Malware bypasses Comodo with proactive profile

Tested with 4.1.150349.920 (paranoid mode, sandbox disabled) on Win XP SP3.
When I start the malware Comodo doesn't give any pop-up and svchost.exe connects to 77.78.240.88:80.
As you can see here, it's the IP of a malware site:

http://www.ld-host.de/uploads/thumbnails/24c4a8509f4609739c87877e8435c5eb.png

Online Armor warns correctly:

http://www.ld-host.de/uploads/thumbnails/2f7025190c798021c5e94159c05f42f6.png

http://www.ld-host.de/uploads/thumbnails/13bd7f62b358477e403378945eca1255.png

http://www.ld-host.de/uploads/thumbnails/c9bf2ac0b1a5be59fe8d1527cd8a5865.png

Download the sample (you need to be a member of the malware research group):

It was Ovidiu G.'s submission.

I tested debot.exe with Sandbox enabled; I was not notified of any connection to the outside and I could not see that a connection was established with those IPs. I also checked with avz4. The only connections that I've seen with those IPs were from Firefox.
Can anyone else confirm this?

[attachment deleted by admin]

Yup Ovidiu G, that's because any sandboxed application can't access any other process in memory.

So there is no bypassing after all, and as you can see Comodo actually blocked the trojan without a single pop-up :slight_smile:, thanks to the default setting :slight_smile:. So if you allow me to compare, I'd go with Comodo since it did the job without annoying the user with unnecessary pop-ups :slight_smile:. I can say that OA is Comodo 3 or something similar :slight_smile:, though!!
Hint: you can switch off Sandbox + D+ and you will definitely bypass Comodo << believe me, it worked for me :smiley:

knk2006

Precisely! With Sandbox disabled and Proactive Security Mode, I had 5 pop-ups from D+, which were two attempts to access svchost.exe and one attempt to access Firefox. In this case it cannot be said that debot.exe bypassed Comodo.

[attachment deleted by admin]

So leave the sandbox enabled and avoid such pop-ups, which we usually answer with deny for malware >:-D, and that also proves that the sandbox is a good thing for noob and advanced users.

:comodorocks:

knk2006

It proves the sandbox stops all executables from running, and Defense+ is not working anymore.

Until now the Sandbox has done its job well, at least in my experience so far! :-TU

Ovidiu

You didn’t test accurately.

1.) The malware can't connect to the internet when it's sandboxed because automatically sandboxed programs run with limited Windows rights. If you disable virtualization (as is the case for the auto sandbox) and run the application sandboxed but unrestricted, it will be able to start svchost.exe and connect to the internet that way.
So Defense+ failed. Just the Windows rights drop-down blocks the malware in the sandbox. If you don't use the sandbox, Comodo fails.

2.) I said I tested on Windows XP SP3. Let me add that on Seven x64 Comodo blocks this sample like it should. But not on XP. I tested in an absolutely clean VM. And it's not a VM issue! Or why should D+ not be able to block some things in a VM? Absolute nonsense. If I installed a real Windows XP x32 I could reproduce this issue.

Every time I report a vulnerability to any company I have to argue with a bunch of unversed fanboys, and that's very strenuous…

I tested with VirtualBox and VMware:
XP x32: Fail
Seven x32: Pass
Seven x64: Pass

Btw: Outpost and KIS have trouble on XP x32 with this sample too.

I posted the Sandbox test results intending to emphasize its protective role against malware for which no signature is known. There are many posts that minimize the role of the Sandbox.

I forgot to mention that the test was made on Win 7. The same test redone on Win XP SP3 (x32) with Sandbox disabled and Proactive Security mode (no Virtual Machine) gave the same result, i.e. debot.exe did not bypass Comodo: below you can see all 6 pop-ups.

Here you are right, I admit I'm not as versed as you are, but maybe in time…

[attachment deleted by admin]

Tell me your secret how you did this.
I can’t make Comodo pass this sample.

A developer comment would be welcome. Even if this issue maybe doesn't apply to all users, at least in my clean and IMO very representative tests D+ fails.

I don’t have a clue.

Believe me, it's no secret, it simply works :). It would be good for other users to try this test in a Virtual Machine and on a Real Machine to see in which cases it worked by accident and what the reason was.

I have verified that there was no rule for debot.exe created earlier in D+. I redid the test a second time, and debot.exe did not bypass Comodo.

I was sure about that because I've already tested the sample and Comodo handled it perfectly :slight_smile:

If there is any bypassing, believe me, I'm gonna be the first who posts here :slight_smile:, not because I hate Comodo, everyone here knows that I love it :wink:, but I want the people to whom I recommended Comodo to be protected 100% :-*

knk2006

How I proceed:
I install Comodo onto a clean Win XP SP3 x32 VM snapshot (both VMware 7.1 and VirtualBox 3.2.4) in which no other security software was ever installed before. I install Comodo without AV and Threatcast, in proactive security mode. I do a restart, add the LAN zone to the trusted zones, disable the sandbox and start the sample. Comodo doesn't give any pop-up and svchost.exe connects to the malware domain. Fail.

I don’t see that I could have made a mistake.
Could a moderator please inform the developers?

And sorry for my harshness, but it’s really strenuous to explain every little bit. No offense though.
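The disagreement in this thread comes down to one observable: did a process named svchost.exe open a connection to 77.78.240.88:80 after the sample ran? On Windows XP SP3 the built-in way to check that is `netstat -ano` (connections with owning PID) plus `tasklist` (PID to image name). The script below is an added example, not code from the thread or from Comodo; it parses the two command outputs and flags svchost.exe connections to non-private addresses, or any connection to the IP the thread reports. The netstat and tasklist text embedded here is constructed to mirror the reported behaviour, not a capture from any poster's machine; PIDs, the 192.168.56.101 address and the second external host are assumptions.

```python
"""Flag svchost.exe connections from `netstat -ano` + `tasklist` output.

Added example (not from the forum thread). Both command outputs below are
CONSTRUCTED samples in the XP SP3 layout of the real tools, chosen to
mirror what the original poster reports (svchost.exe -> 77.78.240.88:80).
PIDs and the other addresses are assumptions, not captured data.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple

# IP named in the thread; extend with other IOCs as needed.
SUSPECT_IPS = {"77.78.240.88"}

# Constructed `netstat -ano` sample. UDP rows have no State column,
# so the PID is always the last field.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.56.101:1049    77.78.240.88:80        ESTABLISHED     1032
  TCP    192.168.56.101:1052    209.85.229.104:80      ESTABLISHED     1732
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:123          *:*                                    1032
"""

# Constructed `tasklist` sample (default table layout).
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  884 Console                 0      4,944 K
svchost.exe                 1032 Console                 0     21,372 K
firefox.exe                 1732 Console                 0     58,120 K
"""


class Conn(NamedTuple):
    proto: str
    local: str
    remote_ip: str
    remote_port: int
    state: str
    pid: int
    image: str


# Image name may contain spaces, so anchor on the fixed tail of the row.
_TASKLIST_ROW = re.compile(r"^(.*?\S)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name; header and separator rows do not match."""
    pids: Dict[int, str] = {}
    for line in text.splitlines():
        m = _TASKLIST_ROW.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


def parse_netstat(text: str, pid_map: Dict[int, str]) -> List[Conn]:
    """Parse TCP/UDP rows of `netstat -ano`, joining PID to image name."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        pid = int(parts[-1])
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        if remote == "*:*":          # unbound UDP socket
            rip, rport = "*", 0
        else:
            rip, rport_s = remote.rsplit(":", 1)
            rport = int(rport_s)
        conns.append(Conn(proto, local, rip, rport, state, pid,
                          pid_map.get(pid, "?")))
    return conns


def is_external(ip: str) -> bool:
    """True for routable unicast addresses (not RFC1918, loopback, 0.0.0.0...)."""
    try:
        a = ipaddress.ip_address(ip)
    except ValueError:               # "*" or malformed field
        return False
    return not (a.is_private or a.is_loopback or a.is_unspecified
                or a.is_multicast or a.is_link_local)


def suspicious(conns: List[Conn]) -> List[Conn]:
    """svchost.exe talking to any external host, or anyone talking to an IOC."""
    return [c for c in conns
            if (c.image.lower() == "svchost.exe" and is_external(c.remote_ip))
            or c.remote_ip in SUSPECT_IPS]


if __name__ == "__main__":
    for hit in suspicious(parse_netstat(NETSTAT_SAMPLE,
                                        parse_tasklist(TASKLIST_SAMPLE))):
        print(f"{hit.image} (PID {hit.pid}) -> {hit.remote_ip}:{hit.remote_port} {hit.state}")
```

On a live XP box you would pipe the real command outputs into the two parsers instead of the constructed strings. A hit only shows that a process hosted in svchost.exe owned the socket; svchost.exe also carries legitimate services that reach Microsoft hosts, so the flag is a triage aid, and the thread's actual question (whether Defense+ alerted before that socket was opened) still has to be read off the HIPS log.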

bump

I am not a member of MDL.

Could one of you mail me the said malware executable so I can test whether it passes or not (I have no sandbox, CIS v3/Avira AV)?

Hello? :-TD

I just tested debot.exe

I am running standard XP Pro SP3, French version.
The only resident protection software (if I except some disabled XP services and Firefox scripting protection) is Avira Free as an AV, and CIS v3 (of course, no sandbox).

CIS is set to proactive mode.
Firewall is custom level, highest alert frequency, everything checked.
D+ is paranoid mode, everything checked.

Avira intercepts debot.exe as "TR/Dldr.Ag.53248-1", whatever that means, and I suppose that every other AV does.
But let's be dumb, and assume I had no AV whatsoever: I deliberately choose to ignore it, and although warned again by the AV, I deliberately click debot.exe.

D+ only warns me that debot.exe is unknown; what should I do?
Let's assume I am dumb a second time: I never heard about anything called debot.exe, but I deliberately allow.

Next, explorer.exe calls for svchost, Firefox asks twice for permissions (including for csrss), and it asks last for ntuser.mssec.exe: I deny all of them.

Nevertheless, my downloaded debot.exe was automatically deleted, while a 19.tmp file was written to my
\current user\Local Settings\Temp folder, debot.exe.pf to Windows Prefetch and, although I don't use IE and it is forbidden by the firewall (but the firewall would never intercept that anyway), a debot2.exe to Temporary Internet Files.

Running procexp and autoruns and checking Task Manager brings nothing; however, Avira intercepts ntuser.mssec.exe in \current user\start menu, although browsing both the menu and the folder itself shows nothing.
Manual deletion of the 3 files mentioned above, without any locking or difficulty.
The ntuser entry is still intercepted by MBAM when I launch it (it is NOT resident) and successfully deleted, although it seems to be perfectly nonexistent.

(My) conclusion:
-it is not true that OA intercepts anything more than CIS, as D+ also warns, after explorer, for system and csrss.
-assuming one has no AV and allows only, as I did, the first D+ explorer requests, the malware maybe writes 2 or 3 files, although the start menu issue is very inconsistent, but is unable to express itself.
-last, and assuming that most people, if not running Avira AV, run whatever other AV including CIS, one must be more than dumb to allow not only the AV, but Defense+ for at least 4 requests:
it can't be considered in these conditions that anything failed in this test, except the user himself.

Nicely done,

thanks…!!

knk2006

No, he didn't get the point.
It's nice for him that D+ blocks this sample on his PC, but why not in my absolutely clean VMs? That's the matter.

I don’t know why no mod is informing any developer. Usually this happens for every trivial leaktest. But why not for this malware sample???