Behavioral detection of mass mailing worms

Discussion in 'other anti-malware software' started by aigle, Jul 17, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi aigle,

    I thought all software firewalls alerted to unauthorized outbound connections.

    Here is Netsky from several years ago - the old double extension trick. Letting it execute,
    it immediately attempts an outbound connection.

    If the firewall rule for Port 25 has custom addresses, it should alert when connecting to any other address:

    [screenshot: netsky_outbound.gif]


    ---
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Rmus. Thanks for your comments. Two things:

    1- CFP does not give an SMTP Port 25 access alert on default settings (low pop-up mode), as there was a DNS or HTTP port access alert in both cases, and if you allowed that alert, there were no more alerts. But it seems OK, as the user is asked to grant outbound access in any case.

    2- An ordinary user has no idea about all these alerts. An alert from ZA Firewall is much clearer: that an Internet Mailing Program is asking for outbound access.

    Even clearer are the pop-ups by TF: suspicious e-mail sending activity.

    I like such alerts.
     
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Your Comodo post also showed that ZA can be configured to alert about mass mailing in a short time. I really like that capability.

    Does anyone know of any other HIPS or FW that can be configured to alert for mass mailing attempts?
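    The two behaviours discussed above, Rmus's custom-address Port 25 rule and the "mass mailing in a short time" alert bellgamin mentions, can be checked in one pass over an outbound-connection log. The following is an added example, not code from the thread or from any of the products named in it; the process names, the mail-server address, the threshold and the window are assumed policy values, and the log lines are constructed.

```python
"""Mass-mailing behaviour detector over a constructed outbound-connection log.
Added example, not code from the thread. Heuristic 1: port 25 opened by a process
that is not the configured mail client, or to an address that is not the configured
mail server. Heuristic 2: many distinct SMTP peers from one process in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values (constructed for this example; addresses are TEST-NET ranges).
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
ALLOWED_SMTP_SERVERS = {"203.0.113.25"}       # the ISP's SMTP relay
MASS_MAIL_THRESHOLD = 5                        # distinct SMTP peers ...
MASS_MAIL_WINDOW = timedelta(seconds=60)       # ... seen within this window

# Constructed sample log, one connection per line: "timestamp process dst_ip dst_port"
SAMPLE_LOG = """\
2008-07-18T00:59:01 outlook.exe 203.0.113.25 25
2008-07-18T00:59:05 netsky.exe 198.51.100.7 25
2008-07-18T00:59:06 netsky.exe 198.51.100.8 25
2008-07-18T00:59:07 netsky.exe 198.51.100.9 25
2008-07-18T00:59:08 netsky.exe 198.51.100.10 25
2008-07-18T00:59:09 netsky.exe 198.51.100.11 25
2008-07-18T00:59:30 firefox.exe 198.51.100.50 80
"""

def parse_log(text):
    """Yield (timestamp, process, dst_ip, dst_port) for each log line."""
    for line in text.splitlines():
        ts, proc, ip, port = line.split()
        yield datetime.fromisoformat(ts), proc.lower(), ip, int(port)

def detect(text):
    """Return alerts as (kind, process, detail) tuples, in firing order."""
    alerts = []
    peers_by_proc = defaultdict(dict)    # process -> {dst_ip: last_seen}
    already_mass = set()                 # processes already reported as mass mailers
    for ts, proc, ip, port in parse_log(text):
        if port != 25:
            continue                     # only SMTP connections matter here
        # Heuristic 1: unauthorised process, or authorised client to an unexpected server
        if proc not in ALLOWED_MAIL_CLIENTS or ip not in ALLOWED_SMTP_SERVERS:
            alerts.append(("unauthorised-smtp", proc, ip))
        # Heuristic 2: count distinct SMTP peers per process inside the sliding window
        peers = peers_by_proc[proc]
        peers[ip] = ts
        for stale in [k for k, seen in peers.items() if ts - seen > MASS_MAIL_WINDOW]:
            del peers[stale]
        if len(peers) >= MASS_MAIL_THRESHOLD and proc not in already_mass:
            already_mass.add(proc)
            alerts.append(("mass-mailing", proc, len(peers)))
    return alerts
```

    On the sample log the legitimate mail client to its configured relay is silent, each SMTP connection from the unknown process raises the Port 25 alert, and the fifth distinct peer inside the window raises the single mass-mailing alert.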
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I realized that users who are not logged in at the Comodo forums can't see the screenshots. The thread is almost useless without screenshots, so I will post them here too. They are mostly self-explanatory. I will post the screenshots with the Netsky worm only. The Wazer worm gives almost the same pop-ups etc.

    First, some NeovaGuard (NG) alerts about its mass mailing behaviour.
     

    Last edited: Jul 18, 2008
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    ThreatFire alert. You need to disable the blacklist to get this alert.
     
    [attachment: tf.jpg]
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Pop-ups by ZoneAlarm Pro (I used ZA AS).

    [screenshots: 07-18_0059.jpg, 07-18_0060.jpg, 07-18_0061.jpg, zap2.jpg]
     
    Last edited: Jul 18, 2008
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    And finally, pop-up alerts by CFP. I omitted the alerts by the Defence plus module, just like I did in the case of NG and TF.

    You will not get the second pop-up on default settings. You need to adjust Alert Settings to at least High level to get this pop-up alert with Netsky.
     

  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    DSA, Private and Webroot FW
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    All are actually one product I think.
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    At least the same kernel, branded and sold differently.
     
  12. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    I think Webroot Firewall uses an older engine of Private, though I'm not sure.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Why do you need more than an alert that an unauthorized application wants to connect out to Port 25? -- As I showed above.

    --
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    For the same reason that users need one or more alerts, after the Execution alert, in order for these HIPS and the user to stop malware.
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    CA Personal Firewall 2008 appears to have this capability also, though I have no personal knowledge of it.

     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi aigle,

    Well, you seem to contradict what you said above, about ordinary users not understanding these alerts -- which I completely agree with.

    Netsky is triggered by a user opening an email attachment - in many cases, having to extract from a zipped file.

    You can make the case that a family computer with several users, including children, is prone to an inadvertent mistake out of curiosity.

    I agree, and so have installed Anti-Executable on family computers, which prevents unauthorized extracting (copying) of executables from zip files. Here, an early Netsky variant:

    [screenshot: zip3.gif]
    __________________________________________________________

    Why do you need more?

    I understand that your thread is examining the many features of today's HIPS stuff, but I think, in light of your email worm example, that basic preventative measures should be mentioned, which preclude the need for behavior detection.

    Preventative measures can also include email programs which quarantine such attachments.

    --
     
  17. guest

    guest Guest

    What about Outpost?
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I agree with you. I just wanted HIPS to have some way to tell this in a better way. There is no guarantee that such malware will always come via e-mail. Why can't it come via a drive-by download?

    I like the way TF and ZA Pro give an alert about this. Of course AE will stop all such stuff, but AE is not practically suitable for most home users.
     
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    DSA is the HIPS & firewall component of both PrivateFW & Webroot FW. Thus, you can use DSA, stand-alone, as both a full-on SPI firewall, plus a *mostly classical* HIPS.

    The other component is an expanded GUI for DSA's firewall component. DSA offers limited configuration capabilities. The *full-on* PFW offers greatly expanded configuration capabilities.

    Together, these 2 components make up what is called Private Firewall (PFW). Webroot is simply a re-branded PFW. Webroot uses the latest version of Private Firewall.

    There is considerable discussion of PFW in the "Other Firewalls" topical category of Wilders forums.
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That is even easier to prevent - the user has no chance to click on anything because nothing is downloaded to the cache:

    [screenshot: netsky-drivebytest.gif]

    --
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    As I said earlier, most home users will not like AE.
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    OK.

    ---
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You know, I have friends with kids. They always complain about their problems. They get their PC reformatted every month or so. But if I put something like AE on their PCs, their kids will not accept it, as they can't run anything like games etc. from the net, or any other software they want to run.

    These people have no sensitive data on their PCs; they don't do online banking, shopping etc., so they don't care about malware except that their PC becomes slow and performs poorly.

    Of course they can't even use any HIPS at all. The only solution for them is an AV, preferably one that works in silence.

    AE will stop anything, but even so it's not my choice, as I install software so often. Moreover, it's my hobby, just trying to make a system where anything, even if allowed to run, can't damage the system unless allowed to do so.

    So don't take my posts so seriously. :) :D
     