I just got hacked! - Viruscope and the concept of whitelisting

I just got hacked!

Okay, let me explain. A friend of mine works with forensics and penetration testing, and we agreed to do a little test of the latest version of Comodo Firewall with the setting “Clean PC Mode”. We simulated a drive-by attack and he ran a script on my PC. The script did not execute any actual malware on my computer but instead manipulated the Windows component powershell.exe to do the dirty work. Through Powershell he got full access to my microphone as well as webcam, and were also able to execute other programs etc. Not a single pop-up from Comodo Firewall.

The explanation must be that Defence+ was set to “Clean PC Mode”, thereby trusting all currently installed programs, including of course all build-in Windows components such as PowerShell. What caught me by surprise was that he could hack my PC this way, without any actual malware executing on my PC. Of course any new executables would have coursed a reaction from Defence+, but PowerShell was already a whitelisted program.

So perhaps the whole concept of whitelisting programs, which CIS is based on, does have it’s limitations against a skilled attacker.

Any comments so far?

I now wonder how much better the Defence+ will handle this kind of attack if I choose Safe Mode or Paranoid mode.

Also, here is a question I really hope some of you know the answer to:
Is the sensitivity of Viruscope (a behavior blocker if I’m not mistaken) influenced by choosing Safe Mode or Paranoid mode rather than Clean PC Mode? Or can it be made more sensitive in some other way, so that perhaps it will react when a program like Powershell performs potentially dangerous actions?

Was the malicious file on the computer when you set to clean pc mode?

Was the file put in autosandbox?

Didnt you get any question about this file doing something?

Clockwork, thanks for responding. To answer your questions:

Was the malicious file on the computer when you set to clean pc mode?
No. In fact, the only malicious "file" was a script that triggered Powershell to do pretty much anything the penetration tester wanted to.
Was the file put in autosandbox?
I don't think Defence+ saw the script at all, as it was not an executable file. I looked in Unrecognized Files as well, but there was nothing found.
Didnt you get any question about this file doing something?
No, there was absolutely no-reaction or pop-up to be seen from Comodo Firewall. But again, the actions were perform by injecting this script into Powershell, and Powershell being a Windows component was already whitelisted.

Makes sense?

Describe what actually happened.
What placed or executed the script? How did it enter?
What does it do?

Was the script at place when you entered clean pc mode?

Also you could post the script text to a moderator in a message.

What happens if you upload the script to virustotal?

How large is the script file?

What happens in safe mode? Which configuration do you use? Proactive?

Is autosandbox enabled?

Can you describe step by step how you simulated a drive by attack? Are you using the Internet Security suite?

I am using Comodo Firewall, not the whole Internet Security Suite.

I cannot give you all details about the script being used and I cannot upload it to VirusTotal, as my friend relies on it to remain undetected in order to use it for future penetration testing. I can say however that it does not look complicated or fancy at all. In fact, it is only two lines in a .vbs file that I clicked on (he emailed it to me). It’s about 200 bytes. Setting up a server that I should then visit as in a drive-by-attack would have taken longer for him, but the result should be the same. So the idea was to simulate that I visited a website that exploited some vulnerability on my system. By exploiting the vulnerability the script would run. The script calls back to my friend who (as I understood it) used an interpreter to add extra functionality to Powershell. This enabled him to access webcam, microphone, execute other programs etc.

I had Comodo Firewall enabled with Clean PC Mode for about a half year before the script was emailen to me. And again, there was no reaction from Defence+ not even in Unrecognized Files. I assume Defence+ simply does not monitor .vbs files. Is that correct?

I have not tried Safe mode yet and I think I might go directly for Paranoid Mode from now on. Perhaps at some point we can do some further testing.

Proactive Security Mode was activated and the sandbox was enabled.

Does all this make some sense now, considering the security level I had chosen at the time?

The Key factor for me here is ‘Clean PC Mode’. Which doesn’t sound to be much different then training mode. I think Safe Mode would have been enough to pop an alert about the script.

Btw how did you ‘simulate’ this ‘drive-by attack’? i.e how was the vbs script deployed and then executed?

It is actually much different, Training mode will add allow rules for all applications run, Clean PC Mode when activated will assume that all files present on the system at activation are safe but any new files introduced to the system will go through the normal lookup and get untrusted/unknown/safe rating etc. So if the information in this thread is correct, then I’d assume it wasn’t because of Clean PC Mode.

I don’t think Safe Mode would be enough to pop an alert about the script, because apparently the script was not visible to Defence+ at all.

As I recall, I simply clicked the .vbs file, thinking it would be unrecognized and hence either sandboxed or would cause some pop-ups. Instead my friend just got total control of my PC.

As I understand Clean PC Mode it should protect against any new files on the system, so it should be very effective against any normal malware which enters the system as normal executable files. This all make sense to me… IF I am correct in assuming that Defence+ does not see .vbs files. Can someone confirm if that is the case?

I don’t know the script that was used in this case so I can’t comment on that, however I created a .vbs file with the following code.

