How to kill CIS easily

[Shaoran]

Hi all,

As I said before, I think use safe list can be dangerous because hips don't handle it properly so we can use them to do what we want on the computer with all rights.

Today, I will show one way by using java. You can download it and try it (if you use vista (I didn't try on seven) you must run it has admin with the command java -jar kill_cis.jar ). You need to have install Comodo in partition C:\

Just execute kill_cis.jar, and reboot your machine (warning : as it works, use it on a test machine only). After restart, check CIS.

It's really a very very very very very very stupid method that works on Online armor too just because java is considered as safe application, so we just have to make a malware in java.

[attachment deleted by admin]

[ssj100]

Thanks I'll test this out some time.  Sounds very interesting, and perhaps has implications for SRP/AppLocker too - for example, if your SRP/AppLocker rules allow javaw.exe to run, this could cause havoc, although the attacks would likely be mitigated particularly in a limited/restricted/standard user account.

Regardless, this is why it's very important to handle new files intelligently, as well as add a containment level of protection to your security setup/approach.

Will post back once I've done some testing.  Thanks once again.

[Shaoran]

As I do a modification in windows registry that require an administrator level, if you are not admin, it won't work. But there is other way, I just want an easy way because I don't want use lot of my time for this 

Someone ask me to try it on Vipre Antivirus premium because there is some protection like registry protections, it failed too, but as it's not a real hips maybe all applications can do that.

[ssj100]

...I just want an easy way because I don't want use lot of my time for this 

Which is exactly why running as a LUA/RUA/SUA will prevent most malware infections from running successfully.

[Josh™]

Hi all,

As I said before, I think use safe list can be dangerous because hips don't handle it properly so we can use them to do what we want on the computer with all rights.

Today, I will show one way by using java. You can download it and try it (if you use vista (I didn't try on seven) you must run it has admin with the command java -jar kill_cis.jar ). You need to have install Comodo in partition C:\

Just execute kill_cis.jar, and reboot your machine (warning : as it works, use it on a test machine only). After restart, check CIS.

It's really a very very very very very very stupid method that works on Online armor too just because java is considered as safe application, so we just have to make a malware in java.

So what your saying is CIS can be killed, by an application that is in Comodo's Safelist or Trust Vendor List, if it's some what modified to do malicious actions, eg. Java?

[Kyle]

his script uses Java to terminate CIS.

[Josh™]

his script uses Java to terminate CIS AFAIK.

Yes... Java Scripts (malicious ones) are off course heard of and CIS does, always with me, prevent these because its smart enough to know its doing a malicious action. Anyway. Letting Egemen know about this thread sounds like a plan for analyzing the tool attached in this thread.

[Shaoran]

So what your saying is CIS can be killed, by an application that is in Comodo's Safelist or Trust Vendor List, if it's some what modified to do malicious actions, eg. Java?

Yes and no, we ask to a safe application to do something, if you directly modify the safe application, I think CIS will see it. And you will need an unknow application, so CIS will see you.
Here, I ask java to execute a java code, here I think it's the same issue, it ask to msiexec.exe to execute SetupRSTAV2010.msi

his script uses Java to terminate CIS AFAIK.

I don't kill it directly, I think CIS will try to protect itself, so I modify cmdagent. After the restart, look his size, 0 byte  

[Kyle]

~SNIP~
Yes... Java Scripts (malicious ones) are off course heard of and CIS does, always with me, prevent these because its smart enough to know its doing a malicious action.
~SNIP~

Umm didn't u just read what he said? This script Terminates CIS so there is a huge vulnerability. That script could of been something Malicious -It's just a POC.


ADDED::
You'd think that CIS would be able to protect itself even from "Trusted" Processes.. Guess not  

[Shaoran]

ADDED::
You'd think that CIS would be able to protect itself even from "Trusted" Processes.. Guess not  

I'm not sure to understand all you said (as you may already see, I'm French and my English is still not perfect xD)
But if you said that Comodo can't protect itself from safe applications, I say yes. I said it long time ago in French corner, I try it last week end. We just have to know what application we will use. I think there is lot of way to do this, we just have to find a method to stay in the safe application.

Just try, on vista  or seven only (I don't know why it don't work on XP, I didn't look at this), if you execute (with admin rights) java -jar kill_cis.jar it'll work. If you try kill_cis.jar, Comodo will sandbox it.

Just imagine how many possibilities we have just with that method. And for Online Armor, it's the same issue, but they think at it a little, so some of them can't be used.

[Kyle]

I understand. You use a bad script through java to do bad things.
Je comprends. Vous utilisez un script java mauvaise grâce à faire de mauvaises choses.

there could be a lot of possibilities. more than just java, That exploit Comodo's trusted list.
il pourrait y avoir beaucoup de possibilités. plus que Java, qui exploitent la liste de confiance de Comodo.


http://translate.google.com/#

[ssj100]

Big question is whether Online Armor also has this issue, since Kyle is using it haha.

[Shaoran]

Arg, don't use google translate, sometime it's correct, but generally ....  

Stay in English, I'll understand.
You may not know but I'm the lead translator of French versions, so I think I can read you  

[Kyle]

Python is not in Comodo's trusted vendor list and I cannot add it. However, If i set python.exe as "Trusted" I can run a malicious script THROUGH PYTHON.  For example I can terminate some process, could probably do other things. I don't see why not.

Code: [Select]

import win32api
import win32pdhutil
import win32con

win32pdhutil.ShowAllProcesses()
pids = win32pdhutil.FindPerformanceAttributesByName('SOME PROCESS HERE')

for p in pids:
    handle = win32api.OpenProcess(win32con.PROCESS_TERMINATE, 0, p)
    win32api.TerminateProcess(handle,0)
    win32api.CloseHandle(handle)


[Shaoran]

Exactly, and this is only the easy way.