Author Topic: Bypass V6 partially limited,limited,restricted and HIPS (New Method)  (Read 8797 times)

Offline a256886572008

  • Star Group
  • Comodo's Hero
  • Posts: 963
1. I double clicked on the malware.



2. I chose "Run Isolated"

3. The FlashPlayer_11_4_update_for_Win.exe was sandboxed as "partially limited", but the svchost.exe executed by explorer.exe was not sandboxed.



4. I checked the autorun entries.



5. Environment:
Windows XP Pro SP3 32bit

6.
https://www.virustotal.com/file/9f1db11106b46925bb964f35719e4362b4309dbe69653fbab2a9b8481cc485d7/analysis/1359043787/

http://valkyrie.comodo.com/Result.html?sha1=25cfd9454c7b77027a278856d539f6f88222d099&&query=0&&filename=FlashPlayer_11_4_update_for_Win.exe

http://camas.comodo.com/cgi-bin/submit?file=9f1db11106b46925bb964f35719e4362b4309dbe69653fbab2a9b8481cc485d7

7. process tree:
malware --> nothing

explorer.exe --> svchost.exe

[attachment deleted by admin]
« Last Edit: January 28, 2013, 10:22:21 AM by a256886572008 »

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • Posts: 3380
Re: Bypass V6 partially limited,limited,restricted and HIPS (New Method)
« Reply #1 on: January 24, 2013, 03:40:16 PM »
1. I double clicked on the malware.



2. I chose "Run Isolated"

3. The FlashPlayer_11_4_update_for_Win.exe was sandboxed as "partially limited", but the svchost.exe executed by explorer.exe was not sandboxed.



4. I checked the autorun entries.



5. Environment:
Windows XP SP3 32bit

6.
https://www.virustotal.com/file/9f1db11106b46925bb964f35719e4362b4309dbe69653fbab2a9b8481cc485d7/analysis/1359043787/

http://valkyrie.comodo.com/Result.html?sha1=25cfd9454c7b77027a278856d539f6f88222d099&&query=0&&filename=FlashPlayer_11_4_update_for_Win.exe

http://camas.comodo.com/cgi-bin/submit?file=9f1db11106b46925bb964f35719e4362b4309dbe69653fbab2a9b8481cc485d7



Hmmm good one. Thanks for the report. Can you quickly send me the sample link?

Offline M.Richter

  • Comodo's Hero
  • Posts: 331
Re: Bypass V6 partially limited,limited,restricted and HIPS (New Method)
« Reply #2 on: January 24, 2013, 05:59:10 PM »
What does this malware do? Is it able to harm the system, I mean make any changes or send data? What happens if you set up the sandbox to fully virtualized?

Offline DrHaze

  • Malware Research Group
  • Comodo's Hero
  • Posts: 466
  • Once A Comodo!Always A Comodo!Go Comodo!!
Re: Bypass V6 partially limited,limited,restricted and HIPS (New Method)
« Reply #3 on: January 24, 2013, 08:05:26 PM »
I found a copy of this but Avast blocks it. I know where to get it. But if you run it you will never really know what was done to your system...
AMD Phenom x4 3.3GHZ 12Gig Ram
Intel Core 2 Quad 2.5ghz 8Gig Ram
Windows 8 x64 Pro

Offline a256886572008

  • Star Group
  • Comodo's Hero
  • Posts: 963
Re: Bypass V6 partially limited,limited,restricted and HIPS (New Method)
« Reply #4 on: January 24, 2013, 08:17:52 PM »
What does this malware do? Is it able to harm the system, I mean make any changes or send data? What happens if you set up the sandbox to fully virtualized?

Only "untrusted" and "fully virtualized" can block the malware.

Offline M.Richter

  • Comodo's Hero
  • Posts: 331
Re: Bypass V6 partially limited,limited,restricted and HIPS (New Method)
« Reply #5 on: January 24, 2013, 08:44:13 PM »
Only "untrusted" and "fully virtualized" can block the malware.

Thank you for that info. Is it able to run in the virtualized sandbox and not harm the system, or does it not run?

Offline a256886572008

  • Star Group
  • Comodo's Hero
  • Posts: 963
Re: Bypass V6 partially limited,limited,restricted and HIPS (New Method)
« Reply #6 on: January 24, 2013, 08:53:10 PM »
Thank you for that info. Is it able to run in the virtualized sandbox and not harm the system, or does it not run?

It can be run in the virtualized sandbox, but explorer.exe cannot execute the svchost.exe.

Offline M.Richter

  • Comodo's Hero
  • Posts: 331
Re: Bypass V6 partially limited,limited,restricted and HIPS (New Method)
« Reply #7 on: January 24, 2013, 09:06:45 PM »
It can be run in the virtualized sandbox, but explorer.exe cannot execute the svchost.exe.

Thank you for that info again. That is a really nice one, interesting! :-)

Those are the examples where I ask myself: is it better to make the software more user friendly or more protective!?

I would choose the second one :-) ... even if the virtualized sandbox is not user-friendly at all as the default setting, it seems you get more protection.

Offline a256886572008

  • Star Group
  • Comodo's Hero
  • Posts: 963
Re: Bypass V6 partially limited,limited,restricted and HIPS (New Method)
« Reply #8 on: January 24, 2013, 09:47:16 PM »

Hmmm good one. Thanks for the report. Can you quickly send me the sample link?

1. There is one problem in COMODO Autorun Analyser.

It cannot detect the autorun file, skype.dat.



2. The rating scan can not detect it.

« Last Edit: January 25, 2013, 09:43:13 AM by a256886572008 »

Offline a256886572008

  • Star Group
  • Comodo's Hero
  • Posts: 963
Re: Bypass V6 partially limited,limited,restricted and HIPS (New Method)
« Reply #9 on: January 25, 2013, 02:53:51 AM »
1. I tested the malware with Malware Defender.

Quote
2013/1/25 15:50:59    Create new process    Permitted
Process: c:\windows\explorer.exe
Target: c:\virus\flashplayer_11_4_update_for_win\flashplayer_11_4_update_for_win.exe
Cmd line: "C:\virus\FlashPlayer_11_4_update_for_Win\FlashPlayer_11_4_update_for_Win.exe"
Rule: [App]*

2013/1/25 15:51:10    Access memory of another process    Denied
Process: c:\virus\flashplayer_11_4_update_for_win\flashplayer_11_4_update_for_win.exe
Target: c:\windows\explorer.exe
Rule: [App]*


2. Defensewall HIPS can block it.
Quote
DefenseWall log file

01.25.2013  20:26:13, module C:\virus\FlashPlayer119\FlashPlayer119.exe, Attempt to open process C:\WINDOWS\explorer.exe (Process)

 01.25.2013  20:26:13, module C:\virus\FlashPlayer119\FlashPlayer119.exe, Open process memory allocation error (Memory)

3. Private firewall V7



4.  Online Armor 6.0.0.1736

Failed

5. Outpost Firewall Pro V8

Failed

6. KIS 2013



7. Maybe the bug is the "interprocess memory accesses".
« Last Edit: January 27, 2013, 01:58:28 PM by a256886572008 »
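Added example, not code from the thread or from Comodo: a small Python parser for the Malware Defender log layout quoted above, with a check for the two behaviours the thread discusses (a process opening explorer.exe's memory, and explorer.exe launching svchost.exe). The sample log is constructed; its third record is an assumption added to match the explorer.exe --> svchost.exe process tree in the first post.

```python
import re

# Constructed sample in the layout of the Malware Defender log quoted above:
# a "<date> <time>    <action>    <verdict>" header, then "Key: value" lines,
# with a blank line between records. Third record assumed from the thread's process tree.
SAMPLE_LOG = r"""
2013/1/25 15:50:59    Create new process    Permitted
Process: c:\windows\explorer.exe
Target: c:\virus\flashplayer_11_4_update_for_win\flashplayer_11_4_update_for_win.exe

2013/1/25 15:51:10    Access memory of another process    Denied
Process: c:\virus\flashplayer_11_4_update_for_win\flashplayer_11_4_update_for_win.exe
Target: c:\windows\explorer.exe

2013/1/25 15:51:12    Create new process    Permitted
Process: c:\windows\explorer.exe
Target: c:\windows\system32\svchost.exe
"""

HEADER = re.compile(r"^(\S+ \S+)\s{2,}(.+?)\s{2,}(\S+)$")


def parse_events(text):
    """Return one dict per record: time, action, verdict plus the lower-cased Key: value fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m:
            continue  # not a record header; skip it
        ev = {"time": m.group(1), "action": m.group(2), "verdict": m.group(3)}
        for line in lines[1:]:
            key, _, value = line.partition(":")  # first colon only; drive letters keep theirs
            ev[key.strip().lower()] = value.strip()
        events.append(ev)
    return events


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious(events):
    """Flag memory access against explorer.exe, and explorer.exe spawning svchost.exe."""
    findings = []
    for ev in events:
        proc, target = basename(ev.get("process", "")), basename(ev.get("target", ""))
        if ev["action"] == "Access memory of another process" and target == "explorer.exe":
            findings.append((ev["time"], ev["verdict"], f"{proc} opened memory of explorer.exe"))
        elif ev["action"] == "Create new process" and proc == "explorer.exe" and target == "svchost.exe":
            findings.append((ev["time"], ev["verdict"], "explorer.exe launched svchost.exe"))
    return findings
```

svchost.exe is normally a child of services.exe, so the shell launching it is the anomaly worth checking; a Denied verdict on the memory access followed by no svchost launch is the outcome the HIPS logs above show when the block works.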


Offline Siketa

  • Comodo's Hero
  • Posts: 5066
Re: Bypass V6 partially limited,limited,restricted and HIPS (New Method)
« Reply #11 on: January 25, 2013, 04:08:54 AM »
Valkyrie is offline....again.... :(
Is it a safe file?


Offline treefrogs

  • Comodo's Hero
  • Posts: 550
  • Money.... it's a crime
Re: Bypass V6 partially limited,limited,restricted and HIPS (New Method)
« Reply #13 on: January 25, 2013, 05:11:04 AM »
Only "untrusted" and "fully virtualized" can block the malware.

Good to see Fully Virtual blocks this malware.
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline a256886572008

  • Star Group
  • Comodo's Hero
  • Posts: 963
Re: Bypass V6 partially limited,limited,restricted and HIPS (New Method)
« Reply #14 on: January 26, 2013, 11:44:13 AM »
1. New malware

2. The svchost.exe executed by explorer.exe was not sandboxed.

3. The situation existed for a very short period.
(Maybe the autorun entry also appears for a very short period.)

4. The event logs did not indicate that the malware accessed the memory of explorer.exe.
Quote
2013-01-27 00:30:44   C:\virus\xbldnpkeg3g6sesakuzhue\xbldnpkeg3g6sesakuzhue.exe   Sandboxed As   Partially Limited  

2013-01-27 00:30:53   C:\virus\xbldnpkeg3g6sesakuzhue\xbldnpkeg3g6sesakuzhue.exe   Sandboxed As   Partially Limited  

5. Environment:
Windows XP Pro SP3 32bit

6.
https://www.virustotal.com/file/7a827d336c0fae31a751fbca444f86c54db1fc57cf2fc7cd9441e841dbf8f620/analysis/

http://camas.comodo.com/cgi-bin/submit?file=7a827d336c0fae31a751fbca444f86c54db1fc57cf2fc7cd9441e841dbf8f620

http://valkyrie.comodo.com/Result.html?sha1=32bf4c24121eb01a2b940b5525f991e57b8ca70d&&query=0&&filename=xbldnpkeg3g6sesakuzhue.exe





[attachment deleted by admin]
« Last Edit: January 26, 2013, 12:22:36 PM by a256886572008 »
