Author Topic: How to kill CIS easily  (Read 24964 times)

Offline Shaoran

  • Comodo's Hero
  • *****
  • Posts: 901
    • La Confrérie des Marteleurs de claviers
How to kill CIS easily
« on: May 12, 2010, 03:33:12 AM »
Hi all,

As I said before, I think using the safe list can be dangerous, because the HIPS doesn't handle it properly, so we can use them to do what we want on the computer with full rights.

Today, I will show one way using Java. You can download it and try it (if you use Vista (I didn't try on Seven) you must run it as admin with the command java -jar kill_cis.jar). You need to have Comodo installed on partition C:\

Just execute kill_cis.jar and reboot your machine (warning: as it works, use it on a test machine only). After the restart, check CIS.

It's really a very very very very very very stupid method that works on Online Armor too, just because Java is considered a safe application, so we just have to write a malware in Java.

[attachment deleted by admin]
« Last Edit: May 12, 2010, 03:41:22 AM by Shaoran »

Offline ssj100

  • Comodo's Hero
  • *****
  • Posts: 482
Re: How to kill CIS easily
« Reply #1 on: May 12, 2010, 04:31:45 AM »
Thanks, I'll test this out some time. Sounds very interesting, and perhaps has implications for SRP/AppLocker too: for example, if your SRP/AppLocker rules allow javaw.exe to run, this could cause havoc, although the attacks would likely be mitigated, particularly in a limited/restricted/standard user account.

Regardless, this is why it's very important to handle new files intelligently, as well as add a containment level of protection to your security setup/approach.

Will post back once I've done some testing.  Thanks once again.
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Offline Shaoran

  • Comodo's Hero
  • *****
  • Posts: 901
    • La Confrérie des Marteleurs de claviers
Re: How to kill CIS easily
« Reply #2 on: May 12, 2010, 04:41:03 AM »
As I make a modification in the Windows registry that requires administrator level, if you are not admin it won't work. But there are other ways; I just wanted an easy way because I don't want to use a lot of my time for this  ;D

Someone asked me to try it on Vipre Antivirus Premium because it has some protection like registry protection; it failed too, but as it's not a real HIPS, maybe all applications can do that.

Offline ssj100

  • Comodo's Hero
  • *****
  • Posts: 482
Re: How to kill CIS easily
« Reply #3 on: May 12, 2010, 04:47:50 AM »
...I just wanted an easy way because I don't want to use a lot of my time for this  ;D

Which is exactly why running as a LUA/RUA/SUA will prevent most malware infections from running successfully.
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Offline Josh™

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1012
Re: How to kill CIS easily
« Reply #4 on: May 12, 2010, 05:05:45 AM »
Quoting Shaoran's opening post:
It's really a very very very very very very stupid method that works on Online Armor too, just because Java is considered a safe application, so we just have to write a malware in Java.

So what you're saying is CIS can be killed by an application that is in Comodo's Safelist or Trusted Vendor List, if it's somewhat modified to do malicious actions, e.g. Java?
Learn from the past, live in the present, prepare for the future.

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #5 on: May 12, 2010, 05:18:33 AM »
His script uses Java to terminate CIS.
« Last Edit: May 12, 2010, 05:20:40 AM by Kyle »
Windows 7 x64
AMD FX 8120, 8gb ram, ATI 6870 1gb

Offline Josh™

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1012
Re: How to kill CIS easily
« Reply #6 on: May 12, 2010, 05:21:31 AM »
His script uses Java to terminate CIS AFAIK.

Yes... Java scripts (malicious ones) are of course heard of, and CIS does, always with me, prevent these because it's smart enough to know it's doing a malicious action. Anyway, letting Egemen know about this thread sounds like a plan for analyzing the tool attached in this thread.
Learn from the past, live in the present, prepare for the future.

Offline Shaoran

  • Comodo's Hero
  • *****
  • Posts: 901
    • La Confrérie des Marteleurs de claviers
Re: How to kill CIS easily
« Reply #7 on: May 12, 2010, 05:24:24 AM »
So what you're saying is CIS can be killed by an application that is in Comodo's Safelist or Trusted Vendor List, if it's somewhat modified to do malicious actions, e.g. Java?

Yes and no. We ask a safe application to do something; if you directly modify the safe application, I think CIS will see it, and you would need an unknown application, so CIS will see you.
Here, I ask Java to execute Java code. I think it's the same issue here: it asks msiexec.exe to execute SetupRSTAV2010.msi


His script uses Java to terminate CIS AFAIK.

I don't kill it directly; I think CIS would try to protect itself, so I modify cmdagent. After the restart, look at its size: 0 bytes  88)
« Last Edit: May 12, 2010, 05:33:59 AM by Shaoran »

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #8 on: May 12, 2010, 05:25:05 AM »
~SNIP~
Yes... Java scripts (malicious ones) are of course heard of, and CIS does, always with me, prevent these because it's smart enough to know it's doing a malicious action.
~SNIP~


Umm, didn't you just read what he said? This script terminates CIS, so there is a huge vulnerability. That script could have been something malicious; it's just a PoC.


ADDED::
You'd think that CIS would be able to protect itself even from "Trusted" Processes.. Guess not  :o
« Last Edit: May 12, 2010, 05:30:26 AM by Kyle »
Windows 7 x64
AMD FX 8120, 8gb ram, ATI 6870 1gb

Offline Shaoran

  • Comodo's Hero
  • *****
  • Posts: 901
    • La Confrérie des Marteleurs de claviers
Re: How to kill CIS easily
« Reply #9 on: May 12, 2010, 05:49:17 AM »
ADDED::
You'd think that CIS would be able to protect itself even from "Trusted" Processes.. Guess not  :o

I'm not sure I understand all you said (as you may already see, I'm French and my English is still not perfect xD)
But if you're saying that Comodo can't protect itself from safe applications, I say yes. I said it a long time ago in the French corner; I tried it last weekend. We just have to know which application we will use. I think there are lots of ways to do this; we just have to find a method to stay inside the safe application.

Just try, on Vista or Seven only (I don't know why it doesn't work on XP, I didn't look at this): if you execute (with admin rights) java -jar kill_cis.jar it'll work. If you try kill_cis.jar, Comodo will sandbox it.

Just imagine how many possibilities we have just with that method. And for Online Armor, it's the same issue, but they thought about it a little, so some of them can't be used.
« Last Edit: May 12, 2010, 05:58:19 AM by Shaoran »

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #10 on: May 12, 2010, 06:01:28 AM »
I understand. You use a bad script through Java to do bad things.
[The same, in machine-translated French:] I understand. You use a bad Java script thanks to do bad things.

There could be a lot of possibilities, more than just Java, that exploit Comodo's trusted list.
[The same, in machine-translated French:] There could be many possibilities, more than Java, that exploit Comodo's trusted list.


http://translate.google.com/#
Windows 7 x64
AMD FX 8120, 8gb ram, ATI 6870 1gb

Offline ssj100

  • Comodo's Hero
  • *****
  • Posts: 482
Re: How to kill CIS easily
« Reply #11 on: May 12, 2010, 06:09:18 AM »
Big question is whether Online Armor also has this issue, since Kyle is using it haha.
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Offline Shaoran

  • Comodo's Hero
  • *****
  • Posts: 901
    • La Confrérie des Marteleurs de claviers
Re: How to kill CIS easily
« Reply #12 on: May 12, 2010, 06:14:35 AM »
Argh, don't use Google Translate; sometimes it's correct, but generally...  88)

Stay in English, I'll understand.
You may not know, but I'm the lead translator of the French versions, so I think I can read you  ;)
« Last Edit: May 12, 2010, 06:16:14 AM by Shaoran »

Offline Kyle

  • Computer Security Testing Group
  • Comodo's Hero
  • *****
  • Posts: 3679
Re: How to kill CIS easily
« Reply #13 on: May 12, 2010, 06:36:42 AM »
Python is not in Comodo's Trusted Vendor List and I cannot add it. However, if I set python.exe as "Trusted" I can run a malicious script THROUGH PYTHON. For example, I can terminate some process, and could probably do other things. I don't see why not.
Code:
import win32api
import win32pdhutil
import win32con

# List every running process (name and PID) via the performance counters.
win32pdhutil.ShowAllProcesses()
# Resolve the PIDs of the target by image name (placeholder left as in the post).
pids = win32pdhutil.FindPerformanceAttributesByName('SOME PROCESS HERE')

for p in pids:
    # Open each instance with terminate rights and kill it. The call runs under
    # python.exe, which was set to Trusted, so the HIPS lets it through.
    handle = win32api.OpenProcess(win32con.PROCESS_TERMINATE, 0, p)
    win32api.TerminateProcess(handle, 0)
    win32api.CloseHandle(handle)
Windows 7 x64
AMD FX 8120, 8gb ram, ATI 6870 1gb
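The thread's point, in both Shaoran's java -jar variant and Kyle's python.exe variant, is that a HIPS, SRP or AppLocker policy that trusts an interpreter by image path implicitly trusts whatever payload is passed to it on the command line. The script below is an added example (not code from this thread, from Comodo or from Online Armor) of the two checks a defender would want: an audit of an allow list for interpreters and script hosts, and a check over process-creation records that flags a trusted host launching a payload that is not itself on the list. The allow-list entries, process names and command lines are constructed for the example and are not Comodo's safe list; the INTERPRETERS and PAYLOAD_EXT sets are illustrative, not exhaustive.

```python
"""
Added example: detect "trusted host, untrusted payload" launches against an
allow list of trusted images. ALLOW_LIST and EVENTS are constructed sample
data; INTERPRETERS and PAYLOAD_EXT are illustrative, not exhaustive.
"""
import re
from pathlib import PureWindowsPath

# Image names that execute arbitrary code handed to them as an argument.
INTERPRETERS = {
    "java.exe", "javaw.exe", "python.exe", "pythonw.exe", "msiexec.exe",
    "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe",
}

# Argument extensions that carry executable content for those hosts.
PAYLOAD_EXT = {".jar", ".py", ".pyw", ".msi", ".vbs", ".js", ".ps1",
               ".bat", ".cmd", ".hta"}


def _norm(path):
    """Normalise a Windows path for comparison (slashes and case)."""
    return str(PureWindowsPath(path)).lower()


def _base(path):
    """Lower-cased file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _argv(command_line):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def audit_allow_list(entries):
    """Return allow-list entries whose image is an interpreter or script host.

    Each of these is a way to run code that never itself appears on the list.
    """
    return sorted(e for e in entries if _base(e) in INTERPRETERS)


def check_launch(image, command_line, allow_list):
    """Classify one process-creation record.

    Returns (verdict, detail):
      ("untrusted-image", image)          image not on the list; HIPS would prompt or sandbox it
      ("trusted", image)                  trusted image with no untrusted executable payload
      ("trusted-host-untrusted-payload", payload)
                                          trusted interpreter asked to run a payload that is
                                          not on the list: the java -jar kill_cis.jar pattern
    """
    allowed = {_norm(a) for a in allow_list}
    if _norm(image) not in allowed:
        return ("untrusted-image", image)
    if _base(image) not in INTERPRETERS:
        return ("trusted", image)
    for arg in _argv(command_line)[1:]:
        if PureWindowsPath(arg).suffix.lower() in PAYLOAD_EXT and _norm(arg) not in allowed:
            return ("trusted-host-untrusted-payload", arg)
    return ("trusted", image)


# Constructed allow list: a mix of interpreters, an installer package and a plain tool.
ALLOW_LIST = [
    r"C:\Program Files\Java\jre6\bin\java.exe",
    r"C:\Program Files\Java\jre6\bin\javaw.exe",
    r"C:\Windows\System32\msiexec.exe",
    r"C:\Python27\python.exe",
    r"C:\Program Files\Vendor\setup.msi",
    r"C:\Program Files\Vendor\tool.exe",
]

# Constructed process-creation records: (image path, command line).
EVENTS = [
    (r"C:\Program Files\Java\jre6\bin\java.exe",
     r'"C:\Program Files\Java\jre6\bin\java.exe" -jar C:\Users\test\kill_cis.jar'),
    (r"C:\Windows\System32\msiexec.exe",
     r'msiexec /i "C:\Program Files\Vendor\setup.msi" /qn'),
    (r"C:\Python27\python.exe", r"C:\Python27\python.exe C:\Users\test\term.py"),
    (r"C:\Users\test\dropper.exe", r"C:\Users\test\dropper.exe"),
    (r"C:\Program Files\Vendor\tool.exe", r'"C:\Program Files\Vendor\tool.exe" --update'),
]


def run(events=EVENTS, allow_list=ALLOW_LIST):
    """Classify every record; returns the list of (verdict, detail) tuples."""
    return [check_launch(img, cl, allow_list) for img, cl in events]


if __name__ == "__main__":
    for entry in audit_allow_list(ALLOW_LIST):
        print("interpreter on allow list:", entry)
    for (img, _), (verdict, detail) in zip(EVENTS, run()):
        print(f"{verdict:32} {img}  ->  {detail}")
```

Only the first and third records trip the payload check: the .msi in the second record is itself on the list, so msiexec running it is consistent with the policy, while the .jar and .py are unknown files being executed under a trusted image. A HIPS that only looks at the image path sees all five records as either "trusted" or "untrusted-image", which is the gap the thread describes.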

Offline Shaoran

  • Comodo's Hero
  • *****
  • Posts: 901
    • La Confrérie des Marteleurs de claviers
Re: How to kill CIS easily
« Reply #14 on: May 12, 2010, 06:38:07 AM »
Exactly, and this is only the easy way.
