Efficacy of different setups at containing a userspace attack on Windows XP SP3

Discussion in 'other anti-malware software' started by Gullible Jones, Nov 10, 2013.

Thread Status:
Not open for further replies.
  1. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    WebRo0t AntiVirus?:D
     
  2. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Is there any chance you could run these tests on Windows 7, even Windows 7, 63 bit?
     
  3. tomazyk

    tomazyk Guest

    I think you've lost a bit ;)
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    An up-to-date Windows 7 (32 bit) system has pretty much zero usable exploits in Metasploit's database at the moment, and that's without any security modifications or software at all. Windows 7 is pretty safe if you know what you're doing with it.

    That said, I may try some setups with e.g. XUL based exploits that need user interaction. Assuming a zero-day exploit in some popular application (or just a successful social engineering attempt) it would be interesting to see how Win7 holds up.
     
  5. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    did not proof read...sorry... :D
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Shadow Defender

    Setup:
    - Install Shadow Defender
    - Set it to encrypt the write cache (seems prudent)
    - Enter Shadow Mode
    - Point IE at the Aurora exploit page

    Results:
    - System is instantly compromised six ways to Sunday
    - Persistence looks a bit harder, but don't count on it

    Comments:

    This is very typical ISR software, in the fashion of Returnil, etc. Persistence might be difficult to achieve without kernel exploits; then again, it might not. I think a sufficiently determined adversary could figure something out... Assuming they cared to. (SD does nothing to prevent data theft.)

    I don't believe this kind of software is appropriate for use on its own. Whether it's good for use in combination with other security software is up for debate. Personally I feel the inconvenience and redundancy make it less than useful on desktops, but others may have differing opinions.
     
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Because I wanted to see how other free AVs performed, compared to the giant paid suites...

    Immunet Protect

    Setup:
    - Blocking mode on
    - ClamAV offline engine and definition updates enabled
    - Point IE to Aurora exploit page, etc.

    Results:
    - Aurora exploit succeeds
    - Injection into Windows Explorer succeeds
    - Fake service creation succeeds, boot persistence is established
    - Every data harvesting attempt succeeds following reboot
    - Immunet sees everything, and shows a big fat green checkmark for every malicious file in its logs

    Comments:
    I think the results speak for themselves. However, I'll want to double check on an up to date copy of Win7, to make sure that API stuff isn't playing games with me.

    Edit: it doesn't even start on Win7... Yeah.
     
    Last edited: Nov 12, 2013
  8. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    And now for something completely different.

    Malware Defender

    Setup:
    - Install MD
    - Set to Learning mode
    - Start IE 6
    - Set to Silent mode
    - Make sure IE actually has internet access
    - Point IE to Aurora exploit page

    Results:
    - Exploit succeeds
    - Injection into Explorer fails
    - Migration into Explorer fails
    - Keylogging (with Explorer or Winlogon) fails
    - screenshot succeeds
    - getsystem fails
    - Creating fake services fails
    - Replacing vulnerable services fails
    - Malicious LNK exploit creates file but fails to trigger
    - Persistence script fails
    - ppr_flatten_rec exploit fails
    - AfdJoinLeaf exploit causes a BSOD (maybe not due to MD)
    - Can enumerate and download files, but not upload (MD needs to be in learning mode a bit longer :) )
    - Cannot steal tokens
    - Cannot dump password hashes
    - Ultimately very little of Metasploit's arsenal works

    Comments:
    This program seems almost as painful for users as for attackers. It is capable of ridiculous levels of restriction though.
     
  9. tomazyk

    tomazyk Guest

    Thnx for testing MD. Sometimes it can be PITA as you said :)

    Only one remark: MD by default does not protect files in user space. It is only monitoring creation and modification of executable files. Adding user space locations to global file rule and set it to 'Ask' might prevent even enumeration and download of files.
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Some of us still relish this sort of "learning curve", and that is probably why there remain so few of us left anymore. However, "ridiculous levels of restrictions", adequately applied as a ruleset on these Marvels of Protection aka classical HIPS, leaves very little if anything to chance.

    EQSysSecure HIPS was/is another one equally equipped to cover so many internal channels of potential threat paths, and would easily be integrated into my Windows 8 today if it were compatible with 64-bit.

    It's still on every HDD I have with XP.


    Easter
     
  11. Inside Out

    Inside Out Registered Member

    Joined:
    Sep 17, 2013
    Posts:
    421
    Location:
    Pangea
    What about paid Avira (maybe it can do well with the new cloud)?

    Also curious how badly G-Data will fail. :argh:
     
    Last edited: Nov 13, 2013
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Interesting, though the exploits are not exactly new of course so I wonder whether it's more of a generic kind of protection or it just has signatures for every exploit tested.
     
