Hmm... still another rootkit bypassing CFP?

aigle · #1 August 2nd, 2008, 03:21 PM

I tried this rootkit installer detected as Win32/TrojanClicker.Agent.BCI by NOD32 on VT( the only detection on VT for it). It installs a hiddden driver via windows installer, so I removed pre-defined rules for windows installer in CFP, marking it as untrusted. I used max paranoid settings.

Hope some one can confirm my findings. I allowed all pop up alerts.

Here are my settings.

Name: 3.jpg
Views: 810
Size: 70.4 KB

aigle · #2 August 2nd, 2008, 03:23 PM

Here are the popups by CFP, no pop up about driver install/ loading though there is pop up about a new sys file craetion and services registry modification( probably showing ne service install but it must be more obvious like other HIPS). Even no popup alert about SCM access alert.

Name: 1.jpg
Views: 800
Size: 49.8 KB

aigle · #3 August 2nd, 2008, 03:24 PM

Alerts by EQS about driver install/ loading.

aigle · #4 August 3rd, 2008, 07:34 AM

They have repsponded to all other queries and in all cases it was a real bug, nothing wrong on my side.

Only this issue is not addressed so far and I am almost sure that again here it,s a bug in CFP.

baerzake · #5 August 3rd, 2008, 08:57 AM

It is a bug of cfp, I just want it be fixed as soon as possible

Rasheed187 · #6 August 3rd, 2008, 10:16 AM

But if you block the new file creation, I suppose the driver gets blocked? But yes it should give the alert about driver loading anyway. I think the problem with CFP is that it´s giving way too many alerts, it should get smarter.

CogitoErgoSum · #7 August 3rd, 2008, 12:50 PM

For those who are interested,

I can personally confirm that DefenseWall v2.45 successfully blocks and contains install.exe's rootkit driver, dll's and malicious new program installation. I have attached both my DW events log and rollback list as proof.

Peace & Gratitude,

CogitoErgoSum

Alcyon · #8 August 3rd, 2008, 01:15 PM

Code:

HKLM\SYSTEM\ControlSet001\Services\msliksurserv.sys

There's something wrong with the registry path.

ambient_88 · #9 August 3rd, 2008, 01:25 PM

Quote:

Originally Posted by Alcyon

Code:

HKLM\SYSTEM\ControlSet001\Services\msliksurserv.sys

There's something wrong with the registry path.

What's wrong with it?

Alcyon · #10 August 3rd, 2008, 01:36 PM

Code:

HKLM\SYSTEM\ControlSet001\Services\(?..)\msliksurserv.sys

Unless this is intentional!

aigle · #11 August 3rd, 2008, 01:56 PM

Quote:

Originally Posted by Alcyon

Code:

HKLM\SYSTEM\ControlSet001\Services\(?..)\msliksurserv.sys

Unless this is intentional!

From where u took the two paths?

Alcyon · #12 August 3rd, 2008, 02:18 PM

Just by looking at the pics you posted, isn't the path supposed instead to be something like HKLM\SYSTEM\ControlSet001\Services\ServiceName\ImagePath\msliksurserv.sys ?

Btw, I'm planning to try CFP with D+ soon. I haven't tested D+ since MANY months.

zopzop · #13 August 3rd, 2008, 02:46 PM

good job on these tests aigle, they should be paying you for all this work

quick question though, which eqsecure are you using? 3.41 or 4.0 beta?

Coolio10 · #14 August 3rd, 2008, 04:20 PM

I am guessing this isn't going to be fixed in CFP, but in CIS when it comes out in 3-4 weeks.

aigle · #15 August 3rd, 2008, 06:16 PM

Quote:

Originally Posted by zopzop

good job on these tests aigle, they should be paying you for all this work

quick question though, which eqsecure are you using? 3.41 or 4.0 beta?

Thanks zopzop.

I was using EQS 3.41.

aigle · #16 August 3rd, 2008, 06:18 PM

Quote:

Originally Posted by Alcyon

Just by looking at the pics you posted, isn't the path supposed instead to be something like HKLM\SYSTEM\ControlSet001\Services\ServiceName\ImagePath\msliksurserv.sys ?

Btw, I'm planning to try CFP with D+ soon. I haven't tested D+ since MANY months.

Hmmm... I think only Comodo people can tell about this.

trjam · #17 August 3rd, 2008, 07:23 PM

Kudos to Eset. See.....

How did GW do against it.

HURST · #18 August 4th, 2008, 11:41 AM

Just tested SBIE 3.28 against it.
Rootkit safely contained in the sandbox.

Click image for larger version

Name: sbie.JPG
Views: 9
Size: 100.8 KB
ID: 201964

aigle · #19 August 4th, 2008, 01:47 PM

Thanks for the testing!

Rasheed187 · #20 August 5th, 2008, 11:56 AM

Hi,

I´ve tested this malware on two VM´s and I got strange results. First of all both SSM Pro and NG pass the test. However, on one of my machine I saw the strangest thing, it looked like Windows Installer was sort of infected by this rootkit, because everytime I tried to launch a .msi file, it was trying to infect my machine with the msliksurserv.sys rootkit!

So this means that if you didn´t pay any attention (and even if you did) you could end up infecting your system when executing a harmless app. I never saw this before, seems to be very advanced malware. Rootkit Unhooker also reported seeing stealth code on the system, it also detected a parasite inside itself. The question is how to stop this rootkit from modifying/infecting Win Installer, NG couldn´t do it, but I didn´t get to see this behavior when I tested SSM Pro.

aigle · #21 August 5th, 2008, 06:11 PM

Quote:

Originally Posted by trjam

How did GW do against it.

GW stops it but ATM there is a small problem. U mighht fail to launch trusted applications untill u reboot or kill the malware process manually.

In any way system is not compromized at all. I hope that the minor issue will be fixed as it is being investigated.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search