Downadup/ Conficker worm versus HIPS

Discussion in 'other anti-malware software' started by aigle, Jan 19, 2009.

Thread Status:
Not open for further replies.
  1. neksus

    neksus Registered Member

    Joined:
    Nov 27, 2008
    Posts:
    54
    Yes, LUA stops this particular sort of "attackers" with no fuss, and DW/GW/some HIPS will do it easily under admin,
    but it gives way more pleasure to spot and disintegrate the sucker yourself, with autorun disabled for removable drives.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Actually if u are a user of CFP, you will know it better. Being a classical HIPS with a complex parent-child relationship for executables, it's too chatty. So I have tweaked the rules (while keeping paranoid settings) to get the minimum of alerts. I will give u examples:

    1- I allowed svchost.exe to create any file anywhere, otherwise I got too many alerts about it creating/modifying files that were legit but bothersome for me.

    Now here the malicious dll (vmx) and autorun files are created on USB devices via svchost.exe, so during my testing it was a puzzle for me which process was actually creating these files. I did not know until after many tries I found it out.

    2- Similarly a dll in system32 is created by svchost.exe that my custom rules allowed silently.

    3- I allow creation of tmp files globally without any pop up in my rules, so I never got an alert about creation of the tmp file (?driver) in this case.

    4- Even worse, just think of it. CFP intercepts any dll execution by any process by default, but it gives literally dozens of pop ups while executing legit applications, so I made a custom rule to allow any dll to be executed by any parent from anywhere.

    Now if the malicious dll is not spoofed as a vmx, you can guess what will happen. I will not get even a single alert and the malware will execute n do its harm. :eek: :eek:

    BTW, an off topic Q: I noticed that when u install CFP it intercepts execution of exe files only if u add them in the image execution control settings, but dll execution is intercepted without such settings. Am I correct? If so, why is there such a difference? Thanks
     
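    The rule tweaks aigle lists above can be modelled with a small first-match rule engine of the kind a classical HIPS uses (process, action, target path). The block below is an added example, not code from the thread or from Comodo; the events, both rule sets, and the file names (payload.vmx, payload.dll, drv1.tmp) and the "legitimate" svchost.exe write locations in the tight set are constructed to mirror the post. It shows that the broad "svchost.exe may create anything", "any *.tmp" and "any dll may load" allows let every drop through silently, while a rule set scoped to where svchost.exe actually needs to write still prompts on the removable-drive and system32 writes and on the dll load.

```python
"""Toy HIPS rule engine: how over-broad allow rules hide a worm's file drops.

Added example (not from the thread). Rules are evaluated first-match, and
anything unmatched prompts the user, as in a HIPS running in paranoid mode.
All events, rules and file names below are constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class Event:
    process: str   # image name of the acting process
    action: str    # "create_file" or "load_dll"
    path: str      # Windows-style target path


@dataclass(frozen=True)
class Rule:
    process: str   # glob on the process name, "*" = any
    action: str
    path: str      # glob on the target path, "*" = anywhere
    verdict: str   # "allow" = silent, "ask" = pop-up


def decide(rules, event):
    """First matching rule wins; no match means the user is asked."""
    for rule in rules:
        if (fnmatch(event.process.lower(), rule.process.lower())
                and rule.action == event.action
                and fnmatch(event.path.lower(), rule.path.lower())):
            return rule.verdict
    return "ask"


def silent_events(rules, events):
    """Paths the policy lets through without any alert."""
    return [e.path for e in events if decide(rules, e) == "allow"]


def alert_count(rules, events):
    """How many pop-ups the user would have seen."""
    return sum(1 for e in events if decide(rules, e) == "ask")


# Constructed event log mirroring the drops described in the post:
# autorun + payload on a USB stick, a dll in system32, a tmp file, then the
# dll being loaded. All written by svchost.exe.
EVENTS = [
    Event("svchost.exe", "create_file", r"E:\autorun.inf"),
    Event("svchost.exe", "create_file", r"E:\RECYCLER\payload.vmx"),
    Event("svchost.exe", "create_file", r"C:\WINDOWS\system32\payload.dll"),
    Event("svchost.exe", "create_file", r"C:\WINDOWS\Temp\drv1.tmp"),
    Event("svchost.exe", "load_dll", r"C:\WINDOWS\system32\payload.dll"),
]

# The three convenience rules from the post, as written.
LOOSE_RULES = [
    Rule("svchost.exe", "create_file", "*", "allow"),      # rule 1
    Rule("*", "create_file", "*.tmp", "allow"),             # rule 3
    Rule("*", "load_dll", "*", "allow"),                    # rule 4
]

# Same intent, scoped to locations svchost.exe plausibly needs (assumed
# here: Windows Update cache and the Windows temp dir). No blanket dll-load
# allow, so a freshly dropped library still prompts.
TIGHT_RULES = [
    Rule("svchost.exe", "create_file", r"C:\WINDOWS\SoftwareDistribution\*", "allow"),
    Rule("svchost.exe", "create_file", r"C:\WINDOWS\Temp\*", "allow"),
]

if __name__ == "__main__":
    for label, rules in (("loose", LOOSE_RULES), ("tight", TIGHT_RULES)):
        print(f"{label}: {alert_count(rules, EVENTS)} alert(s); silent drops:")
        for path in silent_events(rules, EVENTS):
            print("   ", path)
```

    The trade-off the post describes is visible in the numbers: the loose set produces zero alerts for the whole infection chain, the tight set produces four, and the only silent event left is the tmp file in the Windows temp directory, which is exactly the location a reviewer would then look at more closely.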
  3. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    504
    Appreciate everybody's results and time spent. This is real malware and not some PoC that I don't know if it can be used in a real situation or not.
    As Aigle & alex_s mentioned about Comodo & OA's results, I want to ask: isn't one pop-up too little from a classic HIPS?
    I get two if I drag & drop files to my media player.
    Are the same results obtained with Real Time Defender or SSM?
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmm... You are thinking of something supernatural. :) What will this rule be? For what application, and deny access to which HD? And how many dozens of useless pop ups will this rule create? Not practical at all IMO.
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I meant to block executable files (dll) from access to write to the disk o_O
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, it is too little. In fact I expect a classical HIPS to contain the damage even if u allow the sample to execute.

    Now I realize how simple it might be for a clever malware to bypass a classical HIPS. :rolleyes:
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    I think it will be a good idea to have a HIPS + sandbox type combo, I think more security ;)
     
  8. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Upon default installation of CIS (without AV) it didn't cause this. Maybe it is because it installs in clean PC mode, so only new files are receiving warnings :)
     
  9. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Yes, I think this is too little. Mike said they overlooked this problem, but in a short time they will take care of it. Let us wait a bit :)
     
  10. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    That's what came up with a fresh Comodo installation, paranoid mode and maxed out image execution control.
    See attached archive...
    http://rapidshare.com/files/186766019/CPF.rar

    (Do not worry Peter, it's just photos here) :)

    Will test it vs MD trial just for the heck of it
     
    Last edited: Jan 20, 2009
  11. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    OK :D OMG, MD really impressed me...
    It also monitors functions that CIS does not, like in pics 29 and 39.
    Definitely blocks it *lol* what a storm of clicking

    http://rapidshare.com/files/186782286/MD.rar

    If I am not too lazy I might try OA after my snack. It should intercept the .bat files creation and the .vmx, but I am not so sure about the registry; it is not supposed to, besides autorun ones
     
  12. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    504
    Yes, that's why I ask. An unpleasant but common infection, Vundo, will get you bored till it reaches system32 using HIPS.
    Also I don't know if all the damage can be contained if allowed to the end, but if u terminate the process during the 3-4 pop ups it's gone, Nothing Happened. Yet this Conficker escapes; that's why I'm puzzled.

    Good to know. OA has always been quickly in touch with user suggestions. Can't wait to try the final build as I think this one is gonna work properly on my PC.
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Thanks Chris for the info :thumb:
     
  14. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
  15. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    I do not think I'm doing something wrong, but SRP does not block the .dll file :O
    LUA itself on the other hand prevents its writing to sys32
     
  16. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Rmus,
    Both Executable Lockdown and the new Returnil beta Anti-Execute can be configured for Default - Deny. They can also be configured to give an Allow - Block choice. This is handy as when password protected only the administrator / password setter can answer the call. Anyone who doesn't know the password can only block. Don't know if they block against the same range of executables as AE though.
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks for that information about those products.

    ----
    rich
     
  18. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    That's very cool, thanks again ;)
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Check whether you have applied restrictions on all files or all files excluding dll's in secpol.msc

    You could add a No-execute SRP to the RECYCLER and TEMP dirs

    Cheers
     
  21. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Yes, .dll extensions were added in gpedit.msc.
    I know about the recycler and the temps, but I should still get that dll deny warning.. hmm
     
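    The check Kees1958 asks for above, and the gap in chris2busy's reply (adding .dll to the designated file types while SRP stays at "all files except libraries"), can be made explicit by reading the Safer policy values secpol.msc writes. The block below is an added example, not from the thread or from Microsoft; the registry value meanings follow Microsoft's documentation of the Safer CodeIdentifiers key, the two sample policies are constructed, and reading the live values only works on Windows.

```python
"""Interpret Software Restriction Policy enforcement settings.

Added example (not from the thread). secpol.msc stores the SRP choices under
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers:
  DefaultLevel        0x40000 = Unrestricted, 0 = Disallowed (default-deny)
  TransparentEnabled  1 = "All software files except libraries (such as DLLs)"
                      2 = "All software files"
  ExecutableTypes     REG_MULTI_SZ list of designated (executable) file types
The sample policy dicts below are constructed.
"""
import sys

SAFER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
LEVEL_UNRESTRICTED = 0x40000
LEVEL_DISALLOWED = 0x0


def read_live_policy():
    """Read the real values on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    policy = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SAFER_KEY)
    except FileNotFoundError:
        return policy  # no SRP configured at all: OS defaults apply
    with key:
        for name in ("DefaultLevel", "TransparentEnabled", "ExecutableTypes"):
            try:
                policy[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # absent value: fall back to the default below
    return policy


def srp_report(policy):
    """Return what the policy actually enforces plus human-readable findings."""
    level = policy.get("DefaultLevel", LEVEL_UNRESTRICTED)
    enforcement = policy.get("TransparentEnabled", 1)
    types = {t.upper() for t in policy.get("ExecutableTypes", [])}
    report = {
        "default_deny": level == LEVEL_DISALLOWED,
        "dlls_checked": enforcement == 2,
        "dll_in_types": "DLL" in types,
        "findings": [],
    }
    if not report["default_deny"]:
        report["findings"].append(
            "DefaultLevel is not Disallowed: unknown executables run unless a rule blocks them")
    if not report["dlls_checked"]:
        report["findings"].append(
            "Enforcement is 'all files except libraries': DLL loads are never checked")
        if report["dll_in_types"]:
            report["findings"].append(
                "DLL is in the designated file types, but that does not turn on "
                "library checking; set Enforcement to 'All software files'")
    return report


# Constructed sample: default-deny, DLL added to the types list, enforcement
# left at the default "except libraries" (the situation discussed above).
SAMPLE_EXCEPT_LIBS = {
    "DefaultLevel": LEVEL_DISALLOWED,
    "TransparentEnabled": 1,
    "ExecutableTypes": ["BAT", "CMD", "COM", "EXE", "DLL"],
}
# Same policy with enforcement switched to "All software files".
SAMPLE_ALL_FILES = dict(SAMPLE_EXCEPT_LIBS, TransparentEnabled=2)

if __name__ == "__main__":
    samples = [("except-libraries", SAMPLE_EXCEPT_LIBS),
               ("all-files", SAMPLE_ALL_FILES),
               ("live", read_live_policy())]
    for label, pol in samples:
        if pol is None:
            continue
        r = srp_report(pol)
        print(f"{label}: default_deny={r['default_deny']} dlls_checked={r['dlls_checked']}")
        for finding in r["findings"]:
            print("   -", finding)
```

    Note that a no-execute path rule on RECYCLER or TEMP only helps for DLLs once library checking is on; with enforcement at "except libraries" the loader never consults SRP for a .dll, whatever the path rules say.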
  22. Mosqu

    Mosqu Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    69
    Location:
    Germany
    I agree. But I like the way Prevx Edge (not a classical HIPS) intervenes against the Downadup/Conficker worm, too. It shows a simple and clear alert with an eye-catching red block button. There is no allow button, just an unremarkable grey options button. So everyone should easily hit the right one. :D
     
  23. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    OA Beta 3.1.0.18,

    execution alert allowed, memory tampering blocked, computer is not infected
     

    Attached files (screenshots): 11.gif, 12.gif, 14.gif, 15.gif
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, thanks. That's nice! :thumb:

    Is this a closed beta? Does the latest public beta have similar detection?

    Thanks
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    @ chris2busy

    Does MD give pop ups about memory modification like OA, as shown by alex_s? Thanks
     