CIS 5.9 bypassed by java_rhino exploit

[Guest]

[Chiron]

What happens if you have CIS configured as I suggest here?

Thanks.

[languy99]

how about turning off enhanced security mode?

[Kruis]

Java Downloader Comodo Not Detected 

[OmeletGuy]

Dragon can stand up to this.. It asks if you want to run Java or not.. 

As for CIS.. I >believe< 6.0 will help protect vs this..

[liosant]

try this procedure disables antivirus, firewall, defense +, quit the CIS, terminate cmdagent, uncheck Run cloud behavior analysis based on unrecognized files and automatically check the files not recognized in the cloud
remove all files Trusted Files

important: delete all files in the folder C: \ Program Files \ COMODO \ COMODO Internet Security \ database
and restart the pc  and redo the test
oops! after restart active  antivirus, firewall and defense +, except the check in the clouds
  does not hurt to try

sorry my english!

[clockwork]

I think, procedures should reflect used settings, and not all possible settings which could have an effect.

The exploit and the payload seems not to be asked by defense+ as its described.

[naren]

Yes, I hope so too. I think a possibility could be that Comodo just starts blocking all known payloads. This way a exploit could run, but it can't make contact with the hackers machine. This would be more efficient then blocking all exploits I think.

When opening the page and starting the exploit Avast detected the exploit with a signature. It detected the exploit, not the payload. The PC was thereby not compromised.

This is Avast description after blocking the infection: http://www.avast.com/en-eu/lp-security-information-fp2?p_ext=0&utm_campaign=Virus_alert&utm_source=prg_fav_60_3&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-eu%2Fvirus-alert-challenger2&p_vir=java:Agent-AGH%20

Which Avast shield detected it? Does File Shield detects it? I guess Script or WebShield detected it?

Can you check & tell me if UnThreat Free detects it? I am currently running UnThreat so wanna know.

Or post VirusTotal link.

Thanx
Naren

[webbie146]

Which Avast shield detected it? Does File Shield detects it? I guess Script or WebShield detected it?

Can you check & tell me if UnThreat Free detects it? I am currently running UnThreat so wanna know.

Or post VirusTotal link.

Thanx
Naren

I will try all suggestions i got just to test this out. Thing is CIS is bypassed in the default config, which is what most people use. I will test it out though.

Sure i can test UnThreat if you want 
Problem is uploading to VT is not that easy. These exploit go straight to memory, meterpreter does not even touch the disk. I can try though.

[naren]

I will try all suggestions i got just to test this out. Thing is CIS is bypassed in the default config, which is what most people use. I will test it out though.

Sure i can test UnThreat if you want 
Problem is uploading to VT is not that easy. These exploit go straight to memory, meterpreter does not even touch the disk. I can try though.

Yes plzz test UnThreat Free & report here. I bet UnThreat Free will detect it

Thanx
Naren

[SpeedyPC]

Detected with Signature, so the exploit was blacklisted on their AV.

I guess Avast is by far to clever for Comodo

[B-boy/StyLe/]

Will NoScript help in stopping this even JAVA is installed on the machine ?
Can you test the exploit with NoScript enabled and  java installed and NoScript enabled without Java installed.
Thanks !



Regards,
Georgi

[webbie146]

how about turning off enhanced security mode?

Just tested, there is no change. CIS still bypassed, and no alerts.

What happens if you have CIS configured as I suggest here?

Thanks.

Still bypassed, with no alerts.

Yes plzz test UnThreat Free & report here. I bet UnThreat Free will detect it

Thanx
Naren

I tested Unthreat free. I updated it, and left all settings stock. Opened the link and the PC got exploited. Unthreat did not pop-up any alert at all.
Unthreat get's bypassed.

Will NoScript help in stopping this even JAVA is installed on the machine ?
Can you test the exploit with NoScript enabled and  java installed and NoScript enabled without Java installed.
Thanks !

Regards,
Georgi

Noscript can block this. Once u open up the link Noscript will automatically block the exploit.
Tested sandboxie for someone too. Sandboxed the browser, and emptied the sandbox.
The connection between the hacker and victim PC is interrupted. Sandboxie is effective against this exploit.

[languy99]

make one change and you will see how it is being exploited. Go to d+ security policy, protected com interfaces tab, select add com components, in the add new item area add * then select ok to everything. Try to run the exploit again and see if you get any popups now, fiy there might be a lot.

[harsha_mic]

webbie146, if you don't mind, i'm interested to see if OA free/premium blocks it or not..

[WinDefend]

Hi webbie,

Is it possible to run a re-test, if you have time? The latest Java 6 is update 30, update 27 was released in September and 29 in October. (28 was skipped.)

[Tags:]