Author Topic: bypass v5.10.228257.2253 (dll malware, QQ pass)  (Read 9789 times)

Online a256886572008

  • Star Group
  • Comodo's Hero
  • Posts: 886
bypass v5.10.228257.2253 (dll malware, QQ pass)
« on: May 11, 2012, 09:20:58 AM »
1. I double click on the photo.exe.

It can terminate the existing process of QQ IM software.

2. Then, I restart QQ IM and type some words on the window of it.

The photo.exe can connect to the internet.

3. Comodo trusts the photo.exe which is injected with the MSDTCTM.dll.

4. The malware creates an autorun entry.

5. Environment:

Windows XP SP3 32bit
« Last Edit: May 11, 2012, 06:36:54 PM by a256886572008 »

Offline languy99

  • Global Moderator
  • Comodo's Hero
  • Posts: 3940
Re: bypass v5.10.228257.2253 (dll malware, QQ pass)
« Reply #1 on: May 11, 2012, 09:40:29 AM »
Do you have a VirusTotal of the photo.exe?
http://www.youtube.com/languy99

Software Reviews for all.

Follow me on Twitter http://twitter.com/#!/languy99


Offline languy99

  • Global Moderator
  • Comodo's Hero
  • Posts: 3940
Re: bypass v5.10.228257.2253 (dll malware, QQ pass)
« Reply #3 on: May 11, 2012, 11:05:05 AM »
Can you open up KillSwitch and show me the active processes, and then show me the associated DLLs with the photo.exe and QQ?

Offline Ionel

  • Comodo Staff
  • Comodo's Hero
  • Posts: 790
Re: bypass v5.10.228257.2253 (dll malware, QQ pass)
« Reply #4 on: May 11, 2012, 11:30:20 AM »
> 1. I double click on the photo.exe.
>
> It can terminate the existing process of QQ IM software.
>
> 2. Then, I restart QQ IM and type some words on the window of it.
>
> The photo.exe can connect to the internet.
>
> 3. Comodo trusts the photo.exe which is injected with the MSDTCTM.dll.
>
> 4. Environment:
>
> Windows XP SP3 32bit

Hi a256886572008,

We are looking into this issue and will provide a fix as soon as possible.

Thank you for reporting it!

Regards,
Ionel

Online a256886572008

  • Star Group
  • Comodo's Hero
  • Posts: 886
Re: bypass v5.10.228257.2253 (dll malware, QQ pass)
« Reply #5 on: May 11, 2012, 11:37:14 AM »
1.



2. The malware puts a transparent window on the window of QQ IM.

So, it can connect to the internet after the user types some words on that.

« Last Edit: May 11, 2012, 06:07:00 PM by a256886572008 »

Offline Hause

  • Comodo's Hero
  • Posts: 962
Re: bypass v5.10.228257.2253 (dll malware, QQ pass)
« Reply #6 on: May 12, 2012, 04:31:03 AM »
> We are looking into this issue and will provide a fix as soon as possible.
> Thank you for reporting it!
> Regards,
> Ionel

Almost half a year has passed since the first reports of this problem.
https://forums.comodo.com/news-announcements-feedback-cis/allegation-of-comodo-defence-plus-byapssed-by-zeroaccess-rootkit-t79079.0.html
Seems we will have to wait another six months, up to version CIS 6...

Offline fake5

  • Comodo Loves me
  • Posts: 101
Re: bypass v5.10.228257.2253 (dll malware, QQ pass)
« Reply #7 on: May 12, 2012, 04:39:45 AM »
> Hi a256886572008,
>
> We are looking into this issue and will provide a fix as soon as possible.
>
> Thank you for reporting it!
>
> Regards,
> Ionel


 :-TU :-TU :-TU
plz fix it as soon as possible, thx!

Offline Seany007

  • Comodo's Hero
  • Posts: 2376
  • Comodo Commando
Re: bypass v5.10.228257.2253 (dll malware, QQ pass)
« Reply #8 on: May 12, 2012, 08:52:13 AM »
> Almost half a year has passed since the first reports of this problem.
> https://forums.comodo.com/news-announcements-feedback-cis/allegation-of-comodo-defence-plus-byapssed-by-zeroaccess-rootkit-t79079.0.html
> Seems we will have to wait another six months, up to version CIS 6...

Oh well... The chances of you walking into such malware are low, same as ransom...
Proud Comodo User (CIS, CD, CID and CMS)

Offline OmeletGuy

  • Global Moderator
  • Comodo's Hero
  • Posts: 2903
  • Dragon Theme Maker
Re: bypass v5.10.228257.2253 (dll malware, QQ pass)
« Reply #9 on: May 12, 2012, 06:03:05 PM »
Current CIS can likely be made to stop this with D+ rules... Will it cut into compatibility and stability? Maybe.
Comodo Dragon themes, including windows Aero options. Download  Here

System Details: W7-64bit | 4GB DDR2 | Intel Core 2 Extreme X6800 | CIS 6.3 | Geforce 560 GTX

Online a256886572008

  • Star Group
  • Comodo's Hero
  • Posts: 886
Re: bypass v5.10.228257.2253 (dll malware, QQ pass)
« Reply #10 on: May 13, 2012, 10:24:36 AM »
Automatically sandbox processes whose modules contain unrecognized files?
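
The policy proposed in this reply, contrasted with an image-only trust check, as an added example (my own illustration, not Comodo's code or a model of its trust database). It evaluates a constructed process snapshot in the spirit of a KillSwitch listing: file paths, file contents, the allowlist and the autorun entries are all invented; photo.exe is put on the allowlist to mirror the thread, and MSDTCTM.dll is deliberately left off it.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's contents: the key the allowlist is built on."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents so every hash below is a genuine
# SHA-256 of something. Paths and contents are invented for this example.
FILE_BYTES: Dict[str, bytes] = {
    r"C:\Program Files\Tencent\QQ\Bin\QQ.exe": b"constructed QQ.exe image",
    r"C:\Users\demo\Desktop\photo.exe": b"constructed photo.exe image",
    r"C:\Windows\system32\kernel32.dll": b"constructed kernel32.dll",
    r"C:\Windows\system32\user32.dll": b"constructed user32.dll",
    r"C:\Windows\system32\MSDTCTM.dll": b"constructed unrecognized MSDTCTM.dll",
}

# Allowlist of recognized hashes. photo.exe is deliberately on it (the thread says
# the product trusted it); MSDTCTM.dll is deliberately absent.
TRUSTED_HASHES: Set[str] = {
    sha256_hex(data)
    for path, data in FILE_BYTES.items()
    if not path.endswith("MSDTCTM.dll")
}


@dataclass
class Process:
    pid: int
    image: str                                        # path of the main executable
    modules: List[str] = field(default_factory=list)  # paths of loaded DLLs


def is_recognized(path: str, file_bytes: Dict[str, bytes], trusted: Set[str]) -> bool:
    """A file is recognized only if it is present in the snapshot and its hash is allowlisted."""
    return path in file_bytes and sha256_hex(file_bytes[path]) in trusted


def image_only_verdict(proc: Process, file_bytes, trusted) -> str:
    """The weak policy: judge the main image and ignore what was loaded into it."""
    return "trusted" if is_recognized(proc.image, file_bytes, trusted) else "untrusted"


def module_aware_verdict(proc: Process, file_bytes, trusted) -> Tuple[str, List[str]]:
    """The stricter policy: the image AND every loaded module must be recognized.
    Returns the verdict plus the list of files that failed the check."""
    unknown = [p for p in [proc.image] + proc.modules
               if not is_recognized(p, file_bytes, trusted)]
    return ("trusted", []) if not unknown else ("untrusted", unknown)


def flag_autoruns(autoruns: Dict[str, str], file_bytes, trusted) -> List[str]:
    """Autorun value names whose target is not a recognized file."""
    return [name for name, target in autoruns.items()
            if not is_recognized(target, file_bytes, trusted)]


# Constructed snapshot: QQ.exe and photo.exe both running with the unrecognized
# DLL loaded, as the thread describes.
SNAPSHOT: List[Process] = [
    Process(1234, r"C:\Program Files\Tencent\QQ\Bin\QQ.exe", [
        r"C:\Windows\system32\kernel32.dll",
        r"C:\Windows\system32\user32.dll",
        r"C:\Windows\system32\MSDTCTM.dll",
    ]),
    Process(1400, r"C:\Users\demo\Desktop\photo.exe", [
        r"C:\Windows\system32\kernel32.dll",
        r"C:\Windows\system32\MSDTCTM.dll",
    ]),
]

# Constructed autorun entries (value name -> target path).
AUTORUNS: Dict[str, str] = {
    "photo": r"C:\Users\demo\Desktop\photo.exe",
    "ghost": r"C:\Users\demo\AppData\Roaming\missing.exe",
}


def report(snapshot=SNAPSHOT, autoruns=AUTORUNS) -> Dict[str, object]:
    """Run both policies over the snapshot plus the autorun check; return a summary."""
    rows = {}
    for proc in snapshot:
        weak = image_only_verdict(proc, FILE_BYTES, TRUSTED_HASHES)
        strict, unknown = module_aware_verdict(proc, FILE_BYTES, TRUSTED_HASHES)
        rows[proc.image] = {"image_only": weak, "module_aware": strict, "unknown": unknown}
    return {"processes": rows,
            "flagged_autoruns": flag_autoruns(autoruns, FILE_BYTES, TRUSTED_HASHES)}


if __name__ == "__main__":
    summary = report()
    for image, row in summary["processes"].items():
        print(f"{image}: image-only={row['image_only']} "
              f"module-aware={row['module_aware']} unknown={row['unknown']}")
    print("flagged autoruns:", summary["flagged_autoruns"])
```

The image-only verdict calls both processes trusted, which is the behaviour the thread complains about: the allowlisted image is all it looks at. The module-aware verdict marks both untrusted and names MSDTCTM.dll as the reason, and the autorun check flags only the entry whose target is not a recognized file, so an autorun pointing at the allowlisted photo.exe still passes; that is why the module check, not the autorun check alone, is what catches this case.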


Offline OmeletGuy

  • Global Moderator
  • Comodo's Hero
  • Posts: 2903
  • Dragon Theme Maker
Re: bypass v5.10.228257.2253 (dll malware, QQ pass)
« Reply #11 on: May 13, 2012, 10:41:40 AM »
> Automatically sandbox processes whose modules contain unrecognized files?

Well, maybe not like that with the current version; that's more 6.0. I mean, I could make a custom rule for Photo.exe to prevent it from getting infected.

Offline jay2007tech

  • Malware Research Group
  • Global Moderator
  • Comodo's Hero
  • Posts: 1994
Re: bypass v5.10.228257.2253 (dll malware, QQ pass)
« Reply #12 on: May 13, 2012, 02:55:27 PM »
In Defence+, would changing from "partially limited" to "limited" solve this?
It's hard being a crooked Admin when the files won't pass an MD5 checksum test. But like any other good crooked Admin it can be done, it just takes time (and lots of it) and a few aspirins

Online a256886572008

  • Star Group
  • Comodo's Hero
  • Posts: 886
Re: bypass v5.10.228257.2253 (dll malware, QQ pass)
« Reply #13 on: May 13, 2012, 11:37:59 PM »
> In Defence+, would changing from "partially limited" to "limited" solve this?

Comodo would still trust the malware.

Offline pykko

  • Computer Security Testing Group
  • Comodo's Hero
  • Posts: 545
    • In a world full of viruses, you have a friend
Re: bypass v5.10.228257.2253 (dll malware, QQ pass)
« Reply #14 on: May 16, 2012, 12:38:57 PM »
This is a very serious issue. Is any Dev looking into it?
