D+ engine not able to intercept malware properly

Hi,

I have a malicious sample which I believe is partially bypassing the D+ execution engine. Pls. find the steps to recreate the issue:

  1. double-click install.exe (new variant of Antivirus Pro)
  2. D+ prompts, stating that “install.exe wants to run you computer”, and I clicked “ALLOW”.
  3. From the second prompt onwards, I clicked “BLOCK” for all the follow-up prompts.

Result: the rogue program was able to modify the hosts file successfully but luckily was not able to start.

Note: I ran the above malware sample under Sandboxie version 3.38, so luckily it couldn’t harm my system.

CIS 3.9 Proactive Mode
XP SP3
NOD32 v4

If anyone really finds this to be a bug and wants to look further into the issue, I can provide the malware sample.

Thanks,
Harsha.


Can you PM me a link to the malware please :wink: thanks

Also, what security mode did you use? Proactive or Internet Security?

It does; the problem is you hit allow on the first one!

Proactive Security should block the hosts file from being modified.

OmeletGuy, pls. check your PM folder. I sent you the sample; the password is infected.

languy99, that's the problem. I guess it needs to be fixed.

I’m using proactive internet security and, more importantly, I can see the below entry under D+ → My Protected Files = %windir%\system32\*. So, logically, I guess an alert should be raised or the entry should be blocked. Or am I missing something??

Can any mods look into this…

Thanks,
Harsha.

I got it harsha_mic, thx. I will start testing soon and post results if I can copy this!

Yup, the same thing happens. I will also submit this rogue to the AV analysts; it should be added soon!

Some dev please look into this.

Thanks, friend. But the important thing is that the D+ bug (probably) should be rectified…

Yes it should

Has anyone tried it in a VM (without ‘Sandboxie’)?

PM it to me if not, thanks.

Can you please PM me the link for the malware? Also, can you please try without Sandboxie inside a virtual machine? It is quite possible that Sandboxie redirects the file system requests and the actual file modification is not really the hosts file but something else. This might be the reason.

However, let's be sure. Pls PM me the link and let me test.

Thanks,
Egemen

I have sent you the link for the malware sample; the password is infected.

Thanks,
Harsha.

Thanks Harsha.

I have tested in a VM and CIS produced the expected popups. I think it is related to Sandboxie.

Interestingly, CIS reported many buffer overflow attacks in this malware too. :slight_smile:


CIS may have alerted, but if you block the alerts, was the hosts file still modified?

BTW, it looks like you have CIS 3.10. ;D

(See attached.)


Yeah, what is that about :o What do I have to do to get it :-* :wink: jk

Yep. That's our bug-fixed version, to be released soon. It will address some of the issues with the antivirus engine.

There we go again… hey man, this guy is LAUNCHING an INSTALLATION program! So what did you expect? Wanna install something and then tell D+ to block it??? While I am using CIS 3.9 and love it, I still think Comodo could/should do something about this kind of passing-the-ball-back-to-the-user situation… and my Threatcast is still not working… ■■■■… >:(

UUH!! Can’t wait… hope it fixes the Threatcast problem also! :o

We are working on TC problem.

I think the problem could be very similar to this, harsha_mic… (See screenshot)

Though I wouldn’t worry about your system (if you are, that is); ‘Sandboxie’ is a great program! :-TU


I'm using proactive internet security and, more importantly, I can see the below entry under [b]D+ --> My Protected Files = %windir%\system32\*[/b]. So, logically, I guess an alert should be raised or the entry should be blocked. Or am I missing something??

The install.exe did not try to access this path…

[b]%windir%\system32[/b]

Because it was running in the sandbox, it tried to access this path instead…

[b]C:\Sandbox\Harsha\DefaultBox\drive\C\WINDOWS[/b]

It seems that ‘Sandboxie’ allows it to make changes INSIDE the sandbox, and then Defense+ stops it because it thinks it's about to try to do something OUTSIDE of the sandbox.

This would explain why you saw the hosts file had changed INSIDE the sandbox.

I could be wrong, I’m just guessing here… ;D

Hope this helps. :slight_smile:
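To make the path-redirection explanation above concrete, here is an added example that is not part of this thread and not Comodo's or Sandboxie's own code: it treats the "My Protected Files" entry as a case-insensitive glob over the real path, maps a Sandboxie-redirected path (the C:\Sandbox\...\drive\C\... layout quoted above) back to the real path it stands for, and shows that the hosts file write only matches the protected-files rule once it is un-redirected. How D+ actually evaluates its rules is an assumption here; the sandbox root and file paths are constructed from the thread.

```python
import fnmatch
import ntpath

# Constructed values: sandbox root as quoted in the thread, %windir% assumed.
WINDIR = r"C:\WINDOWS"
SANDBOX_ROOT = r"C:\Sandbox\Harsha\DefaultBox"
PROTECTED = [r"%windir%\system32\*"]          # the D+ entry from the thread
SANDBOXED_HOSTS = SANDBOX_ROOT + r"\drive\C\WINDOWS\system32\drivers\etc\hosts"


def expand(pattern, windir=WINDIR):
    """Expand the %windir% variable used in the D+ rule (assumed semantics)."""
    return pattern.replace("%windir%", windir)


def is_protected(path, patterns=PROTECTED, windir=WINDIR):
    """Case-insensitive glob match of a real path against the protected list."""
    norm = ntpath.normpath(path).lower()
    return any(
        fnmatch.fnmatchcase(norm, ntpath.normpath(expand(p, windir)).lower())
        for p in patterns
    )


def unredirect(path, sandbox_root=SANDBOX_ROOT):
    """Map a Sandboxie-redirected path (<root>\\drive\\<letter>\\...) back to
    the real path it shadows; paths outside the sandbox are returned unchanged."""
    prefix = ntpath.normpath(sandbox_root).lower() + "\\drive\\"
    norm = ntpath.normpath(path)
    if not norm.lower().startswith(prefix):
        return norm
    letter, _, tail = norm[len(prefix):].partition("\\")
    return f"{letter.upper()}:\\{tail}"


def classify(path):
    """Return (was_sandboxed, real_path, protected) for one file access."""
    real = unredirect(path)
    return (real.lower() != ntpath.normpath(path).lower(), real, is_protected(real))


if __name__ == "__main__":
    # The raw sandboxed path does not match the rule, the real path does.
    print(is_protected(SANDBOXED_HOSTS))   # False
    print(classify(SANDBOXED_HOSTS))       # (True, 'C:\\WINDOWS\\...\\hosts', True)
```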