New ways to bypass firewalls

No overhead in network throughput at all. Yet additional checks could add some negligible delays. We will see more during the beta testing.

Actually, BO protection will be built into our firewall first, by the end of the year.

Melih

Hi Melih, hi egemen, hi everybody!

When I think of bypassing a firewall, I would use FlashPlayer. The attack vector is huge, because almost every user in the world has it. It is actually already being done: Some sites load small pieces of ■■■■ through it, and afterwards a new version of Pinch (password-stealing and self-destructing Trojan) is created on the user’s computer without the firewall, or the anti-virus heuristics, or the HIPS ever noticing it. Will COMODO flag FlashPlayer in the future? I have never seen any alerts from any firewall about it, but still it is used to show banners and ads almost every other page. Of course I blocked it in my Firefox browser with the NoScript extension [Options - Advanced - ‘Forbid MacroMedia Flash’ and ‘Forbid other plugins’]. If I want to have it for a certain site, I can allow it with a simple click for only that site (not its third parties), but BY DEFAULT it is denied…

Paul Wynant
Moscow, Russia

You did, sorry that was my sad attempt at BO (body odor) and under arm brands. However egemen did answer a question inadvertently that I was going to ask, so thanks egemen. lol. All in all, sounds like a good plan so far. I have in the past seen Java attacks get through many securities. Also, many viruses end up in sys restore which antivirus can’t access, and disabling sys restore and emptying it is one of the only ways to terminate the virus. Will Comodo’s HIPS prevent such a thing from entering itself into the restore?

Paul

I’m not entirely sure that I follow you here. You state that malicious code is able to install itself through Flashplayer and no security utility would detect this? I’m extremely doubtful that this is the case and can in fact think of at least 2 utilities that would immediately warn of suspicious activity.

Processguard monitors all the running processes on a system and, since you wouldn’t allow any unknown process unfettered access to vital system resources, any attempt to create a registry key or modify security settings would set alarm bells ringing. Dynamic Security Agent would also spot this unusual behaviour and warn the user.

Any trojan, no matter how potentially damaging, is nothing more than a piece of code unless it can actually DO something. A correctly configured security set-up will prevent 99.9% of all malware. Even a simple utility such as Sandboxie would render this type of threat vector impotent.

One point I do agree entirely with you on is that an alternative browser such as Mozilla Firefox or Opera offers far greater security against many web-borne threats than IE.

2 andyman35:

It’s against the rules of this forum, I guess, to give links to malicious sites, but I’m more than sure that Process Guard doesn’t catch Pinch before it’s already too late because it uses amazing stealth techniques. Even the often praised Kaspersky Internet Security that passes all tests you throw at it was easily caught off guard by this Trojan. The issue was posted on the Kaspersky forum. If you know Russian, I can give you the link to that thread. First a malicious php script was loaded into the browser, a script that any anti-virus program would be able to detect. But this was actually just a distracting manoeuvre. The components for the actual Pinch came through the banners of the site’s third parties. The source of the Trojan turned out to be a simple .txt file! The browser in question was Opera, but the clue was that java+javascripts+flashplayer were allowed. As soon as KIS noticed what was going on, the passwords had already gone to Pinch’s master…

To understand how this could happen, let’s do a little test:
Please open Notepad, paste this line and save:

[QUOTE]X5O!P%@AP[4\PZX54(P^)7
[/quote]
No reaction from your AV.

Now open Notepad again, paste this on the next line and save:

[QUOTE]CC)7}$EICAR-STANDARD-A
[/quote]
Still no reaction from your AV.

Now the final part: paste this, make one line of all three statements and save.

[QUOTE]NTIVIRUS-TEST-FILE!$H+H*
[/quote]
Now your AV should react, because this is the code for the EICAR ‘virus’ test file.

That’s basically how this Trojan gets on your computer without being noticed by anybody. Generating the actual Trojan and making it do its dirty work goes so fast that it is only noticed when it’s already too late.

One general remark about HIPS: as soon as the user allows a driver to be installed at the kernel level, the game is over for ANY kind of protection. This may sound like a cliché, but one should prevent malicious stuff from getting into the computer. As soon as it manages to get into your machine, your protection is pretty helpless…

Paul Wynant
Moscow, Russia
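The three-step Notepad experiment above can be reproduced with a toy signature scanner. The block below is an added illustration, not code from the thread: it scans the three EICAR pieces one at a time (what a content filter sees when each piece arrives in a separate banner response), then scans the file as it grows on the host. The fragments are the public EICAR test string split exactly as in the post; the single-entry signature table and the function names are this example's own.

```python
"""Added illustration of the three-step EICAR experiment: a signature scanner
that only sees individual fragments finds nothing, while one that scans the
file as it is assembled on the host does. The EICAR fragments are the public
antivirus test string, split exactly as in the forum post."""

# The three pieces pasted into Notepad in the post, as bytes.
FRAGMENTS = [
    b"X5O!P%@AP[4\\PZX54(P^)7",
    b"CC)7}$EICAR-STANDARD-A",
    b"NTIVIRUS-TEST-FILE!$H+H*",
]

# Toy signature database (name -> literal byte pattern). The single entry is
# the complete EICAR test string, i.e. the three fragments joined together.
SIGNATURES = {
    "EICAR-Test-File": b"".join(FRAGMENTS),
}


def scan(data: bytes) -> list:
    """Return the names of all signatures whose pattern occurs in `data`."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_each_fragment(fragments) -> dict:
    """Scan every fragment as an isolated object, which is all a content
    filter sees when the pieces arrive in separate responses.
    Returns fragment -> matches; every value is empty for the EICAR split."""
    return {frag: scan(frag) for frag in fragments}


def scan_chunks_only(fragments):
    """Hook that inspects only the bytes of each write, never the file as a
    whole. Returns the 1-based write at which a signature first matched, or
    None: a pattern split across writes never lies inside a single chunk."""
    for step, frag in enumerate(fragments, 1):
        if scan(frag):
            return step
    return None


def scan_growing_file(fragments):
    """Append each fragment to one buffer, as the Notepad steps do, and scan
    the whole buffer after every write. Returns the 1-based write at which a
    signature first matched, or None. The file state, not the chunk, is what
    reveals the reassembled pattern."""
    buffer = b""
    for step, frag in enumerate(fragments, 1):
        buffer += frag
        if scan(buffer):
            return step
    return None


if __name__ == "__main__":
    for frag, hits in scan_each_fragment(FRAGMENTS).items():
        print(f"fragment {frag!r}: {hits or 'no match'}")
    print("chunk-only hook first match:", scan_chunks_only(FRAGMENTS))
    print("whole-file scan first match at write:", scan_growing_file(FRAGMENTS))
```

The defensive point is the third function: a scanner must look at the object that ends up on disk (on-access scanning of the written file), not only at each network response or write in isolation, because the signature only exists once the pieces have been joined.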

I agree that once a malicious utility has kernel level access it becomes extremely difficult to defend against. I’ll be reading up on the stuff you mentioned and which, if any, defences are available. I’d be extremely surprised if it could bypass Dynamic Security Agent since it uses an extremely advanced range of methods to determine malicious activity; after its initial period of baselining it monitors for variables such as CPU utilization, thread count, and others. Processguard would certainly prevent kernel level driver installation, as would DSA or samurai.

Thanks for the interesting comments though, it’s always good to hear of new potential threats (or should that be bad?)

I’m just as sad as you are about this.

DefaultDeny seems to be the only principle that works in security. You have to know the attack vectors and disable as much as possible of the AllowAll settings (‘Intuitive approach’, I believe Bill Gates called this) in Windows. It’s the default settings in ALL programs and in Windows that get attacked, ALWAYS. It makes no sense to try to defend what cannot be defended without turning it off.

P.S.: If you want to know more about stealth malware, you could consider contacting Joanna Rutkowska (you remember the lady with the Blue Pill, who hacked Vista before the very eyes of the makers?). She knows a lot about the subject and answers all e-mails (except for SPAM, of course). Here’s her site:
invisiblethings.org

Paul Wynant
Moscow, Russia

Hi Paul,

The reason for this thread is to analyze and discuss such techniques. A good case indeed. I will try to find that Pinch trojan and see what it does. Alternatively, I would really appreciate it if you PM its link if you have it.

Thx,
Egemen

2 egemen:
Done!

Paul Wynant

So I assume, since I mentioned OLE a while back, this is not an issue? What about OLE remote code execution? Some OLE attacks will shut down anti-virus and firewall applications. Could it do this with HIPS? If a trusted OLE is allowed, caught, modified and attached with malicious code, couldn’t it be allowed right back in or do the previously stated? Assuming it could shut down HIPS, that is, then run the code? It is a sneaky way in but could be done without a doubt. And has been in the past. I would think hijacking the OLE would be a better term in my opinion. Just a thought.

Paul

It could shut down certain HIPS by my understanding, but not the behavioural based DSA I mentioned before. Such an attack would undoubtedly be flagged up as activity outside the normal baseline.

Paul is there any chance you could email me the link to that site? I’d be most interested to run some tests.

2 andyman35:
Assuming you were talking to me, and not my namesake, I sent a link to your PM. Be careful to go there with either java+javascripts+flash disabled, or in a sandbox environment!

Paul Wynant
Moscow, Russia

Hi Paul.
Thanks for sending the link and don’t worry, I only ever run suspect stuff from a secure isolated environment. I have a specific hard drive for the purpose which I restore to a clean image after each test to avoid any residual contamination.

I have tried PC Security Test previously; I was using it to test Prevx at the time. I assumed that it bypassed the Prevx defences until I realised that the utility is in the Prevx safe/false positive list, so the test was invalid.

Personally I’d never rely on just HIPS, but I’m a touch obsessive about security since it’s a large part of my work; I use something like 17 separate defences, which took a while to configure I can tell you. Anyway thanks for the info, your inputs to the forum have been very informative.

I will say I’m very excited about the future development of CPF and CAVS; the team here have an unmatched desire to listen to their customers and provide constantly improving products. (B)

From my initial investigation this particular trojan variant has been around some time and is listed by the various AV vendors under different names. I wasn’t actually able to initiate the malicious activity since I kept getting 404 errors. This may have been down to my bad URL filtering or an issue with the site itself. I know that many of these Russian ■■■■■/warez sites are riddled with malware and drive-by downloads, but rather than the specific trojan mentioned I find the potential delivery method most interesting.

What really amazes me is sites like this host cracked versions of retail security products!! Surely no one could be that stupid to install such a thing!

Those are tactics I don’t like from certain security vendors: adding the test applications to the black list instead of solving the problems they test. I heard rumors that pcflank.com is in ZoneAlarm’s black list as a malicious site. If this is the way they think to bypass the pcflank leaktest, well, that’s silly…

In order for me not to invent the wheel again, could you share your info with me/us? How I’d like to see that list!

This is indeed remarkable. I hope they will never go the way of the competition…

Paul Wynant
Moscow, Russia

Thanks for the reply. So what you are saying is, if an OLE send is controlled from an outside source, DSA will catch this and then prevent it? That would be great.

Paul

From my understanding, yes it would, but with a slight proviso. Upon installation DSA goes into learning mode for a pre-determined length of time (I set 14 days to limit unnecessary pop-ups). Of course any attack during this time wouldn’t be spotted, hence the proviso.

I quote from the user guide:

"SYSTEM ANOMALY DETECTION

The DSA System Anomaly Detection layer analyzes the normal use patterns of running applications and generates alerts as it detects unusual activity. The System Anomaly Detection Engine applies a sophisticated algorithm to establish a baseline of normal use based on several system variables such as CPU utilization, thread count, and others. These variables are monitored over a specific period of time, called the ‘Training Period’, which can be set to 7, 14, or 28 days within the Main Menu (the default period is 7 days). The ‘Enable Detection’ checkbox must be selected for Training to be active. Upon installation, Training is enabled by default and commences immediately upon installation.

Sensitivity Threshold: The DSA System Anomaly Detection layer generates alerts as it detects system activity that deviates from normal. The sensitivity with which DSA applies system anomaly detection can be tuned by adjusting the Sensitivity Threshold. Decreasing the threshold increases the sensitivity, meaning that smaller deviations will generate alerts. Increasing the threshold will allow greater variance from normal activity. By default, the System Anomaly Detection Sensitivity Threshold is set to 60%. In simple terms, activity deviating more than 60% from normal will generate an alert."
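A small model of the training period plus sensitivity threshold scheme described in the quoted guide, added here as an illustration; it is not DSA's code and the user guide does not give the actual algorithm. Assumptions made for the example: "normal" is the per-variable mean over the training period, and a sample's deviation is its relative distance from that mean, so the 60% default means |value - normal| / normal > 0.60 raises an alert. The `AnomalyMonitor` class, the two demo functions and the sample readings are constructed for this example. The second demo also shows the proviso raised above: activity that occurs inside the training window is not flagged and becomes part of the baseline.

```python
"""Added model of the 'training period + sensitivity threshold' scheme quoted
from the DSA user guide. Assumptions (the guide does not give the algorithm):
'normal' is the per-variable mean over the training period, and a sample's
deviation is its relative distance from that mean, so a 60% threshold means
|value - normal| / normal > 0.60 raises an alert."""
from statistics import mean

# The two system variables the guide names; others would be added the same way.
VARIABLES = ("cpu_percent", "thread_count")


def relative_deviation(value, normal):
    """Fractional deviation from the baseline value (0.6 == 60%)."""
    if normal == 0:
        return 0.0 if value == 0 else float("inf")
    return abs(value - normal) / normal


class AnomalyMonitor:
    def __init__(self, training_days=7, threshold=0.60):
        self.training_days = training_days    # guide: 7, 14 or 28; default 7
        self.threshold = threshold            # guide default: 60%
        self.training_samples = []
        self.baseline = None                  # set once training ends

    def observe(self, day, sample):
        """Feed one sample of VARIABLES taken `day` days after install.

        Returns None while still training (nothing is ever flagged in that
        window, and the sample becomes part of 'normal'), otherwise the list
        of (variable, deviation) pairs that exceed the threshold."""
        if self.baseline is None:
            if day < self.training_days:
                self.training_samples.append(sample)
                return None
            if not self.training_samples:
                raise ValueError("training period ended with no samples")
            self.baseline = {v: mean(s[v] for s in self.training_samples)
                             for v in VARIABLES}
        alerts = []
        for v in VARIABLES:
            d = relative_deviation(sample[v], self.baseline[v])
            if d > self.threshold:
                alerts.append((v, round(d, 2)))
        return alerts


# Constructed sample data: a quiet week of readings, then two post-training days.
TRAINING = [
    {"cpu_percent": c, "thread_count": t}
    for c, t in zip((10, 12, 8, 10, 10, 12, 8), (40, 42, 38, 40, 40, 42, 38))
]
SPIKE = {"cpu_percent": 20, "thread_count": 44}    # cpu doubles (+100%)
CREEP = {"cpu_percent": 14, "thread_count": 60}    # +40% cpu, +50% threads


def run_demo(threshold=0.60):
    """Train on the quiet week, then evaluate SPIKE and CREEP at `threshold`.
    Returns (alerts_for_spike, alerts_for_creep)."""
    monitor = AnomalyMonitor(training_days=7, threshold=threshold)
    for day, sample in enumerate(TRAINING):
        assert monitor.observe(day, sample) is None   # training: never alerts
    return monitor.observe(7, SPIKE), monitor.observe(8, CREEP)


def run_poisoned_demo(threshold=0.60):
    """Same, but a burst of activity (cpu 90) lands on day 3, inside the
    training window: it is not flagged and it raises the baseline, so the
    later SPIKE no longer looks abnormal. Returns (day3_result, alerts_for_spike)."""
    monitor = AnomalyMonitor(training_days=7, threshold=threshold)
    day3_result = None
    for day, sample in enumerate(TRAINING):
        if day == 3:
            sample = {"cpu_percent": 90, "thread_count": 40}
            day3_result = monitor.observe(day, sample)
        else:
            monitor.observe(day, sample)
    return day3_result, monitor.observe(7, SPIKE)


if __name__ == "__main__":
    print("default 60% threshold:", run_demo(0.60))
    print("tighter 30% threshold:", run_demo(0.30))
    print("burst during training:", run_poisoned_demo())
```

With the default 60% threshold only the CPU doubling is flagged; lowering the threshold to 30% also flags the 40% and 50% creep, which is the "decreasing the threshold increases the sensitivity" trade-off in the guide. The poisoned run shows why the training window matters: a baseline built while something abnormal is already running treats that activity as normal afterwards.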

Thanks for the reply andyman35, very informative! :slight_smile: This is from the DSS then, I assume? I like the sensitivity threshold tuning ability along with the training period ability. Very nice! What about weak signatures though? Is there, or wasn’t there, a 768 or 786 (something like it) bits or higher standard, or was it then flawed? Or was that with DSS? This may be an old school question and no longer a concern. “IF I REMEMBER” lol, slight chance, the weak key or signature going under the 786\68 bits standard could be easily attacked, which is why I ask if that was DSS or whether DSA has this\had this as well.

Thanks again,

Paul