, if you don't mind?

It means that Windows has terminated the program to protect my computer.

> There is also a choice:
> Andra installnigar and Stang meddelandet (you chose this option)
> Does it mean that Windows asks you whether you want to, and are you sure that you want to, install this RTKT Agent EZ. SSDT Unhooker and Sohand.e IM Worm coolpics?

No, it means Edit settings and Close this message.

> Also, from where can I download these tests and WILL THEY HURT MY COMPUTER IN CASE CFP 3.0 DOESN'T PASS THEM?

I can send them to you. But they will harm your computer if CFP 3 fails to block them. That's why I tested them in a virtual PC.

> Also, what to allow and what exactly to block?
> You have allowed rundll32.exe, drwtswin.exe and dumprep.exe and blocked everything else?

You should only allow executions and block all other actions.

> How come Aigle (the poster who started this thread) failed to block these rootkit tests?

We used different versions of CFP 3, and we both have different system configurations.

Cheers,
Ragwing
« Last Edit: February 08, 2008, 05:15:58 PM by Ragwing »

Ultra-Bot
« Reply #10 on: February 08, 2008, 05:14:10 PM »

> I'd say it passed the first one, but for the other one, I can't say it did, since I couldn't test it properly with CFP 3. But DEP will protect you from it.
>
> It means that Windows has terminated the program to protect my computer.
>
> No, it means Edit settings and Close this message.
>
> I can send them to you. But they will harm your computer if CFP 3 fails to block them. That's why I tested them in a virtual PC.
>
> You should only allow executions and block all other actions.
>
> We used different versions of CFP 3, and we both have different system configurations.
>
> Cheers,
> Ragwing

Again thanks for your time and patience, but what do you mean by DEP?
Also, could you please retest the second for which you're not sure if you passed or not?
And how do you know you passed the second test (the one you're not sure that you passed)?

Also, did you pick up these tests from Unhooker malware tests:
http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm

I tried to email to this guy Nicola to test CFP 3.0 the same as Dynamic Security Agent in about 80 tests, but there was no response:
Here is the review of Dynamic Security Agent:
http://membres.lycos.fr/nicmtests/Dynamic-Security-agent-tests/DSA_index.htm

Big thanks, again.
egemen
« Reply #11 on: February 08, 2008, 05:56:45 PM »

> On my system Defence+ failed against SSDT unhooker rootkit (rootkit EZ). I allowed execution and denied all other behaviours of the rootkit but it is able to destroy CFP, install hidden drivers and CFP doesn't give alerts about execution of any new executables after this.

That sounds alarming. I don't think it is possible unless there is something wrong with your configuration. Can you please urgently PM me this rootkit?

> I allowed execution of Sohand IM worm and denied all other actions of this malware but it was able to bypass Defence+ making Task Manager and RegEdit disabled.

That should be because of the registry key Ragwing mentioned. Need to check to see. It can be easily added to My Protected Registry Keys by default though. It is not bypassing D+. It is just that D+ does not protect that key. That's all.

But this issue is not really important compared to the first one in which you claim a driver is installed. That would really be a serious problem. Please urgently send me these samples so that we can protect our users if there is something wrong.

Thanks,
egemen
Ragwing
« Reply #12 on: February 08, 2008, 06:32:43 PM »

> Again thanks for your time and patience, but what do you mean by DEP?

Data Execution Prevention.

> Also, could you please retest the second for which you're not sure if you passed or not?
> And how do you know you passed the second test (the one you're not sure that you passed)?

I'll disable DEP and re-run the test tomorrow, got to sleep now.

> That sounds alarming. I don't think it is possible unless there is something wrong with your configuration. Can you please urgently PM me this rootkit?

I've PM'ed it to you now.

Cheers,
Ragwing

egemen
« Reply #13 on: February 08, 2008, 06:32:57 PM »

> I've uploaded the tests here in a zip file, containing one avi file (Xvid) for each test.
> The unhooker was pretty owned by Dr Watson and DEP.
> Tested on a virtual XP PRO SP 2 with DEP enabled for everything and CFP 3 with firewall in Custom Policy Mode and Defense+ in Paranoid Mode.
>
> Cheers,
> Ragwing

Ok, I have just reviewed the videos.
As I see from the AVI videos of Ragwing (Kudos!), there are 2 popups which prevent this rootkit.EZ. The first one is about privilege escalation:

1 - the rootkit is trying to obtain debug privilege. This is blocked and hence it crashes because it assumes it can obtain such a privilege without being intercepted. So if it is allowed, I believe we can see other things such as interprocess memory access etc. Since it is blocked, it just crashes.

2 - the rootkit is trying to access the Service Control Manager. This is another important alert because it is trying to install a driver, which, if installed, could be a serious problem.

There are other popups like rundll32.exe etc. which could be a problem later on. Thank you for the AVI Ragwing. It was really cool.

Other than that, we can also see in video 1 that CFP D+ detects Sohand IM Trojan as a virus! This demonstrates another aspect of what a powerful engine Defense+ is against unknown malware.

Egemen
« Last Edit: February 08, 2008, 06:45:04 PM by egemen »
Ragwing
« Reply #14 on: February 08, 2008, 06:38:07 PM »

> 1 - the rootkit is trying to obtain debug privilege. This is blocked and hence it crashes because it assumes it can obtain such a privilege without being intercepted. So if it is allowed, I believe we can see other things such as interprocess memory access etc. Since it is blocked, it just crashes.

I thought DEP prevented it, but it looks like Microsoft can't do anything right after all...
And most users that know what they're doing would never give Debug to a completely unknown process. That's just insane!

> 2 - the rootkit is trying to access the Service Control Manager. This is another important alert because it is trying to install a driver, which, if installed, could be a serious problem.

Yes, but if you allow it, it should say that it's trying to create name.drv in system32 or some other location.

> There are other popups like rundll32.exe etc. which could be a problem later on.

Yeah, but it's because of Dr Watson, I guess.

> Thank you for the AVI Ragwing. It was really cool.

No problem.

> Except the service control manager alert, if you try to allow the Debug privilege popup, I am sure there will be other sorts of interesting alerts like LoadDriver or interprocess memory access etc.

Yes. But you can't properly test a HIPS if you allow suspicious stuff like giving it Debug.

> Other than that, we can also see in video 1 that CFP D+ detects Sohand IM Trojan as a virus! This demonstrates another aspect of what a powerful engine Defense+ is against unknown malware.

Does it work by scanning the behaviour of the files or does it analyze the code?

Cheers,
Ragwing