Defence+ failed against malware

adric · February 10, 2008, 11:25am

Could someone please explain the purpose of \device\LanmanRedirector? I understand it has something to do with protected files/folders, but I don’t understand what the device level means and how this is used by the system. So far, I have received two alerts since I added it. One from Thunderbird and another for my download manager.

Thanks, Al

egemen · February 10, 2008, 8:41pm

It is related to raw disk access i.e. accessing the disk directly.

salmonela · February 10, 2008, 10:12pm

So, which is the group in which could be fitted best?
Important Files/Folders or…?

aigle · February 11, 2008, 4:02am

Ok, will try! Thanks

Ultra-Bot · February 11, 2008, 6:54am

egemen post:20:

Hi Aigle,

Defense+ is not failing. It is not catching with its default configuration. There is no highest security in D+. It can be configured as high as we wish.

It requires a small configuration change as i stated above. Just add the entry i said to the protected files and you will be able to see the alerts in detail.

On the contrary, CFP, IMHO, is the only one which can properly prevent the harm from this rootkit.

I have played with the rootkit: A very malicious one. If i am not wrong, it uses the “blue pill” technique originally proposed to circumvent Vista!!!

Without D+ protection, the rootkit loads the driver. It does not attempt more serious harm thats why the others seem to catch something simple like running an application etc. But the fact is it is able to drop some files to windows folder if it succeeds with its malicious driver. It could very well infect a system file(say ntoskrnl.exe) and no hips could detect it. Then it would not need anything else.

The critical point here is to detect the driver before being loaded. When a driver is loaded, then the game is literally over.

Hi, Egemen.

I wanted to ask you how to configure to protect all reagistry files at once, so CFP doesn’t fail any test anymore when it comes to self-protection?

Also, let’s suppose you click always allow for everything so that rootkit EZ is allowed to crash CFP 3.0-will then CFP 3.0’s self-protection be able to prevent unhooking caused by rookits (in this case rootkit EZ?

The good example I saw with Online Armor where an rootkit in test (real rooktit) was able to terminate HIPS of Online Armor, but Online Armor’s self-protection was able resist unhooking caused by rootkit.
What do you think?

Thank you for the reply.

salmonela · February 11, 2008, 2:45pm

Sorry, I am not Egemen, but I am interested in something, How Online Armor’s self-protection was able resist unhooking caused by rootkit? What is its HIPS, Part of some other application?
I think that rootkit isn’t interested in OA fancy GUI at all…
If rootkit loads its dirty *.sys, nobody can stop it from causing damage.
At “ring0” level everything can be “unhooked” and crashed…
Somebody correct me if I am wrong

Ultra-Bot · February 11, 2008, 3:36pm

See the link of the 10 HIPS, one of them is OnlineArmor:
http://membres.lycos.fr/nicmtests/Unhookers/unhooking_tests.htm

See the Rootkit Agent.EY test- Online armor detects the attempt to install a service/driver, but is not able to prevent its loading. But although service is running, Online Armor is not ‘killed’, thanks to its self-protection. No full SSDT restore.Its detection abilities are partially affected (4 hooks gone to the rootkit; those related to registry protection), but the rootkit couldn’t ‘kill’ Online Armor, unlike what this rootkit does with some other programs in this comparative. It is an illustration of the self-protection mechanism implemented in Online Armor.

I will send e-mail to this guy who tested those HIPS once again to finally see how does Comodo’s HIPS fare against these malware (these are real maklware by the way, I honestly don’t know how did he test them)

But I seek for help here as well. I need someone who who knows english more than I do (more professional in language and vocabulary) so this guy named Nicola (I think that’s his name) finally tests Comodo’s HIPS
Any help is welcome.

For example from where did Ragwing download these tests the same tests all of them you can find on Nicola’s website, also I’d honestly like this guy tests Comodo’s HIPS with the same malware samples as Dynamic Security Agent:
http://membres.lycos.fr/nicmtests/Dynamic-Security-agent-tests/DSA_index.htm

I’d honestly be grateful if someone could post this.

egemen · February 12, 2008, 2:49pm

Yep. Once the driver is loaded, the game is literally over. The others are probably refreshing their SSDT hooks which is a useless trick. if you load a driver, you can always bypass a HIPS. So drivers must be prevented from being loaded in the first place. That driver is doing much more than it is shown in the test web site. It is literally infesting the system without being detected.

So the harm was done. It can even update itself without being caught after that point just to bypass known HIPSs.

Edit: Please update to CFP 3.0.17.304 if you havent done so yet

aigle · March 4, 2008, 7:56pm

Hi egemen, I still don,t see \Device\LanmanRedirector added to my porotected files in latest version. Does that mean CFP is still vulnerable to this rootkit?

Thanks

salmonela · March 4, 2008, 10:33pm

As egemen already said it is now part of direct disk access monitoring.

aigle · March 5, 2008, 12:25am

So they included it in Disk Access in latest version? I don,t see any such info from egemen. He just seemed referring to the meaning of \device\LanmanRedirector. Are u sure?

Thanks

adric · March 5, 2008, 12:41am

Is this info enough? ;D

Al

salmonela · March 5, 2008, 12:54am

Yes, It is here since 3.0.17 (thanks for linky adric) and some other improvements are added like additional reg. keys monitoring, also in that build.

aigle · March 5, 2008, 12:29pm

Thanks adric and salmonela.

obperryo · September 23, 2008, 1:43pm

Regtest.exe still crashes, was there ever a fix for this. The test restarts your system, so I can’t fill in the and send the problem box that CIS is giving. Man, this sure drops my confidence in this software, failing the first test I try.

forcespawn · August 16, 2009, 5:14am

egemen post:18:

Hi Guys,

As an update to this topic, the default configuration of CFP, needs to be modified slightly to provide a complete defense against this type of rootkit. One should add \Device\LanmanRedirector to the my protected files in Defense+ to see the real harm that can be caused by this rootkit. Fortunately, CFP clearly warns the user with the heuristics before it is run. Experienced users may try adding this file and deny every single popup shown by the rootkit. Experinced users only! In a VM only!

We will be making the necessary changes and update the default configuration next week. But until that time, I strongly warn the novice users to avoid running this rootkit in their PCs.

Remember, this is not a harmless test. It is a real rootkit and without making the above changes, it can seriously damage your computer.

Egemen

egemen, you are right that once the driver is loaded, it is game over basically. my concern then, is over the method used to prevent the driver from loading. defense+ seems to rely on 3 different filters to prevent the driver from loading:

device driver
registry
protected files/folders

is it not possible to update defense+ to rely only on the first module? the number of registry entries that could be used to load drivers is vast! to include protection against every possible such entry would greatly increase the number of popups. the same is true of #3. plus, couldn’t someone modify the trojan slightly and take advantage of another line in the registry or another vulnerable folder directory that hasn’t yet been added? if the device driver filter was strengthened, wouldn’t that stop such rootkits far more effectively?

Dennis2 · August 16, 2009, 7:26am

Please do not post in topics which are outdated September 2008

Topic Locked

Dennis