Classical HIPS and policy based HIPS discussion

Discussion in 'other anti-malware software' started by BoerenkoolMetWorst, Jan 28, 2015.

Thread Status:
Not open for further replies.
  1. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    thank you
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    As long as people are dumb enough, they (and others) will continue. What I found interesting from the Trend Micro report is that they use password recovery tools from Nirsoft, combined with process hollowing. So most people won't notice that these tools are running. Here is where Outpost's Application Guard may come in handy, as it protects against password stealers.

    http://www.agnitum.com/support/kb/article.php?id=1000283&
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I'm also not sure why these fake mails are not spotted that easily. But from what I've understood, the moment that the HawkEye Trojan is installed, they hijack legit mail addresses from the company, so it will look like the mails are coming from a certain department or manager.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Well, the Trend article notes that Hawkeye .exe's are dropped into the AppData folders. So existing policy or HIPS rules covering Cryptolocker should also prevent these from getting installed.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    About this report: "Webroot SecureAnywhere Versus Trusteer Rapport Comparative 2015"

    It was interesting to see the various "DLL injection code" and "API Hooking" methods that were used in these tests. I had never heard of the "Windows Application Compatibility" feature being used to load a malicious DLL file. It was also interesting to see that HIPS cannot protect against malicious Firefox extensions.

    The "VNC hidden browser" method and installation of a rogue "trusted root" certification (+ changing of proxy settings) are other clever methods to bypass protection. And lastly, it seems that most HIPS fail when it comes to "DNS hijacking" and "Cookie stealing", so there is certainly room for improvement.

    https://www.mrg-effitas.com/current-tests/
     
    Last edited: Jul 11, 2015
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    What HIPS did they test with? I don't see how one can conclude what a HIPS is capable of from this test even if a HIPS is not capable of protecting against malicious FF extensions. They didn't test Comodo, Online Armor, SpyShelter, etc. SpyShelter has a hook used to prevent malicious extensions from capturing keystrokes. Are you basing your statement on the HIPS Trusteer Rapport uses? Kaspersky has a decent HIPS if you take the time to configure it, but I doubt it would cover this type of attack. I think more testing would be needed to say for certain if a HIPS is not capable of protecting against malicious extensions. What would happen if a HIPS developer decided to focus on protecting against malicious extensions? Do you think it would not be possible?
     
  7. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    PDF: https://www.mrg-effitas.com/wp-content/uploads/2015/07/Webroot-SecureAnywhere-Versus-Trusteer-Rapport-Comparative-Analysis-2015-Q2.pdf

    They tested Trusteer and Webroot. Extensions were added as a trojan, i.e. manually, but assume there are other ways to drop the extension outside of social engineering.

    A classic HIPS could simply monitor changes to the extensions folder. SS and Comodo go beyond this. Chrome and webstore +GPO is also gravy.
     
    Last edited by a moderator: Jul 11, 2015
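Added example (not part of the thread, and not code from any product named in it): a small Python audit of a Firefox profile's extensions.json that does what the post above describes a classic HIPS doing for the extensions folder, and a little more. The sample extensions.json below is constructed with made-up add-on IDs and paths; the field names (id, type, location, signedState, path) are the ones Firefox writes. Beyond a simple "folder changed" alert it reports add-ons that are not on an allowlist, that carry no valid signature, or that were installed outside the profile (the route used when another program sideloads an extension through the Windows registry), and it produces a baseline fingerprint a monitor can re-check on every browser start.

```python
import hashlib
import json

# signedState values Firefox stores in extensions.json: -1 broken, 0 missing,
# 1 preliminary, 2 signed, 3 system, 4 privileged. Anything outside this set
# means the XPI carries no valid Mozilla signature.
SIGNED_OK = {1, 2, 3, 4}
PROFILE_LOCATION = "app-profile"  # installed by the user into this profile


def audit_extensions(extensions_json_text, allowlist):
    """Return sorted (addon_id, finding) pairs a HIPS-style check should raise:
    IDs outside the allowlist, add-ons without a valid signature, and add-ons
    installed outside the profile (sideloaded by another program, for example
    through the Windows registry)."""
    data = json.loads(extensions_json_text)
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs carry no code
        aid = addon["id"]
        if aid not in allowlist:
            findings.append((aid, "not in allowlist"))
        if addon.get("signedState") not in SIGNED_OK:
            findings.append((aid, "no valid signature (signedState=%s)" % addon.get("signedState")))
        if addon.get("location") != PROFILE_LOCATION:
            findings.append((aid, "installed outside the profile (location=%s)" % addon.get("location")))
    return sorted(findings)


def extensions_fingerprint(extensions_json_text):
    """SHA-256 over the fields that matter, so a monitor can keep one hash as a
    baseline and re-check it on every browser start instead of diffing files."""
    data = json.loads(extensions_json_text)
    rows = sorted(
        [a["id"], a.get("version"), a.get("path"), a.get("signedState"), a.get("location")]
        for a in data.get("addons", [])
    )
    return hashlib.sha256(json.dumps(rows).encode()).hexdigest()


# Constructed sample profile: made-up IDs and paths, same field names Firefox uses.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 17,
    "addons": [
        {"id": "blocker@example.invalid", "type": "extension", "version": "1.3.0",
         "active": True, "userDisabled": False, "location": "app-profile", "signedState": 2,
         "path": "C:\\Users\\me\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default\\extensions\\blocker@example.invalid.xpi"},
        {"id": "helper@example.invalid", "type": "extension", "version": "0.1",
         "active": True, "userDisabled": False, "location": "winreg-app-global", "signedState": 0,
         "path": "C:\\Users\\Public\\helper\\"},
        {"id": "dark-theme@example.invalid", "type": "theme", "version": "2.0",
         "active": True, "userDisabled": False, "location": "app-profile", "signedState": 2,
         "path": "C:\\Users\\me\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default\\extensions\\dark-theme@example.invalid.xpi"},
    ],
})
ALLOWLIST = {"blocker@example.invalid"}

if __name__ == "__main__":
    for addon_id, finding in audit_extensions(SAMPLE_EXTENSIONS_JSON, ALLOWLIST):
        print("%s: %s" % (addon_id, finding))
    print("baseline fingerprint:", extensions_fingerprint(SAMPLE_EXTENSIONS_JSON))
```

On a real profile, point the two functions at the text of `extensions.json` in the profile directory; the unsigned, registry-sideloaded `helper@example.invalid` in the sample is the shape of add-on a dropped trojan would leave behind, and the allowlist is the part that has to be maintained per user.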
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Good point, my comments were about HIPS in general. If a specialized tool like Webroot can't protect against some of this stuff, it's most likely that other HIPS can't either. Don't get me wrong, I'm not saying that it's not possible to implement protection against these methods. It seems like both Webroot and Trusteer have simply missed certain attack vectors, or perhaps they decided that the risk is mostly theoretical.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Application Compatibility uses shims.

    As a result, you cannot use shims to bypass any security mechanisms present in Windows. For example, no shim is available to bypass the Windows 7 User Account Control (UAC) prompts while still running the application with elevated permissions. You can shim the application not to require administrator rights, or you can shim it to demand it, but in order to receive administrator rights with UAC enabled, the user will have to approve the elevation. The same is true for code that you write yourself.

    Ref: https://technet.microsoft.com/en-us/library/dd837644(WS.10).aspx
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, at least Webroot and Trusteer blocked the code injection, so perhaps it's not a big deal.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    You do know that my hourly rate is $120/hour USD? Just kidding ............................

    Note this excerpt:

    The malware checks to make sure a copy of the BOOTRASH installer is not already running on the system. It also checks to see if the Microsoft .NET 3.5 framework is installed on the system - a prerequisite for the malware. If the installer is already running or the .NET framework is not installed, the malware will quit.

    Proper HIPS rules to monitor .Net execution will prevent this.

    -EDIT-

    Another way to stop this malware is just uninstall .Net 3.5 unless you have some software that uses it. I believe it is pretty much disabled anyway when you install .Net 4.x. I see no reference to its .Net 3.5 service, mscorsvw.exe, on my WIN 7 build. The malware is probably using csc.exe to build its .dlls.

    I also believe that the malware could be detected with a HIPS rule to monitor direct disk access on the OS installation HDD. On this topic, do you clear your pagefile on a regular basis? It is also a great place for malware to hide.

    Also a HIPS rule to prevent modification of this registry key will help:

    HKEY_CURRENT_USER\Identities\*
    The malware will write to the registry if it can't store its malware on the VFS.

    Finally, VBR manipulation is not new. Go to this link and then scroll down to the Grayfish section: http://arstechnica.com/security/201...sa-hid-for-14-years-and-were-found-at-last/1/

    Will comment on the other two links when I get a chance.

    Eset has a signature for this. I am sure most other AVs do also. The malware is quite old.

    Looks like new variants exist. Here is a detailed analysis of the Rovnix family: http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html . The registry key to monitor using a HIPS is:

    The Registry key that is created and used to store various information that is related to the bot functionality is:
    HKEY_CURRENT_USER\Microsoft\Installer\Products\B<VolumeSerialNumber>

    If the dropper has sufficient privileges it will create the key under HKEY_LOCAL_MACHINE.
    Note that Eset also has bot protection.

    Eset has a great presentation on this type of malware here: http://go.eset.com/us/resources/white-papers/Rodionov-Matrosov.pdf . Bottom line:

    To resist bootkit attacks we need the root of trust be above point of attack:

    TPM
    UEFI Secure Boot
    And if your PC or motherboard was made by one of the following after 2005, you're possibly covered. Only newer m/b's have UEFI BIOSes and only certain ones contain a TPM chip:

    TPM is implemented by several vendors; Acer, Wipro, Asus, Dell, Inc., Gigabyte Technology, LG, Fujitsu, HP, Lenovo, MSI, Samsung, Sony, Eurocom Corporation, and Toshiba provide TPM integration on their devices.

    Ref.: https://en.wikipedia.org/wiki/Trusted_Platform_Module
    Finally, BOOTRASH is a TDL rootkit. One easy way to get rid of it is to restore the drive from an image backup. As noted in the following Wilders discussion, traces of the rootkit will remain in the VBR and possibly the VFS it created at the end of the partition. However, they are just inactive remnants. These can be removed by using the "wipe unused sectors" option during the image restore.

    https://www.wilderssecurity.com/threads/tdl4-rootkit-and-imaging-apps.344358/
     
    Last edited: Jan 27, 2016
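Added example (not from the thread or from any of the analyses linked above): a Python check for the MBR/VBR question this post and the earlier one circle around. It parses one 512-byte sector, hashes the boot code against a stored known-good hash, and reports how many sectors sit past the last partition, which is where a bootkit can keep a hidden file system that no partition entry points at. The same routine serves the VBR: read the sector at the bootable partition's lba_start and hash it against its own baseline. The sample sector, its boot-code stub and the disk signature are constructed; in practice the baseline hash is taken from the clean disk (or the image backup) before anything suspicious has run.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bootstrap code precedes the 4-byte disk signature at 0x1B8
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # 0x55AA


def parse_mbr(sector):
    """Decode one 512-byte MBR: hash of the boot code, disk signature, partitions."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, lba_count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "lba_count": lba_count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
    }


def check_mbr(sector, baseline_boot_hash, total_sectors):
    """Flag boot code that no longer matches the baseline hash and report how many
    sectors lie past the last partition (space a bootkit can use for a hidden
    file system without any partition pointing at it)."""
    info = parse_mbr(sector)
    last_end = max((p["lba_start"] + p["lba_count"] for p in info["partitions"]), default=1)
    info["boot_code_modified"] = info["boot_code_sha256"] != baseline_boot_hash
    info["sectors_past_last_partition"] = max(0, total_sectors - last_end)
    return info


# Constructed sample: a stub of boot code and one NTFS partition at LBA 2048.
# On a real host, read the sector from \\.\PhysicalDrive0 (Windows, needs admin)
# or /dev/sda (Linux) and record the clean hash before anything suspicious runs.
GOOD_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 24


def build_sample_mbr(boot_code):
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = struct.pack("<I", 0x1234ABCD)  # made-up disk signature
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


def tampered_sample_mbr():
    """Same disk, but the first boot-code byte has been overwritten."""
    sector = bytearray(build_sample_mbr(GOOD_BOOT_CODE))
    sector[0] ^= 0xFF
    return bytes(sector)


if __name__ == "__main__":
    clean = build_sample_mbr(GOOD_BOOT_CODE)
    baseline = parse_mbr(clean)["boot_code_sha256"]
    for name, s in (("clean", clean), ("tampered", tampered_sample_mbr())):
        r = check_mbr(s, baseline, total_sectors=1_000_000)
        print(name, "modified=%s" % r["boot_code_modified"],
              "past_last_partition=%d" % r["sectors_past_last_partition"], r["partitions"])
```

A HIPS "direct disk access" rule blocks the write; this check is the complementary after-the-fact test, and it is also the way to confirm an image restore with "wipe unused sectors" actually left nothing past the last partition (the count reported should match the disk geometry, and hashing those trailing sectors should give all zeros).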
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ itman

    Thanks for the info. To clarify, I was wondering if HIPS can block modification of the MBR and VBR with direct disk access monitoring, I just wish I could test it. It's also frustrating that malware analysts never seem to mention anything about how to block malware techniques with proactive technologies. And BTW, I posted the second link to give some more technical background info.

    About link number 3, I wonder if it's possible to block apps from hooking other drivers like ndis.sys. Tools like Zemana and SpyShelter have proved it's possible to block user mode hooking of the browser, so you would think the next step is to block kernel mode driver hooking.
     
    Last edited: Jan 30, 2016
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Only way to know for sure is disable your realtime AV scanner so it's not detected by signature, download a malware sample of Rovnix, and see if the HIPS direct disk access block rule catches it.

    -EDIT- Comodo Leak Test has four rootkit tests. I pass the first three with the HIPS direct disk access monitoring rule. I failed the ChangeDrvPath test because I allow svchost.exe direct disk access to prevent getting bombarded with alerts. CLT is 32 bit only but gives you a rough idea of the effectiveness of your rootkit protection. BTW - 64 bit rootkits are extremely rare; I only know of one currently in existence.

    Does not x64 PatchGuard already do this?
     
    Last edited: Jan 28, 2016
  15. Cabville

    Cabville Registered Member

    Joined:
    Feb 19, 2014
    Posts:
    66
    That was a very long way of saying yes. Not that I am against being thorough. Just an observation.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Sorry. I do get carried away at times.:geek:
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  18. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Please don't stop. Continue being carried away. Interesting conversation between you and Rasheed.
    Wow, that event reported at bleeping is amazing.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    From what I have read that is true. However, you want to wipe all used sectors as part of the image restore as I posted previously.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    When I do that, it means a full restore, not just changed sectors, so that should do it.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Am I correct in assuming that before these jewels can mess with the MBR, etc., they first have to get on the system and run, so wouldn't the best way to prevent them be to prevent them from ever running?
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    From the "BadBIOS" article:

    Based on the information we have reviewed so far, we have not identified any new vulnerability used to bypass SPI flash protections. Some of the leaked messages clearly discuss using physical access and a SPI programmer to program the infected image to the SPI flash. There is also mention of a USB image that installs the malware using a UEFI application. This application (which appears to have been ported from an old and modified version of chipsec) erases and re-programs the SPI flash image from software. This method should only work on a system that is not configured to protect writes to the SPI flash. This serious configuration issue has been discussed by multiple researchers over many years, including A Tale of One Software Bypass of Windows 8 Secure Boot, Defeating Signed BIOS Enforcement, and Speed Racer. It is possible that HackingTeam (or others) could have other vulnerabilities that can be used to bypass protections and infect the SPI flash, but so far we have not seen it. This means that physical access and insecure configuration are the most likely attack vectors.

    Note the above highlighted portions.
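Added example (not from the thread or from the quoted article): a Python classifier for the "insecure configuration" the quoted text refers to. It evaluates the BIOS_CNTL bits (BIOSWE, BLE, SMM_BWP) and the SPI Protected Range registers PR0-PR4 the way the open-source chipsec tool's common.bios_wp module does. The register values and the BIOS region layout below are constructed; on real hardware they come from the LPC bridge's PCI configuration space and the SPI controller's MMIO registers, which chipsec reads for you. BLE without SMM_BWP is reported as its own case because that is exactly the configuration the "Speed Racer" race condition mentioned in the quote exploits.

```python
# Bit layout of the BIOS_CNTL register (LPC bridge, PCI config offset 0xDC on
# Intel 7-series and later PCHs) and of the SPI Protected Range registers
# PR0-PR4 (SPI controller MMIO). These are the registers chipsec's
# common.bios_wp module reads; the values used below are constructed, not
# read from a machine.
BIOSWE = 1 << 0   # BIOS Write Enable: writes to the BIOS region are allowed right now
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can clear it again
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: BIOS region writable only while all cores are in SMM


def decode_protected_range(pr):
    """PRx: bit 31 write-protect enable, bits 28:16 limit, bits 12:0 base, 4 KiB units."""
    return {
        "write_protect": bool((pr >> 31) & 1),
        "base": (pr & 0x1FFF) << 12,
        "limit": (((pr >> 16) & 0x1FFF) << 12) | 0xFFF,
    }


def ranges_cover(ranges, base, limit):
    """True if the union of [base, limit] ranges covers the whole region."""
    cursor = base
    for r in sorted(ranges, key=lambda r: r["base"]):
        if r["base"] > cursor:
            break                      # gap before this range: region not fully covered
        cursor = max(cursor, r["limit"] + 1)
        if cursor > limit:
            return True
    return cursor > limit


def assess_spi_write_protection(bios_cntl, pr_values, bios_region):
    """Classify the flash write protection as protected / weak / unprotected."""
    base, limit = bios_region
    reasons = []
    protected_ranges = [r for r in map(decode_protected_range, pr_values) if r["write_protect"]]
    pr_ok = bool(protected_ranges) and ranges_cover(protected_ranges, base, limit)
    ble = bool(bios_cntl & BLE)
    smm_bwp = bool(bios_cntl & SMM_BWP)
    bioswe = bool(bios_cntl & BIOSWE)

    if pr_ok:
        reasons.append("PRx registers write-protect the whole BIOS region")
    if ble and smm_bwp:
        reasons.append("BLE and SMM_BWP set: BIOS region writable only from SMM")
        verdict = "protected"
    elif ble:
        reasons.append("BLE set but SMM_BWP clear: relies on the SMI handler alone, "
                       "bypassable by racing it (the 'Speed Racer' issue)")
        verdict = "protected" if pr_ok else "weak"
    else:
        reasons.append("BLE clear: any ring-0 code can set BIOSWE and reflash")
        verdict = "protected" if pr_ok else "unprotected"
    if bioswe:
        reasons.append("BIOSWE is currently set")
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample platforms: 16 MiB flash with the BIOS region in the top 8 MiB.
BIOS_REGION = (0x800000, 0xFFFFFF)
SAMPLES = {
    "locked":      (BLE | SMM_BWP, []),
    "ble_only":    (BLE, []),
    "open":        (0, []),
    "pr_covered":  (0, [0x8BFF0800, 0x8FFF0C00]),  # 0x800000-0xBFFFFF and 0xC00000-0xFFFFFF
    "pr_with_gap": (0, [0x8BFF0800]),              # upper half of the region left writable
}

if __name__ == "__main__":
    for name, (bc, prs) in SAMPLES.items():
        print(name, assess_spi_write_protection(bc, prs, BIOS_REGION))
```

On a real machine the equivalent check is `chipsec_main -m common.bios_wp`, run as administrator/root; the point of the example is what that module is deciding, namely that "physical access and insecure configuration" in the quote means a platform whose BIOS_CNTL and PRx values fall into the "weak" or "unprotected" buckets above.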
     