Sinowal drive-by dll appears to bypass Online Armour HIPS

Hi all,

I installed Online Armour free today in VMWare Player (running XP SP2) for some testing. Online Armour was set up with the wizard in "custom" mode, which scans all files against its whitelist before trusting them. I made sure learning mode was finished then tested some fresh links. Everything worked as expected, ie. unknown executables intercepted. However, I had trouble with one link:

A blackhole exploit kit causes IE to drop the file adobeupdate.dll in the root directory, then executes regsvr32.exe with the argument -s C:\adobeupdate.dll. Regsvr32.exe is trusted, and OA therefore allows this action and doesn't see the dll being run/registered. No pop-ups or alerts. I installed Comodo, set for proactive security, and while it also trusts regsvr32.exe, it picks up on the malicious dll being launched. When run sandboxed in Comodo the dll attemps direct disk access. See screenshots below.

*
Currently detected by 14/43 scanners.

Can OA be configured to block this without giving a flurry of pop-ups for every dll, or is it lagging behind Comodo here?

Online Armour Free, default config


Comodo, proactive security, default everything else


Comodo D+ log when sandboxed

 

online armor official forum

http://support.emsisoft.com/

 

Can you please send me a link via PM? Thanks.

 

We were able to reproduce the problem and it has been fixed in version 5.0.1.1276 which is currently in testing:



If someone wants to help test this new version please drop me a PM.

 

Great!

Will this be a GENERAL FIX that fixes some hole of some sort or just a "lets blacklist this file" fix?

 

Good work!

A temporary fix is to untrust/ask when launching regsvr32.exe. Doesn't seem to cause any issues or popups when installing legitimate programs. I'm not quite sure how this sneaky attack works though, as from my (limited) understanding regsvr32 only registers dlls so they are available to other programs and doesn't actually run them.

Fabian, does the fix also check for dlls with spoofed extensions? e.g:

rundll32.exe c:\adobeupdate.dll is intercepted by OA
if the file extension is changed to say dlx then rundll32.exe c:\adobeupdate.dlx is also intercepted

Will regsvr32.exe path\somefile.spoofedextention also be intercepted?

Thanks

 

Refer to http://support.microsoft.com/kb/207132
Note the LoadLibrary call.

 

It is a general fix. Handling for interpreters and host processes like regsvr32.exe has been in Online Armor for a very long time. There was just a minor bug in the handling that prevented it from working correctly under special circumstances. That bug has been fixed.

It does run them. In general registering DLLs involves 2 steps:

1. Load the DLL.
2. Execute the exported DllRegisterServer function of that DLL.

There are at least 2 possible execution vectors involved during loading (TLS and the DllMain function that is always executed when attaching or detaching a DLL to a process/thread) and one obvious one when the DllRegisterServer function is called.

The special handling for interpreter or host processes includes command line parsing that identifies the file the process was called upon. It doesn't matter where the file is located or what the extension of the file is as long as it is there.

 

How can users of OA Premium ver5.00.1100 be protected from this Sinowal drive-by dll? When will be the update available?

 

The update will be part of Online Armor 5.1 that has entered the public beta phase today. If you don't want to switch to the beta you can simply set "regsrv32.exe" to "Unknown" by selecting the application in the "Programs" list and clicking the "Untrust" button. That way you will get an alert if an application tries to register a DLL using regsrv32.exe.

 

thanks i will do that

 

Fabian, if we made your suggested change manually, once the beta is later installed over the old version, should we change the settings for "regsvr32.exe" or leave the settings in place which were carried over (per your recommendation in the quoted text)?

Thanks.

 

Thank you!

 

Once 5.1 has been released you can switch it back to "Trusted".

 

So not in the current "beta"? (5.1.0.1285)

Thanks.

 

the current beta

 

thanks...i thought so but wanted to be certain before setting it to "trust".

 

Updating to new Beta