Defence+ failed against malware

On my system Defence+ failed against SSDT unhooker rootkit (rootkit EZ). I allowed execution and denied all other behaviours of the rootkit, but it is able to destroy CFP, install hidden drivers, and CFP doesn't give alerts about execution of any new executables after this.

I allowed execution of Sohand IM worm and denied all other actions of this malware but it was able to bypass Defence+ making Task Manager and RegEdit disabled.

Pretty disappointing. I have the samples. Anyone needs, PM me.

Thanks

What behaviours did you block that you expected to prevent the harm?

Rootkits by nature have powerful abilities inherent in that status.

I am curious to hear from our Comodo folks, but allowing the malware to execute seems a highly dangerous behavior and playing with fire is a good way to burn fingers.

Greetings!

This is because HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ isn’t added in My Protected Registry Entries by default.
The virus adds the REG_DWORD values DisableTaskMgr and DisableRegistryTools and sets them to 1.

Also, could you please PM me the files so that I could run a test with Defense+?

Cheers,
Ragwing
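An added audit script for the registry change described above (not code from the thread or from Comodo): it walks HKCU\...\Policies and every subkey (the two values are normally written under Policies\System), reports any non-zero DisableTaskMgr or DisableRegistryTools value, and removes them only when -Remediate is passed.

```powershell
# Added example, not from the original post: audit the HKCU policy keys for
# the two lockout values the worm is described as setting, and optionally
# remove them. Run in the context of the affected user.
param([switch]$Remediate)

$Base  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
$Names = @('DisableTaskMgr', 'DisableRegistryTools')
$Findings = @()

# Check the Policies key itself plus all subkeys (values normally live in Policies\System).
$Keys = @(Get-Item -Path $Base -ErrorAction SilentlyContinue) +
        @(Get-ChildItem -Path $Base -Recurse -ErrorAction SilentlyContinue)

foreach ($Key in $Keys) {
    if ($null -eq $Key) { continue }
    foreach ($Name in $Names) {
        $Value = $Key.GetValue($Name, $null)
        # REG_DWORD 1 disables the tool; 0 or a missing value leaves it enabled.
        if ($null -ne $Value -and [int]$Value -ne 0) {
            $Findings += [pscustomobject]@{ Key = $Key.PSPath; Name = $Name; Value = $Value }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No Task Manager / Registry Editor lockout values found.'
} else {
    $Findings | Format-Table -AutoSize
    if ($Remediate) {
        foreach ($F in $Findings) {
            # Deleting the value restores the default (tool enabled); a domain GPO would re-apply it on refresh.
            Remove-ItemProperty -Path $F.Key -Name $F.Name
            Write-Output "Removed $($F.Name) from $($F.Key)"
        }
    }
}
```

Running it without -Remediate is read-only, which is the safe way to confirm whether a HIPS rule actually blocked the write.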

I have sent them to you.

Thanks

Then how is it possible to pass this rootkit test?
I thought CFP 3.0 protects its files and processes against all kinds of attacks by default, including the registry keys you mentioned above.

Here are a couple of registry tests which CFP doesn't completely pass by default (download in attachment).
BTW, on regtest phase 2 CFP crashes…
Note: for successful testing of regtest you need to allow regtest.exe to execute regtest.exe and regtest.exe to access regtest.exe in memory; every other request should be denied.

[attachment deleted by admin]

Does CFP 3.0 now pass and block the SSDT unhooker rootkit (rootkit EZ), and how does CFP 3.0 pass it?

If it doesn't pass, then I hope both Melih and Egemen will respond and react.

I’ve uploaded the tests here in a zip file, containing one avi file (Xvid) for each test.
The unhooker was pretty owned by Dr Watson and DEP.
Tested on a virtual XP PRO SP 2 with DEP enabled for everything and CFP 3 with firewall in Custom Policy Mode and Defense+ in Paranoid Mode.

Cheers,
Ragwing

[attachment deleted by admin]

Hi, Ragwing!
I want to thank you for your answer. I saw your testing in avi format. But one thing I don’t understand.
Does CFP 3.0 pass these tests you tried or not, because I didn't see whether it said that CFP passed or not?

What does Windows ask you in the end?
Dat har programmet avslutades for att skydda datorn- what does it mean if you don’t mind.
There is also choice:
Andra installnigar and Stang meddelandet (you choose this option)
Does it mean that Windows asks you whether you want to, and are sure that you want to, install this RTKT Agent EZ, SSDT Unhooker and Sohand.e IM Worm coolpics?

Also, where can I download these tests, and WILL THEY HURT MY COMPUTER IN CASE CFP 3.0 DOESN'T PASS THEM?

Also, what to allow and what to exactly block?
You have allowed rundll32.exe, drwtswin.exe and dumprep.exe and blocked everything else?

How come Aigle (poster who started this thread) failed to block these rootkits tests?
Thank you for your time and patience, again!

I’d say it passed the first one, but for the other one, I can’t say it did, since I couldn’t test it properly with CFP 3. But DEP will protect you from it.

It means that Windows has terminated the program to protect my computer.

No, it means Edit settings and Close this message :wink:

I can send them to you. But they will harm your computer if CFP 3 fails to block them. That’s why I tested them in a virtual PC.

You should only allow executions and block all other actions.

We used different versions of CFP 3, and we both have different system configurations :wink:

Cheers,
Ragwing

Again thanks for your time and patience, but what do you mean by DEP?
Also, could you please retest the second for which you’re not sure if you passed or not?
And how do you know you passed the second test (the one you’re not sure that you passed)?

Also, did you pick up these tests from Unhooker malware tests:
http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm

I tried to email to this guy Nicola to test CFP 3.0 the same as Dynamic Security Agent in about 80 tests, but there was no response:
Here is the review of Dynamic Security Agent:
http://membres.lycos.fr/nicmtests/Dynamic-Security-agent-tests/DSA_index.htm

Big thanks, again.

That sounds alarming. I don't think it is possible unless there is something wrong with your configuration. Can you please urgently PM me this rootkit?

I allowed execution of Sohand IM worm and denied all other actions of this malware but it was able to bypass Defence+ making Task Manager and RegEdit disabled.

That should be because of the registry key Ragwing mentioned. Need to check to see. It can be easily added to my protected registry keys by default though. It is not bypassing D+. It is just that D+ does not protect that key. That's all.

But this issue is not really important compared to the first one in which you claim a driver is installed. That would really be a serious problem. Please urgently send me these samples so that we can protect our users if there is something wrong.

Thanks,
egemen

Data Execution Prevention :wink:

I’ll disable DEP and re-run the test tomorrow, got to sleep now :stuck_out_tongue:

I’ve PM’ed it to you now.

Cheers,
Ragwing

Ok, I have just reviewed the videos.
As I see from the AVI videos of Ragwing (kudos!), there are 2 popups which prevent this rootkit.EZ. The first one is about privilege escalation:

1 - rootkit is trying to obtain debug privilege. This is blocked and hence it crashes because it assumes it can obtain such a privilege without being intercepted. So if it is allowed, I believe we can see other things such as interprocess memory access etc. Since it is blocked, it just crashes.

2 - rootkit is trying to access the Service Control Manager. This is another important alert because it is trying to install a driver, which, if installed, could be a serious problem.

There are other popups like rundll32.exe etc which could be a problem later on. Thank you for the AVI Ragwing. It was really cool.

Other than that, we can also see in video 1, CFP D+ detects Sohand IM Trojan as a virus! This demonstrates another aspect of what a powerful engine Defense+ is against the unknown malware.

Egemen

I thought DEP prevented it, but it looks like Microsoft can’t do anything right after all…
And most users that know what they’re doing would never give Debug to a completely unknown process. That’s just insane!

Yes, but if you allow it, it should say that it’s trying to create name.drv in system 32 or some other location.

Yeah, but it’s because of Dr Watson, I guess :wink:

No problem.

Yes. But you can’t properly test a HIPS if you allow suspicious stuff like giving it Debug.

Does it work by scanning the behaviour of the files or does it analyze the code?

Cheers,
Ragwing

It analyzes the code like an antivirus software before it is run.

On a clean install of 295, the subject registry entry is already the default and can be found in the Important Keys group.

Al

[attachment deleted by admin]

Hi Guys,

As an update to this topic, the default configuration of CFP needs to be modified slightly to provide a complete defense against this type of rootkit. One should add \Device\LanmanRedirector to the my protected files in Defense+ to see the real harm that can be caused by this rootkit. Fortunately, CFP clearly warns the user with the heuristics before it is run. Experienced users may try adding this file and deny every single popup shown by the rootkit. Experienced users only! In a VM only!

We will be making the necessary changes and update the default configuration next week. But until that time, I strongly warn the novice users to avoid running this rootkit in their PCs.

Remember, this is not a harmless test. It is a real rootkit and without making the above changes, it can seriously damage your computer.

Egemen

I don't agree with you. Disable DEP (or put the rootkit exe in the exclusion list) and then run the rootkit, and you will see Defence+ failing clearly against it. From your movies, it seems the rootkit was actually stopped only by DEP.

Hi Aigle,

Defense+ is not failing. It is not catching with its default configuration. There is no highest security in D+. It can be configured as high as we wish.

It requires a small configuration change as I stated above. Just add the entry I said to the protected files and you will be able to see the alerts in detail.

On the contrary, CFP, IMHO, is the only one which can properly prevent the harm from this rootkit.

I have played with the rootkit: a very malicious one. If I am not wrong, it uses the "blue pill" technique originally proposed to circumvent Vista!!!

Without D+ protection, the rootkit loads the driver. It does not attempt more serious harm; that's why the others seem to catch something simple like running an application etc. But the fact is it is able to drop some files to the windows folder if it succeeds with its malicious driver. It could very well infect a system file (say ntoskrnl.exe) and no HIPS could detect it. Then it would not need anything else.

The critical point here is to detect the driver before being loaded. When a driver is loaded, then the game is literally over.