dll exploit / .lnk exploit mitigation by HIPS
aigle
October 11th, 2010, 07:29 PM
There are two interesting exploits/vulnerabilities discovered recently.
1- .lnk exploit (involves a dll execution too).
2- dll vulnerability
HIPS and behaviour blockers are usually not meant to handle malicious dll execution. Many classical HIPS can be configured to intercept dll execution/loading, but due to the insane number of pop-up alerts it's not practical at all.
I have tried the POCs for both exploits with Comodo Defence Plus v4, EQSecure and GesWall.
CIS v5 is great but sadly it has no control for dll execution. :'( No way to intercept both these exploits via CIS 5.
Here is the .lnk exploit POC that executes a test dll named dll.dll.
aigle
October 11th, 2010, 07:32 PM
Here is the second POC. This is for the dll exploit. I tried it with VLC Media Player.
aigle
October 11th, 2010, 08:16 PM
And here is an interesting dll issue.
http://www.greatis.com/security/explorer_redirection_dll_startup_hole.htm
I searched for this malware and then tested it with CIS v4 and GesWall. Besides the dll issue, the malware also installs a driver, so any HIPS will stop it anyway. However, the dll part of it is interesting. In the case of XP, once a malicious linkinfo.dll is dropped into the Windows directory, Windows Explorer will automatically load it on the next boot.
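Why a copy of linkinfo.dll in the Windows directory wins over the real one in System32 for explorer.exe follows from the DLL search order. The script below is an added example, not code from the thread or from greatis: it models that search order (SafeDllSearchMode on or off) against a constructed file listing and reports, for a given executable, which System32 DLLs would be shadowed by a copy found earlier in the order, which is the check an administrator or HIPS would want to run.

```python
# Added example (not from the thread): models the Windows DLL search order to
# show why a planted C:\Windows\linkinfo.dll is loaded by explorer.exe ahead of
# the real one in System32, and flags such shadowed DLLs for an audit.
# The file listing below is constructed sample data, not a real machine.
from pathlib import PureWindowsPath as P

WINDOWS = P(r"C:\Windows")
SYSTEM32 = WINDOWS / "System32"
SYSTEM16 = WINDOWS / "System"

# Constructed file listing, lower-cased for lookup.
PRESENT = {
    str(SYSTEM32 / "linkinfo.dll").lower(),  # legitimate copy
    str(WINDOWS / "linkinfo.dll").lower(),   # planted copy (the greatis case)
    str(SYSTEM32 / "shell32.dll").lower(),
}

def search_order(exe_path, cwd, path_dirs, safe_dll_search_mode=True):
    """Directories probed, in order, for a DLL requested by bare name.
    SafeDllSearchMode (default since XP SP2) probes the current directory
    after the system directories; the legacy order probes it second. Either
    way the application directory is first, and for explorer.exe that
    directory is C:\\Windows itself."""
    app_dir = P(exe_path).parent
    if safe_dll_search_mode:
        order = [app_dir, SYSTEM32, SYSTEM16, WINDOWS, P(cwd)]
    else:
        order = [app_dir, P(cwd), SYSTEM32, SYSTEM16, WINDOWS]
    return order + [P(d) for d in path_dirs]

def resolve_dll(dll_name, exe_path, cwd="C:\\", path_dirs=(), safe=True,
                present=PRESENT):
    """First existing candidate along the search order, or None."""
    for d in search_order(exe_path, cwd, path_dirs, safe):
        candidate = str(d / dll_name).lower()
        if candidate in present:
            return candidate
    return None

def audit(dll_names, exe_path, present=PRESENT, **kw):
    """Map each DLL that System32 provides but that resolves elsewhere for
    this executable to the path that would actually be loaded."""
    findings = {}
    for name in dll_names:
        expected = str(SYSTEM32 / name).lower()
        hit = resolve_dll(name, exe_path, present=present, **kw)
        if expected in present and hit != expected:
            findings[name] = hit
    return findings

if __name__ == "__main__":
    print(audit(["linkinfo.dll", "shell32.dll"], r"C:\Windows\explorer.exe"))
```

For explorer.exe the audit reports linkinfo.dll resolving to the planted copy in C:\Windows, while for an executable living elsewhere (VLC under Program Files, say) the same DLL resolves to System32 and nothing is reported.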
aigle
October 11th, 2010, 08:19 PM
And with GesWall.
moontan
October 11th, 2010, 08:19 PM
Sorry to hijack your thread for an instant m8.
aigle:
-{ Quote: "I have tried the POCs" }-
POC?
I see this quite often here.
What does it mean?
I've Googled it and there's about 30-40 definitions.
From where I sit, it's either Proof of Concept or Pile of Cr*p! :o
Is it something else?
aigle
October 11th, 2010, 08:20 PM
Again, this dll loading part can't be tested with CIS v5 as it has no dll control. >:(
trjam
October 11th, 2010, 08:23 PM
Proof of Concept.:dry:
aigle
October 11th, 2010, 08:24 PM
-{ Quote: "Sorry to hijack your thread for an instant m8.
aigle:
POC?
I see this quite often here.
What does it mean?
I've Googled it and there's about 30-40 definitions.
From where I sit, it's either Proof of Concept or Pile of Cr*p! :o
Is it something else?" }-
Yep, Proof of Concept. :)
You may call it a pile of crap until the real malware comes out, it's up to you. By the way, the .lnk exploit is already more than a Proof of Concept (Stuxnet worm).
moontan
October 11th, 2010, 08:25 PM
Tnx m8!
Now back to our regular programming...
moontan
October 11th, 2010, 08:43 PM
According to the article at greatis:
-{ Quote: "Affected Systems
Windows 2000, XP(SP1,SP2,SP3), 2003, Vista(SP1), 2008 Server.
Vista UAC prevents a user from creating files in the Windows folder but it may be easily skipped." }-
m00nbl00d
October 11th, 2010, 08:59 PM
-{ Quote: "according to the article at greatis" }-
-{ Quote: "Vista UAC prevents a user from creating files in the Windows folder but it may be easily skipped." }-
What about a LUA Limited User Account (XP)/Standard User Account (Vista, 7)? By definition, a limited/standard user has no write permissions to C:\Windows.
Boost
October 12th, 2010, 04:03 AM
Geswall - :thumb:
Kyle1420
October 12th, 2010, 04:36 AM
Yep, as always ;D If there isn't a conflict... GesWall is a nice layer.
blacknight
October 12th, 2010, 05:30 AM
-{ Quote: "CIS v5 is great but sadly it has no control for dll execution. :'( No way to intercept both these exploits via CIS 5." }-
Aigle, did you try it, or did you only see the v5 Defense+ settings? I say it because it is unknown which files are checked by default, see here (https://forums.comodo.com/news-announcements-feedback-cis/comodo-internet-security-501626361135-released-t61661.195.html) 196
aigle
October 12th, 2010, 11:14 AM
Yes, I tried. Also, officially egemen, the lead developer, himself wrote that dll control is no longer there in this version.
moontan
October 12th, 2010, 11:19 AM
Tnx for feeding my paranoia folks! :lurking:
I think I'm gonna give Ubuntu a try. ;D
blacknight
October 12th, 2010, 01:23 PM
-{ Quote: "Yes, I tried. Also, officially egemen, the lead developer, himself wrote that dll control is no longer there in this version." }-
??? ??? Another good reason for not upgrading from v4.
Copyright ©2002 - 2012, Wilders Security Forums