Author Topic: New Attack Uses Microsoft's Application Verifier to Hijack Antivirus Software  (Read 4898 times)

Offline Graham1

  • Comodo's Hero
  • *****
  • Posts: 1873
CCAV will run all unknowns in the sandbox so again it shouldn't be affected. As for CIS you should switch to the proactive configuration as pointed out by Jon79.

Thanks for the confirmation futuretech.

:)
Ubuntu 16.04 LTS (x64) | Chromium | uBlock Origin | Privacy Badger | HTTPS Everywhere

https://www.thevenusproject.com | Beyond Politics Poverty and War

Offline MichaelEngstler

  • Newbie
  • *
  • Posts: 1
    • Cybellum
Hi Guys,
It's Michael from Cybellum here.
First of all I would like to give a lot of credit to Comodo as it was one of the most challenging antiviruses to attack with DoubleAgent.
Comodo implemented a very interesting feature called CIS Protected Registry Keys which in fact was supposed to block DoubleAgent-like attacks.

We struggled at the beginning and indeed Comodo managed to block most attempts to attack it via DoubleAgent.
It was tricky, but eventually we succeeded, and Comodo is vulnerable to DoubleAgent just like all the other antiviruses.

I took the time and effort to upload a POC video showing DoubleAgent successfully attacking Comodo https://www.youtube.com/watch?v=WMmvJXau1k0&feature=youtu.be
This video was done a few minutes ago, so it obviously affects the latest version of Comodo.

The Comodo attack is the only one that doesn't use our publicly available POC code, but rather a different private code.
We decided not to share the private code in order to protect Comodo users, but Egemen (from Comodo) has received it and is aware of it.
Egemen has done great work communicating with us, and hopefully a new patch will be released soon to close Comodo's vulnerability to DoubleAgent.

Michael Engstler
Co-Founder & CTO, Cybellum
« Last Edit: March 22, 2017, 03:51:43 PM by MichaelEngstler »

Offline windstorm

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3630
That's great. Welcome to the forums, Michael. I'm looking forward to your bug reports.  :)
It is a bit unclear to me how the issue relates to the Sandbox component. By the way, I agree that a DLL shouldn't be loaded in such a way. So... what about browsers? Are these vulnerable from that perspective? (As you probably know, there is module blacklisting/whitelisting.)
« Last Edit: March 22, 2017, 03:48:52 PM by windstorm »
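The thread title names Microsoft's Application Verifier as the mechanism by which the DLL gets loaded into the antivirus process, and windstorm's point above is that a DLL should not be loadable that way. The following read-only audit is an added example, not code from any poster here nor from Comodo or Cybellum: it lists Image File Execution Options entries that register an Application Verifier provider DLL and checks the signature of each referenced DLL. It assumes provider DLLs are looked up in the Windows system directories and must run in an elevated PowerShell session.

```powershell
# Added defender-side audit (not from this thread, Comodo or Cybellum).
# Lists Image File Execution Options entries that register an Application
# Verifier provider DLL. Read-only: it reports and changes nothing.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# Assumption: provider DLLs are resolved from the system directories.
$dllDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

function Get-ProviderDllStatus([string]$dllName) {
    # Locate the named DLL and report its Authenticode status.
    foreach ($dir in $dllDirs) {
        $full = Join-Path $dir $dllName
        if (Test-Path $full) {
            $sig = Get-AuthenticodeSignature -FilePath $full
            return ('{0} [{1}]' -f $full, $sig.Status)
        }
    }
    return "$dllName [not found in system dirs]"
}

$findings = foreach ($root in $ifeoPaths) {
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $flag = [int]($props.GlobalFlag -as [int])   # missing value -> 0
        $dlls = [string]$props.VerifierDlls
        # 0x100 is FLG_APPLICATION_VERIFIER; any VerifierDlls value is reported
        # as well, since the flag can be set separately later.
        if ((($flag -band 0x100) -eq 0) -and (-not $dlls)) { continue }
        [PSCustomObject]@{
            Executable   = $key.PSChildName
            Hive         = $root
            GlobalFlag   = '0x{0:X}' -f $flag
            VerifierDlls = ($dlls -split '\s+' | Where-Object { $_ } |
                            ForEach-Object { Get-ProviderDllStatus $_ }) -join '; '
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No Application Verifier provider registrations found under IFEO.' }
```

Any entry whose executable is a security product and whose DLL is unsigned, not found, or not one you deployed yourself deserves a closer look; legitimate Application Verifier use during debugging also shows up here, so treat the output as a review list, not a verdict.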

Offline windstorm

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3630
[...]
It has a new rule saying sandbox any unknown introduced less than 3 days ago.

Indeed. Quite annoying. Why? (although I have some ideas in mind)

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380

The Comodo attack is the only one that doesn't use our publicly available POC code, but rather a different private code.
We decided not to share the private code in order to protect Comodo users, but Egemen (from Comodo) have received it and is aware of it.

Correct. The PoC we have is a new COMODO-specific issue which can allow an attacker to do a few things with the default configuration. The default config needs to be slightly changed. See below for configuration changes to cover this PoC as well.
« Last Edit: March 22, 2017, 06:26:36 PM by egemen »

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 2910
Correct. The PoC we have is a new COMODO-specific vulnerability which can allow an attacker to do a few things with the default configuration. The default config needs to be slightly changed. In April, we will disclose the details.
If you mean that CIS doesn't do command-line analysis of Python scripts, that can be easily addressed by adding *\python.exe and *\pythonw.exe to the heuristic command-line analysis for certain applications list. I thought it was strange when looking at the list that Perl was there but not Python, and I consider Python to be more widespread on Windows than Perl. Of course, it requires Python to be installed on a user's PC for this particular attack to work.

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
If you mean that CIS doesn't do command-line analysis of Python scripts, that can be easily addressed by adding *\python.exe and *\pythonw.exe to the heuristic command-line analysis for certain applications list. I thought it was strange when looking at the list that Perl was there but not Python, and I consider Python to be more widespread on Windows than Perl. Of course, it requires Python to be installed on a user's PC for this particular attack to work.

Exactly. It's a configuration issue. You are right about Python. We will simply make this part of the default config so you don't have to add it manually. That's all.
« Last Edit: March 22, 2017, 06:28:09 PM by egemen »

Offline windstorm

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3630
It's not really practical anyway since it needs administrator rights.

Offline megaherz33

  • Comodo's Hero
  • *****
  • Posts: 1379
  • Long Live COMODO (Rock-n-Roll) !
MichaelEngstler,

Which AVs were tested, or only those in the list?

Thank you.
« Last Edit: March 23, 2017, 04:50:13 AM by megaherz33 »



Comodo Internet Security v10.0.2.6408

Offline liosant

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 834
The problem remains the same: secure files are not trusted; they can be used to run malicious code. For example, trojancrypt uses dllhost, wscript... but, being considered system files, they are allowed by default.

On boot failure and execution on system boot, in the vast majority of cases, extraction takes place for boot folders or run lines run through runonce, rundll, dllhost, cmd, conhost...
The command prompt is opened by secure applications, but secure applications can be used by malware or unknown files to run command lines.

Offline Protected_PC

  • Comodo Loves me
  • ****
  • Posts: 160
  • Protected Completely From Every Threat
Windows 10 Professional/COMODO Internet Security Premium

Offline windstorm

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3630
Good marketing, I guess.  :-La

Offline B-boy/StyLe/

  • Comodo Member
  • **
  • Posts: 28
Hi,

I am wondering if this bypass has something to do with the feature to intercept DLL injections that was removed after CIS 3?

Post 2: (CIS 5 failed)

https://www.wilderssecurity.com/threads/stuxnet-lnk-exploit-malware-versus-hips.297649/#post-1861199

Post 6: (CIS 3 passed but impractical)

https://www.wilderssecurity.com/threads/stuxnet-lnk-exploit-malware-versus-hips.297649/#post-1861203

Thanks!
« Last Edit: March 23, 2017, 06:02:13 PM by B-boy/StyLe/ »

Offline windstorm

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3630
If you are running with administrator rights and you take away the Sandbox and HIPS, then you cannot stop it. This behavior is intended and there is no vulnerability. You can do pretty much anything as administrator, and that's the way it should be. Just try to kill a process, load drivers, whatever. It's not a traditional AV. You could look at it as a test for embedded code detection in the best case.
I disagree with the proposed solution. @liosant has a good point: you solve the issue for unsigned DLLs, but that's it. It's a partial solution. This is only useful for troubleshooting when a DLL breaks the application and you'd want to blacklist it.


« Last Edit: March 24, 2017, 03:00:20 AM by windstorm »
