Efficacy of different setups at containing a userspace attack on Windows XP SP3

Discussion in 'other anti-malware software' started by Gullible Jones, Nov 10, 2013.

Thread Status:
Not open for further replies.
  1. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    Can DW be set to auto-block outgoing requests or is it user-dependent?
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Didn't look. By default it waits for user input, but blocks it if nothing happens within 30 seconds.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I'm not surprised at all that DefenseWall did well. Ilya has always seemed like one of the (very) few developers who can write a decent security program.
     
  4. guest

    guest Guest

Would that mean it needs 64-bit support? :ninja:
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Yeah, it's 32-bit only at the moment. Too bad, but better safe (with kernel hooks) than sorry (with userspace rubbish).
     
  6. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Thanks for running these tests GJ.
    Nice results from DefenseWall.
Ilya's one hell of a programmer/developer.
    DW's been my main security now for 5+ years.
     
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Just one more before tomorrow...

    NoVirusThanks EXE Radar Pro

    Setup:
    - Install the software
    - Point IE to the Aurora exploit page
    - You know the drill

    Results:
    - Aurora exploit is successful
    - Keylogging with Explorer is successful
    - Screenshot is successful
    - Files can be freely viewed and manipulated
    - Can successfully migrate to SYSTEM services, including ERP's own
    - Can successfully inject into SYSTEM services, including ERP's own
    - Can view tokens, steal them, and impersonate users
    - Cannot kill ERP service
    - Cannot persist using VBScript
    - ERP claims to block establishing a fake service, but Metasploit says it worked. We'll see later...
    - Finding services with vulnerable permissions seems to hang indefinitely. Not sure why. [Edit: because I didn't wait long enough :p ]
    - Looks like the fake service trick almost worked; rundll32.exe was intercepted and blocked on reboot. Good on the devs for remembering that one at least.
    - VSS hijinks are blocked because they invoke cmd.exe
    - Local psexec is blocked (obviously)

    And for the grand finale... Oh dear. I'd set myself up a bit of a challenge to bypass ERP without invoking kernel privileges, and it looks like I succeeded.

    [edit: redacted]

    The error at the end shouldn't matter, the EXE appears to be overwritten... And indeed, on reboot, meterpreter is running and ERP is not. Not good at all.

    Comments:
    As you can see, anti-executable software with no other features does not work as a sole means of defense, even if it uses kernel level hooks. But you already knew that, right? RIGHT?

    (And I'm off to the ERP thread. I think this needs to be reported.)
     
    Last edited: Nov 11, 2013
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    These tests are fascinating!

    Have you thought about other test conditions under XP SP3, such as with EMET installed?
     
  9. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    I may try that at some point. It'd be interesting to see how much of an impact EMET has.

    I think next up will be one of the big AV suites - maybe NIS or ESET. Let's see, which of the major paid AVs has a HIPS component?
     
  10. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    How about testing Shadow Defender, it's the most popular LV app (by far) amongst Wilders members. ;)
     
  11. aztony

    aztony Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    737
    Location:
    The Valley Arizona
    + 1 The tests you did and feedback you gave have been very informative and helpful. Big TY!:thumb:
     
  12. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    I would also like to see MalwareDefender and VoodooShield.
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Will you also retest Outpost Firewall/suite with your changed HIPS testing method?
    ESET has a HIPS since a few versions and Kaspersky has a very good HIPS, though both need to be configured as they allow pretty much everything on default settings.
     
  14. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,997
    Location:
    Poland - Cracow
I think that SpyShelter is worth considering in such tests :rolleyes:
     
  15. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    please test SpyShelter Firewall
    with ask user level and high security level
     
  16. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Slow down, guys. I have a lot of time at the moment, but these tests are time-intensive. :p
     
  17. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    ESET Smart Security 7
    Setup:
    - Enable HIPS and set to Policy mode (allow by rule, default block)
    - Point IE to Aurora exploit page

    Results:
    - Aurora exploit fails over HTTP. :) The web filter catches it. WTG! However, it works over SSL. :(
    [Edit: ESS has an SSL filtering option, which should prevent this exploit from working over HTTPS.]
    - Processes can be enumerated, etc.
    - Filesystem can be browsed and modified (mostly) freely
    - Screenshot works
    - Tokens cannot be stolen
    - Code injection into other processes running as same user is silently blocked :)
- Migration to other processes under the user account is blocked
    - Keylogging (through explorer or winlogon) is blocked
    - Keylogging in compromised IE process is blocked
    - getsystem() is blocked (access denied)
    - VSS hijinks are blocked (can't start necessary services)
    - Persistence VBScript fails (ESET AV finds the dropper)
    - current_user_psexec fails (can't execute process)
- Can't delete files belonging to ESET
    - Dumping password hashes fails (by all methods)
    - Many services have weak permissions, but ESET finds the fake services and deletes them as soon as they appear.
    - Starting executables (even known good ones) fails

    And the heavy stuff:
    - ppr_flatten_rec fails (can't create new process)
    - hwnd_broadcast fails (can't create new process)
    - AdfJoinLeaf exploit fails ("socket is not in the correct state")

    Comments:
    When properly configured, ESET blocks all userspace attacks and renders some kernel attacks unusable; and the web filter prevents a lot of exploits over HTTP connections. Very cool. Data theft is possible in userspace, but persistence proves to be extremely difficult (at least for me).
     
    Last edited: Nov 12, 2013
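The "fake service" step in the ERP test and the "many services have weak permissions" line in the ESET test both rest on the same local check: does the service's own DACL let an ordinary user change its configuration (and so repoint binPath at a payload that SCM will launch as SYSTEM on the next start)? The following is an added example, written for this thread and not code from either post or from any product discussed here: it parses the SDDL string that `sc sdshow <service>` prints and flags allow-ACEs that hand SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE or GENERIC_ALL to Everyone, Authenticated Users, Users, Interactive, Guests or Anonymous. The right-code table is the one sc.exe uses for service objects; the sample descriptors at the bottom are constructed for the example. It deliberately looks only at the service object, not at the ACL of the binary or its directory, which is the other common route to the same outcome.

```python
"""Flag Windows service DACLs that let low-privilege principals reconfigure
the service. Input is the SDDL text `sc sdshow <service>` prints.
Constructed example; not code from the thread or any product it discusses."""
import re

# Two-letter right codes as sc.exe prints them, with the access-mask bit each
# stands for on a service object (SERVICE_* rights, then standard/generic).
SERVICE_RIGHTS = {
    "CC": (0x00000001, "SERVICE_QUERY_CONFIG"),
    "DC": (0x00000002, "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00000004, "SERVICE_QUERY_STATUS"),
    "SW": (0x00000008, "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00000010, "SERVICE_START"),
    "WP": (0x00000020, "SERVICE_STOP"),
    "DT": (0x00000040, "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00000080, "SERVICE_INTERROGATE"),
    "CR": (0x00000100, "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x00010000, "DELETE"),
    "RC": (0x00020000, "READ_CONTROL"),
    "WD": (0x00040000, "WRITE_DAC"),
    "WO": (0x00080000, "WRITE_OWNER"),
    "GA": (0x10000000, "GENERIC_ALL"),
    "GX": (0x20000000, "GENERIC_EXECUTE"),
    "GW": (0x40000000, "GENERIC_WRITE"),
    "GR": (0x80000000, "GENERIC_READ"),
}

# Rights that let the holder repoint binPath directly (SERVICE_CHANGE_CONFIG,
# GENERIC_WRITE, GENERIC_ALL) or rewrite the DACL first and then do so
# (WRITE_DAC, WRITE_OWNER). Start/stop alone are not flagged.
DANGEROUS_MASK = 0x00000002 | 0x00040000 | 0x00080000 | 0x40000000 | 0x10000000

# Well-known principals every local user falls under, by SDDL alias and SID.
LOW_PRIV_SIDS = {
    "WD": "Everyone",            "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "Users",               "S-1-5-32-545": "Users",
    "IU": "Interactive",         "S-1-5-4": "Interactive",
    "BG": "Guests",              "S-1-5-32-546": "Guests",
    "AN": "Anonymous",           "S-1-5-7": "Anonymous",
}

_DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")  # ACEs up to the S: (SACL)
_ACE_RE = re.compile(r"\(([^()]*)\)")


def rights_mask(rights: str) -> int:
    """Turn an ACE rights field (letter pairs or a 0x... literal) into a mask."""
    if rights.startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"odd-length rights field: {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in SERVICE_RIGHTS:
            raise ValueError(f"unknown right code {code!r}")
        mask |= SERVICE_RIGHTS[code][0]
    return mask


def right_names(mask: int) -> list[str]:
    return [name for bit, name in SERVICE_RIGHTS.values() if mask & bit]


def weak_service_aces(sddl: str) -> list[tuple[str, list[str]]]:
    """(principal, dangerous rights) for every allow-ACE that gives a
    low-privilege principal control over the service's configuration."""
    if "D:" not in sddl:
        # No DACL at all (NULL DACL): the object grants everyone everything.
        return [("Everyone (NULL DACL)", ["GENERIC_ALL"])]
    m = _DACL_RE.search(sddl)
    if not m:
        return []  # "D:" with no ACEs is an empty DACL: nobody gets access
    findings = []
    for ace in _ACE_RE.findall(m.group(1)):
        fields = ace.split(";")  # type;flags;rights;obj_guid;inh_guid;sid
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({ace})")
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if ace_type != "A":  # only access-allowed ACEs grant anything
            continue
        # The SID alias "WD" (Everyone) is unrelated to the right code "WD".
        principal = LOW_PRIV_SIDS.get(sid)
        if principal is None:
            continue
        bad = rights_mask(rights) & DANGEROUS_MASK
        if bad:
            findings.append((principal, right_names(bad)))
    return findings


if __name__ == "__main__":
    # Constructed sample descriptors in the form `sc sdshow` prints them.
    samples = {
        # Typical XP SP3 default: Authenticated Users may only query.
        "default": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                   "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
                   "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
        # Everyone may change the config: binPath can be repointed at a payload.
        "everyone_full": "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
        # The same hole written as a hex mask (READ_CONTROL | SERVICE_CHANGE_CONFIG).
        "hex_change_config": "D:(A;;0x20002;;;AU)",
    }
    for name, sddl in samples.items():
        print(f"{name}: {weak_service_aces(sddl) or 'ok'}")
```

On a live box the input is simply the output of `sc sdshow <name>` for each service listed by `sc query type= service state= all`; anything this reports is a service whose `sc config <name> binPath= ...` an unprivileged user can run, which is exactly the persistence path the ERP test describes and the one ESET caught by deleting the fake service as soon as it appeared. Deny-ACEs are skipped rather than subtracted, so the result is a list of candidates to confirm by hand, not a proof of exploitability.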
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Nod32 antivirus:thumb: :thumb:
     
  19. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Thanks a lot ! Great work - not only AppGuard - for all Wilders. :thumb:
     
  20. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
This was ESET Smart Security, which includes web filter and HIPS components. I didn't try the standalone NOD32 antivirus, but I suspect it might not fare so well.
     
  21. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    Https (SSL) protocol filtering is not enabled by default. If enabled, I imagine it would fail it also...
     
  22. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    D'oh! I didn't notice that. Thank you for mentioning it!
     
  23. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    NOD32 has HIPS component too :)

    Also, i will review ESS configuration and see if i need to enable SSL filtering.
     
  24. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

You're welcome. It is hidden a bit in the advanced settings ;) . Most AVs that do scan SSL now have it disabled by default due to the MITM approach usually taken in order to be able to scan SSL and the big debate over whether it is a good or bad option to use.
     
  25. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Norton Antivirus 21.1.0.18

    This is going to be a short one, but probably not for the reasons you think...

    Setup:
    - Install NAV
    - Point IE to multiple exploit pages

    Results:
    - Every exploit is detected by NAV's web filter and instantly blocked, even with SSL and/or obfuscation
    - The offending IP is then automatically and irrevocably firewalled for 30 minutes

    Comments:
    It seems to me that web filtering proxies are the most powerful components of modern AV suites. Identifying browser attacks early on, before arbitrary code execution is achieved, appears to be very effective; it worked well for ESET, and it works even better for Norton. I still don't know how effective the AV engine itself is, but finding out would probably be more trouble than it's worth.

    The mandatory 30-minute firewalling is a nice touch, since it gives users a large window for avoiding additional exploits that the proxy might not recognize. It's possible that the filtering proxy itself could be compromised; but (un?)fortunately, I'm not clever enough to figure out a means of doing that.
     