Metamorphic Viruses (the most dangerous virus for now)

Melih, you don’t need to convince me that the “clean PC mode” is good, I know it and I got CFP set on it. It was a brilliant idea. I also know, and I never denied that, that when a virus goes undetected, a HIPS will be there to alarm the user that some kind of potential nasty modification is there. CFP firewall + Def+ indeed represent a first-choice weapon against malware, I know it. And other companies will have difficulties to outperform it. I mean that. There are more and more threads in other forums discussing CFP 3.0, people saying all kinds of things, but proving that CFP has become a major actor in the fight against malware.

But even the most advanced user won’t be able to answer yes or no to that dll that should or should not be modified by that “infected” or “not infected” process, that looks like a twin to that old good driver we’ve been downloading for years for instance, just that the new version is safe, or is not safe… yes a white list may help… but a malware maker might be faster than the people building the white list, on new software for instance. I’m not talking about that thing that looks shiny, but about that process that looks “normal”.

Now again, I won’t complain that my Avast WebShield will intercept a virus in memory, as I explained in my above post. And of course it can fail. And if it does fail CFP will be there to block that virus at hard disk level, hopefully. If you don’t mind I’d rather keep that AV proxy as first line of defense, just in case it could work. CFP can’t detect anything in memory, it can’t detect anything actually, and it’s not its purpose. It is there to prevent files from being modified by unwanted software, and this is already very good (CFP heuristic detection doesn’t work that well, it gives many false positives, see here: https://forums.comodo.com/help_for_v3/false_positive_from_the_new_malware_heuristic_analysis-t18416.0.html;msg125772#msg125772 )
But there are other software for that, and I won’t complain about that either. In terms of prevention CFP is absolutely brilliant. It would actually be nice if you could re-implement checksum verification in it, just in case prevention would fail. And it can fail: I’ve already managed to replace executables with modified versions without getting a single alert from Def+, see here, and there are other threads from other users:
https://forums.comodo.com/help_for_v3/about_exe_files_verification_by_cfp-t18266.0.html

What worries me a bit is that according to CFP GUI, checksum verification is supposed to be implemented on the safe list, but it just doesn’t work. But there will be future releases and what’s been achieved so far is more than good, much more. The guys at Online Armor are getting nervous :SMLR, just watch their forums :SMLR

Adding: I said CFP couldn’t do anything in memory and I forgot to mention protocol analysis. I probably forgot that because we hardly get alerts related to this feature, even with all related settings turned on. Although I remember I once had one related to “packet checksum verification” with CFP 2.4.

Let’s see what happens when TC is out…

btw: with the replacing file: you can’t replace it with D+ on without getting a notice. D+ watches all file I/O.

Melih

File modifications are detected, but not file replacements. The new file goes to the pending list and you get no alert. A workaround is to change the default access right settings for Explorer on “protected files/folders” and set it to ask instead of allow. But I’m sure hackers can find other means than Explorer to achieve their goals.

Replacing and modifying are pretty much the same things. Are you sure the above is happening?

thanks
Melih

Same here, Melih. In fact, I even switched to Paranoid Mode to test this:

  1. Right-clicked on the desktop to create a shortcut and renamed it to abc.exe
  2. Created another shortcut as abc.exe from another folder
  3. Replaced the original abc.exe with the second one and no alerts came up, it was only shown in Pending Files

Is it because explorer.exe has been granted access (by default, it’s assigned the Installer/Updater) to do this as this was all done via the Windows shell vs some file downloaded from the browser (as an example)?

I know it’s the same (that an edited file is replaced with the edited version, there’s no modification or movement of files on a hard disk, only files marked as deleted and new ones created) I was just talking from a Windows interface point of view. To your question about Def+ behavior: yes it is happening.

Explorer.exe is by default a trusted application but not an installer or updater. If it is so, please make it trusted only. It should not be an installer or updater.

Explorer.exe can change, modify, delete files and CFP will not ask about it. But this does not mean malware can do the same.

Malware has to use explorer.exe to modify files in order to bypass the protection. And to use explorer.exe, it must still bypass CFP somehow.

You should make a clear distinction between malware tampering and users’ legitimate actions.

The scenarios you list above are legitimate scenarios. You, as a legitimate user, changing something manually (note that this is not a user installing something etc. This is simply the user copying/renaming a file manually).

CFP calculates the SHA1 hashes for the files when it is in “Train with Safe” mode and it does not know what to do with the file (i.e. no rule exists, i.e. a popup is about to be shown). This hash is used while scanning for the file in the safe file database.

Hope this helps,
Egemen
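As an added illustration (not code from this thread or from Comodo), here is a small baseline checksum verifier along the lines of the “checksum verification” the thread asks for: it records SHA1 hashes of executable-type files and reports a changed hash whether the file was edited in place or deleted and re-created under the same name, which is exactly the replacement case described above. The abc.exe scenario, the temporary directory and the file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

EXEC_EXTS = (".exe", ".dll", ".sys")  # file types worth baselining (assumption)


def sha1_of_file(path, chunk=65536):
    """SHA1 digest of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA1 for every executable-type file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXEC_EXTS):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha1_of_file(full)
    return baseline


def compare(old, new):
    """Report added, removed and changed entries. A replacement (delete + create
    under the same name) shows up as 'changed' exactly like an in-place edit,
    because only the content hash is compared, not how the file got there."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo_replacement():
    """Constructed scenario mirroring the thread: baseline abc.exe, then replace
    it with a different file of the same name (delete + create, not an edit)."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "abc.exe")
        with open(target, "wb") as f:
            f.write(b"original shortcut bytes")   # constructed content
        before = build_baseline(root)
        os.remove(target)                           # "replacement": delete ...
        with open(target, "wb") as f:
            f.write(b"second shortcut bytes")      # ... and create anew
        return compare(before, build_baseline(root))


if __name__ == "__main__":
    print(demo_replacement())  # {'added': [], 'removed': [], 'changed': ['abc.exe']}
```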

Thanks Egemen for those useful clarifications. I’ve actually been wondering whether CFP could make the difference between an action initiated by the user and an identical one that is not. Now that you confirm that CFP makes that difference between the action origins (and actually makes a checksum verification in all cases), I kinda feel better about Def+.

It remains that it’s difficult to test that. I’m not personally ready to introduce a trojan to my PC to see how CFP reacts :SMLR

V3 is one of the, if not the, most powerful protection you can get today!
and it will get stronger and easier :slight_smile:

melih

We know that already, we don’t really need this advertising :-)))))

Be careful, some people say HIPS like Defense+ is just glorified signatures, except signatures for behavior.

Not by hand you can’t!

Still, I CAN determine whether an alert is generated by malware or not :-))) it's just pure experience and a bit of logical thinking :-)))) For example, why would a game install a driver?))) If you know that it installs it, e.g. it is commercially protected, comes on DVD and asks for a serial number - that means no threat. But in all other cases... you see the point?

Not really, since metamorphic viruses do not need to install drivers… Since you are so experienced can you tell me what prompts a metamorphic malware would produce?

Also that hackneyed argument about installation of drivers only works in some cases, and you are still at best guessing… Say someone posted about this new antirootkit… how would you judge whether it is safe or not? I know many perfectly innocent games that evoke prompts about dangerous activities from HIPS that are far less noisy than Defense+.

I notice that people who make that argument about drivers, usually don’t want to talk about the dozens of other prompts hips generate. They seem to make it sound like deciding whether to allow a driver is the only decision a user of hips has to make (besides deciding what to allow to execute)…

Of course we know HIPS like defense+ alert on a lot more questions… if it’s so obvious, how come i have never seen one of these “experienced” users draw up a table telling me what prompts are expected for what classes of software? Instead all i see is the same whole driver installation argument over and over again…

But with Defense+ you monitor not just uncommon activities but dozens of frequent common activities (keyboard/mouse related events, registry modifications etc), so how would one decide? After all even if you run notepad, you will get prompts about hooking and all that (or rather you would if it wasn’t digitally signed)… :slight_smile: That’s the whole idea really behind using digital signatures, because NO-One, not even one with "pure experience", will be able to answer all the prompts correctly…

So no, I don’t buy the whole "prompt about X is easy to figure out because it’s obvious what types of apps should do X, and what shouldn’t".

Well, you’re right at some point, a driver installation is just a colorful example of what it shouldn’t do. But! For example, run notepad. What alerts does it generate apart from execution? I guess - none. Load up a game. Is it expected that a game modifies files in system folders, launches Internet Explorer, accesses startup registry entries? Hardly. That’s the point. When I ran a pure infector virus (one that only infects files and nothing more) - it generated an alert about every file in the system directory it was about to infect. When I ran a trojan horse - it still generated an alert about accessing system folders and modifying files. Is it normal for a game? Oh come on! What about interprocess activity? Global hooks other than ctfmon and PuntoSwitcher? Process termination? You see, most malware hides itself among system files with wannabe-system-file filenames like “ntndis.exe” or maybe “winupdate.exe”, so if you have a little common sense - you’re well protected.

But this “rogue” anti-rootkit is a whole different story, but I myself for example don’t see ANY reason to test it on my real machine, I do all testing inside a VM. Yes, it’s a great possibility for a malware writer to advertise his new rootkit as new antirootkit software, so even advanced users press “Allow” everywhere… but this is the point where common sense comes in - you just shouldn’t go to doubtful sites and download something questionable…

You lose then. Defense+ does generate prompts for running notepad (some prompts about mouse/keyboard and hooks and what not); the only reason it doesn’t is because it is whitelisted. See discussion on Wilders. It needs to be in paranoid mode…

Try an instant messenger in paranoid mode, or an IRC client in paranoid mode, I bet you will see a lot more incomprehensible prompts than you expect based on a gibe “understanding”.

But you might ask, why use paranoid mode? Paranoid mode simply simulates the case where you run something not covered by digital signatures/whitelisted… You claim you can tell what is good or bad, a fair test of this would be in paranoid mode, where you make decisions unaided…

Load up a game. Is it expected that a game modifies files in system folders, launches Internet Explorer, accesses startup registry entries? Hardly.

Wrong! Some games don’t, some do. It depends on the type of game… There is nothing wrong with games setting itself to autostart… for example.

That's the point. When i ran a pure infector virus (one that only infects files and nothing more) - it generated alert about every file in system directory it was about to infect.

It’s trivial to change the behavior so it doesn’t infect the system directory…
The point here though is that your game can be easily made to do its dirty work by altering files that wouldn’t leave you suspicious…

When i ran trojan horse - it still generated alert about accessing system folders and modifying files. Is it normal for a game? Oh come on!

I have run perfectly safe games that want “low level disk access”, want to do global hooks, want to do something with the mouse, with physical memory etc (something to do with the graphics I’m told)… I’m really amazed your games do nothing of that sort. Are you playing tic-tac-toe?

Another comment, are games the only application you run on your system?

All I can say is to pick the following that you do not have installed and run them:

  1. web browser
  2. media player
  3. IM client
  4. image viewer
  etc.

Predict beforehand how many prompts and what prompts you expect. Run them and see how many prompts you actually get…

Why do I insist you predict beforehand? Because it is very easy to rationalize your way after the fact into… “oh that prompt kind of makes sense because maybe it needs…” and “that prompt makes sense cos…”

As I have shown already, you were wrong on notepad…

But this "rogue" anti-rootkit is a whole different story,

Here’s another real life example, I was running this freeware non-security tool and I noticed it doing some kind of inter-process thing, I emailed the author and asked him why and he told me some somewhat plausible reason, but how do I know if he is really telling the truth?

The problem isn’t only just that I don’t know what to expect, but rather even if I know it is “supposed” to do it, I still don’t know if that “supposed to” is good or bad…

OK OK you win, I give up. Yet, HIPS is more secure than anything else right now. Everything has its strong and weak points.

btw about notepad. I don’t count CTFMon hooking as an alert since this alert is generated by EVERY app on my system. I also don’t count accessing the Service Control Manager when opening the Open/Save file dialogs, since this is also generated by EVERY app that has these dialogs.

PS I simply don’t play games that much :-))))

I couldn’t agree more, and could have written that myself. As I said in a post above in the same thread, even the most experienced user won’t be able to evaluate a threat when the process associated with it just seems normal, and some among the “bad guys” (the bad guys… :SMLR) are certainly clever enough to make it look more than normal when mixed with a bunch of other alerts in the same setup of a program you wouldn’t suspect to be infected.

No it’s not!

It does have heuristic capability but not as its first line of defense. We use heuristics to provide better information, security comes from Defense+!

Hmm, no comments from Melih on that one… :-)))))

Well, another true story, though not with CFP, I was using ZoneAlarm Pro 6 back then… A girl sent me a 200kb exe saying it’s a slideshow. I wasn’t cautious enough, but ZoneAlarm displayed an alert when this “slideshow” tried to send emails. I know - this alert was not generated by HIPS, but nevertheless - most of the time malware isn’t as complicated as you describe it :-)))

PS turned out it was a guy who was paid to steal my email… he never managed :-)))