Dim objShell
Set objShell = WScript.CreateObject( "WScript.Shell" )
Set objShell = Nothing

And upon double-clicking it I received an alert that Explorer.exe was trying to execute the .vbs file in question, then a bunch of verbose alerts for the vbs script and then was alerted that the .vbs file was trying to launch Powershell; So no, Defense+ does actually monitor .vbs scripts.

Is it possible you had the sandbox enabled? In CIS 8 the sandbox is enabled by default and will sandbox files as fully virtualized, files in fully virtualized sandbox do in some ways have more freedom than in partially limited but they can’t touch the “real system” the downside is however that things like webcams can easily be monitored in this mode.

If your friend would be able to supply a modified script or something similar so that we could test it, that would be preferable but I understand if that isn’t possible, although without the file in question it’s hard to come to a definite conclusion, it seems to me however that this is a possible issue with configuration?

If you have time, it would be most appreciated if you could start a completely new config and then enable HIPS and disable Sandbox and then do the test again without any further configuration changes, that would provide a clear answer on if it’s your configuration that has something that would allow it. Please do remember to keep a backup of your actual configuration so that you won’t lose it in testing, if you choose to test.

Edit: Is it perhaps possible that you had HIPS in Clean PC Mode, downloaded the script and then changed HIPS to another mode and then back to Clean PC mode? I believe that that could perhaps reset the Clean PC mode so that all files on the system previous to enabling it the last time are then trusted, but I’m not sure about that.

Edit 2: Also if you have auto-sandbox enabled, it could possibly have given you an alert about the vbs script wanting unlimited access or something similar, answering to run it unlimited will let it do just that, not sandboxed and no HIPS alerts even if HIPS is enabled. (Just throwing out possible things that could have resulted in the scenario you’ve reported)

Okay, so .vbs files ARE monitored, thank you for the clarification.

Yes, the sandbox was enabled. So as you say, the .vbs file may have been fully virtualized, hence the lack of pop-ups? I think this may be the explanation, although it seem like inadequate protection when an unrecognized file that is run virtually, are still able to monitor webcam and microphone, execute other programs etc. To me it seems like a good argument for not using “Clean PC Mode” and/or the sandbox.

Also, if the .vbs file was run “fully virtualized”, shouldn’t it show up in Unrecognized Files? I looked for it, and it certainly was NOT there.

As a side-note, my friend also have tested Comodo Firewall in default configuration and were again able to gain the same level of access to the test-PC as he did with my PC. So how to prevent this? I wonder if disabling the sandbox is all it takes, or if choosing Paranoid Mode is also required. I would love to hear you guys opinion on that.

As of now, I agree that this seems like an issue with my configuration, and I have now disabled the sandbox. I initially saw the sandbox as an additional layer of protection, but apparently is has really just given me a lower level of security. At least with this combination of the Sandbox and “Clean PC Mode”.

Oh, and thanks for taking the time to help me figure this out (goes for all or you of course). Your time and assistance is most appreciated. Thank you.

You should have received a notification that the .vbs script had been sandboxed as fully virtualized (unless you’ve turned off logging)

Fully Virtualized sandbox is mainly for protecting the host computer from infection, if you get infected in the FV sandbox it will contain all changes within the sandbox so that you can easily reset it, an issue is however that you can’t really “virtualize” a webcam in the same way so CIS either has to allow programs to use it or block them and I believe they chose allow for usability, I do however believe that programs in the background would be prohibited(?). CIS 8 uses FV sandbox as default whereas before it was Partially Limited, I believe Partially limited would give a basic protection of webcam and such, in the new CIS 8 policy based sandbox you can now set it up yourself so that files run in Fully Virtualized with Partially Limited (or higher) restrictions.

I personally don’t see where Clean PC Mode comes into this, HIPS can’t act in the Sandbox, it’s either the sandbox that deals with the file or HIPS, not both. You can’t get the sandbox to virtualize a file and then get HIPS to show alerts for that file (Although I do have a wish for that, but I don’t expect them to implement it) You can change the Sandbox settings yourself to get a better protection from various forms of data stealing malware.

If the file is unknown then it should get added to the unrecognized files list and hence also be sandboxed as fully virtualized (by default) upon execution, however as you mention that the file wasn’t added to the unrecognized files list I think that it is possible that the file in question was somehow trusted, could you please provide the SHA1 hash of the file in question, if possible? Also, is the file signed with a digital certificate?

As I don’t have the test file in question I can’t comment on that, it’s possible that the file in question is actually in the trusted files list, or that the file has been signed and that the signer is in the trusted vendors list.

Honestly, all I can do is speculate if I don’t have access to the file in question, but as you mention that the file wasn’t in the unrecognized files list, I do believe it is possible that the file is somehow trusted although I don’t know how or why.

As for logging I believe I had enabled ”Write to Local Log Database” but disabled ”Write to Windows Event Logs”. Not sure if that explains it, but if the pop-up was only there for a few seconds I may have missed it while looking at my friends screen when he fired off his attack.

