Bypass V6 partially limited, limited, restricted and HIPS (New Method)

1. I double clicked on the malware.

2. I chose “Run Isolated”.

3. The FlashPlayer_11_4_update_for_Win.exe was sandboxed as “partially limited”, but the svchost.exe executed by explorer.exe was not sandboxed.

4. I checked the autorun entries.

5. Environment:
Windows XP Pro SP3 32bit

http://valkyrie.comodo.com/Result.html?sha1=25cfd9454c7b77027a278856d539f6f88222d099&&query=0&&filename=FlashPlayer_11_4_update_for_Win.exe

http://camas.comodo.com/cgi-bin/submit?file=9f1db11106b46925bb964f35719e4362b4309dbe69653fbab2a9b8481cc485d7

6. Process tree:
malware → nothing

explorer.exe → svchost.exe


Hmmm good one. Thanks for the report. Can you quickly send me the sample link?

What does this malware do? Is it able to harm the system, I mean make any changes or send data? What happens if you set up the sandbox to fully virtualized?

I found a copy of this but Avast blocks it. I know where to get it. But if you run it you will never really know what was done to your system…

Only “untrusted” and “fully virtualized” can block the malware.

Thank you for that info. Is it able to run in the virtualized sandbox and not harm the system, or does it not run?

It can be run in the virtualized sandbox, but explorer.exe cannot execute svchost.exe.

Thank you for that info again. That is a really nice one, interesting! :slight_smile:

Those are the examples where I ask myself: is it better to make the software more user friendly or more protective?

I would choose the second one :slight_smile: … even the virtualized sandbox is not user friendly at all with the default settings, but it seems you get more protection.

1. There is one problem in COMODO Autorun Analyser.

It cannot detect the autorun file, skype.dat.

2. The rating scan cannot detect it.

3. I tested the malware with Malware Defender.
2013/1/25 15:50:59 Create new process Permitted
Process: c:\windows\explorer.exe
Target: c:\virus\flashplayer_11_4_update_for_win\flashplayer_11_4_update_for_win.exe
Cmd line: "C:\virus\FlashPlayer_11_4_update_for_Win\FlashPlayer_11_4_update_for_Win.exe"
Rule: [App]*

2013/1/25 15:51:10 Access memory of another process Denied
Process: c:\virus\flashplayer_11_4_update_for_win\flashplayer_11_4_update_for_win.exe
Target: c:\windows\explorer.exe
Rule: [App]*

1. DefenseWall HIPS can block it.
DefenseWall log file

01.25.2013 20:26:13, module C:\virus\FlashPlayer119\FlashPlayer119.exe, Attempt to open process C:\WINDOWS\explorer.exe (Process)

01.25.2013 20:26:13, module C:\virus\FlashPlayer119\FlashPlayer119.exe, Open process memory allocation error (Memory)

2. Private Firewall V7

3. Online Armor 6.0.0.1736

Failed

4. Outpost Firewall Pro V8

Failed

5. KIS 2013

  1. Maybe the bug is the “interprocess memory accesses”
  1. A new sample

  2. It was not detected by CAV 15039

  3. It does not request unlimited access to the PC

http://camas.comodo.com/cgi-bin/submit?file=bb72ab3ac1dc5f358391a44b2a9be333d06304d205945f04a768e63c96cb6b5a

http://valkyrie.comodo.com/Result.html?sha1=1c59320f9a179df7305ad2ff002567823016eea3&&query=0&&filename=FlashPlayer119.exe

Valkyrie is offline… again… :frowning:
Is it a safe file?

CIMA cannot analyse the PE 64 file (malware).

http://camas.comodo.com/cgi-bin/submit?file=8fd65829c689114c2e1dfa773262e848d63d9435276b16485bc3563bed0362d4

http://valkyrie.comodo.com/Result.html?sha1=758179f25acd7310a3ffcff695afa3ad06aab2e6&&query=1&&filename=p.exe

Good to see Fully Virtual blocks this malware.

1. New malware

2. The svchost.exe executed by explorer.exe was not sandboxed.

3. The situation existed for a very short period.
   (Maybe the autorun entry also appears for a very short period.)

4. The event logs did not indicate that the malware accessed the memory of explorer.exe.

2013-01-27 00:30:44 C:\virus\xbldnpkeg3g6sesakuzhue\xbldnpkeg3g6sesakuzhue.exe Sandboxed As Partially Limited

2013-01-27 00:30:53 C:\virus\xbldnpkeg3g6sesakuzhue\xbldnpkeg3g6sesakuzhue.exe Sandboxed As Partially Limited

5. Environment:
Windows XP Pro SP3 32bit

http://camas.comodo.com/cgi-bin/submit?file=7a827d336c0fae31a751fbca444f86c54db1fc57cf2fc7cd9441e841dbf8f620

http://valkyrie.comodo.com/Result.html?sha1=32bf4c24121eb01a2b940b5525f991e57b8ca70d&&query=0&&filename=xbldnpkeg3g6sesakuzhue.exe


  1. I enabled the HIPS and the safe mode.

  2. In the Monitoring Settings, I checked the Protected Registry Keys only.

  3. Then I added a rule for the svchost.exe.

  4. I double clicked on the malware.

5. Event logs:

2013-01-27 18:23:45 C:\virus\mpneeamp66r1acnt037iq7\mpneeamp66r1acnt037iq7.exe Sandboxed As Partially Limited

2013-01-27 18:23:54 C:\virus\mpneeamp66r1acnt037iq7\mpneeamp66r1acnt037iq7.exe Sandboxed As Partially Limited

2013-01-27 18:24:06 C:\WINDOWS\system32\svchost.exe Modify Key HKUS\S-1-5-21-448539723-261903793-1801674531-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

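The event log lines quoted in this thread show the two things a practitioner would want to catch automatically: the sample being sandboxed twice within seconds (it relaunches itself), and a system binary (svchost.exe, run by explorer.exe outside the sandbox) writing the Winlogon\shell value, which is the persistence mechanism the Autorun Analyser missed. The script below is an added example, not code from the thread or from Comodo: it parses CIS-style "Defense+" event lines in the format shown above (the log sample is constructed to mirror the quoted lines, with one harmless registry write added as a negative case), flags writes to common autorun locations, and notes when the writer lives in the system directory, since that is the proxy-execution pattern the reporter describes. The set of autorun keys it checks is my choice, not something the thread lists.

```python
"""Flag autorun persistence and self-relaunch in CIS-style event log lines.

Added example; the log format is taken from the lines quoted in the thread,
the rules and the sample log are my own (constructed) additions.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample modelled on the event log lines quoted in the thread.
# The last line (a DNS cache parameter) is a harmless write used as a negative case.
SAMPLE_LOG = r"""
2013-01-27 18:23:45 C:\virus\mpneeamp66r1acnt037iq7\mpneeamp66r1acnt037iq7.exe Sandboxed As Partially Limited
2013-01-27 18:23:54 C:\virus\mpneeamp66r1acnt037iq7\mpneeamp66r1acnt037iq7.exe Sandboxed As Partially Limited
2013-01-27 18:24:06 C:\WINDOWS\system32\svchost.exe Modify Key HKUS\S-1-5-21-448539723-261903793-1801674531-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
2013-01-27 18:30:00 C:\WINDOWS\system32\svchost.exe Modify Key HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
"""

# "<timestamp> <process path> <action> <target>"; actions are the ones seen in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[A-Za-z]:\\\S+) "
    r"(?P<action>Sandboxed As|Modify Key|Modify File) "
    r"(?P<target>.+)$"
)

# Registry locations that give a program a foothold at logon (assumed list, not from the thread).
PERSISTENCE_KEY_RES = [re.compile(p, re.IGNORECASE) for p in (
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$",
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)",
    r"\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup$",
)]

SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\", re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    process: str
    action: str
    target: str


def parse_events(text: str) -> List[Event]:
    """Parse matching lines; lines in other formats are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            m["proc"], m["action"], m["target"]))
    return events


def find_persistence_writes(events: List[Event]) -> List[Tuple[Event, str]]:
    """Every Modify Key on an autorun location is reported; the reason string
    records whether the writer is a system-directory binary, which in the
    thread's case means the real actor is hiding behind svchost.exe."""
    alerts = []
    for ev in events:
        if ev.action != "Modify Key":
            continue
        if not any(r.search(ev.target) for r in PERSISTENCE_KEY_RES):
            continue
        if SYSTEM_DIR_RE.match(ev.process):
            reason = "system binary wrote autorun key: likely proxy execution or injection"
        else:
            reason = "non-system process wrote autorun key"
        alerts.append((ev, reason))
    return alerts


def find_repeated_sandboxing(events: List[Event], window_seconds: int = 30) -> List[Event]:
    """Same executable sandboxed again within the window: the sample relaunched itself."""
    last_seen: Dict[str, datetime] = {}
    hits = []
    for ev in events:
        if ev.action != "Sandboxed As":
            continue
        key = ev.process.lower()
        prev = last_seen.get(key)
        if prev is not None and (ev.ts - prev).total_seconds() <= window_seconds:
            hits.append(ev)
        last_seen[key] = ev.ts
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev, why in find_persistence_writes(evs):
        print(f"[persistence] {ev.ts} {ev.process} -> {ev.target}: {why}")
    for ev in find_repeated_sandboxing(evs):
        print(f"[relaunch]    {ev.ts} {ev.process} sandboxed again")
```

Run it against an exported CIS event log to get the same two findings the thread reports by hand; the harmless Dnscache write is not flagged. Treating writes by system32 binaries as more, not less, suspicious is deliberate: trusting the writer's path is exactly what let this sample through.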