Author Topic: Downadup/ Conficker worm versus Defence Plus  (Read 23758 times)
aigle
Comodo's Hero
Posts: 521

« Reply #60 on: January 22, 2009, 07:53:08 AM »

The AV detects this worm in CIS. Hence I am unable to send it to Egemen because the AV in CIS watches all of the [ at ]comodo.com emails...

See Screen Shot.

Cheers,
Josh
Hmmm... so you mean there is no way to send this worm to him for analysis?

Thanks
gibran
Average User
Comodo's Hero
Posts: 5063
A bad workman always blames his tools

« Reply #61 on: January 22, 2009, 08:12:25 AM »

And I did not write that I use default proactive config. I just tried that config with the malware.

Yep, that was what I meant by "you used" also.

Hi gibran, it was not a professional test, you must consider this, and the thread is NOT against CIS, it's to improve CIS. There is no offence against CIS. It does intercept the threat, but the interception can be improved much and that's all I want (just like the OA people implemented it promptly without thinking that it is against OA).
New features are always welcome but IMO the misunderstanding possibly triggered by inaccurate testing or speculations helps no one.

I hope you'll also consider that Comodo devs are currently focused on finalizing the current CIS beta.

BTW can you confirm that the feature implemented in the new OA Beta 3.1.0.18 was coded in less than two days after this test was disclosed or was it also featured in one of the betas ranging between 3.0.0.190 (current final release) and Beta 3.1.0.18?
« Last Edit: January 22, 2009, 08:25:43 AM by gibran »

"In the beginning the Universe was created. This has made a lot of people very angry and has been widely regarded as a bad move."- Douglas Adams
aigle
Comodo's Hero
Posts: 521

« Reply #62 on: January 22, 2009, 09:47:41 AM »

Why do you expect professional testing from ordinary users like me? I gave an input; it's up to them to look into it if they like / bother to do so. I might believe you if the same is said by Comodo developers themselves.
I hope you'll also consider that Comodo devs are currently focused on finalizing the current CIS beta.
That's why it's the best time to report such issues, so that they can implement an interception before the final version.
BTW can you confirm that the feature implemented in the new OA Beta 3.1.0.18 was coded in less than two days after this test was disclosed or was it also featured in one of the betas ranging between 3.0.0.190 (current final release) and Beta 3.1.0.18?
I am not sure. I guess it was reported to them by a member after I posted the thread at Wilders and they said they would fix it, and then someone posted screenshots from a closed beta showing that it is being intercepted. Seems they fixed it just recently.
« Last Edit: January 22, 2009, 09:50:15 AM by aigle »
gibran
Average User
Comodo's Hero
Posts: 5063

« Reply #63 on: January 22, 2009, 10:07:18 AM »

Why do u expect professional testing from ordinary users like me?
Obviously I never stated I was acting as a representative of Comodo, nor did I expect that saying that IMO misunderstanding possibly triggered by inaccurate testing or speculation helps no one would be so objectionable.

That's why it's the best time to report such issues, so that they can implement an interception before the final version.
I see. Thanks for specifically clarifying this.
3xist
Guest
« Reply #64 on: January 23, 2009, 08:34:14 PM »

Hmmm... so you mean there is no way to send this worm to him for analysis?

Thanks

Egemen is posting now relating to it... I sent the link to him.

Cheers,
Josh
egemen
Administrator
Comodo's Hero
Posts: 2191

« Reply #65 on: January 23, 2009, 08:43:12 PM »

CFP - on default interactive security mode, you will get only one pop-up, that is the execution of the dll / vmx file by rundll32. If you allow it, no more pop-ups and the malware is free to do all its actions. CFP however did label it as suspicious via file heuristics.

I wonder what if someone just allowed the execution of the vmx file by mistake. No second chance in this case! Hmmm.... I don't feel so good.

My thread is here. 

http://www.wilderssecurity.com/showthread.php?t=231106

Hi Guys,

The "COMODO - Internet Security" policy, by default, is going to catch this and properly identify it as MALWARE. This is a unique and the most important popup for the end user(1.png). The rest is too much for the average Joe.

However if desired, advanced users can have CIS switched to the "COMODO - Proactive Security" policy, and set Defense+ to Paranoid mode for further testing. However this is only for advanced users who know what they are doing.

In this case, CIS will go crazy for sure. It is going to generate more than 10 popups. I am attaching some of them here.
Melih
Administrator
Comodo's Hero
Posts: 8651

« Reply #66 on: January 23, 2009, 08:52:32 PM »

I mean what else can CIS say???

It prevented this little bugger and told the user it is malware... good job CIS!!!

Melih
aigle
Comodo's Hero
Posts: 521

« Reply #67 on: January 24, 2009, 07:30:38 AM »

Hi egemen and Melih, I will disagree.

Ten plus pop-ups are useless, as the main pop-up is rundll32.exe accessing svchost.exe in memory. Why would one block this? It looks like a legit action. Once you have allowed it after execution, you can't stop the malware even if you choose to block all the other pop-up alerts.

The best is the pop up by OA showing malware dll( vmx) accessing svchost.exe in memory.
egemen
Administrator
Comodo's Hero
Posts: 2191

« Reply #68 on: January 24, 2009, 11:44:53 AM »

D+ treats rundll32.exe specially. That's why it is intercepting the DLL from being loaded with autorun and that's why you are getting a VIRUS alert. That is a quite targeted alert. This is the best way to prevent against such kinds of attacks. So in short and as a result, CIS users, as seen in the picture, were protected against this worm from day 0 by default. There is no need to discuss a theory while you have a practical example.

This was one of the ways for a malware to load its components to the memory. I.e. using autorun. There are other ways and CIS intercepts all of them.

I am not sure, but if I recall correctly this worm also exploits a buffer overflow vulnerability to spread itself. If this is the case, CIS will also prevent its spread by detecting the buffer overflow attack on the attacked computer in the network.

Good luck
Egemen
aigle
Comodo's Hero
Posts: 521

« Reply #69 on: January 24, 2009, 06:25:34 PM »

Hmmm... you never answered my question. Why would a user stop rundll32.exe from accessing svchost.exe in memory? The user will not stop it, and svchost.exe in turn will create autorun and vmx files on all attached USB sticks.

Maybe you will not agree, but OA deals with it more specifically: it intercepts it as a malicious vmx accessing svchost.exe in memory, which clearly looks like a more suspicious action.

In fact, when you are using benign USB memory sticks for usual work, after a few times you will have automatically made an allow rule for this due to the on-and-off pop-up about it from CFP. Now if you plug in an infected USB stick you will not even get an alert from CFP about rundll32.exe accessing svchost.exe in memory, but here OA users will still get an alert about the malware vmx accessing svchost.exe in memory.

I see special treatment from OA rather than CFP.

« Last Edit: January 24, 2009, 06:33:37 PM by aigle »
gibran
Average User
Comodo's Hero
Posts: 5063

« Reply #70 on: January 24, 2009, 06:46:08 PM »

Now if u plugin an infected USB stick you will not even get an alert from CFP about rundll32.exe accessing svchost.exe in memory

aigle it looks like you forgot again or you made a typo.

Yes, my initial analysis was not so complete. I missed those pop ups probably as I must have made an allow rule for rundll32 accessing svchost.exe in memory

Note: Alerts from Current CIS 3.8 beta.
« Last Edit: January 24, 2009, 07:05:59 PM by gibran »
egemen
Administrator
Comodo's Hero
Posts: 2191

« Reply #71 on: January 24, 2009, 07:55:00 PM »

Now if u plugin an infected USB stick you will not even get an alert from CFP about rundll32.exe accessing svchost.exe in memory, but here OA users will still get an alert about malware vmx accessing svchost.exe in memory.

You are getting the most important alert you can see from CIS when you insert an infected USB stick: It says this is a malware!!!! And this is just because we are making some special handling for this case and we have already calculated the risks and introduced protection before this bad guy! What else do you want? Other vendors handle it differently, so what? Do an experiment and show your grandfather the first CIS alert and the other vendors' alert to see which one helps him most...

Anyway here is my LAST explanation on this subject:

rundll32.exe is a SAFE application. Unless it is used by a malware, it poses no harm. Autorun CD/DVD/USB media are the most important and common way a virus exploits rundll32.exe. CIS protects rundll32.exe from being misused by giving it a special treatment when it loads DLLs.
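Egemen's point above is that removable-media autorun is the common route by which a payload is handed to rundll32.exe. As an added example for this thread (not Comodo's code, and not the worm's own file), here is a small Python checker that parses an autorun.inf and flags launch entries that route a non-DLL file through rundll32.exe. The sample autorun.inf, its payload path and export name are constructed placeholders; the parser is deliberately tolerant of junk lines, since strict INI parsers reject many real-world autorun.inf files.

```python
"""Flag autorun.inf launch entries that hand a non-DLL file to rundll32.exe.

Added example for this thread; not Comodo's code and not the worm's file.
A tolerant line parser is used instead of configparser because real autorun.inf
files often contain junk lines and duplicate keys that strict INI parsers reject.
"""
import re

# Constructed sample autorun.inf. The payload path and export name are
# placeholders that mirror the pattern discussed in the thread (a file with a
# non-.dll extension launched through rundll32.exe from removable media).
SAMPLE_AUTORUN_INF = """\
[autorun]
;junk line the parser must tolerate
action=Open folder to view files
icon=%systemroot%\\system32\\shell32.dll,4
shellexecute=rundll32.exe RECYCLER\\payload.vmx,ExportName
shell\\open\\command=rundll32.exe RECYCLER\\payload.vmx,ExportName
useautoplay=1
"""

# Keys whose value is executed when the media is inserted or double-clicked.
LAUNCH_KEYS = {"open", "shellexecute"}
# Matches "rundll32.exe <module>[,<export>]", with an optional path or quotes around the host.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+("?[^",\s]+"?)(?:,\S+)?\s*$', re.I)


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased."""
    entries = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip().lower(), value.strip()))
    return entries


def is_launch_key(key):
    # open=, shellexecute=, and shell\<verb>\command= all run a program.
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def analyze_autorun(text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries:
        if not is_launch_key(key):
            continue
        match = RUNDLL32_RE.match(value)
        if not match:
            continue
        module = match.group(1).strip('"')
        findings.append(f"{key}: rundll32.exe launches {module}")
        if not module.lower().endswith(".dll"):
            findings.append(f"{key}: module extension is not .dll")
        if any(part in module.lower()
               for part in ("recycler", "$recycle.bin", "system volume information")):
            findings.append(f"{key}: module is hidden in a system folder ({module})")
    action = dict(entries).get("action", "").lower()
    if findings and action.startswith("open folder to view files"):
        findings.append("action= text imitates the default Windows AutoPlay entry")
    return findings


if __name__ == "__main__":
    for finding in analyze_autorun(SAMPLE_AUTORUN_INF) or ["nothing flagged"]:
        print(finding)
```

Run against the constructed sample it reports seven findings (two launch keys, each with a non-DLL extension and a recycle-bin path, plus the imitated AutoPlay text); a plain `open=setup.exe` entry or a rundll32 line that loads a real `.dll` produces little or nothing, which is the distinction the thread is arguing about.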
aigle
Comodo's Hero
Posts: 521

« Reply #72 on: January 25, 2009, 08:24:13 AM »

aigle it looks like you forgot again or you made a typo.

Note: Alerts from Current CIS 3.8 beta.

I don't know how I can explain it to you. I made the allow rule not by mistake; I made this rule when I got this alert for a legit reason while using USB memory sticks. Do you expect a user not to make a rule by remembering this option, and to get the same pop-ups every time he uses an application?

While testing I used a config without any rule sets made yet, just to know what I had missed.

And red alerts don't matter, as I get many more red alerts on my PC for legit applications than for malware.
« Last Edit: January 25, 2009, 08:25:49 AM by aigle »
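The disagreement in aigle's last two posts comes down to what a remembered allow rule is keyed on: once "rundll32.exe accessing svchost.exe in memory" has been allowed for a benign USB stick, a rule that ignores which module rundll32.exe was loaded with also covers the malicious case. The toy policy evaluator below is added here as an illustration and is not code from CIS or Online Armor; it evaluates the same two events under a rule keyed only on actor/target and under one that also keys on the loaded module. Event fields, the process names, the module paths and the "host image" list are all assumptions.

```python
"""Toy HIPS rule evaluator showing why allow-rule granularity matters.

Added example for this thread; not CIS or Online Armor code. Event fields,
rule shapes and paths are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    actor: str            # process performing the action, e.g. "rundll32.exe"
    action: str           # e.g. "memory_access"
    target: str           # process being acted on, e.g. "svchost.exe"
    module: str = ""      # module the actor was launched with (for hosts like rundll32.exe)


@dataclass(frozen=True)
class Rule:
    actor: str
    action: str
    target: str
    verdict: str                    # "allow" or "block"
    module: Optional[str] = None    # None: rule does not look at the loaded module


# Processes that merely host someone else's code; for these the module, not the
# host image, is what the user actually allowed or blocked.
HOST_IMAGES = {"rundll32.exe"}


def evaluate(rules, event, strict_hosts=False):
    """Return "allow", "block", or "ask" (ask = show the user an alert).

    With strict_hosts=True a module-less rule is never allowed to match a host
    image such as rundll32.exe, so a remembered answer for one DLL cannot
    silently cover a different one.
    """
    for rule in rules:
        if (rule.actor, rule.action, rule.target) != (event.actor, event.action, event.target):
            continue
        if rule.module is None:
            if strict_hosts and event.actor.lower() in HOST_IMAGES:
                continue
        elif rule.module.lower() != event.module.lower():
            continue
        return rule.verdict
    return "ask"


# Constructed events: the benign one is the everyday USB-stick case the user
# remembered as allowed; the second is the same actor/target pair but with an
# unknown, non-DLL module (placeholder path, not the worm's real file name).
BENIGN = Event("rundll32.exe", "memory_access", "svchost.exe",
               module=r"C:\Windows\System32\shell32.dll")
SUSPECT = Event("rundll32.exe", "memory_access", "svchost.exe",
                module=r"E:\RECYCLER\payload.vmx")

# What "remember this answer" produces if the rule is keyed on actor/target only.
COARSE_RULES = [Rule("rundll32.exe", "memory_access", "svchost.exe", "allow")]
# The same answer, but keyed on the module rundll32.exe was actually loaded with.
MODULE_RULES = [Rule("rundll32.exe", "memory_access", "svchost.exe", "allow",
                     module=r"C:\Windows\System32\shell32.dll")]


def compare():
    """Evaluate both events under both rule sets; returns a dict of verdicts."""
    return {
        "coarse/benign": evaluate(COARSE_RULES, BENIGN),
        "coarse/suspect": evaluate(COARSE_RULES, SUSPECT),
        "coarse+strict/suspect": evaluate(COARSE_RULES, SUSPECT, strict_hosts=True),
        "module/benign": evaluate(MODULE_RULES, BENIGN),
        "module/suspect": evaluate(MODULE_RULES, SUSPECT),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:24s} -> {verdict}")
```

Under the coarse rule the suspect event is allowed without any alert, which is the silent pass-through aigle describes; under the module-keyed rule, or with the host-image restriction switched on, the benign case stays allowed while the suspect case falls back to an alert.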
aigle
Comodo's Hero
Posts: 521

« Reply #73 on: January 25, 2009, 08:36:43 AM »

You are getting the most important alert you can see from CIS when you insert an infected USB stick: It says this is a malware!!!! And this is just because we are making some special handling for this case and we have already calculated the risks and introduced protection before this bad guy! What else do you want? Other vendors handle it differently, so what? Do an experiment and show your grandfather the first CIS alert and the other vendors' alert to see which one helps him most...

Anyway here is my LAST explanation on this subject:

rundll32.exe is a SAFE application. Unless it is used by a malware, it poses no harm. Autorun CD/DVD/USB media are the most important and common way a virus exploits rundll32.exe. CIS protects rundll32.exe from being misused by giving it a special treatment when it loads DLLs.
Hi, the heuristics alert IMO is not so important to my grandfather or yours, as CFP gives this alert for so many legitimate applications.

The final verdict from you is that you handle it differently than others and you think you handle it better. That's OK, but I don't agree at all. And I will just STOP my discussion here.

IMO, someone else is handling it better as far as rundll32.exe is concerned (the heuristic alert nevertheless is a plus).
CIS protects rundll32.exe from being misused by giving it a special treament when it loads DLLs. 
Not sure what you mean by this. Maybe you mean that each dll executed / loaded by rundll32.exe triggers a pop-up alert by CFP? Am I right?

I will be interested to see what other CFP users think about all this discussion. Thanks
gibran
Average User
Comodo's Hero
Posts: 5063

« Reply #74 on: January 25, 2009, 08:58:03 AM »

I don't know how I can explain it to you. I made the allow rule not by mistake; I made this rule when I got this alert for a legit reason while using USB memory sticks. Do you expect a user not to make a rule by remembering this option, and to get the same pop-ups every time he uses an application?

While testing I used a config without any rule sets made yet, just to know what I had missed.

And red alerts don't matter, as I get many more red alerts on my PC for legit applications than for malware.

What you made, for whatever reason you supposedly made it, was to intentionally lower CIS protection.
And please, whatever your take about it is, readers don't have to walk through this entire topic to know what you omitted.

CFP - on default interactive security mode, you will get only one pop-up, that is the execution of the dll / vmx file by rundll32. If you allow it, no more pop-ups and the malware is free to do all its actions. CFP however did label it as suspicious via file heuristics.

I wonder what if someone just allowed the execution of the vmx file by mistake. No second chance in this case! Hmmm.... I don't feel so good.

My thread is here. 

http://www.wilderssecurity.com/showthread.php?t=231106

Your first post is still unedited. And what you remember not so clearly, I asked you about before:


I tested CFP with two configurations.

1- Default proactive with paranoid mode
2- My own custom policy with paranoid mode( has many allow rules and some of them liberal may be- to decrease the no of pop ups i get in every day use of my PC).

If anybody still wonders:
https://forums.comodo.com/leak_testingattacksvulnerability_research/downadup_conficker_worm_versus_defence_plus-t33410.0.html;msg240093#msg240093
https://forums.comodo.com/leak_testingattacksvulnerability_research/downadup_conficker_worm_versus_defence_plus-t33410.0.html;msg240117#msg240117
https://forums.comodo.com/leak_testingattacksvulnerability_research/downadup_conficker_worm_versus_defence_plus-t33410.0.html;msg240123#msg240123
https://forums.comodo.com/leak_testingattacksvulnerability_research/downadup_conficker_worm_versus_defence_plus-t33410.0.html;msg240324#msg240324
https://forums.comodo.com/leak_testingattacksvulnerability_research/downadup_conficker_worm_versus_defence_plus-t33410.0.html;msg240371#msg240371
https://forums.comodo.com/leak_testingattacksvulnerability_research/downadup_conficker_worm_versus_defence_plus-t33410.0.html;msg240495#msg240495
https://forums.comodo.com/leak_testingattacksvulnerability_research/downadup_conficker_worm_versus_defence_plus-t33410.0.html;msg240515#msg240515

« Last Edit: January 25, 2009, 11:52:38 AM by gibran »