"Comodo Internet Security AV & Sandbox bypass"

[Guest]

[SanyaIV]

Hello,

Sorry if this is in the wrong category / sub-forum.

I don't have much information about the video but if anyone would like to comment on it that would be appreciated. A bypass should be a high priority, no?

Here's the video someone linked me too, and as you see it's somewhat relatively fresh, meaning it isn't from 2010 or anything. It's a little more over a month ago.

http://www.youtube.com/watch?v=TopCisbEbWU

[a256886572008]

1.All things were done by the process, "rundll32.exe"

2.test.exe was not sandboxed by CIS

[SanyaIV]

1.All things was done by the process, "rundll32.exe"

2.test.exe was not sandboxed by CIS

I'm not quite sure what that means, does it mean that it only works in a controlled testing environment? Or perhaps that he had allowed the test.exe beforehand? What does it mean that all things was done by the process rundll32.exe? I don't know so much about these things.

[EricJH]

With default setting ARP cache protection is not active. And since the attack was run over the local network I am wondering if ARP cache protection would have stopped the attack.

[a256886572008]

I'm not quite sure what that means, does it mean that it only works in a controlled testing environment? Or perhaps that he had allowed the test.exe beforehand? What does it mean that all things was done by the process rundll32.exe? I don't know so much about these things.

cmd.exe (trusted)   -->    test.exe (not sandboxed)   -->    ..........     -->     rundll32.exe

[EricJH]

Or perhaps that he had allowed the test.exe beforehand?

Good catch. The video does not show us the list of Trusted Files.

[SanyaIV]

https://astr0baby.wordpress.com/2012/07/06/viktor-cleaner-1-2/

I think this is the tool used in the video. After reading it appears that it unloads the AV from memory, and some batch file is supposed to make it silent / stealthy. It does need admin privileges though.

[AimeeLW]

He does mention while you can run it without admin privileges, that you do need it in most cases for it to work!

That would be too good to be true if ran without admin rights and it would bring down all those AVs
You need admin in most cases, in some NT Authority\System required like Webroot

[AimeeLW]

So if this was in some malware it would need to be given admin privileges for it to work, and if user didn't give it then it might fail ?

Be interesting to see it without admin privileges against CIS v5.10, see if it can still work 

More importantly is there anything Comodo can do to protect CIS from this kinda of 'attack' ?

[EricJH]

So if this was in some malware it would need to be given admin privileges for it to work, and if user didn't give it then it might fail ?

If the malware needs admin privileges and does not get it it will fail.

Be interesting to see it without admin privileges against CIS v5.10, see if it can still work 

More importantly is there anything Comodo can do to protect CIS from this kinda of 'attack' ?

Without something to test it is hard to really get a finger behind this.

In this topic there are two things mentioned that needs clearing up: we did not see the list of Trusted Files and unfortunately it was not tested with ARP cache filtering enabled. ARP cache filtering is not enabled by default in CIS though.

[ailef]

would it change something if the firewall was configured in very high alert frequency ?
it's in low alerts in this video, in my case i never use the firewall in other setting than very high so I know about anything trying to go in or out.
if the firewall catches the connexion, how can the exploit work ?
or even in very high alerts, it can bypass the firewall ?
in my case, when i got a another machine in local trying to send me request, i got an alert.

[Tags:]