Blackday trojan versus HIPS

Blakday trojan/ worm( W32.Whacker.A by Symantec) is a very very nasty malware. It overwrites a lot of data file types and executables with a copy of its own and makes a total mess of your system. Moreover it puts its copies with autorun.inf files on all partitions, drives and USB sticks etc. Very scary malware indeed. Let,s see how some of the HIPS fare against this malware.

 

Comodo Defence Plus - default settings but tightened the autosandbox to Untrsuted instead of partially limited

It failed. Blackday trojan successfully trashed the system..

 

GesWall- Passed. Blackday trojan could not touch any files. It did create many of its copies but these were all isolated by GW.

 

OnlineArmor- I allowed first pop up( malware execution) and denied the rest. OA stopped blackday.exe from getting list of files on all partitions and stopped from creation of any of its copy there.

Only a small glitch blackday trojaan was able to create some autorun.inf files though they were harmless as there were no associated malware files but they were sure a bit nusiance for novice users while opening the partitions and USB sticks.

 

ok try v3.12 beta defensewall just out on this site..http://gladiator-antivirus.com/forum/index.php?showtopic=117694 'THANKS'

 

AppGuard- with high settings I run Blackday.exe from C:\Program Files folder as a guarded application. AG stopped blackday.exe from infecting most of files but unfortunately still some of files were infected. It was disappointing and totally unexpected.

 

Great job aigle!

 

Aigle, what flavor of windows are you running? Kinda bummed out about CIS failing. Does the AV pick it up at all?

 

Apparently XP, according to the screenshots. The Comodo sandbox seems to fail miserably.

 

I think with new version of OA can even block the modification of autorun.inf files with its file and registry shield.

refer the attached image - http://www.emsisoft.com/en/info/oa/Resources/flist.png.

If you have time/patience, you can consider upgrading your VM to v5. Or some can confirm my guess. Again thanks for your time in letting every one know about each products strength and weaknesses. Appreciated

Thanks,
Harsha

 

Comodo has not been putting in a good showing that's for sure.

 

Check *

 

sorry for a bit irrelevant question..

does anyone know if rapport could play nicely together with Online Armor Permium? I'm considering myself to try it.

b/W i do already have a license to it.

Thanks,
Harsha

 

XP Home SP2 for testing.

AVs mostly catch these samples but it,s not the matter. Any malware write can write a sample with same capability and still undetected by any AV.

 

Not a very nice rule IMHO. It,s just a rule to intercept ANY file creation in root of C drive / Partition.

Comodo has a builtin rule that intercepts ONLY autorun.inf file creation in root of any drive/ partition etc. That,s really nice by Comodo developers.

 

Very interesting!. Very very good work there. You rock man!

Can you test it with the Avast ver6, Outpost Pro, Privatefirewall and the new Defensewall beta?

Many will be very eager to see the results.

 

Thanks, actually I have none of these installed in my PC. A lot of work to install all, understand them, configure them and then to test. My apologies.

 

Oh...the result would REALLY be interesting for the other apps. All claims to be fully equipped to handle such but as it turns out they ain't. Makes me wonder how will the apps I mentioned will fair too....

Are you also the author of this thread:

LINK ...?

I do not know if some here can further test it(willingly)....

I have VirtualBox 4 in another machine where can I get the sample of that Blackday trojan if I decided to check it out myself? That is "if" I can also accomodate it. Well, you never know

 

KIS (and KAV too) 2012 prevents Blackday (and rolls back changes) without user interaction (i.e by default, Automatic mode).
Start sample, this prompt appeared- clicked Allow (because it would be auto-allowed by def./in Automatic mode):


Afterwards, this popup appeared- clicked Quarantine as it's the action taken by def./in Automatic mode (you can also see which files were dropped at that time, in Application activity log window):


After that, I was prompted to roll back changes made by the sample- Clicked Rollback (again, as it would be the default action taken in Auto mode):


The two files that were dropped before the program was suspended by KIS were removed after rolling back; system clean.

 

Cool, nice test !!!! Thanks ...

 

Wonder how well Kaspersky sandbox will fare against this.

Actually this worms makes so many copies of itself and any classical HIPS can catch it easily.

 

yes.

 

Good work

Have you passed the info on to Appguard?

 

If this file was encountered in the wild with AG on high, it never should have launched since only guarded applications on the list will execute. (At least I believe this is how it would work)

 

Thanks Aigle, excellent work. I am a great fan of HIPS and my favorite one is Malware Defender . Can you give it a try ? Thanks again.