Allegation of Comodo Defence Plus Bypassed by Zeroaccess rootkit

There is a thread in Wilders that says that.

Most probably it happens according to the autosandbox and Defense+ level.
Maybe someone with more knowledge than me can post there.

"I did testing with win 7 in VBox in ubuntu host. CIS on default settings but AV was not installed.

Tried on XP under cover of CTM with same settings but strange thing appeared. Day before yesterday, it was giving a pop up alert that flash…exe wants to get unlimited access, it’s signed but not white listed by comodo, do you want to allow, or sandbox or block. If sandboxed, all is ok but if allowed rootkit is installed. Yesterday I tried again and strangely it says that this exe wants unlimited access but it’s unsigned. That is strange really. I am not able to get previous alert at all.

No such alert on win 7 or maybe it’s due to vbox. Can anyone test on real win 7 system or vmware?

Also tried with proactive mode with sandbox off. It gives many pop up alerts and is a pass for comodo. I will post screenshots later."

User has the file sample to test if the Moderators want it.

Yes please, including testing steps to take.

me as well

The user posted in Wilders. Maybe you can get these steps there.

This particular malware comes as 2 components:

1) Installflashplayer.exe (MD5: 352a620c285711220073f9f9b4cefcd1), which is signed by Adobe (note that this is indeed the updater and is not detected as malicious on VT), and
2) the file msimg32.dll (4e9a37688bc1fa27397575ae9f367894); this is the rootkit, with a detection of 29/43.
(Regards to Aigle of Wilders for the sample).

Running the installer will load the dll file and drop the rootkit in system32/drivers directory (obviously) with various file names (different every time you run it). It is detected by HitMan Pro via the GData engine as TDSS.72. Detection confirmed by GMER and Sophos AntiRootkit. Manual scan with CIS with rootkit detection enabled found nothing.
This test was run under WinXP in a dedicated malware box- no VM used. CIS was in Proactive Protection mode. Execution Control was set to Untrusted.
Note that above test was run under WinXP. CIS was in Proactive Protection mode. Execution Control was set to Untrusted.

I should also note that the CIS AV will detect the dll file, so upon initial run the AV portion was deactivated.

So was there any notification from D+?

The only D+ notification is on the initial run of the flash installer- The alert is that InstallFlashPlayer is signed by Adobe and safe to run. Upon run, one will get the typical red Flash installer screen and Flash installation will proceed (Note that this IS a legit Flash installer). The only difference is that the installer will activate the dll file which drops the rootkit.

But to reiterate, the ONLY D+ alert is the one noted above.

As it stands right now I don’t think anyone reading this post will be fooled by this Rootkit, as along with the Flash Installer you will also see the dll. But with the amount of major websites being hacked into through stolen FTP credentials (please see Secunia’s work on this), it would be child’s play to insert this false flash installer into what was formerly a valid link. Then the download would go into a temp directory that we would never see and the installation of the rootkit would proceed.

Remember that this is not a CIS problem. As it is a trivial matter to fudge with the dll to make it a zero day file every day this thing would never be detected (even this one is not seen by the excellent Malwarebytes).

Let’s hope that this issue will not exist with CIS6.
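The pairing described in the post above (a legitimately signed installer with a DLL named like a system DLL, here msimg32.dll, sitting beside it) can be checked for before anything is run. This is an added example, not part of the original thread and not Comodo code; it assumes the installer picks the DLL up from its own folder, and the function names and the constructed directory layout are illustrative.

```python
import hashlib
import os
import tempfile

def system_dll_names(system_dir):
    """Lower-cased names of the DLLs present in the given system directory."""
    return {n.lower() for n in os.listdir(system_dir) if n.lower().endswith(".dll")}

def find_shadowing_dlls(scan_root, system_names):
    """Return (directory, dll_name, md5) for every DLL that sits next to an
    EXE and carries the name of a system DLL."""
    findings = []
    for dirpath, _dirs, files in os.walk(scan_root):
        lower = {f.lower(): f for f in files}
        if not any(n.endswith(".exe") for n in lower):
            continue  # no executable here that could load a local DLL
        for name in sorted(lower):
            if name.endswith(".dll") and name in system_names:
                with open(os.path.join(dirpath, lower[name]), "rb") as fh:
                    digest = hashlib.md5(fh.read()).hexdigest()
                findings.append((dirpath, lower[name], digest))
    return findings

def demo():
    """Constructed layout: a stand-in system directory and two download folders."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = os.path.join(tmp, "system32")
        flash = os.path.join(tmp, "downloads", "flash")
        other = os.path.join(tmp, "downloads", "other")
        for d in (sysdir, flash, other):
            os.makedirs(d)
        for path, data in [
            (os.path.join(sysdir, "msimg32.dll"), b"system copy"),
            (os.path.join(sysdir, "kernel32.dll"), b"system copy"),
            (os.path.join(flash, "InstallFlashPlayer.exe"), b"constructed exe"),
            (os.path.join(flash, "MSIMG32.DLL"), b"constructed dll"),
            (os.path.join(other, "setup.exe"), b"constructed exe"),
            (os.path.join(other, "helper.dll"), b"constructed dll"),
        ]:
            with open(path, "wb") as fh:
                fh.write(data)
        hits = find_shadowing_dlls(os.path.join(tmp, "downloads"),
                                   system_dll_names(sysdir))
        return [(os.path.basename(d), n, h) for d, n, h in hits]

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

On a real machine, `system_dll_names` would be pointed at the Windows system directory and `find_shadowing_dlls` at download and temp folders; the MD5 of each hit can then be compared with the hashes quoted in the thread.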

Hi Guys,

Thanks for the feedback. With default settings, this indeed causes problems. With non-default configurations, such as proactive-paranoid, there is no problem; however, those will require heavy user interaction with other legitimate applications as well, and the average user cannot be expected to cope with this himself.

A global block for protection files modification for group “All applications” as shown in the figure can block this attack as well as its future variant, I presume. However, you need to be aware of the fact that this will prevent all driver infections as well as some applications which install drivers (rare, but there are).

There were similar threat vectors reported in the past and we have found an acceptable way to prevent this proactively i.e. without showing you popups and affecting your computing experience/performance.

For now, CAV should be detecting this and all of its known variants, hence you are safe. We will probably be done with the proactive defense part of it soon and I will update you on this.


[attachment deleted by admin]

Hi Egemen, thanks for your notice.

I wish you could somehow manage to intercept the dll execution without putting user against countless pop up alerts. Malicious dlls are the weak point for any HIPS.

Yes. We will add DLL authentication and bring aggressive image execution back in a more usable way. But it would still not be enabled by default.

This new method we are working on is going to prevent the risks but can also be enabled by default for novice people too.

To Egemen,

I have asked for this before, but it would be nice to have an option in computer security policy to force a pop-up, even for safe applications, for just certain actions. This could be used in this case forcing a pop-up when anything accessed the drivers directory. You could then get pop-ups just for dangerous activities that not many programs do. It would give much better protection with minimum pop-ups - much better than paranoid mode.

Thanks Egemen.

Egemen- Perhaps I am misinterpreting what you wrote, but Paranoid Mode does not prevent the Rootkit from being dropped. Also, one should not depend on any AV for this (or any other) infection.
Given 2 minutes I could insert an interior loop in the dll thereby changing it to a true zero day which wouldn’t be picked up by any AV.

What permissions did you give the Flashplayer once it alerts?

Seems that Online Armor also needed an update and got bypassed in some situations.

The update is available to all Online Armor users via the integrated online update Reply 59

Ronny- It shows the FlashInstaller as safe and signed. I allowed it.

When you are using paranoid mode, nothing is safe except the one you really know that it's safe.