Defence Plus bypassed by Kraken botnet? [RESOLVED]

I am not sure if my results are correct. It seems the file protection feature of Defence Plus is bypassed. Here is how I reproduce it.

I executed malware.exe (Kraken botnet). I get these pop-ups:

1- Explorer.exe trying to execute malware.exe - I allowed.

2- Malware.exe trying to modify itself - I allowed.

3- Malware.exe trying to create a randomly named executable in the system32 folder - I denied, but the executable was still created in the system32 folder.

4- Malware.exe tries to execute the newly created executable in the system32 folder.

I noticed that if I deny the second pop-up and then also deny the 3rd pop-up, malware.exe is not able to create an executable in the system32 folder, but if I allow the second pop-up and deny only the 3rd pop-up, malware.exe is able to create an executable in the system32 folder. It seems so weird. Can anyone confirm this? PM me to get the malware.

BTW I did this testing under Shadow mode of ShadowSurfer and I am still using an older version of CFP 3.0.18.309.

(:m*)PM an online mod to open the thread should this issue re-emerge(:m*)

[attachment deleted by admin]
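The sequence reported above (self-modification allowed, the creation of a randomly named executable in system32 denied, the dropped file executed anyway) is easy to check for mechanically once the HIPS alerts are written down as events. The following is an added example, not code from this thread or from Comodo; it assumes a constructed, hypothetical "actor action target verdict" log format with no spaces in paths, and the sample lines are made up to mirror the thread's report (pls.exe is the name quoted later in the thread; the Run key is a constructed autostart location). The check that matters for this bug is the last one: a CREATE that was answered DENY but whose target is later executed by the same process means the deny was not enforced.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample events in a hypothetical "actor action target verdict"
# format. This is not real CFP / Defence+ log output.
SAMPLE_EVENTS = r"""
explorer.exe EXECUTE C:\test\malware.exe ALLOW
malware.exe MODIFY C:\test\malware.exe ALLOW
malware.exe CREATE C:\WINDOWS\system32\pls.exe DENY
malware.exe EXECUTE C:\WINDOWS\system32\pls.exe ALLOW
pls.exe MODIFY HKLM\Software\Microsoft\Windows\CurrentVersion\Run ALLOW
notepad.exe CREATE C:\test\notes.txt ALLOW
"""

# An .exe written directly into <drive>:\Windows\system32 (case-insensitive).
SYSTEM32_EXE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Event:
    actor: str    # process that triggered the alert
    action: str   # EXECUTE / MODIFY / CREATE
    target: str   # file or registry path acted upon
    verdict: str  # what the user answered: ALLOW / DENY


def parse_events(text: str) -> List[Event]:
    """Parse the constructed four-field format; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(None, 3)
        if len(fields) != 4:
            raise ValueError(f"malformed event line: {line!r}")
        actor, action, target, verdict = fields
        events.append(Event(actor, action.upper(), target, verdict.upper()))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (finding, actor, target) tuples for the patterns in the thread."""
    findings = []
    # (actor, target) of executables dropped into system32 -> verdict given
    dropped: Dict[Tuple[str, str], str] = {}
    for ev in events:
        key = (ev.actor.lower(), ev.target.lower())
        # 1. A process rewriting its own image on disk.
        if ev.action == "MODIFY" and basename(ev.target) == ev.actor.lower():
            findings.append(("self_modify", ev.actor, ev.target))
        # 2. An executable being written into system32.
        if ev.action == "CREATE" and SYSTEM32_EXE.match(ev.target):
            findings.append(("exe_dropped_in_system32", ev.actor, ev.target))
            dropped[key] = ev.verdict
        # 3. The dropped file is executed by the same process. If its creation
        #    was denied, the file should not exist; executing it proves the
        #    deny was not enforced, which is the bug reported in the thread.
        if ev.action == "EXECUTE" and key in dropped:
            kind = "deny_not_enforced" if dropped[key] == "DENY" else "dropped_exe_executed"
            findings.append((kind, ev.actor, ev.target))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(*finding)
```

Run against the constructed sample, it reports the self-modification, the drop into system32, and `deny_not_enforced` for the execution of pls.exe; the notepad.exe line produces nothing. The same three checks can be pointed at whatever event source a tester actually has (a HIPS log export or a process monitor trace), provided the parser is adapted to that format.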

Do you have the system32 folder in the My Protected Folder list of D+? And are you running in Paranoid?

Of course, otherwise how could I get that pop-up?

Can you please urgently send this malware to me so that we can make sure there is nothing wrong?

thanks,
Egemen

Ah yes; didn’t look at the pictures too carefully. I haven’t been running Version 3 consistently for periods over 2 weeks either. Anyway it looks like when you allowed the second popup that the file modifies itself and has system privileges at that point. Guess we’ll have to wait for Egemen and co. to look at it.

I PMed you the link to download it. Thanks for your response. I am still not sure about my findings; I wonder if anyone can confirm it.

Would you mind sending me the link too?

Josh.

Hi Guys,

Seems NOD32 detected this “malware.exe” as a Win32/Srizbi.Gen trojan as I was moving the file from the Zip to my desktop.

I will post back my results after I disable NOD32 and see what CFP does.

Cheers,
Josh.

If third.jpg is true, it is one of the major issues so far.
Mr. Egemen, please inform us of your analysis results.

Yep. I have verified the bug. No worries. We have a scheduled release next week: Tuesday or Thursday. We fixed the issue and it will be available with the update.

This happens under some rare circumstances, so next week should be just fine for the update.

Thanks for the feedback,
Egemen

One of the fastest responses we have here at COMODO; some AV companies cannot deliver an AV database update in that time.
Many thanks Egemen :-TU :BNC (V)

Aigle,

I have a couple of questions:

  1. If you block malware.exe from modifying itself?
  2. When you block the execution of pls.exe, is this successful?
  3. If pls.exe is allowed to execute, what does CFP.exe see after this point?
  4. I assume this was done in a VM, as I hope to test it in one as well.

PS: Would you be interested in joining the testing forum?

Thanks OD

1- If I block malware.exe from modifying itself, it's blocked.
2- Yes, successful.
3- Some more alerts: auto-start reg entry, outbound access etc.
4- Tested in Shadow mode of ShadowSurfer.

Take care

Thanks for the very quick response and the fix. Much appreciated.

Well,

I am not even going to be bothered with CFP 3. Thanks for the fast reply and fix, Egemen!

Josh.

aigle,

Thanks for that malware. I received exactly the same results as you described in your first message when testing in my XP VM with CFP 3.0.22 BETA.

I can also confirm your findings, aigle (VMware, CFP 3.0.21.329, D+ Paranoid, Image execution control - Aggressive).
After allowing Malware.exe to modify itself, the randomly named .exe is created in the system32 folder (whatever your answer is); if you deny Malware.exe modifying itself, Malware.exe can be denied from creating the randomly named .exe in the system32 folder.

Thanks for your valuable findings here at Comodo forum :-TU

By the way, same findings with NeoavaGuard and ThreatFire, though TF later caught the executable when it started from system32.

Hmm, it seems a pretty common failure among “HIPS-like” defences.
What about our Chinese friends, EQsecure and Netchina S3: did you or someone from Wilders test these against Kraken, maybe?

EQS was OK.