Author Topic: Trusted Vendors cannot be trusted.  (Read 2383 times)

Offline abe96

  • Newbie
  • *
  • Posts: 13
Trusted Vendors cannot be trusted.
« on: January 16, 2017, 06:29:27 am »
Hi,
I don't exactly know how this digital signature thing works, but it's really unsafe if it keeps going like this.

Short story.
This is an Xmas ransomware sample with an invalid digital signature.

And... CCAV trusted it, even though I removed all entries in the Trusted Vendors list. It automatically comes back.
I've tested CIS, and CIS recognized it as unknown when offline. (It has been recognized as malicious now, so I have to test offline.)

Offline liosant

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1636
  • GOD cure my epilepsy and atrophy - I am Brazilian!
Re: Trusted Vendors cannot be trusted.
« Reply #1 on: January 16, 2017, 09:06:57 am »
Files with certificates are not always secure.
What could lessen this would be to have greater control over main applications and target applications (trojan RATs do this and are quite old).
Example: svchost - Windows Update; svchost - dllhost... These are apparently legitimate requests, but they can be used by hidden and unknown malware.

One solution to this would be to isolate or block requests that differ from those made by the system, and even then there is still the risk of malware leaking data (fortunately or unfortunately, this is not exclusive to Comodo).

Offline abe96

  • Newbie
  • *
  • Posts: 13
Re: Trusted Vendors cannot be trusted.
« Reply #2 on: January 16, 2017, 07:14:44 pm »
Thanks for responding.
I think what you mentioned is more complicated than this.

All I want to say is: CCAV shouldn't treat a file with an invalid signature as if it had a trusted signature.
It looks like CCAV only checked the vendor name on the signature and let it pass. I'm not sure, so I didn't make it clear.

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5324
Re: Trusted Vendors cannot be trusted.
« Reply #3 on: January 16, 2017, 07:34:39 pm »
Interesting... could you provide the sample? This shouldn't be happening, as both CIS and CCAV use the same trusted file and vendor list when doing an online lookup.

Offline Umesh

  • Comodo Alumni
  • Comodo's Hero
  • *****
  • Posts: 3421
  • Comodo Alumni
    • COMODO
Re: Trusted Vendors cannot be trusted.
« Reply #4 on: January 16, 2017, 11:20:54 pm »
Hi Abe96,
Can you please share the SHA-1 of the sample you mentioned, or a link to VirusTotal?

CCAV does check the validity of the certificate before using the signer name, so we want to investigate further.

Thanks
-umesh

We can't stop malware entering user's PC but we render them use-less when they enter PC: Welcome to Comodo's Default Deny innovation

Offline abe96

  • Newbie
  • *
  • Posts: 13
Re: Trusted Vendors cannot be trusted.
« Reply #5 on: January 16, 2017, 11:56:36 pm »

Offline Umesh

  • Comodo Alumni
  • Comodo's Hero
  • *****
  • Posts: 3421
  • Comodo Alumni
    • COMODO
Re: Trusted Vendors cannot be trusted.
« Reply #6 on: January 16, 2017, 11:58:17 pm »
Thanks Abe96,
Can you please provide details of your operating system with service pack?

SHA1: c8be4500127bfce10ab38152a8a5003b75613603
https://www.virustotal.com/en/file/78cc9626bb8d6f9d8ddf8236c197894a86f9d54a294b38c9c0b82744496b3fae/analysis/

Thanks.

Offline abe96

  • Newbie
  • *
  • Posts: 13
Re: Trusted Vendors cannot be trusted.
« Reply #7 on: January 17, 2017, 12:07:43 am »
Windows 8.1 6.3 build 9600 (64-bit).
It's running in VirtualBox 5 for testing some software and malware, so I don't upgrade it regularly.

Offline Umesh

  • Comodo Alumni
  • Comodo's Hero
  • *****
  • Posts: 3421
  • Comodo Alumni
    • COMODO
Re: Trusted Vendors cannot be trusted.
« Reply #8 on: January 17, 2017, 12:13:58 am »
Thanks Abe96,
We are investigating further, although a simple test on Win7 64-bit showed CCAV detecting it as malware.

We are checking further if there are any race conditions.

Thanks
-umesh

Offline Umesh

  • Comodo Alumni
  • Comodo's Hero
  • *****
  • Posts: 3421
  • Comodo Alumni
    • COMODO
Re: Trusted Vendors cannot be trusted.
« Reply #9 on: January 17, 2017, 01:15:33 am »
Hi Abe96,
Please also help us with how you got this file, i.e.:

1. Installed via some software
2. Downloaded as archive
3. Downloaded standalone file from some site
4. Copied from some other system

any other


Thanks
-umesh
« Last Edit: January 17, 2017, 01:30:07 am by umesh »

Offline Umesh

  • Comodo Alumni
  • Comodo's Hero
  • *****
  • Posts: 3421
  • Comodo Alumni
    • COMODO
Re: Trusted Vendors cannot be trusted.
« Reply #10 on: January 17, 2017, 01:28:34 am »
Also Abe96,
Can you please scan same file on your host OS with CCAV and share results?

Thanks
-umesh

Offline abe96

  • Newbie
  • *
  • Posts: 13
Re: Trusted Vendors cannot be trusted.
« Reply #11 on: January 17, 2017, 01:42:28 am »
It was decompressed from the archive in a VirtualBox shared folder.
[update] Sample from malware traffic analysis.

I forgot to mention: I'm using a Chinese-Traditional version of the OS.
I changed the language when taking a screenshot to make it clearer.
Sorry, it's kind of misleading.

Maybe it isn't a common case; I'm ashamed now.

---------
About testing it on my host OS: it takes me some time to uninstall my current AV, so please wait a moment.
« Last Edit: January 17, 2017, 02:45:49 am by abe96 »

Offline abe96

  • Newbie
  • *
  • Posts: 13
Re: Trusted Vendors cannot be trusted.
« Reply #12 on: January 17, 2017, 02:26:16 am »
And... no detection. (Windows 10.0.14393 64-bit CHT)
I don't want to decompress it, my apologies.


CCAV really stutters on my host OS for no reason; it almost freezes my system.

« Last Edit: January 17, 2017, 02:32:07 am by abe96 »

Offline Wisdom

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1050
  • Default-Deny Protection
    • CFI
Re: Trusted Vendors cannot be trusted.
« Reply #13 on: January 17, 2017, 10:49:51 am »
Quote from: umesh on January 17, 2017, 12:13:58 am
Thanks Abe96,
We are investigating further, although a simple test on Win7 64-bit showed CCAV detecting it as malware.

We are checking further if there are any race conditions.

Thanks
-umesh

Hi umesh,

I tested the sample in VirtualBox and CCAV didn't detect it as malware; then I tried to send it to Valkyrie (online lookup) and it was detected as trusted.

Could you please test the sample in VirtualBox?

Note: CIS on my real system doesn't detect it as trusted.
Heuristics: detecting tomorrow’s threats today

Offline Umesh

  • Comodo Alumni
  • Comodo's Hero
  • *****
  • Posts: 3421
  • Comodo Alumni
    • COMODO
Re: Trusted Vendors cannot be trusted.
« Reply #14 on: January 17, 2017, 11:32:04 am »
Hi All,
We have identified the bug: in certain certificate states, CCAV could treat the certificate as valid.
This bug only affects Win 8 and onwards.

We will have a hotfix for CCAV by next week at the latest to fix this.

Thank you for all your support.

-umesh
« Last Edit: January 17, 2017, 11:41:22 am by umesh »

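The point argued in replies #2, #4 and #14 (a signer name means nothing until the signature itself verifies, and the bug was a certificate state being treated as valid) can be checked on any Windows box with built-in cmdlets. The script below is an added example for this thread; it is not Comodo's code and says nothing about how CCAV is implemented. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the vendor names, the thumbprint allow-list and the sample path are placeholders to replace with values you have verified yourself.

```powershell
# Added example (not Comodo's code, not CCAV internals): a trust verdict for a
# PE file that consults the signer only AFTER the Authenticode signature verifies.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows. Vendor names and
# the thumbprint allow-list are placeholders; fill them from certificates you
# have verified out of band.

function Get-FileTrustVerdict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Vendor display names, as a "Trusted Vendors" list would hold them (placeholder values).
        [string[]]$VendorNames = @('Example Vendor Ltd'),
        # SHA-1 thumbprints of signing certificates you have verified yourself (placeholder, empty).
        [string[]]$AllowedThumbprints = @()
    )

    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $cert  = $sig.SignerCertificate
    $cn    = $null
    $thumb = $null
    if ($null -ne $cert) {
        $cn    = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $thumb = $cert.Thumbprint
    }

    # The failure mode from the thread: look the signer name up in the vendor list
    # without asking whether the signature verified. A self-signed or tampered
    # binary still carries a Subject field, so a name-only check "passes".
    $naiveTrust = ($null -ne $cn) -and ($VendorNames -contains $cn)

    # Correct order:
    #   1. Status must be Valid: the file hash matches the signed hash and the
    #      certificate chains to a trusted root under this machine's policy.
    #      HashMismatch, NotTrusted, NotSigned or UnknownError all mean the signer
    #      field carries no information and must not be presented as "the vendor".
    #   2. Only then match the signer, and match it by certificate thumbprint,
    #      not by a display name anyone can put into a self-signed certificate.
    $verified    = ($sig.Status -eq 'Valid')
    $allowListed = $verified -and ($null -ne $thumb) -and ($AllowedThumbprints -contains $thumb)

    [pscustomobject]@{
        File            = $Path
        SHA1            = (Get-FileHash -Algorithm SHA1   -Path $Path).Hash.ToLower()
        SHA256          = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash.ToLower()
        SignatureStatus = $sig.Status          # Valid, HashMismatch, NotSigned, NotTrusted, ...
        StatusDetail    = $sig.StatusMessage
        SignerCN        = $cn
        Thumbprint      = $thumb
        NaiveNameTrust  = $naiveTrust          # what a name-only lookup would conclude
        Trusted         = $allowListed         # the verdict that should drive policy
    }
}

# Usage: compare the extracted sample (placeholder path) against a known-good OS binary.
Get-FileTrustVerdict -Path 'C:\samples\extracted.exe' | Format-List
Get-FileTrustVerdict -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```

Run against a file in the state the thread describes, SignatureStatus comes back as something other than Valid while NaiveNameTrust can still be True if the embedded subject happens to match a listed vendor; that gap between the two fields is exactly the condition a vendor allow-list must never short-circuit. The SHA-1 and SHA-256 columns are there so the output can be posted alongside a VirusTotal link, as reply #4 asks for.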