IceSword rootkit detection

The program IceSword, which I have attached, is used to show invisible applications running, hidden files on the harddrive, hidden entries in the registry, and it can show a host of other things – message hooks, loaded drivers; it can kill absolutely any process running, unload DLLs, and so forth. It’s also a hidden application itself. Nothing else can kill it, and the only real way to stop it is to prevent it from running in the first place. Now I’ve heard there are some things that can prevent it from running (Sandbox might be one of them), and some things that can prevent it from terminating applications (ProcessGuard might be one of them), but I do not know this, and it’s not of my concern.

The problem is, Comodo Defense+ isn’t able to stop this program from running. It will alert you that IceSword is running, and IceSword is accessing this and that, but it can’t stop it. The only thing it did stop was IceSword from seeing SPI services (things like mswsock.dll). Otherwise, it sees all, kills all. And with that, I tested it and killed cmdagent.exe and cfp.exe. Now, I’ve done this before, but that was when I gave permission. This time I kept clicking block on everything Comodo warned me about, but since IceSword changes its process name every time it starts up, once it’s loaded, it’s impossible to stop.

I’ve attached the application to this post so no one has to go searching for it (it can be hard to find). I believe 1.20 is the same as 1.22 except 1.22 is translated into English (the buttons, anyway, the help file is still in Chinese).

Btw, some AVs may false detect this as a trojan. It is not. I even sent it in to the team at AVG and 30 minutes later they updated their definitions to ignore it.

Anyway, I think this is very important to be fixed (if possible) since, while IceSword -detects- rootkits, theoretically, a rootkit itself could do the same thing it does to bypass Comodo…

IceSword122en.zip can be downloaded from the following site:

http://public.www.planetmirror.com/pub/majorgeeks/spyware/

It can stop the loader (.EXE). If the loader is stopped, nothing else follows.

If you allow the loader, it can bypass some aspects of the firewall as you’ve stated.

Ewen

I just removed the IceSword rule from Defense+ settings. I then ran IceSword. Comodo notified me saying IceSword was about to obtain debug priveleges. I clicked block. IceSword did not start up.

I then immediately started IceSword again, without changing anything, and IceSword started. Comodo then warned me about IceSword modifying various DLLs, I clicked block. IceSword reported, “Initialization failed,” but IceSword did not close. I then terminated cfp.exe with IceSword.

I’ll do it all from the start here. I open Computer Security Policy under Defense+. Scroll down to IceSword.exe and remove it and hit apply. I am running Version 3.0.13.268 in Train with Safe Mode. However, for the sake of this, I’ll change it to Paranoid mode.

“IceSword.exe could not be recognized and it is about to obtain Debug privilege.”
→ Block this request + Remember my answer

IceSword starts. I go to Process under Functions:

“IceSword.exe could not be recognized and it is about to access the Service Control manager.”
→ Block this request + Remember my answer

Process list is shown anyway in IceSword, I can then terminate cfp.exe and cmdagent.exe

Okay, I’m going to set the Image Execution Control to Aggressive. IceSword is not listed under Computer Security Policy, so I’m assuming this means Comodo is going to treat it like a new program, just downloaded. Okay, on Paranoid mode, with aggressive turned on, it alerts me with…

“IceSword.exe was allowed to be executed previously. However a new parent application, IceSword.exe, is detected and it could not be recognized.”
→ Block this request + Remember my answer

“IceSword.exe could not be recognized and it is about to obtain Debug privilege.”
→ Block this request + Remember my answer

IceSword starts. I click on Process list

“IceSword.exe could not be recognized and it is about to access the Service Control manager.”
→ Block this request + Remember my answer

IceSword displays processes anyway, and I can kill comodo.

Just for kicks, I went into the custom policy settings for IceSword.exe and went into Access Rights and Protection Settings. I set everything I possibly could to block, and IceSword still starts up without a hitch, and in fact, Comodo doesn’t even warn me about anything, despite everything being set to block.

That’s because IceSword changes it’s process name. Right now it’s “bjzthoA0CAC7” – if I try to terminate IceSword with Task Manager it says operation could not be completed because “invalid access to memory location.” Comodo doesn’t even report an error when I try to terminate IceSword with it. Instead, it just can’t do it.

Hmmmm? I’ll have a play with it later tonight when I get home. Sword’s a great tool, isn’t it? I’ll play with gmer as well and see how it goes.

Cheers,
Ewen

Did a quick test at work.

• Downloaded IceSword archive from the link you provided and extracted the folder form the ZIP.
  When I double clicked the executable from the folder I received a Defense+ alert (D+ running in Train with Safe mode).
• I clicked BLOCK and REMEMBER.
• Alert vanished and Windows dialogue appeared stating “Windows cannot access the specified device, path or file. You may not have appropriate permissions to access them.”.
• Further attempts to start the IceSword executable resulted in the same “Windows cannot …” message.

Curiouser and curiouser
Ewen

That’s really weird that it’s able to block it on your system and not mine. I have yet to be able to block it…

The Defense+ aleert I got was about EXPLORER.EXE trying to start ICESWORD.EXE. Did you trap it at this point, or was the root executable allowed to start?

Ewen

Okay, here’s what I did to get back to where you are (kind of, as you’ll see):

First, I restarted my computer – that seemed to play a big role in this, as IceSword creates a driver which allows it to bypass all the security I guess. I never get an explorer.exe trying to start icesword.exe message. Instead, I get icesword.exe trying to run icesword.exe, which I block. It then alerts me that it’s trying to access COM interface, which I block, and alerts me about icesword trying to obtain debug privs, which I block. The part that keeps changing now is this:

“IceSword.exe could not be recognized and it is about to create a new file/folder C:\WINDOWS\system32\drivers\wmisvd.sys”

The wmisvd part changes every time I start up icesword, but as long as I select block, IceSword fails to start. That’s good! I get an initialize fail message and icesword closes (figuratively).

Yeah, so, even though I can’t get the same results as you, it blocks it from creating the drivers (there’s a whole bunch of registry keys it creates after creating the drivers) instead of blocking the EXE (even though I told it to block the EXE).

Just goes to show how much damage can be done if you do allow something to run!

panic you are probably using 3.0.14 which now asks about explorer executing applications.
3.0.13 does not ask about explorer.

This was tested under both 3.13 and 3.14 with identical results. I believe the OP’s issue was caused by IceSword being allowed to run in the first place.

Ewen

Hrm, that’s good to know – regardless, I had to restart my computer to get Comodo to start properly blocking it. The funny thing is, once you run it a first time, you can run it over and over without Comodo being able to block it, even though all the settings in Comodo for the EXE are set to block.

I mean, there was another thread where a program was breaking through and the person was wondering why Comodo wasn’t blocking it. The answer was the same here, don’t let the program start in the first place. But that in itself is kind of weird. What happens if you DO let a program you think is safe run the first time, and then you can’t stop it afterwards? Because once you let IceSword run a first time, Comodo can’t stop it from running after that if you allow it to create all those drivers. Like I said, I tried and tried to block it, but it wouldn’t stop it. Only restarting my computer to unload all the drivers and what not worked…

That is interestng. The only thing I can think of is that if you allow it to run the first time and then manually set the applcations settings to BLOCK in CFP, the BLOCK settings are only applied to any future instance of the app starting, not to any instance already running in memory.

I’ll try and do some more testing over the weekend.

Cheers,
Ewen