Interesting HIPS leaktests/ malware tests

Discussion in 'other anti-malware software' started by aigle, Jan 18, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    In a period of the last one year or so we have read about a couple of leaktests/ malware here on Wilders that put many HIPS in trouble, proving that even the sophisticated HIPS might fail very well to provide zero day protection.

    The good thing is that many HIPS developers have responded positively and have improved their HIPS accordingly. So it's a healthy attitude, despite the fact that these developers often don't get enough revenue from their software and even some of them are free.:thumb:

    I just wanted to recall most of them that proved the weakness of many HIPS or at least proved to be a very interesting leaktest/ malware.

    1- KillDisk virus- was the first such malware in my memory, it defeated most HIPS and SandBoxes if allowed to execute. It was more than a year back.

    2- XP Killer trojan- Defeated many HIPS after execution was allowed.

    3- Most recent Cutwail/Bulknet malware- sadly the thread did not continue long enough

    https://www.wilderssecurity.com/showthread.php?t=195817

    4- System Shutdown Simulator

    https://www.wilderssecurity.com/showthread.php?t=192099&highlight=system shutdown simulator

    5- GetRawInputData keylogger

    https://www.wilderssecurity.com/showthread.php?t=193247

    6- Martin's Undetectable Keylogger

    7- BufferZone Trojan test- though it was buggy sure, but still interesting

    8- DFK Threat Simulator

    9- Phide.exe rootkit

    https://www.wilderssecurity.com/showthread.php?t=152280&highlight=rootkit

    10- System shutdown protection tests

    https://www.wilderssecurity.com/showthread.php?t=187831&highlight=HIPS

    11- A special termination protection test (by Windows messages)

    https://www.wilderssecurity.com/showthread.php?t=172653&highlight=HIPS

    12- SSDT Unhooker tests

    https://www.wilderssecurity.com/showthread.php?t=180969&highlight=HIPS

    13- Advanced Process Terminator (APT) from DCS

    14- Simple Process Termination (SPT) from syssafety.

    15- KeyLogger test from SysSafety

    16- AKLT by FireWall tester

    17- An interesting Kill method by spy.exe discussed here.

    https://www.wilderssecurity.com/showthread.php?t=184402&highlight=BufferZone

    https://www.wilderssecurity.com/attachment.php?attachmentid=193130&d=1188689461

    18- Prueba trojan test

    https://www.wilderssecurity.com/showthread.php?t=179003

    19- PassDiskProtect_C- sandbox/virtualization bypass under ring3:

    https://www.wilderssecurity.com/showthread.php?t=195340

    20- Robodog- password stealing trojan- not discussed here, I just found a post by Solcroft, interesting that it bypassed many ISR solutions.

    https://www.wilderssecurity.com/showpost.php?p=1145780&postcount=30

    I must have forgotten some, pls add to the list.

    Thanks
     
    Last edited: Jan 21, 2008
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    OK Aigle, but how many of these tests required user input like "OK" and/or "Yes"?
    "Was Allowed"

    I can kill my disk by any "Allowed" action if not in Returnil mode?

    Any and all of these tests fail if run Sandboxed!:cool:
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, no execution, no harm is the rule but modern HIPS are expected to defend more than this.
    Not the keyloggers! Also Sandboxie probably failed (not sure though) when first tried against KillDisk, it was fixed later.
    It failed against some termination tests too!
     
  4. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    That's a great list Aigle,
    Very good reference for future use.

    Since there are lots of security enthusiasts here at Wilders it would be good if:

    Someone made a page similar to Matousec's with a table of popular HIPS and sandboxes such as those on castlecops wiki against the tests you mentioned.

    Now that would be cool! Anyone? All you need is a virtual machine and a free website hosted at like 110mb.com!
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks!
    And a lot of time and knowledge.
     
  6. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Good work Eagle!

    It's also good to remind us that "Being too comfortable" even with the best technologies on hand can sometimes prove risky...

    It also shows a great deal of support from the developers when new "weaknesses" are reported. Helps us all sleep at night!
     
  7. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I disagree with this aigle,

    sure, these threats could disable or harm a HIPS, but these files would still have triggered an allow/deny/block or whatever prompt.

    if the correct prompt was used, I very much doubt that any of the files listed would have penetrated past a HIPS.
     
  8. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Only issue I can see with it from my perch, is those prompts require user intelligence to be effective. Unfortunately user intelligence is often on holidays...
     
  9. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    if in doubt, deny/block.

    I really wouldn't label this as being intelligent.

    if a user does not understand those words, forget using a HIPS, in fact... forget the internet in general. :rolleyes:
     
  10. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Mmmh... a bit dire a verdict.

    I would throw that ball back at the developers. It is in the communications between the user and the utility that the issue is sourced. Not the user so much. I think most would make the "Right" choice if given clear governance and the right information... in clear contextual and simple fashion.
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Have a look at your sig: It is a good idea to provide a test centre central page (ON YOUR WEBSITE MAYBE :eek: ) where you can download test programs, with the correct warning of course (don't try this at home when you have not got a VM or image backup in place).

    AIGLE :thumb: :thumb: :thumb:

    Regards Kees
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks Kees!
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Just added two more:

    No. 19 and 20.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    In considering a user standpoint with these tests, while I haven't tested all of them, the testing I've done required disabling F-Prot which I had on the vm machine to test. It shut them all down.

    I know someone in the security business, and his approach when given anything new is to wait 30 days. Then scan and install it. Hmmm

    Pete
     
  15. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    You can of course just do it on the castlecops wiki. The wiki is free for editing to anyone..... you don't have to be cc staff...
     
  16. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Can somebody send me this "Robodog" malware sample with a short description of it and its job - I haven't tested it?
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Peter may be able to.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I also want it. I PMed solcroft but he does not have it ATM. Coldmoon might have a copy of it. I PMed him but so far no reply!
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I have finally tested it and Neoava passes the test. And what's so special about the EICAR file creation? If it can't execute it's no problem, right?

    It was nice to see that SSM's protection against "low level keyboard access" stops this.

    What's so special about this one? I can't remember.

    I know SSM failed (older versions) but what about NG?

    If I'm correct, tzuk claimed that SBIE failed because of a conflict with SSM.

    I've checked out this test but it behaves weirdly on my VM, it won't make my machine unbootable for some reason. But SSM could stop it anyway.

    I would also like to know if it uses some kind of special technique to bypass HIPS/ISR's.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I still don't know if PS can stop this or not? And if not, has it been fixed? Strangely enough I couldn't find any info on the PS forum. If it failed it was really quite a big flaw.

    When I run this malware I don't get any alerts from SSM/NG and I still don't know if it actually tries to perform any malicious behavior. As you can see in the thread, PS and TF also didn't make a sound.

    https://www.wilderssecurity.com/showthread.php?t=184520&highlight=threatfire

    Most HIPS don't protect against this, both NG and TF can't completely stop the damage.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Rasheed! You want me to go through all the threads and bring out the cooked meal for you? Have you read all these threads in detail?

    File infectors - I agree will bypass many HIPS but any HIPS with full-blown file protection will stop them
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    This is file protection test!
    There was a thread here. It bypassed many ARK tools.

    https://www.wilderssecurity.com/showthread.php?t=152280&highlight=rootkit

    Then you must also know that nicM did not test NG. Did you read the tests?
    Did I say that SBIE failed here?
    I don't know.
     
  23. alfa1

    alfa1 Registered Member

    Joined:
    May 3, 2006
    Posts:
    61
    From PS board,
    "I have analysed this rootkit again today, now I know why this occurred.
    It injects into the kernel in two steps:
    1. Modify or replace ip6fw.sys and then start it (PS doesn't block an existing driver from starting). Then the new ip6fw.sys removes all SSDT hooks of PS.
    2. Load its driver runtime.sys from ZwLoadDriver.

    So if we block it from modifying ip6fw.sys, then PS can detect any action of this malware well. But if not...

    I will change the default file/folder rules from v1.42 to block all writing/deleting *.sys *.exe *.dll... actions to windows folder and files...
    "

    http://www.proactive-hips.com/yabb/yabb2/YaBB.pl?num=1199083771

    However, we are waiting for 1.43 which should be a significant step forward (IMO) compared to what is possible today* (which is already considerable ;) )...
    Jie is working very WELL to improve his product and he really listens to his customers...

    *at least, in the fight against Rootkit malicious behaviour...
     
    Last edited: Jan 21, 2008
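    The file/folder rule quoted in the post above (block writes and deletes of *.sys, *.exe and *.dll under the Windows folder, so that step 1 of the rootkit, replacing ip6fw.sys, is caught before the driver ever starts) can be modelled as a small path-policy check. This is an added example, not the PS product's own code or anything posted in this thread; the protected root, the operation names and the sample events are assumptions, and it uses Python's ntpath so the Windows path comparison runs on any OS.

```python
"""Hypothetical model of a HIPS file-protection rule: block write/delete/rename
of protected extensions under the Windows folder. Uses ntpath so Windows path
semantics (backslashes, case-insensitivity, '..') are applied on any host OS."""
import ntpath

PROTECTED_ROOTS = (r"C:\Windows",)              # assumed system root
PROTECTED_EXTS = {".sys", ".exe", ".dll"}       # from the quoted rule
BLOCKED_OPS = {"write", "delete", "rename"}     # "rename" assumed: replacing a driver


def _canonical(path: str) -> str:
    # Resolve '..', collapse separators, lowercase: a rule compared on the raw
    # string would be bypassed by C:/WINDOWS/... or C:\Temp\..\Windows\...
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path: str, root: str) -> bool:
    p, r = _canonical(path), _canonical(root)
    # Require a separator after the root so C:\Windowsx does not match C:\Windows
    return p == r or p.startswith(r + "\\")


def decide(op: str, path: str) -> str:
    """Return 'block' or 'allow' for one file operation on one path."""
    if op.lower() not in BLOCKED_OPS:
        return "allow"                          # reads are outside this rule
    ext = ntpath.splitext(_canonical(path))[1]
    if ext not in PROTECTED_EXTS:
        return "allow"
    if any(is_under(path, root) for root in PROTECTED_ROOTS):
        return "block"
    return "allow"


# Constructed sample events modelled on the two steps described in the post.
SAMPLE_EVENTS = [
    ("write", r"C:\Windows\system32\drivers\ip6fw.sys"),          # step 1: block
    ("write", r"C:/WINDOWS/System32/Drivers/IP6FW.SYS"),          # same file, different spelling: block
    ("write", r"C:\Temp\..\Windows\system32\drivers\ip6fw.sys"),  # traversal: block
    ("write", r"C:\Users\me\runtime.sys"),                        # step 2 drops outside: allow
    ("read", r"C:\Windows\system32\drivers\ip6fw.sys"),           # read is not covered: allow
]


def evaluate_all(events=SAMPLE_EVENTS):
    return [decide(op, path) for op, path in events]
```

    Note that step 2 (loading runtime.sys via ZwLoadDriver) is not a file write at all; a file rule like this one needs to be paired with a driver-load rule, which the model above does not cover.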
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    That's great!
     
  25. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Are you saying that F-PROT (or any AV) blocks all of these?
     