Testing bifrost against various HIPS/sandboxes...


aigle
October 18th, 2007, 12:04 AM
Thread split from an AppDefend forum thread (http://www.wilderssecurity.com/showthread.php?t=188431) as the topic changed focus.

___________________________
Did somebody try it against other HIPS/sandboxes etc.?

Thanks

gangABang
October 18th, 2007, 02:55 AM
-{ Quote: "
Yes it is a bit crazy that I missed it. I shocked myself even.

It possibly could have been a bit more hidden until the malware started to use it recently, since pretty much every product was vulnerable.
" }-
Yes lol :)
The funniest thing is KAV Proactive is still bypassable after all these months.
So, what was the result? Was it that physical\memory thing? :)
Did you find out what it is exploiting?

aigle
October 18th, 2007, 08:30 AM
EQSecure, NG, GW: all passed I think. See the pics.
Also have a look here (they are the same).

http://www.wilderssecurity.com/showthread.php?t=179003&highlight=SSM

Also see tests by nicM (SSDT unhooker tests).

gangABang
October 18th, 2007, 10:19 AM
aigle, nice to see your product passing.. :)

aigle
October 18th, 2007, 07:04 PM
lol, it's not mine!
I am just a user. ;D

gangABang
October 19th, 2007, 04:50 AM
Dead wrong, it failed my test.
I only allowed process execution and blocked the rest; here is the result :D lol
Bifrost successfully unhooked the SSDT.
EQSecure for System 2007 v3.41 Result
ntcreatekey
ntcreatesection
ntcreatethread <----- unhooked
ntdeletekey <------ unhooked
ntdeletevaluekey <------unhooked
ntloaddriver
ntopenprocess
ntopensection
ntprotectvirtualmemory <----- unhooked
ntrequestwaitreplyreport
ntrestorekey
ntsetcontextthread
ntsetsysteminformation
ntsetsystemtime
ntsetvaluekey <---- unhooked
ntshutdownsystem
ntsuspendprocess
ntsuspendthread
ntsystemdebugcontrol
ntterminatejobobject
ntterminateprocess
ntterminatethread
ntwritefile
ntwritevirtualmemory <-- unhooked
====================================

So what was the alarm up there that aigle posted? Was it blocked? Naaa, if the server was configured to unhook ntsystemdebugcontrol,
all will be silent lol :D
So EQSecure is too INSECURE.

aigle
October 19th, 2007, 10:00 AM
Hi gangABang, thanks for your testing. It's interesting. Sorry if I have posted wrong results.

1- I did not check for all SSDT hooks (it was my fault). I just had a glance at the SSDT table in IceSword and saw most of the hooks there, so I thought EQS passed.

2- If I remember well, NicM has tested Bifrost recently and according to him, EQS (but it was version 3.4, not 3.41) passed the test, i.e. the SSDT unhooking tests.

I am not sure at the moment. I will repeat the test today or tomorrow, by God's will, and post my results here. Will also see how GW and NG behave.

Please let me know which tool you used to see the SSDT table hooks.

Thanks

gangABang
October 19th, 2007, 11:04 AM
I used RkUnhooker. BTW, I tested it only on XP SP2. I dunno how SP1 behaves, so test it there too.

aigle
October 19th, 2007, 11:22 AM
I tried on XP SP2.

Give me some time and I will report back, maybe tomorrow!

SystemJunkie
October 19th, 2007, 12:50 PM
-{ Quote: "see how it restores the service descriptor table to ntoskrnl.exe lol it kicks Process Guard and various firewalls like ZoneAlarm etc...
P.S. bypassing is limited to XP systems." }- Are you talking about version 1.21?
I thought it was pretty buggy... IMHO Bifrost does not represent such a great danger nowadays, as far as I remember, but maybe you are talking about a newer version.

gangABang
October 19th, 2007, 01:35 PM
It is not Bifrost that makes it dangerous; the techniques used to bypass are what make it dangerous, since every other virus or trojan could take advantage of it.

SystemJunkie
October 19th, 2007, 03:38 PM
-{ Quote: "It is not Bifrost that makes it dangerous; the techniques used to bypass are what make it dangerous, since every other virus or trojan could take advantage of it." }- You mean this little checkbox that allegedly should unhook everything? Besides, Bifrost isn't open source, so why do you think other trojans will use this too? Bifrost was the only sophisticated RAT as far as I remember; there is no serious opponent, but Bifrost is still very limited and IMHO not to be taken seriously. Since Bifrost nothing really new has happened except these exploit kits I guess, so where are all those so-called super dangerous tools? Rootkit.com does not publish anything new... actually the defenders are much more productive than the aggressors in my opinion, at least related to public productions.

AJohn
October 19th, 2007, 10:37 PM
Bifrost is to be taken seriously and the team developing it surely has friends as they are a group who seem to mostly have their own individual releases besides Bifrost.

Edit: Interesting information on the origins of Bifrost's chosen name: http://en.wikipedia.org/wiki/Bifröst

solcroft
October 20th, 2007, 08:35 AM
-{ Quote: "deadly wrong it failed my test" }-
Then I suggest you investigate your testing measures, because EQSecure passed with no problems on my end, as did ThreatFire.

gangABang
October 20th, 2007, 09:39 AM
-{ Quote: "
Then I suggest you investigate your testing measures, because EQSecure passed with no problems on my end, as did ThreatFire.
" }-
I am very sure it is insecure, the same for NeoavaGuard beta2. ;D
On an XP SP2 system.

solcroft
October 20th, 2007, 10:32 AM
-{ Quote: "I am very sure it is insecure, the same for NeoavaGuard beta2. ;D
On an XP SP2 system." }-
Nice try. EQSecure blocks the unhooking attempt, does not get unhooked, and then proceeds to monitor the trojan's subsequent behavior. AntiBot/PRSC and ThreatFire block and quarantine this trojan as well.

gangABang
October 20th, 2007, 11:43 AM
Which version of EQSecure did you try?? I tested EQSecure 3.41.

gangABang
October 20th, 2007, 11:59 AM
OK, I have tested this again on a different machine (XP SP2). Still, EQSecure only warns "Debug at system level" repeatedly; then I block it, checking "remember this action", and all becomes silent and the server connected back to me. I looked at the SSDT: the same result, unhooked, and it has kicked EQSecure's ass lol ;D
I am 101% sure it bypasses EQSecure 3.41, AppDefend alpha version and NeoavaGuard beta2 :)
I dunno about ThreatFire since I don't have the software.
If you don't believe it, ask someone to prove this for you. ;D

//edit: are you sure you are on an admin account (it needs an admin account)?

solcroft
October 20th, 2007, 12:05 PM
-{ Quote: "If you don't believe it, ask someone to prove this for you. ;D" }-
I don't need someone else to prove it for me. EQSecure is working perfectly as advertised on aigle's and my system as well as another member on another forum who just tested this sample as well, so it's up to you to investigate your own test methods and find out why they're giving erroneous results.

gangABang
October 20th, 2007, 12:15 PM
-{ Quote: "
so it's up to you to investigate your own test methods and find out why they're giving erroneous results.
" }-
No, they are proven and twice tried, so I will not accept this.
Maybe I have to disagree with you ;D

aigle
October 20th, 2007, 12:21 PM
Hi here is my testing.

I used XP SP2. Used RKU (RootKit Unhooker) to examine the SSDT. Loaded a fresh image of my working system. Uninstalled NeoavaGuard. Uninstalled older EQS v4. Installed latest EQS version 4.1.
Other software on the system are ShadowSurfer and Antivir. I did testing under SS as I have no VM. Remember, on my system, due to overlap between security software, RKU doesn't show all hooks of EQS. Also when I am in ShadowMode, EQS hooks are even reduced and there are unknown hooks on the SSDT which are probably due to ShadowMode.

I tried GW and let Bifrost run inside GW and do whatever it wanted until it launched IE. I then killed IE and also killed the isolated untrusted instance of explorer.exe launched by server.exe. Then I examined the SSDT via RKU.

I then deleted the isolated (GeSWalled) copy of server.exe from Program Files > Bifrost.

Now I tried server.exe outside of GW.
EQS gave a popup that server.exe is being executed -- I allowed.
2nd EQS popup -- Debug at system level -- I denied (with option to remember temporarily).
3rd popup -- explorer.exe memory modification -- I denied (with option to remember temporarily).

No more popups. Examined the SSDT with RKU.

I am posting results as text files, so you can examine them. These are 5 text files.

1- Base-line SSDT shown by RKU without Shadow mode
2- Base-line SSDT in ShadowMode
3- SSDT after running server.exe inside GW
4- SSDT after running server.exe against EQS
5- GW log of server.exe isolation

Please tell me your opinions and analysis of the results.

Thanks

I did not try NG yet as it's not yet installed on my new image and also, as far as I know, NG is still not supposed to protect against SSDT unhookers. I hope Arman will add this protection in future. I have already suggested this feature to him on their forums.
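
An added example, not from any post in this thread and not RKU's, EQSecure's or Bifrost's code: a small C program that does over constructed data what the posters do by hand with two RKU dumps. It takes a baseline SSDT snapshot and one taken after the sample has run, and marks each slot as untouched, unhooked (now pointing back into ntoskrnl.exe) or redirected (changed, but still pointing outside the kernel image). The module ranges, service indices and handler addresses are made up for the example and "hips.sys" is a hypothetical driver name; the slot names follow gangABang's result list above (ntcreatethread, ntwritevirtualmemory etc. marked unhooked), and the before/after comparison is the one aigle's test procedure describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A loaded kernel module's address range. Every value in this file is
 * constructed for the example (32-bit XP-style numbers); none come from a
 * real machine or from the thread's RKU dumps. */
typedef struct {
    const char *name;
    uint32_t    base;
    uint32_t    size;
} Module;

/* One SSDT slot as RKU-style tools list it: service index, name, handler. */
typedef struct {
    unsigned    index;
    const char *name;
    uint32_t    address;
} SsdtEntry;

static const Module kModules[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x00210000u },  /* kernel image */
    { "hips.sys",     0xF7A00000u, 0x00020000u },  /* hypothetical HIPS driver */
};
#define NMODULES (sizeof kModules / sizeof kModules[0])

/* Module whose range contains addr, or NULL if it lies in no known module. */
const Module *ssdt_owner(uint32_t addr)
{
    for (size_t i = 0; i < NMODULES; i++)
        if (addr >= kModules[i].base && addr - kModules[i].base < kModules[i].size)
            return &kModules[i];
    return NULL;
}

/* A slot is hooked when it does not point into ntoskrnl.exe. An address in no
 * known module also counts: an unhooker restores kernel addresses, so that can
 * only be somebody else's redirect. */
int ssdt_is_hooked(uint32_t addr)
{
    const Module *m = ssdt_owner(addr);
    return m == NULL || strcmp(m->name, "ntoskrnl.exe") != 0;
}

enum { SSDT_SAME = 0, SSDT_UNHOOKED = 1, SSDT_REDIRECTED = 2 };

/* Compare one slot between the baseline and the post-run snapshot. */
int ssdt_classify(const SsdtEntry *before, const SsdtEntry *after)
{
    if (before->address == after->address)
        return SSDT_SAME;
    if (ssdt_is_hooked(before->address) && !ssdt_is_hooked(after->address))
        return SSDT_UNHOOKED;     /* HIPS hook gone, kernel handler back */
    return SSDT_REDIRECTED;       /* changed, still not ntoskrnl: suspicious */
}

typedef struct { size_t unhooked; size_t redirected; } SsdtDiff;

/* Tally the differences between two snapshots of the same n slots. */
SsdtDiff ssdt_diff(const SsdtEntry *before, const SsdtEntry *after, size_t n)
{
    SsdtDiff d = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        int c = ssdt_classify(&before[i], &after[i]);
        if (c == SSDT_UNHOOKED)   d.unhooked++;
        if (c == SSDT_REDIRECTED) d.redirected++;
    }
    return d;
}

/* Constructed snapshots in the shape of the thread's result list: the HIPS
 * hooks six of seven services in the baseline; afterwards four point back into
 * the kernel image, one is unchanged and one points into no known module. */
static const SsdtEntry kBefore[] = {
    { 0x35,  "NtCreateThread",         0xF7A01000u },
    { 0x7A,  "NtOpenProcess",          0xF7A01200u },
    { 0x89,  "NtProtectVirtualMemory", 0xF7A01400u },
    { 0xB2,  "NtSystemDebugControl",   0xF7A01600u },
    { 0xF7,  "NtSetValueKey",          0xF7A01800u },
    { 0x115, "NtWriteVirtualMemory",   0xF7A01A00u },
    { 0x101, "NtTerminateProcess",     0x805D0000u },  /* never hooked */
};
static const SsdtEntry kAfter[] = {
    { 0x35,  "NtCreateThread",         0x805A1000u },  /* restored */
    { 0x7A,  "NtOpenProcess",          0xF7A01200u },  /* hook survived */
    { 0x89,  "NtProtectVirtualMemory", 0x805B2000u },  /* restored */
    { 0xB2,  "NtSystemDebugControl",   0x00401000u },  /* redirected elsewhere */
    { 0xF7,  "NtSetValueKey",          0x805C3000u },  /* restored */
    { 0x115, "NtWriteVirtualMemory",   0x805C4000u },  /* restored */
    { 0x101, "NtTerminateProcess",     0x805D0000u },
};
#define NENTRIES (sizeof kBefore / sizeof kBefore[0])

/* Print a per-slot report in the style of the result list and return the tally. */
SsdtDiff ssdt_report(void)
{
    static const char *label[] = { "", "<----- unhooked", "<----- redirected, still hooked" };
    for (size_t i = 0; i < NENTRIES; i++)
        printf("%-24s %s\n", kAfter[i].name, label[ssdt_classify(&kBefore[i], &kAfter[i])]);
    SsdtDiff d = ssdt_diff(kBefore, kAfter, NENTRIES);
    printf("%zu unhooked, %zu redirected of %zu slots\n", d.unhooked, d.redirected, (size_t)NENTRIES);
    return d;
}

int main(void)
{
    SsdtDiff d = ssdt_report();
    return (d.unhooked || d.redirected) ? 1 : 0;  /* non-zero: the HIPS lost hooks */
}
```

Comparing two snapshots, instead of only eyeballing the final table as aigle first did in IceSword, is what separates "hook removed" from "hook never shown": when overlapping security software or ShadowMode hides some EQS hooks from the tool, those slots look the same in both dumps and are not counted. A slot that ends up at an address in no known module is reported as a redirect rather than as clean, because an unhooker writes the original kernel address back; anything else deserves a closer look.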

solcroft
October 20th, 2007, 12:21 PM
-{ Quote: "No, they are proven and twice tried, so I will not accept this." }-
Personally, it's none of my concern.

gangABang
October 20th, 2007, 12:36 PM
-{ Quote: "Hi here is my testing. [...] Please tell me your opinions and analysis of the results." }-

OMG, this is really weird; from the log it seems everything is okay.
I don't understand how it bypasses/unhooks EQSecure, not once, not twice, three times lol on my systems.

Maybe I could believe it if someone more experienced, maybe Jason of course if he is interested, tests this and finds out with EQSecure. :)

aigle
October 20th, 2007, 03:36 PM
-{ Quote: "I am very sure it is insecure, the same for NeoavaGuard beta2. ;D
On an XP SP2 system." }- I think by mistake you have tested an older version of NG.
Latest version is beta 3 build 302.

http://www.smokey-services.eu/forum/viewtopic.php?t=6157

SystemJunkie
October 20th, 2007, 04:26 PM
-{ Quote: "Bifrost is to be taken seriously and the team developing it surely has friends as they are a group who seem to mostly have their own individual releases besides Bifrost." }- If they use browser injection it is very easy to detect, so I don't take it seriously. Its stealthiness leaves a lot of traces.

Sure, it is the only non-commercial remote tool that can be taken seriously as regards features and functions, but nevertheless easy to detect. But I still think this trojan/RAT scene is very weak, because since Bifrost nothing better ever appeared; 3 years and people only talk about Bifrost because nothing else is really good. So in essence there is nothing really scary out there, except this Purple Pill, Shadow Walker and Rustock.C myth that even isn't proven and is only PoC.. so hackers out there, where is your ammunition? I don't see anything really scary! Show us something scary and proven, not just proof of concept. The last strike from the scene was Bifrost and hxdef; since then nothing real. So we come to the conclusion that 2004 was the last productive year with non-PoC and non-beta results from the black hats.

gangABang
October 21st, 2007, 09:28 AM
@aigle OK, I will download it, thank you.

aigle
October 22nd, 2007, 06:36 AM
Please let us know your results. NG beta 3 has some install problems, so during install, before you reboot, mark all your security software as trusted to avoid any problems.

Were you able to find the problem with your testing of EQS? Are you testing in a VM / shadow mode / real system?

aigle
October 24th, 2007, 10:06 AM
Tried NG beta 3 under ShadowMode of SS. It seems to pass the test.

Examined the SSDT using RKU. On my system under shadow mode, it showed 33 hooks by NG.

1- I executed server.exe, NG gave an execution popup - allowed
2- NG gave a balloon alert from the tray area that server.exe was stopped from accessing memory directly (direct memory access is denied by NG for any executable by default, without any popup).
3- NG gave a popup that server.exe is trying to modify the memory of explorer.exe - denied

Nothing more, and server.exe was dead.

Again launched RKU and examined the SSDT. All the hooks were in place, no unhooking at all.

As before, I am posting results as text files, so you can examine them. These are 2 text files.

1- Base-line SSDT in ShadowMode before running server.exe
2- SSDT after running server.exe against EQS

If I allow direct memory access to server.exe via NG, it removes 7 hooks of NG on my system.

Thanks