Author Topic: weakness of the gpCode  (Read 107021 times)

Offline harsha_mic

  • Computer Security Testing Group
  • Comodo Loves me
  • *****
  • Posts: 155
Re: weakness of the gpCode
« Reply #30 on: December 10, 2010, 11:30:29 PM »
Is it difficult for the developers to harden D+/Sandbox to tackle this type of attack? All I wanted is to either block the attack or show how OA is doing....

If someone has a POC, then please send it to me.
W7 64 bit | Comodo Fw v5.8 | Eset NOD32 AV v5 | Hitman (ondemand)

Offline aigle

  • Comodo's Hero
  • *****
  • Posts: 722
Re: weakness of the gpCode
« Reply #31 on: December 11, 2010, 02:08:26 PM »
Yes, this hole must be fixed IMO.

Offline languy99

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3981
Re: weakness of the gpCode
« Reply #32 on: December 11, 2010, 08:20:32 PM »
I did some testing on it. The sandbox does stop it with any settings Restricted and above. My recommended settings for novice users stop this no problem. It seems to use a script to do its dirty business. It seems to want access to the ApiPort.

Remember, when doing testing with different sandbox levels you have to remove the file from the unrecognized files window before trying a new sandbox test, because if you don't it will apply the sandbox level it originally had even if you changed it to a higher setting.
http://www.youtube.com/languy99

Software Reviews for all.

Follow me on Twitter http://twitter.com/#!/languy99

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: weakness of the gpCode
« Reply #33 on: December 11, 2010, 08:38:13 PM »
> It seems to use a script to do its dirty business.

So why isn't it stopped?

I thought that V5 was supposed to detect the script that called for the action.

Offline languy99

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3981
Re: weakness of the gpCode
« Reply #34 on: December 11, 2010, 08:46:38 PM »
From what I can tell, because it is using the ApiPort to access the system with the script. And from what I can tell, in Partially Limited and Limited the ApiPort is not being controlled by the sandbox.
http://www.youtube.com/languy99

Software Reviews for all.

Follow me on Twitter http://twitter.com/#!/languy99

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: weakness of the gpCode
« Reply #35 on: December 11, 2010, 11:44:13 PM »
> From what I can tell, because it is using the ApiPort to access the system with the script. And from what I can tell, in Partially Limited and Limited the ApiPort is not being controlled by the sandbox.

Well, I think that's a problem that needs to be solved in the default configuration, since this malware is in the wild.

Of course I am well aware that you agree with me, but it still needs to be said. ;)

Offline harsha_mic

  • Computer Security Testing Group
  • Comodo Loves me
  • *****
  • Posts: 155
Re: weakness of the gpCode
« Reply #36 on: December 11, 2010, 11:48:34 PM »
@languy99, so you mean that the Sandbox at the Restricted and Untrusted levels would block this virus from infecting the other files?
W7 64 bit | Comodo Fw v5.8 | Eset NOD32 AV v5 | Hitman (ondemand)

Offline languy99

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3981
Re: weakness of the gpCode
« Reply #37 on: December 11, 2010, 11:49:32 PM »
It did in my testing.
http://www.youtube.com/languy99

Software Reviews for all.

Follow me on Twitter http://twitter.com/#!/languy99

Offline harsha_mic

  • Computer Security Testing Group
  • Comodo Loves me
  • *****
  • Posts: 155
Re: weakness of the gpCode
« Reply #38 on: December 11, 2010, 11:58:10 PM »
Thanks, languy99.
W7 64 bit | Comodo Fw v5.8 | Eset NOD32 AV v5 | Hitman (ondemand)

Offline Valentin N

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2869
  • Usability Study Group
    • My homepage at the moment
Re: weakness of the gpCode
« Reply #39 on: December 12, 2010, 05:09:52 AM »
Then I have good protection settings :) Thanks for your input, Languy!
Skype: comodohelper (Personal)

CEVPN: Valentin N

CIS 6.3

Keep CTM alive by voting

Offline Luc[y]

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 671
Re: weakness of the gpCode
« Reply #40 on: December 12, 2010, 08:10:12 AM »
Can I have the samples?
OK, edit: I found an old sample of this; CIS 3.14 blocks it (antioverflow), Windows XP 32-bit.
« Last Edit: December 12, 2010, 11:44:47 AM by Luc[y] »

Offline morphiusz

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 3082
    • Suspicious file?
Re: weakness of the gpCode
« Reply #41 on: December 12, 2010, 01:19:41 PM »
I did some more tests.

GPCode:

Defense+: FAIL

Sandbox:

  • Partially Limited: FAIL
  • Limited: FAIL
  • Restricted: PASS
  • Untrusted: PASS

Offline Siketa

  • Comodo's Hero
  • *****
  • Posts: 5066
Re: weakness of the gpCode
« Reply #42 on: December 12, 2010, 03:19:16 PM »
> I did some more tests.
>
> GPCode:
>
> Defense+: FAIL
>
> Sandbox:
>
>   • Partially Limited: FAIL
>   • Limited: FAIL
>   • Restricted: PASS
>   • Untrusted: PASS

Another reason to change the default setting to Restricted at least.

Offline Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11951
Re: weakness of the gpCode
« Reply #43 on: December 12, 2010, 06:56:21 PM »
Can we get some confirmation that the devs are looking into this? Please. ;D

Offline SS26

  • Comodo's Hero
  • *****
  • Posts: 1925
Re: weakness of the gpCode
« Reply #44 on: December 13, 2010, 03:24:36 PM »
> Defense+: FAIL

What is that meant to mean: Defense+ with the Sandbox permanently disabled?