  13. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    System Safety Monitor too.
     
  14. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    I'll try custom shell payloads against it at some point, once I figure out how that's done...
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    That would be nice, thanks :)
     
  16. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    To be just a tad bit more fair, I've updated the VM to IE8 (which still has plenty of vulnerabilities). Also I'm now using the Metasploit console, due to certain limitations of Armitage. Learning curve is a little steeper, but it works better.

    Avast Free
    Setup:
    - Heuristics to high
    - PUP detection on
    - Hardening to aggressive (I don't know what this does but it sounds good :) )
    - Scan trusted sites
    - Run updates

    And the exploits...

    ie_cbutton_uaf
    Success, but requires SSL and plenty of obfuscation to evade the web shield. Avast says it blocked the threat... Not fast enough obviously.
    - Running getsystem succeeds
    - Installation of fake services is detected and blocked
    - Avast service can't be killed or migrated to (even with SYSTEM and SeDebugPrivilege)

    The good news is I spent the better part of an hour trying to kill Avast from userspace, and failed. The bad news is that everything on the filesystem is completely visible. Also, I suspect (but currently can't prove) that I might be able to do something nasty with a direct disk write.

    That'll be it with AVs for a while; the ones that work all seem to be boringly similar.
     
  17. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Alright, next up will be Faronics Anti-Executable. Now that I've got a vague idea how to interact with the kernel API (props again to Hungry Man), I think we'll see somewhat more interesting results.

    Screenshots will be provided as well...
     
  18. The Shadow

    The Shadow Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    814
    Location:
    USA
    GJ, if I understand your 'Results' (above), I would submit the following...

    - In all likelihood it was the virtualized system (i.e., Shadow Mode) that was 'compromised six ways to Sunday'.

    - Even in Shadow Mode, SD is not meant to prevent (or even detect) malware intrusions. The entire premise of SD is that any and all intrusions will be contained in Shadow Mode and completely eradicated upon system restart. In fairness to the product (SD), that is what should have been tested.

    TS
     
    Last edited: Nov 13, 2013
  19. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Tell you what, I'll try the SD test again with kernel-level unhooking, after I finish with AE.

    My point though isn't that SD is bad; my point is that it's not sufficient by itself to provide protection from data theft. It does a fantastic job preventing malware persistence, but other software can do that with less inconvenience. IMO anyway.

    (Meanwhile, FAE's GUI crashed on me when I tried to run GMER. I can tell this is going to be fun...)
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    thank you for your tests Gullible Jones:thumb: :thumb:
     
  21. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Well unfortunately Metasploit's support for the Win32 API is very far from complete, which leads to some serious problems for me interacting with the kernel. The idea of unhooking security software from an interactive shell is attractive, but for now it's going on the back burner; I'll try the exotic payload route instead.

    (Tomorrow, all tomorrow. Right now my brain is about to throw an OOM error. The folks who designed the Windows kernel API must have been on something potent.)
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @Gullible Jones

    Those tests so far have certainly piqued curiosity and clearly exposed obvious weaknesses in some security apps, strength in others. Amazing.

    If you don't have it, I will try to muster up EqSecure 4 with Alcyon's (Super) Rulesets to make available for testing at Aurora.

    Would love to see the results and if it can hold ground on most if not all points of attempted entry.

    Please let me know and I'll sure dig it up for a throw at this test.

    And thanks for these tests. Really interesting results to be sure.

    Regards EASTER

    footnote: 5000th post W00T! √√√
     
    Last edited: Nov 14, 2013
  23. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Thanks all...

    It looks like Metasploit recently added support for Python interactive shells, and Python's ctypes does offer a complete interface to the Windows APIs (AFAIK). I'm saved! If I can get this working anyway... Let's see.
     
  24. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    For the record, I tried running another test with OA free; and found that, with proper settings, none of the kernel vulnerabilities in Metasploit's repertoire worked. Looks like blocking vulnerable syscalls may be a viable strategy... For now.

    Settings for IE 8 were as follows:
    - Runsafer
    - Allow spawning other programs (sadly this is necessary, otherwise IE won't start)
    - Allow use of the DNS API
    - Allow creating executables (so you can download programs)
    - Everything else disallowed
    (Including enumerating files IIRC. I left that off by mistake.)

    Again, I reiterate: don't use unsupported OSes. But if you absolutely must use a legacy OS, then IMO you should use a product such as OA or PrivateFirewall, and configure it to restrict threat gate applications. This will at least reduce your attack surface a bit.

    Next up, Deep Freeze, and hopefully some real kernel stuff...
     
  25. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    The Python meterpreter payloads are in fact written in Python, and require Python to be installed on the target system... OMG. :mad: Back to the drawing board.
     