Comodo bypassed

[SD Ahmad]

Hi all

I found a topic that talks about hacking Comodo by the URL-HTA

http://forum.zyzoom.net/threads/308621/

[prodex]

This site contains malware, blocked by my protection program - just seen - it seems  it's ransamware

[morphiusz]

Here is a youtube video: https://youtu.be/vC-2GARcrV4

[SD Ahmad]

This site contains malware, blocked by my protection program - just seen - it seems  it's ransamware

It is clean
https://www.virustotal.com/ar/url/2d2320aa336227ace34e38589c48525b2bce91d7f5893690192ad54dc5160421/analysis/1529741307/

[Eric Cryptid]

Hmm, looking a the video I only saw two items that weren't in my default setup. Those being the Firewall Application default rule for Windows Updater App and the default rule to Ignore Metro Apps.

I did see that the files were manually removed from the Blocked Applications and File List after each run. Was virus still evident after reboot or manually resetting the container?

I'm no expert though, just my observation from watching it.

Eric

[SD Ahmad]

Hmm, looking a the video I only saw two items that weren't in my default setup. Those being the Firewall Application default rule for Windows Updater App and the default rule to Ignore Metro Apps.

I did see that the files were manually removed from the Blocked Applications and File List after each run. Was virus still evident after reboot or manually resetting the container?

I'm no expert though, just my observation from watching it.

Eric

If you try to create an empty file with the same extension and then open it with a browser, the file will not be placed in the container

[black007]

hi all

i am owner this video

about this comment

Hmm, looking a the video I only saw two items that weren't in my default setup. Those being the Firewall Application default rule for Windows Updater App and the default rule to Ignore Metro Apps.

I did see that the files were manually removed from the Blocked Applications and File List after each run. Was virus still evident after reboot or manually resetting the container?

I'm no expert though, just my observation from watching it.

Eric

All settings are on the default settings  by company

about manually remove Blocked Applications ? this gust for to Make sure the final file (bypass.hta) is not Blocked by contained

about the virus still evident after reboot or manually resetting the container? There is no installation in the file after reboot or manually resetting the container I did it gust for testing only

any thing you ask for i will reply it and i want to send the file to company Give me the link to submit file to analysis

best of luck

[EricJH]

You can send the file following the instructions in Submit Malware Here To Be Blacklisted - 2018 (NO LIVE MALWARE!).

[morphiusz]

IMO It's best to contact Umesh directly - please send him a PM with a link to the malware and this topic.

[pio]

This site contains malware, blocked by my protection program - just seen - it seems  it's ransamware

I can partially agree with what "Prodex" says. The site "h**p://forum.zyzoom.net" contains some references to blacklisted domains and blacklisted links. That is why it is blocked by some applications.

But there are no immediate risks on this site!

Nevertheless, an interesting report! Thank you to "SD Ahmad"!!!

References to Blacklisted Domains:

Detected reference to malicious blacklisted domain >>> /threads/307678/# > "winaso.com" > Page/File MD5: AAAC4517A897D0486BCCE65007A17ADC

Detected reference to malicious blacklisted domain >>> /threads/307627/# > "up.ibda3gate.com" > Page/File MD5: C364D0FA04208126762A8BE76458007C

Detected reference to malicious blacklisted domain >>> /forums/-/index.rss  > "up.ibda3gate.com" > Page/File MD5:   043E36C0549D5549A452F729A5621661

[ReeceN]

Was this not achieved because the file was placed onto the system by the VM (which would have been comparable to writing the file to disk using a different OS), and therefore did not meet any of the default Containment Conditions, in particular the 'File Created by Porcess(es)' condition?