perfectly bypass CIS sandbox again

XP SP3 32bit

Double-click on the malware

defense+ events:

2011-08-28 18:16:53 C:\Documents and Settings\Roger\桌面\virus\clickme\readme.exe Sandboxed As Partially Limited

2011-08-28 18:16:58 C:\Documents and Settings\Roger\桌面\virus\clickme\readme.exe Modify File C:\Documents and Settings\Roger\Local Settings\Temp\gcfscqcqfprfsmnc.exe

2011-08-28 18:17:03 C:\DOCUME~1\Roger\LOCALS~1\Temp\gcfscqcqfprfsmnc.exe Sandboxed As Partially Limited

2011-08-28 18:17:03 C:\Documents and Settings\Roger\Local Settings\Temp\gcfscqcqfprfsmnc.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\Micorsoft Windows Service

open autoruns and check the registry value

svchost.exe is not sandboxed by CIS

???

[attachment deleted by admin]

FVS report:
http://valkyrie.comodo.com/Result.aspx?sha1=b8b9e9de26e639886ad9829713680b4949d98b05&&query=1&&filename=readme.exe

CIMA report:
http://camas.comodo.com/cgi-bin/submit?file=066eb02b81d8d96975e67ef2b64730e7ffd64fa3ddb0ba68bcb8bcf97cb9b7fa

CIS sandbox version 5.5.195786.1383 is also bypassed by this malware.

:o

[attachment deleted by admin]

waiting for the mods’ reaction

I would like to know if the malware is active in RAM. I ask because there can be leftovers that won’t do any damage. Did the malware start after you restarted?

Malware also uses commands like svchost.exe in order to achieve its goal, which means that commands such as svchost.exe are used in a malicious way but they aren’t malicious themselves.

When you see that something is flagged as Modify Key, it means that the program tries to modify a certain key but fails.

In the sandbox of CIS, the svchost.exe did not inherit the rule of the malware.

???

This malware updates >:-D

FVS report:
http://valkyrie.comodo.com/Result.aspx?sha1=cbdff57a6b4a40a9da1b2a761f40429cf5881e1f&&query=0&&filename=contacts.exe

CIMA report:
http://camas.comodo.com/cgi-bin/submit?file=b202d25644c5743e4a547f93db39c39b08b170716452042959b676998d7ba1ea

[attachment deleted by admin]

What you see is normal if the malware intends to use svchost.exe. Does the malware start after you restart VMware (I assume you’re using VMware)?

Do you mean that it is normal to have sandboxed/Partially Limited “svchost.exe” able to modify protected directory and registry in D+?

Yes (I do not use virtual machine)

;D

I think that is a bug for the inheritance of the sandbox.

:embarassed:

I don’t see any bugs. svchost.exe is SANDBOXED and its actions are limited whether it is trusted or not.

Can you please clarify what you mean by “it bypassed”?

I have analyzed the previous sample you sent as well and I could not see anything done by the malware.

Bypassed how? Did it infect all your drives? Did it change any protected folders? Did it infect the memory of other programs?

Please indicate all these changes while reporting such issues in order for us to take the reports into consideration for the future.

I double clicked on the malware

http://i.imgur.com/1D7Xf.png

I checked the defense+ events

2011-08-31 01:14:57 C:\Documents and Settings\Roger\桌面\virus\clickme\contacts1.exe Sandboxed As Partially Limited

2011-08-31 01:15:06 C:\Documents and Settings\Roger\桌面\virus\clickme\contacts1.exe Modify File C:\Documents and Settings\Roger\Local Settings\Temp\gcfscqcqfprfsmnc.exe

2011-08-31 01:15:08 C:\DOCUME~1\Roger\LOCALS~1\Temp\gcfscqcqfprfsmnc.exe Sandboxed As Partially Limited

2011-08-31 01:15:16 C:\Documents and Settings\Roger\Local Settings\Temp\gcfscqcqfprfsmnc.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\Micorsoft Windows Service

I double clicked on the autoruns.exe, then checked the registry values

http://i.imgur.com/oI2Gi.png

valkyrie report:
http://valkyrie.comodo.com/Result.aspx?sha1=6f58c0df4b5a2f892ba36f30ac30d99a38ae8ba5&&query=0&&filename=contacts1.exe

CIMA report:
http://camas.comodo.com/cgi-bin/submit?file=ca5d1bf0f6290a2097c77932217daa89f92b05c3438f4dea0a216d8f55090bd7

System environment:
XP SP3 32bit

Problem:

(1) The malware executed svchost.exe

(2) svchost.exe created the autorun entries

(3) The CIS sandbox did not block svchost.exe
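The three-step chain above (sandboxed dropper writes an executable, the dropped file is sandboxed, a process that was never sandboxed then writes a service key) can be turned into a log check. The following is an added example, not code from the thread or from Comodo: it parses Defense+ event lines in the layout the post quotes and flags persistence writes, distinguishing ones made by a sandboxed process from ones made by a process that never received a “Sandboxed As” entry. The line format, the action keywords and the persistence-key list are assumptions inferred from the quoted entries; the final svchost.exe line in the sample is constructed, since the post shows no Defense+ entry for it.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample log. The first four lines mirror the Defense+ entries
# quoted in the post; the fifth is a constructed stand-in for the svchost.exe
# service write the reporter found in autoruns (assumption, not from the log).
SAMPLE_EVENTS: List[str] = r"""
2011-08-31 01:14:57 C:\Documents and Settings\Roger\桌面\virus\clickme\contacts1.exe Sandboxed As Partially Limited
2011-08-31 01:15:06 C:\Documents and Settings\Roger\桌面\virus\clickme\contacts1.exe Modify File C:\Documents and Settings\Roger\Local Settings\Temp\gcfscqcqfprfsmnc.exe
2011-08-31 01:15:08 C:\DOCUME~1\Roger\LOCALS~1\Temp\gcfscqcqfprfsmnc.exe Sandboxed As Partially Limited
2011-08-31 01:15:16 C:\Documents and Settings\Roger\Local Settings\Temp\gcfscqcqfprfsmnc.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\Micorsoft Windows Service
2011-08-31 01:15:20 C:\WINDOWS\system32\svchost.exe Modify Key HKLM\SYSTEM\ControlSet001\Services\Micorsoft Windows Service
""".strip().splitlines()


class Event(NamedTuple):
    ts: str
    proc: str
    action: str
    target: str


class Finding(NamedTuple):
    kind: str
    proc: str
    detail: str


# Line layout inferred from the quoted entries: timestamp, process path, action,
# target. Process paths contain spaces, so the path is matched lazily up to one
# of the known action keywords (assumed to be the only three that occur).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>.+?) "
    r"(?P<action>Sandboxed As|Modify File|Modify Key) "
    r"(?P<target>.+)$"
)

# Registry locations that give a program a foothold across reboots (assumed list).
PERSISTENCE_KEY_RE = re.compile(
    r"^HKLM\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\"
    r"|\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?(\\|$)",
    re.IGNORECASE,
)

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")


def parse_event(line: str) -> Optional[Event]:
    m = EVENT_RE.match(line.strip())
    return Event(m["ts"], m["proc"], m["action"], m["target"]) if m else None


def file_name(path: str) -> str:
    # Defense+ logs the same file once as a long path and once in 8.3 form
    # (DOCUME~1 / LOCALS~1), so processes are keyed by lower-cased file name.
    return path.rsplit("\\", 1)[-1].lower()


def analyse(lines: List[str]) -> List[Finding]:
    sandboxed: Set[str] = set()       # file names that received "Sandboxed As"
    dropped_by: Dict[str, str] = {}   # dropped executable -> sandboxed writer
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        proc = file_name(ev.proc)
        if ev.action == "Sandboxed As":
            sandboxed.add(proc)
        elif ev.action == "Modify File":
            if proc in sandboxed and ev.target.lower().endswith(EXECUTABLE_SUFFIXES):
                dropped = file_name(ev.target)
                dropped_by[dropped] = proc
                findings.append(Finding("sandboxed_drop", proc, f"wrote executable {dropped}"))
        elif ev.action == "Modify Key" and PERSISTENCE_KEY_RE.search(ev.target):
            if proc not in sandboxed:
                # Persistence write logged for a process that never received a
                # "Sandboxed As" entry: the inheritance gap the post describes.
                findings.append(Finding("unsandboxed_persistence", proc, ev.target))
            elif proc in dropped_by:
                chain = f"{dropped_by[proc]} -> {proc} -> {ev.target}"
                findings.append(Finding("dropper_chain_persistence", proc, chain))
            else:
                findings.append(Finding("sandboxed_persistence", proc, ev.target))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f.kind, f.proc, f.detail, sep=" | ")
```

On the sample above the check yields three findings in order: the sandboxed drop of gcfscqcqfprfsmnc.exe, the dropper chain contacts1.exe → gcfscqcqfprfsmnc.exe touching the service key, and the unsandboxed svchost.exe write to the same key. The log only records attempts, so whether a flagged write actually landed is confirmed the way the reporter did it, by checking autoruns and the service list after a reboot.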

But after restarting the computer the changes remain?

From “Introduction to the sandbox” in the forum:
Automatic sandboxing does not virtualise software. Files and registry keys created by the software are NOT stored in a separate place on your hard disk. (Instead, to protect system integrity, the sandboxed program is prevented from writing to protected folders, pre-existing files, and registry keys…

So those startup directory and registry keys should not be changed in the first instance.

By the way, I think a256886572008 already showed very clearly in his first post where the bypass is. The question is whether it can be duplicated by Comodo.

So you cannot sandbox anything if you don’t allow virtual changes, because you will get error messages. If after restart the changes remain, it is a fail; if after restart the computer is clean, Comodo sandbox is doing its job.

Let me see. Can you please send the sample to me?

What are you talking about? It is written in Comodo’s Sandbox and D+ Help forum that automatic sandboxing does not virtualise software. Files and registry keys created by the software

I restarted the system

I double clicked on the autoruns.exe and checked the registry value

http://i.imgur.com/TIM6T.png

I checked the active process list

http://i.imgur.com/NsHvk.png

http://i.imgur.com/bjUmG.png

I checked the active connections

http://i.imgur.com/lkeR0.png

I double clicked on the XueTr.exe and checked the installed drivers

http://i.imgur.com/k5fTk.png

The malware installed the driver successfully.

:frowning:

Send me the sample please. What you are describing is just not possible unless you explicitly allowed something or disabled something in CIS.

CIS did not popup any alert windows.

I enable all the modules of CIS.