MOD NOTICE: Since it could prove useful to specifically focus on the topic at hand, all OT comments were split to "Re: Rootkit-driver install not intercepted?". Please post OT comments there.

Author Topic: Rootkit-driver install not intercepted?  (Read 7797 times)
aigle
Comodo's Hero
« on: August 01, 2008, 07:00:18 AM »

I tried to install a rootkit driver manually via w2k_loqd.exe. CFP gave an SCM access alert. I denied it, but the driver seems to be loaded, as shown by RootRepeal, while EQS stops it from loading. Can anyone confirm? Thanks

Tested on a fresh snapshot of Eaz-Fix, XP Home SP2, no other security software installed at all. Fresh install of CFP with paranoid settings. Used ShadowSurfer for testing though.
Vettetech
Guest
« Reply #1 on: August 01, 2008, 07:07:09 AM »

What happens when you use "safe mode" and have remember checked off?
aigle
Comodo's Hero
« Reply #2 on: August 01, 2008, 07:14:28 AM »

I always checked off remember (snapshots of popups were taken before that, just on appearing of the popups). Did not try safe mode, but it must be the same, as safe mode is less secure than, or at least the same as, paranoid.
Swordfish
Newbie
« Reply #3 on: August 02, 2008, 12:35:43 PM »

I have the same situation here (as I did comment on Wilders).
Here you go with some screenshots:
http://img363.imageshack.us/my.php?i...0199228vx2.jpg
http://img357.imageshack.us/my.php?i...7694241wa1.jpg
http://img80.imageshack.us/img80/5084/19469594ex6.jpg
http://img185.imageshack.us/img185/264/92335083pq3.jpg
http://img208.imageshack.us/img208/4665/32048945pf5.jpg

Regards,
a.

--
"It is not because things are difficult that we do not dare, but because we do not dare that things are difficult."

Security setup: CIS + GesWall + SRWare Iron + Prevx + Avira...
HW setup: E4500 2.2@3.01 GHz rock solid w. Noctua NH-U12, Asus P5K, A-Data Extreme 1066, WD Raptor
aigle
Comodo's Hero
« Reply #4 on: August 02, 2008, 01:44:32 PM »

Thanks for confirming my findings.

Seems detection of service/driver install/loading is one of the areas where CFP needs to be improved a lot. Sadly I have not got any response from developers, though I have posted at least five threads where CFP seems to fail or seems buggy (3 about driver loading/install, one about physical memory access and one about file creation).
egemen
Administrator
Comodo's Hero
« Reply #5 on: August 02, 2008, 01:52:58 PM »

Quote from: aigle
Sadly I have not got any response from developers though I have posted at least five threads where CFP seems to fail or seems buggy (3 about driver loading/install, one about physical memory access and one about file creation).

Can you please put all of your proofs of concept into one archive and post it here? And let me see what is going on..

Thx,
Egemen
egemen
Administrator
Comodo's Hero
« Reply #6 on: August 02, 2008, 02:06:31 PM »

I am afraid I cannot verify your finding. CFP is intercepting the attempts successfully. Plus, w2k_load.exe does not use any fancy techniques to load the drivers.

Well, I am sure you are aware of the fact that, once you install and load a rootkit driver, the tests you perform later are meaningless.

You have to use a clean PC to see if your rootkit is loaded again. Once you load it, do not assume it is going to go away...

EDIT: I was using the development snapshot and hence could not verify the issue. The build 378 does have this bug in Windows XP. Just verified. It will be fixed with the planned release in a couple of weeks.
« Last Edit: August 02, 2008, 02:37:37 PM by egemen »
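The advice above is to verify on a clean machine whether the driver actually got registered and loaded rather than trusting the HIPS alert. The following audit script is an added example, not code from the thread or from Comodo: it lists kernel-mode driver services registered with the SCM, resolves their image paths, checks the Authenticode signature and reports whether each is currently running. It assumes an elevated PowerShell session (3.0 or later) on Windows.

```powershell
# Added example (not from the thread): audit kernel-mode driver services after a
# denied "SCM access" alert, to confirm whether a driver was registered and loaded
# anyway. Run from an elevated PowerShell prompt.

function Resolve-DriverPath {
    param([string]$ImagePath)
    # The SCM stores NT-style paths; normalise them into Win32 paths.
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                       # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # bare relative path
    return $p
}

function Get-DriverAudit {
    # Drivers the OS currently reports as running, keyed by service name.
    $running = @{}
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } |
        ForEach-Object { $running[$_.Name.ToLower()] = $true }

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty $_.PSPath
        # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; skip user-mode services.
        if ($svc.Type -ne 1 -and $svc.Type -ne 2) { return }
        if (-not $svc.ImagePath) { return }
        $path = Resolve-DriverPath $svc.ImagePath
        $sig  = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Service   = $_.PSChildName
            Start     = $svc.Start      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            Running   = $running.ContainsKey($_.PSChildName.ToLower())
            Signature = $sig
            Path      = $path
        }
    }
}

# Anything running with an invalid/missing signature, or pointing at a file that is
# no longer on disk, is what a defender should look at first after such a test.
Get-DriverAudit | Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Running -Descending | Format-Table -AutoSize
```

Compare the output against a baseline taken before the test; a new Type 1 entry that is Running despite the denied alert is the condition the OP describes.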
aigle
Comodo's Hero
« Reply #7 on: August 02, 2008, 04:20:26 PM »

Hi egemen, thanks for your confirmation.

Can you verify these three issues as well?

1- Driver install not intercepted

http://forums.comodo.com/leak_testingattacksvulnerability_research/d_give_a_great_alert_about_dns_trojan_dropper_test-t25570.0.html

http://www.wilderssecurity.com/showthread.php?t=216706

2- No alert for physical memory access

http://forums.comodo.com/leak_testingattacksvulnerability_research/phideexe_rootkit_bypassed_defence_plus-t25537.0.html

3- Wrong file creation alert

http://forums.comodo.com/leak_testingattacksvulnerability_research/false_file_creation_alert_is_ita_ghost_file_or_a_serious_bug-t25509.0.html

Thanks for your time
egemen
Administrator
Comodo's Hero
« Reply #8 on: August 02, 2008, 07:05:02 PM »

2 is not a case. Please have a fresh XP installation without any security software and try again. Vettetech already posted screenshots. CFP intercepts and catches properly. But if you send me your version of the binary, I can verify again.

EDIT: I have just verified that this can happen in some computers. It is a rare bug. Fixed. Probably many other products have it.

3: there are many cases in which it can happen. CFP approves, but later in the file system stack the request fails, etc. It is not a serious issue or a bug.
« Last Edit: August 02, 2008, 08:30:21 PM by egemen »
aigle
Comodo's Hero
« Reply #9 on: August 02, 2008, 10:04:48 PM »

Hmmmm... and what about no. 1?

Many thanks
ailef
Computer Security Testing Group
Comodo's Hero
« Reply #10 on: August 03, 2008, 02:47:32 AM »

Some stupid question: what's your explorer setting in D+?

Where to find this exploit?

xps M1330@T9500 - Windows 7 Ultimate 64bit - Comodo 3.13 build 574 - KAV 2010 build 736
aigle
Comodo's Hero
« Reply #11 on: August 03, 2008, 06:32:19 AM »

What is the relation of explorer to this driver install? The driver is loaded by Windows Installer, not explorer. Explorer has a custom policy, BTW.
ailef
Computer Security Testing Group
Comodo's Hero
« Reply #12 on: August 03, 2008, 03:49:10 PM »

I ask that because with the explorer rule "Windows System Application", device driver installation is allowed.

Update: I downloaded the file, aigle, thanks.

I don't have the same files as at the top of the topic, maybe you posted the wrong archive?
« Last Edit: August 03, 2008, 04:07:12 PM by ailef »
egemen
Administrator
Comodo's Hero
« Reply #13 on: August 03, 2008, 08:08:59 PM »

Quote from: aigle
Hmmmm... and what about no. 1?

Many thanks

You can get the same alerts from CFP if you modify the policy. You can remove msiexec.exe from the default policy and CFP will just act like the HIPS you compare it to.

However, there is something else there: a COM interface access. So asking the users about a legitimate system application is not really a protection. MSIEXEC is DOING what it is supposed to do. COM interface access must be intercepted before the trojan controls the msiexec service. So when we have time, we will analyze it and see what is going on.
aigle
Comodo's Hero
« Reply #14 on: August 04, 2008, 10:16:24 AM »

Quote from: egemen
You can get the same alerts from CFP if you modify the policy. You can remove msiexec.exe from the default policy and CFP will just act like the HIPS you compare it to.

I removed all default rules/policy for msiexec.exe and unfortunately got no alerts for a driver install/load. CFP does not at all behave like other HIPS here.

See my thread here for some more explanation.

http://www.wilderssecurity.com/showthread.php?t=216750

Thanks