Also, I have to correct myself. Checking again the script IS in fact in Unrecognized Files. So my mistake, and mystery solved it seems.

I think you are right. Clean PC Mode may not have anything to do with this. It seems to be me who should have looked more closely at the changes made to CIS 8 before upgrading. The difference between the previous ”Partially Limited” and the current ”Fully Virtualized” seems to be important to get right.

Good point about using either sandbox or the ”classical HIPS” in CIS 8. I’ll stick to HIPS for now.

This of course is about my friends previous attack against CIS with default settings, so Safe Mode. I don’t think the file used in this attack was in the trusted files list or that it was signed (the .vbs file used against my PC wasn’t, I just checked), but perhaps a similar or identical method was used where the malicious script-file was unrecognized and hence became Fully Virtualized. My friend is new to CIS so when he saw that he had access to webcam etc. he must have concluded that he had bypassed CIS. I’m not sure if he also restarted the PC to check if he then still had root. So perhaps we now have the answer to this mystery too.
He did notice by the way, that in Paranoid Mode CIS responded with pop-ups when he tried to hack the PC (I guess he still had the sandbox enabled). But apparently the default mode was not enough to stop the attack, only to prevent his access from being persistent on the system. At least, that’s how I currently understand it.

Since I have now disabled the sandbox, I assume that running the script again (as it is still unrecognized) will now cause a pop-up about whether I would like to run it. I also assume that it should work like that even in Clean PC Mode. Agree?

Yes, as long as the file isn’t present on the system when you switch to Clean PC Mode.

I just tried clicking on the script-file again, and as expected it is now stopped and causing a pop-up. I would expect so as I am now running in Paranoid Mode with the sandbox disabled. Interestingly, the pop-up is not about the script-file itself trying to execute, but about the script-file trying to execute powershell.exe. As if the script-file is first allowed to execute and then stopped once it tries to do something.

Is that intended behavior? Shouldn’t I also receive a pop-up about the script-file itself executing?

To quote the manual:
“With Defense+ activated, the user is warned EVERY time an unknown application executable (.exe, .dll, .sys, .bat etc) attempts to run. The only executables that are allowed to run are the ones you give permission to.”

It depends on your other HIPS applications rules, for example I assume that you are trying to launch the application by double-clicking on it from explorer, this means that explorer.exe will be trying to launch the script; if you go to your HIPS applications settings then scroll down until you see %windir%\explorer.exe then check what it’s treated as, Windows system application? Custom ruleset? If it’s set up as Windows system application then that means that explorer.exe will be allowed to execute applications (whether or not they are trusted); If it’s set to custom ruleset then right-click the entry and click “edit” and then in the new window you should see “Run an executable” and to the right of it there should be “exclusions” click that and see if the script in question is entered into the exclusions.

Explorer.exe is indeed set as a Windows System Application, so that makes sense.

I guess in a real drive-by attack with a vulnerability being exploited on my system, it would be the exploited program that tried to launch the script-file. So it would probably be something like Adobe Flash Player trying to execute the script, which would then be blocked and cause a pop-up about the activity. And if I made the mistake of allowing Adobe Flash Player to execute the script, then I would get the pop-up about the script trying to execute powershell.exe.

I think I’m running out of questions for now, but comments are both welcome and appreciated.

How was the script file executed? Comodo watches program behavior, not user behavior. If the user executes the script, then it was intended to be executed and allowed by Comodo.

I think the explanation is as described by Sanya. I simply double-clicked the file, so if I understand it correctly, that means that explorer.exe was executing the script. I had explorer.exe set as “Windows System Application” meaning that it had permission to execute other programs (even if the other program is unrecognized). So that explains how the script could execute although I had not explicitly given it permission to do so.
In a drive-by attack it would probably not be explorer.exe that got exploited and tried to run another program, so in a real attack I would most likely get a pop-up and the chance to block the attack. So although this may at first glance seem like a security issue with CIS, I now understand that it probably isn’t. It would only be a potential issue if an attacker could exploit a vulnerability in explorer.exe, which seems unlikely to me (any different or supplementing opinions?).

Interestingly, even programs that are set to “Allowed Application” WILL cause a pup-up when trying to execute other programs. This makes good sense I think, because you might choose to have your browser and plugins set as “Allowed Application”. Vulnerabilities in such programs are commonly exploited and could cause the “Allowed Application” to try to execute a malicious script or other malware. But this will be blocked by the HIPS and cause a pop-up about, say, your Firefox trying to execute evilscript.vbs.
And even if you allow that, your should also get a pop-up about the script trying to execute powershell.exe, if that is what it wants. Just note that for this to work in CIS 8, the auto-sandbox need to be disabled. Otherwise the unrecognized script will be run “Fully Virtualized” and still be able to do its evil deeds, at least until your next reboot. Quite important to understand I think, because the auto-sandbox is enabled by default and may not give the user the expected security.

That’s how I understand it. I’d love to be corrected if any of this should not be correct of accurate.