Autorun viruses Versus Comodo's Safe mode

Defense+ has been in Safe mode since its installation. During this period a ruleset for rundll32.exe was automatically created by D+: everything is “allow” without block exceptions, except:

  • “run executable” (allow exception is “%windir%*”);
  • protected registry (1 allow exception - no details);
  • protected files/folders (allow exception is “…system32*”).

There was an infected flash drive with a superhidden folder RECYCLER under the root directory and a file inside this folder: pLElVwkIV.dll.
Under the root directory there was an Autorun.inf file:

[autorun]
Open=Rundll32.exe .\RECYCLER\pLElVwkIV.dll,Setup

pLElVwkIV.dll is the so-called Trojan.Winlock.499 according to DrWeb's classification.

According to this info, Setup is a function that is taken from pLElVwkIV.dll. It looks like it is a malicious instruction.

The question is:
HOW to configure D+ in Safe mode to trigger an alert before allowing rundll32.exe to process this kind of instruction?

Taking into account that:

  • D+ rules (mentioned before) are created automatically for rundll32.exe;
  • Proactive Security configuration, Image Execution is Aggressive, everything else is at the defaults of Proactive Security.
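Since the whole question turns on what an autorun.inf can make rundll32.exe do, here is an added example (not code from the thread or from Comodo) that parses autorun.inf text and flags launch entries of the kind shown above: rundll32.exe used as the launcher, a DLL export named after the comma, the DLL sitting in a folder such as RECYCLER that Explorer normally hides, and a relative path that resolves to the removable drive itself. The sample inputs are constructed for the example; the folder names other than RECYCLER and the `shellexecute` test value are assumptions, not taken from the original post.

```python
"""Flag autorun.inf launch entries that hand control to a DLL via rundll32.exe.
Added example, not part of the original forum thread."""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    key: str                      # autorun key that launches something
    value: str                    # command line as written in the file
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.reasons)


def parse_autorun(text):
    """Minimal INI parser: {section: {key: value}}, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # comments / blank lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


# Folders commonly used to hide payloads on removable media. RECYCLER is the
# one from the thread; the others are assumptions added for the example.
SUSPICIOUS_DIRS = {"recycler", "recycled", "$recycle.bin",
                   "system volume information"}
# rundll32 or rundll32.exe as a separate token, with or without a path
_RUNDLL = re.compile(r'(?:^|[\\\s"])rundll32(?:\.exe)?(?=[\s"]|$)', re.I)
# "<path>.dll,<Export>" as rundll32 expects it
_DLL_EXPORT = re.compile(r'([^\s",]+\.dll)\s*,\s*(\w+)', re.I)
# Absolute Windows path, UNC path, or an environment-variable-rooted path
_ABSOLUTE = re.compile(r'(?:[a-z]:\\|\\\\|%\w+%)', re.I)


def is_launch_key(key):
    """Keys in [autorun] that start a program on insert or from AutoPlay/Explorer."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def analyse_autorun(text):
    """Return one Finding per launch entry; reasons are empty when nothing
    rundll32-related was seen."""
    findings = []
    for key, value in parse_autorun(text).get("autorun", {}).items():
        if not is_launch_key(key):
            continue
        reasons = []
        if _RUNDLL.search(value):
            reasons.append("rundll32.exe used as launcher")
            m = _DLL_EXPORT.search(value)
            if m:
                dll, export = m.groups()
                reasons.append(f"loads {dll} and calls export {export}")
                parts = [p.lower() for p in re.split(r"[\\/]", dll)
                         if p not in ("", ".")]
                if set(parts[:-1]) & SUSPICIOUS_DIRS:
                    reasons.append("DLL stored in a folder Explorer normally hides")
                if not _ABSOLUTE.match(dll):
                    reasons.append("relative DLL path, resolves to the removable drive")
        findings.append(Finding(key, value, reasons))
    return findings


# Constructed sample: the entry from the infected flash drive in the thread.
INFECTED_INF = "[autorun]\nOpen=Rundll32.exe .\\RECYCLER\\pLElVwkIV.dll,Setup\n"
# Constructed sample: an ordinary vendor disc, launches an exe directly.
BENIGN_INF = "; vendor tools\n[autorun]\nicon=setup.exe,0\nopen=setup.exe\nlabel=Tools\n"

if __name__ == "__main__":
    for name, inf in (("infected", INFECTED_INF), ("benign", BENIGN_INF)):
        for f in analyse_autorun(inf):
            print(name, f.key, "=", f.value, "->", f.reasons or "no rundll32 indicators")
```

Run as a script it prints four reasons for the infected entry and none for the benign one; the same function can be pointed at the root of any mounted removable drive by reading its autorun.inf before Explorer ever gets to honour it.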

Just a quick thought before hitting the bed. Add **.ini to CSP to prevent the autorun.ini in the root of a USB stick from running.

Hi EricJH,

sorry for my ignorance…what is “CSP”? ???

(:WAV)

Hi SS26 :slight_smile:

I don’t know if I’ve understood correctly.
The first alert of D+ will be of explorer.exe to open rundll32.exe, then it depends on how you have configured rundll32… for this reason I put D+ in Paranoid Mode and configure rundll32.exe all on ask.

It looks like that the above mentioned configuration should already trap the loading of the DLL.

AFAIK D+ addresses rundll32.exe in a particular way and uses the “Run an executable” access right rules to control loading of those DLLs.

Nevertheless, automatically running applications from USB keys/removable devices has been subsequently disabled by past Windows updates or is already featured in the latest OSes, whereas there is also a recent patch that prevents any (already not auto-running) application from being launched using an entry of the AutoPlay menu (a feature abused by worms like Conficker) to have older Windows behave like the new Windows 7.

Maybe it is worth checking by playing with **.inf. Thanks for the idea.

Not sure about the sequence explorer.exe <–> rundll32.exe or other; I plugged my infected flash drive into a W7 machine, which is not affected by such autorun problems, hence the virus was unable to start.
Indeed, Paranoid mode is a solution, but it is not a convenient/usable mode (imo).

Good if it is so. Worth to check.

Thanks for the links. It is probably the best solution.

PS. I SAVED that virus (in an encrypted archive). Willing to test? Not me, not now…

Then you might be interested in an easy way to test a rundll32 scenario with a PoC that was tailored against Windows 7 and does not rely on AutoPlay:

Windows 7 auto-elevation mistake lets malware elevate freely, easily

Computer Security Policy (Defense + → Advanced).

But I spoke too quickly there. The rule should be added to My Blocked Files and not to CSP. That error showed I really needed to go to sleep… :smiley:

Thanks. Will have a look :-TU

The best solution for this problem is surely that suggested by Endymion.
I use D+ in Paranoid Mode because for me it is good and I understand better what happens in my PC… yes, perhaps I am a little paranoid ;D

(:NRD)

Thanks :wink:

Maybe I’m wrong, but since you say the rule for running executables is already on ask with the only exception being the one stated, wouldn’t D+ alert you to the file on the flash drive trying to be executed? Isn’t it saying that only files in the Windows directory are allowed to be run by rundll32 without producing an alert?

Could somebody else please confirm this as well; maybe starting with 3.13 the Rundll32 behavior was changed.

I rolled back to 3.12 and I get Run an executable alerts for DLLs loaded by rundll32, but I get none with 3.13 ???


Theory. The question is how it works in practice ??? :-\
I couldn’t force that virus to TRY to instruct rundll32 to “setup” that DLL :-X

How do you get that alert on your screenshot: by setting Image Execution to Aggressive and adding *.dll to the execution list? If these two requirements are not met, then the alert is not triggered?

I can check (running 3.13. .574) once I know of some portable exe (which I can download) that tries to load a DLL with rundll32.
[PoC from Win7+Autorun article didn’t work for me, dropping error “…error during program’s initialization…”]

While I found out I’m not able to reproduce the (old? ??? ) behavior with 3.13, previous versions should address rundll32 as I mentioned earlier.

When I told you that the config you described in your first post should have been able to trap rundll32 DLLs, I didn’t mention that even the “Comodo - Internet Security” default configuration should have been able to (at least up to 3.12, which I took that screenshot with).

It looks like it was mentioned that the rundll32 approach was going to change, though I don’t know if the change I reproduced on my PC affects other users as well, or even in that case whether this change is actually the one implied in that rundll32 quote from the CIS lead developer.

That appeared to work also in 3.13, though it will trigger for many other applications as well and not only rundll32. I didn’t test it properly, but the overall behavior of such custom settings reminds me of the CFP 2 component monitor (which IIRC defaulted to learn all); nevertheless the CIS lead developer mentioned this is not really recommended/intended to be used in CIS 3.

Too bad I was particularly interested in the result of that win7 autoelevation PoC :frowning:

On the other hand there are a few video-card/keyboard/mouse apps/brands that rely on rundll32 and launch their DLL at startup by modifying a protected registry entry (my video card and mouse rely on such an approach). Anyway, if you are willing to invoke rundll32 from the command line, there is an article that provides a DLL fit for this (the command line is mentioned in its How to Use paragraph):

Screen Event Recorder DLL/Application (requires registration of an account, free of charge), and the DLL can be launched on XP as well in case it won’t work with Windows 7.

Seems like I was wrong about the theory :frowning: and that’s how it works (some screenshots + one in this thread). What I was thinking of >:-D :cry:

So, I launched that virus mentioned manually:
rundll32.exe name.dll,setup

Prior to doing that I removed rundll32.exe from the computer policy of D+ and set D+ to paranoid.

Alerts followed:

  1. rundll32.exe tries to modify protected registry key HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore ;

  2. rundll32.exe tries to modify protected registry key …\ShowSuperHidden;

  3. rundll32.exe tries to modify user interface (sends windows message) of csrss.exe;

  4. rundll32.exe tries to execute explorer.exe;

  5. rundll32.exe tries to create new file or directory c:\windows\system32\weird_name.dll ;

  6. rundll32.exe tries to modify protected registry key HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

  7. rundll32.exe tries to modify protected registry key HKUS.…\Policies\System

  8. rundll32.exe tries to terminate ctfmon.exe;

  9. rundll32.exe tries to obtain elevated privilege (Debug privilege)

  10. rundll32.exe tries to execute ctfmon.exe;

That viral DLL did not instruct rundll32 to load it :-
It seems alerts #3, 5, 8, 9, 10 would be allowed silently if the D+ policy was the one mentioned in the first post.


Not sure about alerts #1, 2, 6, 7, because I cannot tell exactly what protected registry units were under the allowed exceptions for rundll32 :-X

Rundll32 is a way to run a DLL function, whatever purpose such a function has.
While another DLL could have been used to test a RunDLL32 DLL loading alert, it looks like these DLL execution alerts are not triggered with 3.13 anymore.

Up to 3.12 the first alert would have been a Run an executable one with Rundll32.exe on the left side and the involved DLL on the right side.
Blocking such an alert would prevent any further action carried out by the DLL from being executed through rundll32, and this would work even with the policy mentioned in the first post.

Hi Endymion,

if you are speaking of the popup you mentioned here, I have them also with v3.13.