Stuxnet .(lnk exploit malware) versus HIPS

Stuxnet is the malware that has a political background and is made not by criminals, rather it,s backed by some governments.

A very interesting aspect of stuxnet is that it not only used a unique windows vulnerability but also defeated many HIPS software. Until now many HIPS are poor against this malware.

I played with this sample and here are my findings.

1- OnlineArmor proved great in dealing with stuxnet. It successfully intercepted malicious dll execution by explorer.exe without any single pop up alert for any legit dll execution. Very well done.

 

2- CIS, of course has no way to intercept dll execution. So total fail.

 

3- GesWall has a prtial pass. It will not allow untrusted dll execution by/ into a trusted process. So it will stop malicious dll loading from NTFS hard disk/ partitions. But if dll is on a USB stick it will fail as current version still lacks a feature of USB devices isolation.

 

aigle, how would a not novice like me, know that is even Stuxnet. To me it might be Adobe and I allow it. HIPS are cool but need to be written in common day language.

 

4- AppGuard- I am not sure. Malicious dll was loaded but I have no way to know whether it was isolated/ mitigated or not( the developers claim that any dlls executed from USb devices are isolated and can,t harm the system). I saw in process explorer that it was loaded in explorer.exe and nothing in AG log.

 

5- Old CIS v 3 can be configured to intercept dlls. Configured so it does intercepts malicious stuxnet dll loading but still i will call it a fail practically as CIS v 3 doesn,t intercept dlls on default settings and moreover if you set it to intercept dlls, you get literally bombarded with hundreds of dll execution alerts and no user can stay with such settings.

 

6- Finally a little gem- NoAutoruns. Very nice interception. I love this utility.

 

7- Out of curiosity I just checked Prevx safeonline. Normall I don,t test Prevx as it,s mainly signature based( though in the cloud) but I tested it as I know that prevx scans files on execution rather than simple file read/ write( unlike most of other signature based antimalwares). I just wanted to check whether Prevx scans dlls on execution or not. And yes, it did. It scanned and caught the malicious dll.

 

Here is another test with stuxnet POC. All same results. OA- Pass. CIS fails again. OA and NoAutoruns pass. GesWall partial Pass. AG.... hmm I don,t know!!

 

Who said HIPS are for novice?

 

Sandboxie and DefenseWall handle Stuxnet, don't they?

 

Microsoft already patched this, so it's not much of a concern.

 

Aigle, if my memory serves me right, the Windows 7 OS by default only allows Autorun from CDs and DVDs, but not for example removable media like USB sticks, is that correct? Thanks

 

Yes but .lnk exploit has no relation with autoruns.

 

You are right. But it shows that malicious dlls are difficult to intercept by HIPS. Don,t forget the recent dll execution vulnerabilities and who knows how many are still there.

 

They must I think.

 

I don't think they exploit .lnk shortcuts though, which are very hard to avoid.

Anyways, I'm kind of surprised at Comodo's results, does the sandbox work at containing the threat?

 

Comodo doesn,t intercept dlls, just like most other such HIPS, no surprise in it.

 

So no alerts at all huh.

 

Could you please test CIS again by adding rundll32.exe as a limited app.

Please look at Post Nbr #21,22,24,25 for more information here

 

Nice thread
Could you check against Mamutu on normal and paranoid settings?

 

did comodo detect the Outgoing connections




great topic

Plz continue testing it


also what version of windows you're testing on

i saw XP and 7

on 7 what UAC reaction was

 

And with spyshelter?

 

Does Malware Defender pass?

 

If I recall correctly by default it fails, as it doesn't monitor loading of libraries. However if this feature is enabled in the rules, then it is able to prevent the exploit, i.e., it passes.
For the record: same thing should apply to Real-time Defender.