Comodo bypassed

sd_ahmad · June 23, 2018, 5:05am

Hi all

I found a topic that talks about hacking Comodo by the URL-HTA

prodex · June 23, 2018, 7:44am

This site contains malware, blocked by my protection program - just seen - it seems it’s ransamware

miloszcz · June 23, 2018, 8:02am

Here is a youtube video: اختبار اختراق PayLoad Useing URL HTA مع 10 Comodo Internet Security - YouTube

sd_ahmad · June 23, 2018, 8:09am

It is clean

EricCryptid · June 23, 2018, 8:35am

Hmm, looking a the video I only saw two items that weren’t in my default setup. Those being the Firewall Application default rule for Windows Updater App and the default rule to Ignore Metro Apps.

I did see that the files were manually removed from the Blocked Applications and File List after each run. Was virus still evident after reboot or manually resetting the container?

I’m no expert though, just my observation from watching it.

Eric

sd_ahmad · June 23, 2018, 12:59pm

If you try to create an empty file with the same extension and then open it with a browser, the file will not be placed in the container

black007 · June 23, 2018, 2:37pm

hi all

i am owner this video

about this comment

All settings are on the default settings by company

about manually remove Blocked Applications ? this gust for to Make sure the final file (bypass.hta) is not Blocked by contained

about the virus still evident after reboot or manually resetting the container? There is no installation in the file after reboot or manually resetting the container I did it gust for testing only

any thing you ask for i will reply it and i want to send the file to company Give me the link to submit file to analysis

best of luck

Citizen_K · June 23, 2018, 3:36pm

You can send the file following the instructions in Submit Malware Here To Be Blacklisted - 2018 (NO LIVE MALWARE!).

miloszcz · June 23, 2018, 6:36pm

IMO It’s best to contact Umesh directly - please send him a PM with a link to the malware and this topic.

pio · June 24, 2018, 1:38am

I can partially agree with what “Prodex” says. The site “h**p://forum.zyzoom.net” contains some references to blacklisted domains and blacklisted links. That is why it is blocked by some applications.

[i]But there are no immediate risks on this site!

Nevertheless, an interesting report! :-TU Thank you to “SD Ahmad”!!!

References to Blacklisted Domains:

Detected reference to malicious blacklisted domain >>> /threads/307678/# > “winaso.com” > Page/File MD5: AAAC4517A897D0486BCCE65007A17ADC

Detected reference to malicious blacklisted domain >>> /threads/307627/# > “up.ibda3gate.com” > Page/File MD5: C364D0FA04208126762A8BE76458007C

Detected reference to malicious blacklisted domain >>> /forums/-/index.rss > “up.ibda3gate.com” > Page/File MD5: 043E36C0549D5549A452F729A5621661

ReeceN · June 28, 2018, 6:21am

Was this not achieved because the file was placed onto the system by the VM (which would have been comparable to writing the file to disk using a different OS), and therefore did not meet any of the default Containment Conditions, in particular the ‘File Created by Porcess(es)’ condition?