Sandbox bypassed by variant of RaT Malware [M1371]

1. The full product and its version:
COMODO Internet Security 8.0.0.4314 BETA
2. Your Operating System (32 or 64 bit) and ServicePack revision. and if using a virtual machine, which one:
in real system , windows 7x64 , and in virtualbox 3.4.18 r96516 win 7x64
3. List all the configuration changes you did. Are you using Default configuration? If no, whats the difference?:
Default configuration
4. Did you install over a previous version without uninstalling first, or import a previous configuration file?:
Clean install
5. Other Security, Sandboxing or Utility Software Installed:
No
6. Step by step description to reproduce the issue. Or if you cannot reproduce it, what you actually did before it happened, step by step:
1:My friend and I agreed to test malware from Rat type, malware making by my friend
2:After operating malware , on the default mode skipped Sandbox, partially via desktop imaging and also track the clicks of the keyboard
3:The malware , to keep track of the accounts in browsers and logging passwords

7. What actually happened when you carried out these steps:
Sandbox was skipped and track clicks of the keyboard and the screen imaging
8. What you expected to see or happen when you carried out these steps, and why (if not obvious):
Prevent tracking clicks and keyboard also imaging the screen
9. Any other information:
Video to clarify the issue of my computer

Video to clarify the issue of my frined “hacker”

[attachment deleted by admin]

Hi SD

Many thanks for reporting this issue

If possible could you post a link to the malware sample, zipped with password ‘infected’

Also could you please post your active process list or Killswitch display when the malware is running.

Best wishes

Mouse

Done !

Hi SD

Sorry to trouble you further but if possible please record the Killswitch processes when the malware is running. Please also open Killswitch in advance so at the ratings are showing - some are currently showing ‘analysing’.

Kind regards

Mike

Thanks for bringing my attention, the problem occurred because of my use killswitch private CCE
I modified the first post

Same here I am afraid.

Could you please show the RAT malware running in a Killswitch display

Preferably a screenshot so I can see the process tree?

Many thanks

Mike

[attachment deleted by admin]

Thanks SD very much. OK so it’s a straightforward single process sandboxed as FV

Could I just confirm whether the malware window is in foreground or background when able to:

  1. capture screenshots
  2. Capture keystrokes
  3. Capture clicks

(Is it the on-top Window).

If it is in foreground then I think this is by design, unfortunately.

Mouse

It is already there is only one process “counter strike.exe”

Hi SD

Sorry I think we are having language difficulties

I will try with simpler sentences.

When it captures screenshots is it the foreground window?

When it keylogs is it the foreground window?

Kind regards

Mike

I am sorry for my poor English, malware keep the background only, and does not show any interface, only in the one case : if haker wants to open chat with the victim

Note: This is a malware type of njrat
Please see this topic :
http://www.dev-point.com/vb/t317519.html

OK SD, forwarding. Many thanks for the great bug report.

Mouse

JUst to double check. Does this exploit function in the release version too? 8.0 4337

The answer is yes, in all versions of CIS 8 final and beta

Thanks SD, I have raised its priority accordingly.

Thank you :-TU

Hi SD
I am from the Comodo China team. I cannot download the malware from the website. Could you please give me the malware?

Skype: robingt4805

I am send you a hacker tool yesterday

Thanks

Hi AD

I have sent mail and PM to you with the issue. Thanks for your help.

I’ve got a message, please can you give me I am your account no-ip and port open in your modem
I want to encrypt the server for you