Another interesting Defence Plus Bypass???

This is how you can reproduce this possible bypass. You must ahve more than one disk or partitions on ur PC.

Download and extract/ install XYplorer portable from here.

Put Defence Plus in Paranoid mode with Proactive Security configuration.

Open Defence Plus Pre-defined Security Policies and make a test policy. Allow only file access and Deny all other actions in this policy( see pic 1).

Now execute the malware b.css exe via cmd.exe and allow first execution pop up, allwoing execution of b.css by cmd.exe( see pic 2).

On second pop up alert choose test policy made by us( Pic 3) for b.css. Now Defence Plus will deny ecery single action by b.css without a pop up except file acess that will produce pop up alerts. Allow all file access( create/ modify/ delete) pop up alerts. Malware will create an autorun.inf file and a TPR.pif file in root directory of each hard disk partition. They will be hidden though, not visible via explorer.exe. Let the malware run and Open xyplorer by executig XYplorerfree.exe.

Navigate to one of your non-OS partitions( D, E, etc), locate TPR.pif file and double click on it to execute it via XYplorer( Pic 4).

Now here ius the point. One would expect here a pop up about TPR.pif being executed by XYplorer.exe. But interestingly instead you will first get two weired alerts about XYplorer.exe:

1- XYplorer.exe trying to access DNS/ RPC client service( Pic 5)
2- XYplorer.exe trying to access internet( Pic 6)

It,s after these two alerts that you get an alert about TPR.pif being executed by XYplorer.exe( Pic 7).

Now my question is how this malware manipulated XYplorer to access internet without any pop up alerts by Defence Plus about XYplorer manipulation or any windows message to xyplorer by the malware. Malware was never allowed to do anything excpet file creation etc. due to the test policy imposed on it?

Hope I have made my point clear. I need your opinions. Thanks

[attachment deleted by admin]

This is a pretty broad interpretation of the term bypass… :-*

Try using test policy on Pic 5 or all throughout.

Question is how the malware is able to manipulate XYplorerfree.exe and xyplorer.exe in turn starts trying to connect to a malwre site.

  • through system take over( manipulation) - - probably NOT as our test policy imposed upon malware will block this( debug privileges blocked)

  • the manipulation of xyplorer in memory – NO as our test policy blockes this.

  • through a global hook - NO as our test policy blocks this.

  • through a windows message - NO as our test policy blocks this.

This is a mystery atleast for me. Why a trusted process XYplorerfree.exe suddenly starts trying to access the internet? I wish the developers to ahve a look over it.

I was going to say the same thing.

Be good to hear from developers though.

no answers by developers?

i’m curious to see how this strange behaviour is explained…


Sorry, maybe I missed it, where is this b.css file?

One question for now. What rights does the debug privilege give to a program?

I don,t know but I guess if u allow it for a software then it can do anything. By the way, b.css was not given these privileges.

Are you sure there is no “Check for updates” option in that xplorer ?
The destination ip belongs to AKAMAI the first 2 alerts are pretty normal for “check for updates” behavior…

Did anybody get b.css TPR.pif and autorun.inf to be created on their system?

It doesn’t look they are created by XYplorer portable ( MD5 c02d4f3523fa726237e68945cad82c19) ???

BTW it doesn’t look that TPR.PIF was a real pif file as launching those would trigger a ntvdm.exe execute alert (XYplorerFree.exe → ntvdm.exe then ntvdm.exe → exe mentioned in pif file. ie: XYplorerFree.exe → ntvdm.exe → Notepad2.exe), renaming any executable to chage the extension (.exe) to .pif will have them get a MSDOS icon like for PIFs (at least in XP) and launch directly without ntvdm.exe

What about submitting those samples to CIMA and posting a link to the report?

[attachment deleted by admin]

Check for updates option in xyplorer launches a browser window, no direct intenet access.

Though you mentioned b.css in your step by step post it looks like it was not part of XYplorer, could it be that your system was already infected before you took those screenshots?

Could it be the activity you mentioned is not directly related to TPR.PIF as it occurred before its execution?

Did you submit those samples to CIMA in order to provide at least a link to the analysis reports to all those who don’t have them?

Indeed those reports could provide informations rather than conjectures about what happened on your PC.