Author Topic: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?  (Read 9084 times)

Offline malwarekiller

Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« on: May 22, 2013, 05:32:08 AM »
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=2698#p19147

It is said to bypass HIPS... Does it bypass any of the CIS HIPS/Sandbox or any other protection features?

I have a sample of this rootkit if anyone needs it for testing against CIS.
« Last Edit: May 22, 2013, 05:35:45 AM by malwarekiller »

Offline Citizen K

Re: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« Reply #1 on: May 22, 2013, 07:46:30 PM »
Did you test it yourself? Where was it stated that it can bypass a HIPS? If so, what HIPS and how can it get past it?

Offline malwarekiller

Re: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« Reply #2 on: May 23, 2013, 02:08:01 AM »
That is what was said on the kernelmode forum, and the advertisement for the rootkit claims to bypass CIS.
« Last Edit: May 23, 2013, 02:10:17 AM by malwarekiller »

Offline nsm0220

Re: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« Reply #3 on: May 28, 2013, 12:53:51 AM »
Quote
Did you test it yourself? Where was it stated that it can bypass a HIPS? If so, what HIPS and how can it get past it?

Don't worry EricJH, rootkits like these can be stopped by any good AV that has a good behaviour blocker, HIPS, or sandbox. Besides, the people who made the rootkit look like beginners.
« Last Edit: May 28, 2013, 03:22:54 AM by nsm0220 »

Offline a256886572008

Re: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« Reply #4 on: May 28, 2013, 12:02:41 PM »
BB can block it.

Quote
2013-05-01 22:35:35         C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe         Sandboxed As         Partially Limited

2013-05-01 22:35:42         C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe         Modify Key         HKLM\SYSTEM\ControlSet001\Services\flimtic

2013-05-01 22:35:42         C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe         Load Driver         C:\Documents and Settings\Roger\Local Settings\Temp\flimtic.sysflimtic.sys

2013-05-01 22:35:42         C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe         Modify Key         HKLM\SYSTEM\ControlSet???\Services\flimtic

2013-05-01 22:35:42         C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe         Access COM Interface         LocalSecurityAuthority.Backup


2013-05-01 22:36:09         C:\WINDOWS\system32\cmd.exe         Sandboxed As         Partially Limited

2013-05-01 22:36:15         C:\WINDOWS\system32\cmd.exe         Modify File         C:\Documents and Settings\All Users\Application Data\Shared Space\93473126a9aa13834413c494ae5f62eec1016fde\93473126a9aa13834413c494ae5f62eec1016fde.exe
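The log above shows the sequence a practitioner would want to alert on: a process runs sandboxed as Partially Limited, creates a key under HKLM\SYSTEM\ControlSet...\Services\, and then loads a driver out of a user's Local Settings\Temp directory. The following Python is an added example written for this thread, not code from Comodo or from any poster; it assumes the Defense+ export is tab-separated (the forum paste collapsed the tabs into runs of spaces, so both are accepted), and the sample lines are constructed to mirror the quoted log rather than copied from a real system. It correlates the three events per process and reports the driver, the matching service name, and the sandbox level the process was running at.

```python
"""Correlate Defense+/sandbox log events into one "driver loaded from a
user-writable path" finding per process. Added example; not Comodo code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Event:
    ts: str
    process: str
    action: str
    target: str


@dataclass
class ProcessState:
    path: str
    sandbox_level: Optional[str] = None
    service_keys: List[str] = field(default_factory=list)
    user_dir_drivers: List[str] = field(default_factory=list)


@dataclass
class Finding:
    process: str
    driver: str
    service: Optional[str]
    sandbox_level: Optional[str]


# Assumption: the real export is tab-separated; the forum paste collapsed the
# tabs to runs of spaces, so accept either. Paths keep their single spaces.
FIELD_SEP = re.compile(r"\t|\s{2,}")
SERVICE_KEY = re.compile(r"^HKLM\\SYSTEM\\ControlSet\S*\\Services\\([^\\\s]+)", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Temp|Application Data|AppData)\\", re.IGNORECASE)


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for '<ts> <process> <action> <target>' lines, else None."""
    parts = FIELD_SEP.split(line.strip(), maxsplit=3)
    if len(parts) != 4:
        return None
    return Event(*parts)


def analyze(log_text: str) -> List[Finding]:
    """Flag every process that loads a driver from a user-writable directory,
    pairing it with the Services key it touched (service name matching the
    driver file name) and the sandbox level it was running at."""
    states: Dict[str, ProcessState] = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        st = states.setdefault(ev.process.lower(), ProcessState(ev.process))
        if ev.action == "Sandboxed As":
            st.sandbox_level = ev.target
        elif ev.action == "Modify Key":
            m = SERVICE_KEY.match(ev.target)
            if m and m.group(1).lower() not in [s.lower() for s in st.service_keys]:
                st.service_keys.append(m.group(1))
        elif ev.action == "Load Driver" and USER_WRITABLE.search(ev.target):
            st.user_dir_drivers.append(ev.target)

    findings: List[Finding] = []
    for st in states.values():
        for drv in st.user_dir_drivers:
            stem = drv.rsplit("\\", 1)[-1].lower()
            svc = next((s for s in st.service_keys if stem.startswith(s.lower())), None)
            findings.append(Finding(st.path, drv, svc, st.sandbox_level))
    return findings


# Constructed sample modelled on the log quoted in the thread (not a real capture).
DROPPER = (r"C:\Documents and Settings\All Users\Application Data\Shared Space"
           r"\93473126a9aa13834413c494ae5f62eec1016fde"
           r"\93473126a9aa13834413c494ae5f62eec1016fde.exe")
DRIVER = r"C:\Documents and Settings\Roger\Local Settings\Temp\flimtic.sys"
CMD = r"C:\WINDOWS\system32\cmd.exe"

SAMPLE_LOG = "\n".join([
    "\t".join(["2013-05-01 22:35:35", DROPPER, "Sandboxed As", "Partially Limited"]),
    "\t".join(["2013-05-01 22:35:42", DROPPER, "Modify Key", r"HKLM\SYSTEM\ControlSet001\Services\flimtic"]),
    "\t".join(["2013-05-01 22:35:42", DROPPER, "Load Driver", DRIVER]),
    "\t".join(["2013-05-01 22:35:42", DROPPER, "Modify Key", r"HKLM\SYSTEM\ControlSet???\Services\flimtic"]),
    "\t".join(["2013-05-01 22:35:42", DROPPER, "Access COM Interface", "LocalSecurityAuthority.Backup"]),
    # forum-style paste of the same export: fields separated by runs of spaces
    "2013-05-01 22:36:09         " + CMD + "         Sandboxed As         Partially Limited",
    "2013-05-01 22:36:15         " + CMD + "         Modify File         " + DROPPER,
])

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.process}\n  driver:  {f.driver}\n  service: {f.service}\n  sandbox: {f.sandbox_level}")
```

Only the dropper is reported; cmd.exe, which was also sandboxed and modified the dropper on disk, is not, because it never loaded a driver. The point of keying on the driver load rather than on the sandbox verdict is that "Sandboxed As" tells you the policy applied, not whether the kernel-mode component actually got in.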

Offline nsm0220

Re: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« Reply #5 on: May 28, 2013, 12:16:05 PM »

Offline malwarekiller

Re: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« Reply #6 on: May 29, 2013, 12:01:25 AM »
Quote
Don't worry EricJH, rootkits like these can be stopped by any good AV that has a good behaviour blocker, HIPS, or sandbox. Besides, the people who made the rootkit look like beginners.

This is wrong... there are ways to bypass BB and HIPS too; in fact, do a Google search on this.

Every layer of protection technology can and will eventually be attacked by malware writers and bypassed; there will never be 100% protection.  ;)

Offline nsm0220

Re: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« Reply #7 on: May 31, 2013, 12:17:28 PM »
Quote
BB can block it.

Thanks for showing the data as well. BTW, how did you get this log anyway?

Offline nsm0220

Re: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« Reply #8 on: June 01, 2013, 08:32:32 PM »
BTW, can somebody close this topic before it gets out of hand?

Offline Chiron

Re: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« Reply #9 on: June 01, 2013, 08:44:55 PM »
Quote
BTW, can somebody close this topic before it gets out of hand?
At the moment this topic does not seem out of hand. Thus, unless malwarekiller would like this topic locked, I see no reason to lock it.

Everyone just needs to stay on topic and refrain from personal attacks, or any remarks which could be interpreted as flaming. As long as everyone does that I see nothing to worry about.

Offline captainsticks

Re: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« Reply #10 on: June 02, 2013, 01:18:12 AM »
Quote
BTW, can somebody close this topic before it gets out of hand?
If you suspect that is going to happen, just avoid posting in it. :-\
It does not have to be locked to do that, just let common sense prevail.

Offline malwarekiller

Re: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« Reply #11 on: June 02, 2013, 12:14:16 PM »
How about the HIPS any bypass?

Offline Mrarnold.

Re: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« Reply #12 on: June 02, 2013, 01:08:08 PM »
Is that just a single rootkit, or does it have many variants?
Comodo Internet Security Premium 6.3,302093.2976.

Offline nsm0220

Re: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« Reply #13 on: June 02, 2013, 01:55:24 PM »
Quote
Is that just a single rootkit, or does it have many variants?

Looks like a single rootkit, but that can change with time, just like TDL3 became TDL4.

Offline nsm0220

Re: Avatar rootkit bypasses COMODO HIPS/Sandbox or not?
« Reply #14 on: June 03, 2013, 04:35:22 PM »
BTW, the rootkit is easily removable. All you need to do is use Hitman Pro Kickstart or the Dr.Web boot CD to remove it.

If anyone needs these two programs, feel free to PM me.
« Last Edit: June 03, 2013, 04:47:13 PM by nsm0220 »
