Author Topic: Defence Plus bypassed by Kraken botnet? [RESOLVED]  (Read 3524 times)
Yuriy
Global Moderator
Comodo's Hero
*****
Offline

Posts: 972


« Reply #15 on: April 11, 2008, 08:46:32 AM »

aigle,

Thanks for that malware. I received exactly the same results as you described in your first message when testing in my XP VM with CFP 3.0.22 BETA.
Logged
salmonela
Computer Security Testing Group
Comodo's Hero
*****
Offline

Posts: 441


Spy


« Reply #16 on: April 11, 2008, 10:54:09 AM »

I am not sure if my results are correct. It seems the file protection feature of Defence Plus is bypassed. Here is how I reproduce it.

I executed malware.exe (Kraken botnet). I get these pop-ups:

1- Explorer.exe trying to execute malware.exe - I allowed.

2- Malware.exe trying to modify itself - I allowed.

3- Malware.exe trying to create a randomly named executable in the system32 folder - I denied, but the executable was still created in the system32 folder.

4- Malware.exe tries to execute the newly created executable in the system32 folder.

I noticed that if I deny the second pop-up and then deny the 3rd pop-up also, malware.exe is not able to create an executable in the system32 folder, but if I allow the second pop-up and deny only the 3rd pop-up, malware.exe is able to create an executable in the system32 folder. It seems so weird. Can anyone confirm this? PM me to get the malware.

BTW I did this testing under Shadow mode of ShadowSurfer and I am still using an older version of CFP 3.0.18.309.
I can also confirm your findings, aigle (VMware, CFP 3.0.21.329, D+ paranoid, Image execution control - aggressive).
After allowing Malware.exe to modify itself, the randomly created .exe is created in the system32 folder (whatever your answer is); if you deny Malware.exe modifying itself, Malware.exe can be denied from creating the randomly created .exe in the system32 folder.

Thanks for your valuable findings here at Comodo forum
« Last Edit: April 11, 2008, 10:58:28 AM by salmonela » Logged

XP Pro SP3, Pentium4-3Ghz, 4×512Mb DDR, Ralink RT61 WLAN PCI adapter, ZyXEL P-660HW-D3 WLAN Router DSL modem
Bad English, I know...
Thanks
PLEASE DO NOT REPLY DUMB QUESTIONS/ANSWERS
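The test described above hinges on one question: did the "Deny" answer actually keep the dropped file out of system32? The following is an added example, not code from the thread, from Comodo or from any of the posters, showing how a tester would verify that independently of what the HIPS prompt claims: snapshot the protected directory before the run, snapshot it again afterwards, and diff by content hash so that both newly created and modified executables are caught. The directory (a temporary folder standing in for system32), the baseline file names and the dropped file name `qx7a3p.exe` are all constructed placeholders.

```python
"""Verify that a HIPS "deny" on file creation was actually enforced.

Added example, not code from the thread or from Comodo: the posts above report
that Defence Plus raised a "create executable in system32" prompt, the tester
answered Deny, and the file was created anyway. The reliable way to judge such
a prompt is to snapshot the protected directory before the test and diff it
afterwards, rather than trusting the prompt. Directory paths and file names
below are constructed placeholders.
"""

import hashlib
import os
import tempfile

EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".scr", ".com")


def snapshot_directory(root, exts=EXECUTABLE_EXTS):
    """Map each executable file under root (relative path) to its SHA-256."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            snap[rel] = h.hexdigest()
    return snap


def diff_snapshots(before, after):
    """Return (created, modified, deleted) relative paths, each sorted."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return created, modified, deleted


def audit_deny_decisions(before, after, denied_names):
    """Compare what the HIPS said it denied against what is on disk.

    denied_names: file names (no directory) for which the tester answered Deny.
    A denied name that nevertheless appears among the created files means the
    deny was not enforced, which is the behaviour the thread describes.
    """
    created, modified, deleted = diff_snapshots(before, after)
    created_names = {os.path.basename(p) for p in created}
    not_enforced = sorted(n for n in denied_names if n in created_names)
    return {
        "created": created,
        "modified": modified,
        "deleted": deleted,
        "deny_not_enforced": not_enforced,
    }


def _write(root, name, data):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)


def run_scenario(deny_enforced):
    """Constructed scenario in a temporary directory standing in for system32.

    deny_enforced=False reproduces the reported behaviour: the HIPS shows a Deny
    for 'qx7a3p.exe' (a constructed random-looking name) but the file lands.
    """
    with tempfile.TemporaryDirectory() as root:
        _write(root, "kernel32.dll", b"baseline system file (constructed)")
        _write(root, "notepad.exe", b"baseline system file (constructed)")
        before = snapshot_directory(root)

        # Only the protected directory is modelled here; the tester answers
        # Deny for the drop below, and the HIPS may or may not honour it.
        if not deny_enforced:
            _write(root, "qx7a3p.exe", b"dropped despite Deny (constructed)")

        after = snapshot_directory(root)
        return audit_deny_decisions(before, after, denied_names={"qx7a3p.exe"})


if __name__ == "__main__":
    for enforced in (True, False):
        report = run_scenario(deny_enforced=enforced)
        verdict = "enforced" if not report["deny_not_enforced"] else "NOT enforced"
        print(f"deny_enforced={enforced}: deny {verdict}; created={report['created']}")
```

In a real test the two `snapshot_directory` calls would be pointed at the actual system32 path before launching the sample and after its prompts have been answered; because the diff is hash-based it also flags an existing system file that was overwritten in place, which a name-only listing would miss.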
aigle
Comodo's Hero
*****
Offline

Posts: 325



« Reply #17 on: April 11, 2008, 05:32:33 PM »

By the way, same findings with NeoavaGuard and ThreatFire, though TF later caught the executable when it started from system32.
Logged
salmonela
Computer Security Testing Group
Comodo's Hero
*****
Offline

Posts: 441


Spy


« Reply #18 on: April 11, 2008, 08:05:12 PM »

Hmm, it seems a pretty common failure among "HIPS-like" defenses.
What about our Chinese friends, EQsecure and Netchina S3: did you or someone from Wilders maybe test these against Kraken?
Logged

aigle
Comodo's Hero
*****
Offline

Posts: 325



« Reply #19 on: April 11, 2008, 09:11:08 PM »

EQS was OK.
Logged
salmonela
Computer Security Testing Group
Comodo's Hero
*****
Offline

Posts: 441


Spy


« Reply #20 on: April 20, 2008, 06:16:52 PM »

I can inform you all that the above-reported "Kraken botnet issue" is solved in the new 3.0.22.349 build...
Viva Comodo
Logged

OD
Forum Volunteer
Global Moderator
Comodo's Hero
*****
Offline

Posts: 489


"To live is to dance, to dance is to live."


« Reply #21 on: April 20, 2008, 10:19:21 PM »

I can inform you all that the above-reported "Kraken botnet issue" is solved in the new 3.0.22.349 build...
Viva Comodo


verified

OD
Logged

"Sometimes when I get up in the morning, I feel very peculiar. I feel like I've just got to bite a cat! I feel like if I don't bite a cat before sundown, I'll go crazy! But then I just take a deep breath and forget about it", then again sometimes you just have to bite a cat
aigle
Comodo's Hero
*****
Offline

Posts: 325



« Reply #22 on: April 21, 2008, 01:49:09 AM »

That's nice.
Logged
Josh123
Guest
« Reply #23 on: April 25, 2008, 12:35:59 AM »

verified

OD

+1

Topic locked.

Josh
Logged