A webcam logger (.dll malware)



(1) I opened the webcam.

(2) I ran the .dll malware with the following command line.

regsvr32.exe "C:\virus\3890229\3890229.dll"

(3) It was sandboxed as “partially limited”

(4) The screen was locked by the malware.

(5) It showed a video which captures data from the webcam.

(6) The result is the same for the sandbox level, “fully virtualized”
(The .dll malware can normally run in the two sandbox levels only.)

Windows XP Pro SP3 32bit

Can you please let me know what happens if it is sandboxed with the BB set to Unlimited?

Also, do you know if it can transfer what it records from the computer, or would that be stopped by the Firewall?


  1. The malware will not run normally if the sandbox level is set as limited or higher levels.

  2. The firewall can block it from accessing the internet.

  3. But, CIS allows all outbound connections by default.

  4. The CIMA can not analyse the behaviors of a .dll file, so the file rating can not terminate it immediately.

So (now) the default firewall depends on detection. Not so great.

Would you mind qualifying that please.

CIS does not aim to inhibit webcams or sound recording as far as I am aware.

[edit: There is no HIPS sensor, and I’ve never seen it mentioned as a BB restriction.]

I guess he means by default CIS allows outgoing connections automatically.

But I guess the above default is only for Internet Security Config, in other Configs CIS asks for outgoing connections for Unknown Programs, am I right?

Did you report it as malware on the Valkyrie page, as it seems to think it’s a trustworthy .dll…

Maybe Egemen could clarify if there is any intention to inhibit sound and webcam capture?

CIS only allows all outbound connections for safe things, not unknown ones that are caught by the Behavior Blocker. Those things will not be able to connect.

If the user adds the following file group to the protected files, all BBed (without virtualization) applications will be blocked from connecting to the internet.

Windows Sockets Interface
\Device\Afd\Endpoint
\Device\Nsi

That's a good rule to know :-TU
Is it possible to create the same rule for the virtualized BB ?

Internet Security Config Defaults - All outgoing connections allowed, safe or unknown, right?

Internet Security Config Defaults in Virtual Kiosk - Same as above or in Virtual Kiosk unknown outgoing connections are not allowed & if not allowed they are blocked or you get popup?

  1. No

  2. For the virtualization, it can be controlled by the firewall only.


You might recheck the predefined rules in application rules :wink:
There is no rule which says “Allow safe things to connect”.
There is a rule that says “Allow outgoing userfriendly”.
And only detection will save your a…

Or would you call this trojan safe? :smiley:

Then please tell him, give him the info. I would like it if he could check that and give us info on what to do!?
Normally, in many cases we hear nothing from Egemen. Maybe you have a better connection to him!?

Unfortunately not. I think Ronny’s the only person that has a reliable connection to Egemen, which is a pity.

My best guess about the situation is:

  • web cam and sound inhibition is not intended for partially limited and FV policies
  • general restrictions on policies at the limited level plus will have the effect of blocking web cams

That is, even at high levels of restriction I doubt if web cams etc. are being specifically targeted, but I may be wrong of course. IMO CIS is on a journey to tackling privacy issues really; its orientation in the past seems to me to have been more towards system damage prevention than privacy, though it has had some privacy restrictions of course.

I’m basing this mainly on negative evidence, the fact that I cannot remember it being claimed as a feature, and the fact that known and reported weaknesses have not been addressed.

Just my view…


These keys are protected when CIS is set to Proactive Security.

I get firewall alerts for things that have been restricted by the BB. I don’t get them if the BB is set to Fully Virtualized however.