How a firewall and an anti virus can save your bacon!

JUST LIKE THE WRESTLING – DON’T TRY THIS AT HOME

I decided to see how Comodo Personal Firewall and Comodo AntiVirus/Spyware would work together to keep out a known infection.

The test process involved a “honeypot” (a deliberately open or insecure system designed to attract attention) running Windows 2000, and a server also running Windows 2000.

These two systems were not connected to the internet.

The honeypot was initially configured with Windows 2000 SP2 and no security software. An image was then taken of this system; this image was later reloaded onto the honeypot and modified for the second stage of the test.

The server was a replica of a web site, no longer in existence, that housed the Trojan and its associated applications and scripts. One of the scripts searched for vulnerable systems and pushed malware to any targets it located. The malware was a Trojan known as deloder.a, which uses port 445 to attempt to gain access to a system.

I realize that the deloder.a Trojan is not the newest, or the most virulent infection that could be used, but it is one that can be run in a segmented, controlled manner.

HOW THE TROJAN CONTACTS AND INFECTS A SYSTEM

The server ran a port scan for vulnerable systems within a randomly generated range of IP addresses, attempting to connect via port 445 (SMB over TCP). Once it discovered a vulnerable system share (\\[system]\IPC$), it used its rudimentary password dictionary to try to establish a remote connection to it. This password dictionary was very, very simple, containing a list of around 250 commonly used words or character sequences (such as “BLANK” (no password), “administrator”, “password”, “Password”, “login”, “1234567890”, “12321”, etc.).

Once the Trojan had successfully connected to the honeypot, it used a program called PSEXEC.EXE (from SysInternals) to remotely copy the Trojan files to the honeypot. It then initialized the Trojan on the honeypot, so that the honeypot then started running port scans on another randomly generated IP range.
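From the defender's side, the dictionary attack against IPC$ described above shows up as a burst of failed network logons from one source in the Security log. The script below is an added example (not code from the original post or from Comodo) that runs a simple sliding-window detection over a constructed, simplified rendering of such records; it assumes failure auditing for logon events is switched on, which Windows 2000 does not do by default, and that the records are in time order.

```python
"""Flag SMB password guessing against IPC$ from failed-logon records.

Added example, not part of the original post. SAMPLE_LOG is a constructed,
simplified rendering of Windows failed-logon audit records (assumption:
'Audit logon events: Failure' is enabled, which Windows 2000 does not do
by default). Fields: date, time, source host, target account, share.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six rapid failures from one host, two slow ones from another.
SAMPLE_LOG = """\
2003-03-09 01:12:03 192.168.10.50 administrator IPC$
2003-03-09 01:12:04 192.168.10.50 administrator IPC$
2003-03-09 01:12:04 192.168.10.50 Administrator IPC$
2003-03-09 01:12:05 192.168.10.50 administrator IPC$
2003-03-09 01:12:06 192.168.10.50 administrator IPC$
2003-03-09 01:12:06 192.168.10.50 administrator IPC$
2003-03-09 01:30:00 192.168.10.7 jsmith IPC$
2003-03-09 02:10:00 192.168.10.7 jsmith IPC$
"""


def parse_line(line):
    """Split one constructed record into (timestamp, source, account, share)."""
    date, time, src, account, share = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), src, account, share


def detect_password_guessing(log_text, threshold=5, window_seconds=60):
    """Return {source: {"failures": n, "accounts": [...]}} for every source
    whose failed logons against IPC$ reach `threshold` inside any
    `window_seconds` span. Records are assumed to be in time order."""
    recent = defaultdict(deque)   # source -> timestamps inside the current window
    accounts = defaultdict(set)   # source -> account names it tried
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, account, share = parse_line(raw)
        if share != "IPC$":
            continue                       # only interested in the admin share used here
        window = recent[src]
        window.append(ts)
        accounts[src].add(account)
        # Drop failures that have aged out of the sliding window.
        while window and ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold:
            hit = alerts.setdefault(src, {"failures": 0, "accounts": []})
            hit["failures"] = max(hit["failures"], len(window))
            hit["accounts"] = sorted(accounts[src])
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_guessing(SAMPLE_LOG).items():
        print(f"possible password guessing from {src}: {info}")
```

The threshold and window are the knobs a practitioner tunes against the noise on a real network; the same records, with a firewall in front of port 445 as in the later part of the test, would simply never be generated.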

The files that were copied to the honeypot were:

IRC Trojan components (deloder.a)
VNC server and client components (a remote access tool for networks)
Cygwin1.dll (required for the IRC trojan)

The worm/Trojan attempts to drop the Trojan installer (under various names) into the following share folders on the compromised system. This simply gives the worm/Trojan author multiple ways to start it at user logon if it does not start at system startup:
c$\winnt\All Users\Start Menu\Programs\Startup\inst.exe
c$\winntStart Menu\Programs\Startup\inst.exe
c$\Documents and Settings\All Users\Start Menu\Programs\Startup\inst.exe
c$\winnt\All Users\Start Menu\Programs\Startup\dvldr.exe
c$\winntStart Menu\Programs\Startup\dvldr.exe
c$\Documents and Settings\All Users\Start Menu\Programs\Startup\dvldr.exe

dvldr32.exe and inst.exe are the worm/Trojan package files, and are supposed to be deleted after the Trojan has been run from the “Startup” directories. The original copy of inst.exe in c:\winnt\system32 was still intact. A further instance is renamed to “rundll32.exe” and stored in the \winnt\fonts folder.

The cygwin1.dll file was placed in the \winnt\system32 folder. This file is required for VNC, and its presence indicates the source was originally developed for a Linux environment and compiled for the Windows platform using Cygwin. One instance of the Trojan loader (inst.exe) is installed in the \winnt\system32 folder, with another copy in the \winnt\fonts folder. All other files were copied to the \winnt\fonts folder.

The winnt\fonts folder has one odd attribute: if you open an Explorer window on this folder, it will only display files that are registered on the system as font files, regardless of what other files are in the folder. This makes it a great place to hide things. The only ways to see the non-font files are to run a Windows Search on the fonts folder for . or to use the DIR command in a command prompt window.

Registry values were added to automatically run the Trojan at the system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: Explorer
Data: c:\winnt\fonts\explorer.exe
Value: TaskMan
Data: c:\winnt\fonts\rundll32.exe

The VNC server (V3.3.3.9) had been renamed to “explorer.exe” to avoid casual detection. When installed on the honeypot, a registry entry was created that contained the encrypted password for the VNC server - HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3. Decrypting the password showed it to be “strict”. The VNC executable was unmodified from the version that could be downloaded from the internet at the time this trojan was around.

The following registry keys and values were added by the deloder.a Trojan to configure the VNC server:

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"Password"=hex:f3,40,bb,c8,07,36,de,47
"PollUnderCursor"=dword:00000001
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000001
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000001

As you can see, deloder.a is a busy little sucker when it gets into your system. It uses multiple locations to hide itself, an encrypted password to prevent modifications to one of its contact mechanisms (the renamed VNC server), and a quirk of the Windows OS to prevent casual discovery (hiding stuff in the fonts folder).

WHAT HAPPENS WHEN THE TROJAN RUNS

When the deloder worm starts, it launches “\winnt\fonts\explorer.exe”, which is in reality just a VNC server. It opens TCP ports 5800 and 5900 and listens for VNC requests. If a VNC client requests a connection to the honeypot and provides the right password, the remote user of that client can control the honeypot or simply watch every single keystroke and mouse move.
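The artefacts listed above (the Run values pointing into \winnt\fonts, the WinVNC3 key, non-font files hidden in the fonts folder, and the VNC listeners on 5800/5900) are exactly what an incident responder would check for on a suspect host. The script below is an added example, not code from the original post or from Comodo, that runs those checks over constructed offline stand-ins: a .reg-style export of the two keys with the values quoted in the post plus one constructed benign entry, a DIR-style listing of the fonts folder, and a few lines in the shape of netstat -an output. The "expected" locations of explorer.exe and rundll32.exe and the list of font extensions are assumptions built into the checks.

```python
"""Triage a Windows host for the deloder.a persistence described above.

Added example, not part of the original post. All inputs are constructed
offline stand-ins; the expected directories for explorer.exe / rundll32.exe
and the font extension list are assumptions of this demo.
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VNC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3"

# Constructed .reg-style export: the two keys from the post plus one
# constructed benign Run entry so the check has something to pass.
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="c:\\winnt\\fonts\\explorer.exe"
"TaskMan"="c:\\winnt\\fonts\\rundll32.exe"
"Benign Example"="c:\\winnt\\system32\\mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"Password"=hex:f3,40,bb,c8,07,36,de,47
'''

# Constructed DIR-style listing of \winnt\fonts (Explorer would show only the fonts).
FONTS_DIR_LISTING = "arial.ttf\nvgasys.fon\nexplorer.exe\nrundll32.exe\ninst.exe\n"

# Constructed lines in the shape of 'netstat -an' output.
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
"""

# Assumptions for the checks, not facts from the post.
EXPECTED_DIR = {"explorer.exe": r"c:\winnt", "rundll32.exe": r"c:\winnt\system32"}
FONT_EXTENSIONS = (".ttf", ".ttc", ".fon", ".otf")
VNC_PORTS = {5800, 5900}


def decode_value(value):
    """Decode the three .reg value encodings used here: string, dword, hex."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace("\\\\", "\\")      # .reg doubles backslashes
    if value.startswith("dword:"):
        return int(value[6:], 16)
    if value.startswith("hex:"):
        return bytes(int(b, 16) for b in value[4:].split(","))
    return value


def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: decoded_value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, value = line[1:].partition('"=')
            keys[current][name] = decode_value(value)
    return keys


def check_run_entries(keys):
    """Flag Run values launched from the fonts folder or look-alike system binaries."""
    findings = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        exe = cmd.split()[0].lower()            # naive: first token is the path
        directory, _, basename = exe.rpartition("\\")
        if "\\fonts" in directory:
            findings.append(f"Run '{name}' starts {exe} from the fonts folder")
        elif basename in EXPECTED_DIR and directory != EXPECTED_DIR[basename]:
            findings.append(f"Run '{name}' runs a look-alike {basename} from {directory}")
    return findings


def check_vnc(keys):
    """Report a WinVNC3 configuration that accepts network connections."""
    vnc = keys.get(VNC_KEY)
    if vnc is None:
        return []
    findings = [f"WinVNC3 configuration present ({len(vnc)} values)"]
    if vnc.get("SocketConnect") == 1:
        findings.append("VNC server accepts network connections (SocketConnect=1)")
    if isinstance(vnc.get("Password"), bytes):
        findings.append("stored VNC password blob: " + vnc["Password"].hex())
    return findings


def non_font_files(listing):
    """Return the files in a fonts-folder listing that are not font files."""
    return [f for f in listing.split() if not f.lower().endswith(FONT_EXTENSIONS)]


def vnc_listeners(netstat_text):
    """Return the VNC ports found LISTENING in netstat-style output."""
    ports = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            port = int(parts[1].rsplit(":", 1)[1])
            if port in VNC_PORTS:
                ports.append(port)
    return sorted(ports)


def triage(reg_text=REG_EXPORT, fonts_listing=FONTS_DIR_LISTING, netstat_text=NETSTAT_OUTPUT):
    keys = parse_reg(reg_text)
    return {
        "run_entries": check_run_entries(keys),
        "vnc_config": check_vnc(keys),
        "hidden_in_fonts": non_font_files(fonts_listing),
        "vnc_listeners": vnc_listeners(netstat_text),
    }


if __name__ == "__main__":
    for section, items in triage().items():
        print(section, items)
```

On a live host the same functions would be fed the output of regedit's export, DIR on the fonts folder, and netstat -an; the point of keeping the inputs as plain text is that the checks can also be run against evidence copied off a machine that is no longer trusted.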

When this worm/Trojan runs, it attempts to remove the following network shares:
ADMIN$
IPC$
C$
D$
E$
F$

This worm/Trojan attempts connections to many different IRC servers. As there was no internet connection to or from the honeypot, no connection could be made. Because of the age of the deloder.a Trojan, all of the IRC servers it is programmed to contact have since been dealt with. During its most active period, there could have been up to 18,000 IRC connections from this one installed instance of the Trojan.

Due to the lack of an internet connection on either the honeypot or the server, the honeypot would simply suffer the infection and the Trojan would sit there, repeatedly trying to contact the IRC servers to report home and/or receive additional files or commands. The Trojan's activity consumes approximately 20% of available CPU time, causing a noticeable slowdown on the affected machine.

The end result is that your system can be easily monitored or even controlled by anyone who knows your IP address and the password for the VNC server. Deloder.a doesn’t harm your system as such, but it lays your system open for whatever abuse the controller of the Trojan chooses to push down to it.

He or she can do whatever they feel like to your system.

WHAT HAPPENS WHEN COMODO FIREWALL IS INSTALLED

The next stage of the test will repeat the infection process but only after Comodo Personal Firewall has been installed. The two systems were disconnected from each other while the honeypot was prepared for this next test.

The pre-infection image was restored onto the honeypot PC and Comodo Personal Firewall (V2.3.6.81) was installed in its default configuration.

The honeypot was then re-connected to the server so infection could re-occur. As soon as the server attempted a port scan of port 445, the scan failed because CPF had correctly stealthed the required ports (135 and 445, TCP/UDP). Since CPF effectively hides the PC from the infecting agent, the infection cannot take place. Score 1 for Comodo.

WHAT HAPPENS WHEN COMODO ANTI VIRUS/SPYWARE IS INSTALLED

The next stage of the test will repeat the infection process, but only after Comodo Anti Virus/Spyware has been installed and Comodo Personal Firewall has been uninstalled. The two systems were disconnected from each other while the honeypot was prepared for this next test.

The pre-infection image was restored onto the honeypot PC and Comodo Anti Virus/Spyware BETA with HIPS (V2.0.0.1) was installed in its default configuration.

The honeypot was then re-connected to the server so infection could re-occur. As soon as the server attempted a port scan of port 445, the scan succeeded, as there was no firewall installed this time. Once a remote connection had been established to the honeypot, the server attempted to copy the Trojan files to the honeypot using PSEXEC.EXE. The HIPS component of CAVS immediately popped up a dialogue warning that PSEXEC.EXE was attempting to start and asking whether it should be permitted.

Score 1 for CAVS.

Even when PSEXEC.EXE was allowed to start, CAVS immediately reported the creation of the files being copied onto the honeypot and asked for approval. When these files were allowed to be written to the hard drive, the attempted initialization of the Trojan loader was immediately reported by the HIPS component.

Score 2 for CAVS.

When this loader was allowed to run, CAVS next detected the VNC server being started (under the name “\winnt\fonts\explorer.exe”).

Score 3 for CAVS.

A full CAVS scan of the honeypot’s C: drive resulted in the successful detection and removal of the deloder.a trojan and its components.

He shoots. He scores! It’s all net!

SUMMARY

Separately, Comodo Personal Firewall and Comodo AntiVirus/Spyware were each able to successfully and pre-emptively detect and prevent the deloder.a Trojan from entering the test system. Even when I explicitly allowed the Trojan loader in, CAVS was able to detect the file creations, deletions and executions required for the Trojan to do its stuff.

With either of the Comodo applications, one click on the DENY button is sufficient to prevent the access or infection of the honeypot.

While the traditional two-layer anti-virus model (1) detection and 2) removal) has served us well, the three-layer model introduced by CAVS (1) prevention, 2) detection and 3) removal) reinforces the concept of a secured, hardened perimeter around your PC, with advanced detection monitoring the “interior” of your PC.


We hope the above article was useful to you, and we would like to invite you to join our forums to discuss this or other security issues you may have, get your questions resolved, or just help the Comodo community.

[i]Thank you,

Sincerely, Comodo[/i]

This is good to hear for all of us. Is there any way to run this test with a more recent virus/trojan?

Thanks for doing the test, not trying to be critical, just asking. :slight_smile:

Hi panic, Comodo Antivirus 2.0 Beta has an optimal percentage of survey to malware? (L)