probably bypass the firewall (.vbs file)

  1. The configuration was CIS.

  2. I unticked the option.

  3. I double clicked on the .vbs file.

It was sandboxed as partially limited.

  4. COMODO firewall did not block iexplore.exe from accessing the network.

  5. defense+ logs:
2012-12-25 22:24:19 C:\virus\vfd\'Home.vbs Sandboxed As Partially Limited

2012-12-25 22:24:34 C:\virus\vfd'Home.vbs Access COM Interface C:\Program Files\Internet Explorer\IEXPLORE.EXE

  6. environment:
Windows XP Pro SP3 32bit

  7. The content of the .vbs file.

The url contains a user name and a password.

Image of script in editor removed by moderator. This test case can be used to harvest IP addresses of our members. Please provide another test case by linking to an innocuous url like for example yahoo.com. Eric

I tried your script on Win8 but with target yahoo.com (ie.navigate("http://yahoo.com")) but I get an error. That is running Proactive; I will test with defaults after this.

What is odd is that we would expect IE to be sandboxed because the script is sandboxed but it is not. I can see a possible leak when starting IE hidden and connecting to a web site related to the malicious intentions of the malware.

Did you try this in Proactive Configuration as well?

Edit. I changed to the default Internet Security Configuration and get the same vbs error. See attached image.

[attachment deleted by admin]

  1. The configuration was CPS.

  2. I clicked on the allow button.

  3. The result is the same.

Can you change the script to open yahoo.com instead? That way it becomes an innocuous script that can be used by other members for testing.

' Create an out-of-process Internet Explorer COM server and drive it hidden
set ie=createobject("internetexplorer.application")
ie.visible=FALSE
ie.navigate("http://yahoo.com/")
' Wait until the page has finished loading (READYSTATE_COMPLETE = 4)
do until ie.readystate=4
    WScript.Sleep 100
loop
set ie=nothing

  1. The sandbox levels, restricted and untrusted, can block this one.
    (In the sandbox level, the iexplore.exe is not executed.)

  2. This one is like the EXPLORER AS PARENT of CLT.exe.

  3. In the sandbox level, fully virtualized, the iexplore.exe can be sandboxed.
    But the firewall does not popup an alert window for the IE.

defense+ logs:

2012-12-26 09:20:30 C:\virus\vfd\'Home.vbs Sandboxed As Fully Virtualized
2012-12-26 09:20:35 C:\Program Files\Internet Explorer\IEXPLORE.EXE Sandboxed As Disabled
What is it?

Thank you for the adapted script. I tried it and the scenario goes down like you described.

3. In the sandbox level, fully virtualized, the iexplore.exe can be sandboxed. But the firewall does not popup an alert window for the IE.
With the firewall set to safe mode I don't get alerted when IE gets run. With the firewall set to custom policy (and no rule in Application Rules) I do get a pop up from the firewall.

I sent egemen a pm about your findings and asked him to comment on it.

Can you please send me the script? It looks like a legitimate case to me.

It doesn't work here, my settings for comodo FW 5.12 are extremely restrictive.
The .vbs cannot start because of unrecognized file set to "blocked".
I tried with partially limited and allowed the .vbs then it opens IE.

It should be stopped with blocked, wouldn’t it? :wink:

Yes, with "blocked", or I have to set Defense+ into paranoid mode but it's too many rules for each process.

  1. This method was done by the malware, called QQpass.

(1) The user had logged in to the account for the QQ IM software.

(2) The user ran the malware in a package.
(The sandbox level was set as partially limited, limited, or fully virtualized.)

(3) The window of QQ IM software was hidden by the malware.

(4) The malware showed a fake window.

(5) The user typed in the password to the fake window.

(6) The malware ran a script file.

The url in the script code contains a user name and a password.

(7) The password was sent to the internet by the process, iexplore.exe.

  2. If the sandbox level is set as restricted, then the malware will not hide the window of QQ IM software whether the QQ.exe is virtualized or not.

[attachment deleted by admin]

Yes. CIS needs to block COM communication between sandboxed wscript.exe and non-sandboxed iexplore.exe.
Needs checking.
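As an added example, not code from this thread or from COMODO, here is a small Python checker over Defense+ style log lines like the ones quoted above. It records the last "Sandboxed As" level seen for each process and flags any "Access COM Interface" event where the caller is sandboxed but the target process carries no restricting level, which is exactly the sandboxed wscript.exe to unsandboxed iexplore.exe path egemen describes. The log format is inferred from the entries in this thread, the sample lines are constructed, and treating a "Disabled" level as unrestricted is an assumption.

```python
import re

# Constructed sample lines, shaped like the Defense+ entries quoted in this thread
# (paths cleaned up; not copied from a real log).
SAMPLE_LOG = """\
2012-12-25 22:24:19 C:\\virus\\vfd\\Home.vbs Sandboxed As Partially Limited
2012-12-25 22:24:34 C:\\virus\\vfd\\Home.vbs Access COM Interface C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
2012-12-26 09:20:30 C:\\virus\\vfd\\helper.exe Sandboxed As Restricted
2012-12-26 09:20:35 C:\\virus\\vfd\\Home.vbs Access COM Interface C:\\virus\\vfd\\helper.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<subject>.+?) (?P<action>Sandboxed As|Access COM Interface) (?P<detail>.+)$"
)

# Levels that actually restrict a process. "Disabled" is treated as unrestricted
# (assumption: it means the sandbox was not applied to that process).
RESTRICTING = {"partially limited", "limited", "restricted", "untrusted", "fully virtualized"}


def parse_line(line):
    """Split one log line into (timestamp, subject, action, detail); None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("subject").lower(), m.group("action"), m.group("detail")


def find_sandbox_com_escapes(log_text):
    """Return (timestamp, source, target) for every COM interface access where the
    caller is sandboxed but the target process carries no restricting level."""
    level = {}      # process path (lowercased) -> last "Sandboxed As" level
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, subject, action, detail = parsed
        if action == "Sandboxed As":
            level[subject] = detail.lower()
        else:  # Access COM Interface: subject drives the process named in detail
            target = detail.lower()
            if level.get(subject) in RESTRICTING and level.get(target) not in RESTRICTING:
                findings.append((ts, subject, target))
    return findings


for ts, src, tgt in find_sandbox_com_escapes(SAMPLE_LOG):
    print(f"{ts}: sandboxed {src} reached unsandboxed {tgt} over COM")
```

The second COM access in the sample is not reported because its target (helper.exe) was itself sandboxed as Restricted before the call.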

Okay, I changed the advice in my article to Restricted instead of Limited. I’m keeping an eye on this topic to see if a change is made to the way CIS works such that I can advise Limited again.

Another malware

The iexplore.exe is not sandboxed by BB.

http://valkyrie.comodo.com/Result.html?sha1=c6a4743a8e4ae39249b56b80f347a8a77cb30a38&&query=0&&filename=13010503.exe

http://camas.comodo.com/cgi-bin/submit?file=108bad99aa1a13995e7f6fae4f526a42fcc30d45c29be4dc5f8793152547d157

[attachment deleted by admin]

Can it still be blocked by the configuration which I now recommend in my article?

In the sandbox level, restricted, svchost.exe did not execute the iexplore.exe.

  1. I opened the virtualized IE.

  2. I double clicked on the malware.

  3. It was sandboxed by BB.

  4. I opened the kill switch and checked the modules of the virtualized web browser.

  5. The BBed malware can inject a .dll file to the virtualized web browser.

[attachment deleted by admin]

Has this been fixed for the most recent version?

Can information still be snuck past the firewall component without an alert being given?