Another interesting Defence Plus Bypass???

aigle · September 3, 2009, 4:45am

This is how you can reproduce this possible bypass. You must ahve more than one disk or partitions on ur PC.

Download and extract/ install XYplorer portable from here.

http://www.portablefreeware.com/index.php?q=xyplorer&m=Search

Put Defence Plus in Paranoid mode with Proactive Security configuration.

Open Defence Plus Pre-defined Security Policies and make a test policy. Allow only file access and Deny all other actions in this policy( see pic 1).

Now execute the malware b.css exe via cmd.exe and allow first execution pop up, allwoing execution of b.css by cmd.exe( see pic 2).

On second pop up alert choose test policy made by us( Pic 3) for b.css. Now Defence Plus will deny ecery single action by b.css without a pop up except file acess that will produce pop up alerts. Allow all file access( create/ modify/ delete) pop up alerts. Malware will create an autorun.inf file and a TPR.pif file in root directory of each hard disk partition. They will be hidden though, not visible via explorer.exe. Let the malware run and Open xyplorer by executig XYplorerfree.exe.

Navigate to one of your non-OS partitions( D, E, etc), locate TPR.pif file and double click on it to execute it via XYplorer( Pic 4).

Now here ius the point. One would expect here a pop up about TPR.pif being executed by XYplorer.exe. But interestingly instead you will first get two weired alerts about XYplorer.exe:

1- XYplorer.exe trying to access DNS/ RPC client service( Pic 5)
2- XYplorer.exe trying to access internet( Pic 6)

It,s after these two alerts that you get an alert about TPR.pif being executed by XYplorer.exe( Pic 7).

Now my question is how this malware manipulated XYplorer to access internet without any pop up alerts by Defence Plus about XYplorer manipulation or any windows message to xyplorer by the malware. Malware was never allowed to do anything excpet file creation etc. due to the test policy imposed on it?

Hope I have made my point clear. I need your opinions. Thanks

[attachment deleted by admin]

HeffeD · September 3, 2009, 5:29am

This is a pretty broad interpretation of the term bypass… :-*

Bizarre · September 3, 2009, 7:02am

Try using test policy on Pic 5 or all throughout.

aigle · September 3, 2009, 1:33pm

Question is how the malware is able to manipulate XYplorerfree.exe and xyplorer.exe in turn starts trying to connect to a malwre site.

through system take over( manipulation) - - probably NOT as our test policy imposed upon malware will block this( debug privileges blocked)
the manipulation of xyplorer in memory – NO as our test policy blockes this.
through a global hook - NO as our test policy blocks this.
through a windows message - NO as our test policy blocks this.

This is a mystery atleast for me. Why a trusted process XYplorerfree.exe suddenly starts trying to access the internet? I wish the developers to ahve a look over it.

MetalShaun · September 3, 2009, 4:22pm

I was going to say the same thing.

Be good to hear from developers though.

kronos · September 9, 2009, 9:56am

no answers by developers?

i’m curious to see how this strange behaviour is explained…

Regards

system · September 9, 2009, 10:06am

Sorry, maybe I missed it, where is this b.css file?

Citizen_K · September 11, 2009, 12:51am

One question for now. What rights does the debug privilege give to a program?

aigle · September 11, 2009, 2:32am

I don,t know but I guess if u allow it for a software then it can do anything. By the way, b.css was not given these privileges.

rhgtyink · September 11, 2009, 9:59am

Are you sure there is no “Check for updates” option in that xplorer ?
The destination ip 79.140.80.82 belongs to AKAMAI the first 2 alerts are pretty normal for “check for updates” behavior…

Endymion · September 11, 2009, 11:16am

Did anybody get b.css TPR.pif and autorun.inf to be created on their system?

It doesn’t look they are created by XYplorer portable (xyplorer.zip MD5 c02d4f3523fa726237e68945cad82c19) ???

BTW it doesn’t look that TPR.PIF was a real pif file as launching those would trigger a ntvdm.exe execute alert (XYplorerFree.exe → ntvdm.exe then ntvdm.exe → exe mentioned in pif file. ie: XYplorerFree.exe → ntvdm.exe → Notepad2.exe), renaming any executable to chage the extension (.exe) to .pif will have them get a MSDOS icon like for PIFs (at least in XP) and launch directly without ntvdm.exe

What about submitting those samples to CIMA and posting a link to the report?

[attachment deleted by admin]

aigle · September 11, 2009, 1:53pm

Check for updates option in xyplorer launches a browser window, no direct intenet access.

Endymion · September 11, 2009, 2:25pm

Though you mentioned b.css in your step by step post it looks like it was not part of XYplorer, could it be that your system was already infected before you took those screenshots?

Could it be the activity you mentioned is not directly related to TPR.PIF as it occurred before its execution?

Did you submit those samples to CIMA in order to provide at least a link to the analysis reports to all those who don’t have them?

Indeed those reports could provide informations rather than conjectures about what happened on your PC.