v4's feet of clay: IFEO hijacking


Bensec
November 20th, 2008, 11:42 PM
feet of clay :ouch: found in v4

The toolkit (Wsyscheck) here uses IFEO hijacking to disable/block the target program.

Operations:

1. Start Wsyscheck, right-click on ekrn.exe and choose the highlighted menu item on the popup menu as below.

http://www.nod32club.com/attachments/month_0811/20081121_13f82e658ce5e35dc642XdifAH3Ciu9S.jpg


The Image File Execution Options entry left in the registry after reboot.
http://www.nod32club.com/attachments/month_0811/20081121_94d126937998f149d9e5HX3iyAyACdqN.jpg

2. Reboot your computer.

Source: http://www.nod32club.com/viewthread.php?tid=58077
(your Chinese official forum =)

*The OP suggested that v4 should have a driver implementing kernel-level protection that takes effect at an early boot stage, to protect critical registry keys and files.

--
Oops, I missed the second shot.
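
The block below is an added example for this thread, not code from Wsyscheck, ESET or any poster. It shows the defender's side of the technique described above: parsing the text that `reg export` produces for the Image File Execution Options key (the export itself is assumed to have been taken on the machine under review; the sample here is constructed, and the debugger path in it is a placeholder) and listing every image whose launch is redirected through a "Debugger" value, which is how ekrn.exe ends up blocked after the reboot.

```python
"""Audit an exported Image File Execution Options (IFEO) key for Debugger redirections.

Constructed example; not part of Wsyscheck, ESET or any other product.
Input is the text written by
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
(assumed to have been run on the reviewed machine and decoded from UTF-16).
"""
import re
from typing import Dict, List

IFEO_PREFIX = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\Image File Execution Options"
)

# Constructed sample export. The ekrn.exe subkey mirrors the screenshot in the
# thread; the debugger target is a placeholder, not a path any tool writes.
# notepad.exe and DllNXOptions are benign entries that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"Debugger"="C:\\PLACEHOLDER\\blocker.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"foo.dll"=dword:00000001
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_value}} for every key in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            # Value lines look like "Name"=data; the name may contain escaped quotes.
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def unquote_reg_sz(raw: str) -> str:
    """Turn a REG_SZ literal as written by reg export ("C:\\x") into its plain value."""
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return raw.replace("\\\\", "\\").replace('\\"', '"')


def find_ifeo_debuggers(text: str) -> List[dict]:
    """List every direct IFEO subkey that redirects its image through a Debugger value."""
    findings = []
    for path, values in parse_reg_export(text).items():
        if not path.lower().startswith(IFEO_PREFIX.lower() + "\\"):
            continue
        image = path[len(IFEO_PREFIX) + 1:]
        if "\\" in image:  # nested keys such as ...\foo.exe\PerfOptions are not image entries
            continue
        # Registry value names are case-insensitive, so normalise before the lookup.
        lowered = {name.lower(): data for name, data in values.items()}
        if "debugger" in lowered:
            findings.append({"image": image, "debugger": unquote_reg_sz(lowered["debugger"])})
    return findings


if __name__ == "__main__":
    for f in find_ifeo_debuggers(SAMPLE_REG):
        print(f"{f['image']} is redirected through {f['debugger']}")
```

Only keys directly under the IFEO key with a Debugger value are reported; GlobalFlag and the other documented IFEO values are left alone, so the output is the list of images that will not start as themselves at the next launch. Removing the Debugger value restores normal startup, which is the cleanup step the thread's screenshots imply and the reason the OP asks for early-boot protection of the key.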

viruscraft
November 21st, 2008, 12:50 AM
IFEO hijacking is usually used by viruses.

Bensec
November 21st, 2008, 02:17 AM
{QUOTE-> IFEO hijacking is usually used by viruses. <-QUOTE}

Yep, but Wsyscheck/IceSword... are virus-removing toolkits for cleaning rootkits and other stubborn viruses and trojans.
They are risky at some point, but they are powerful.

Maybe ESS and other AVs can use IFEO hijacking against viruses and trojans too.
To any extent, the action of removing any single file is itself potentially risky,
so no trick is risky enough to be/deserve to be forever forbidden as "dark magic". 8)

viruscraft
November 21st, 2008, 03:29 AM
{QUOTE-> Yep, but Wsyscheck/IceSword... are virus-removing toolkits for cleaning rootkits and other stubborn viruses and trojans.
They are risky at some point, but they are powerful.

Maybe ESS and other AVs can use IFEO hijacking against viruses and trojans too.
To any extent, the action of removing any single file is itself potentially risky,
so no trick is risky enough to be/deserve to be forever forbidden as "dark magic". 8) <-QUOTE}

Hi, x-soar,
It's nice to meet you here.

Your "dark magic" is really great imagery.

agoretsky
November 23rd, 2008, 02:47 AM
Hello,

The issue is being investigated. Thank you for your report.

Regards,

Aryeh Goretsky

Bensec
November 23rd, 2008, 06:05 AM
Ah, glad to hear that.

I really hope v4 can take ESET products to an entirely new level of security.
Maybe ESS can offer extra protection for critical system registry keys like PendingFileRenameOperations and IFEO as optional protection, and wrap them up together with other self-protection functions in a separate module, someday.

Personally I like it to be lite and focused.
I use HIPS to protect critical registry keys and files, and I don't like KIS etc.
Some of their protection is redundant and inferior to professional HIPS :)