Failure of HIPS?

Well this has been discussed a bit already here on wilders in two threads:

https://www.wilderssecurity.com/showthread.php?t=136452&page=14 See post no.330 by noway
https://www.wilderssecurity.com/showthread.php?t=171576&page=10&highlight=Anti-executable

I did some testing with it and it has attracked me so much that I thought that it sure deserves a separate thread, especially about the failure of HIPS in this regard.

I was a bit of testing with a driveby download site. Using InternetExplorer 6, XP SP2( not fully updated), I went to this link,( change hxxp to http):

hxxp://85.255.115.221/ind.htm?src=250&surl=www.sloantreefarms.com&sport=80&suri=%2Findex%2Ehtml
IE is somehow redirected and causes a series of drive by downloads( note that redirection is not consistant. Sometimes I have to try multiple times by emptying my browser cache and changing dial up ISP that is a proxy server). More details are here by Rmus:

http://urs2.net/rsj/computing/tests/redirect/

What caused my concern is that a spoofed .gif file is downloaded and executed( it,s a doownloader) and then it caused to download and execute a series of malware exes. SSM Pro/ Free does neither prevents nor gives any indication of execution of this spoofed .gif( although the exes later downloaded are stopped infact). I tried ProSecurity free and NeovaGuard and they also failed. On the other hand Anti-Excutable stops execution of this file.

I was thinking calssical anti-execution HIPS are supposed to stop such execution as well, but they failed here. More details by Rmus here:

http://urs2.net/rsj/computing/tests/spoofexe/
http://urs2.net/rsj/computing/tests/winantivir/

What is your opinions about this?

 

BTW I tried it with GeSWall, it did not stop any execution ofcourse but did stop some malicious actions and also files downloaded in system32 folder were isolated and marked. It is supposed to do this job.
DefenceWall, same results as GeSWall.

SandBoxie isolated all the exes etc in virtual drive as expected. An interesting thing is that duringg these drive by downloads, one exe from temp first terminated IE and then relaunches it in invisble mode( IEplore.exe running in Process Explorer but no IE window visible), IE then downloads malware exes in system32 folder.

As Sandboxie free version does not auto isolate IE, I was thinking that at this step IE will be launched outside of sandboxie and that will lead to unisolated exes in system32, but that did not happen at all, rather the driveby downloads just stoped at this point. My guess is that it happened due to the special location of malware exes in sandboxie( as they were in virtual drive, not in actual C drive where they were supposed to be present, this change in path of malware exes broke the continuous driveby download sequence). This is just my speculation.

 

Hi aigle:

One up for sandboxie and AE. I have not used AE but did use Exe Lockdown and was impressed by how light it was on my system compared to classical HIPS. Now, if AE runs as light, I can see why many members speak highly of it. As for Sandboxie, I assume that it's limitation of not being able to run legitimate programs in the sandbox is also what stopped the execution of the exe's.

 

That is why I have IE with a security policy set as a BASIC USER. (see my sig)

UPDATE: My main/default browser is FF2, but some sites require IE!

Mike

 

Very interesting aigle, have you any idea why SSM doesn't intercept the installation of the exe files, since every legitimate file I install is challenged by it.

 

Went to the above mentioned URL. The Re-Direct couldn't get past FF w/ noscript. When I allowed (temporarily) I was brought to Sloans Farms. No .exe detected.

...screamer

 

Starting at post 330, very good reading!

Broke link?

Mike

 

Should be a forward slash between com and show
https://www.wilderssecurity.com/showth...nti-executable

 

aigle,

Unfortunately I saw no sign of any "executable" GIFs.

If its possible, can you upload it somewhere, and give me the link via PM?

 

Sorry, it was:

https://www.wilderssecurity.com/showthread.php?t=171576&page=10&highlight=Anti-executable

Corrected now.

If u get redirected, u will get it in ur temp internet files( mainly) or all users start menue( not sure).
PM me ur e-mail address and I will send it to you. Not sure where to upload. My ISP blocks many upload sites.

 

Not all exe,s, only spoofed .gif file.
None of HIPS detects its execution except AE. I tested PS Pro, SSM Pro, and NG.

I made a thread at SSM forums too, much similar to this one.

https://www.syssafety.com/forum/viewtopic.php?t=944&sid=korfuf8hjrgpkkgpn7onfvhol6

 

excellent results again for geswall, defensewall and sandboxie! aigle i'm stunned that only anti-executable passed this "test". if you have time can you try dynamic security agent (DSA)? i'd love to know if that would stop this.

 

I tried but DSA will not install on my system ATM( some conflict). I tried thrice and then gave up.

If anybody needs spoofed .gif file. pls PM me. I have uploaded my Temp Internet Files in a zip n passowrd at rapidshare.

 

aigle,

Sorry for not seeing your message earlier - was busy with assignments.

Either way, I received your PM, and used cmd.exe to launch the GIF file "as is" without renaming it. SSM properly intercepted the CreateProcess API call and popped up a prompt. I'd just want to ask what rules are you using for IE - have you told SSM to prompt when IE wants to launch a new untrusted process?

 

Hi solcroft,

I think what aigle was wondering, as do I, should SSM have blocked the spoofed .gif file from downloading in the first place?

That is to say, does is have classical execution prevention as one of its features?

Or is it's job just to block it from being executed by another process?

Thanks,

-rich

 

Good going, aigle! I am eagerly watching the thread you started at SSM's forum. If SSM's proponents run true to form, they will quickly & effectively plug this hole.

It is obvious that the bad guys are well aware that lots of their intended *victims* are now running HIPS programs. It is to be expected that the bad guys will aggressively probe for ways to get around HIPS.

IMO it is well nigh impossible for any HIPS developer to keep up with ALL the new probes by the bad guys. That's why it is essential that the proponents of a HIPS program give heed to people like aigle, and encourage them to report any & all suspected weak points.

Herein is one of the MAJOR reasons why I stick with SSM. Namely, they have a forum. Most of the other HIPS do not. SSM's forum is very active and very responsive. In many cases the other HIPS -- the few that DO have forums -- either do not reply to posts such as aigle's, or else treat them with disdain and aloofness.

SSM's forum listens. SSM's team pays attention. Checks to see. Treats folks like aigle with the respect they deserve. Then ACTS quickly to verify & correct any weak areas. I have yet to find any other HIPS team that is equally as pro-active and helpful & friendly as is the team at SSM.

 

Hi Aigle,

Nice test. I went to the link with IE7, was redirected to sloan's tree farm. Nothing dwonloaded (running EQSecure, Antivi + GeSWall Pro). Checked internet temp folder and system32 for flagged files by GW, found nothing. EQ did not alert on anything written to system folders or creating executables. Could not find the gif mentioned anywere on my system. Does this only work with IE6 and unpatched XP?

Could you PM a spoofed gif?

Thx K

 

The same results here using IE7 and latest Opera on XP administrative account no less. I deleted all temp files but I keep just getting Sloan's Tree Farm and I'm positive notthing is is dowloading into my system.

Good question

BTW Aigle, thank you for your efforts and information sharing. I've been following this turn of events since last night.

 

I tried same and I get the prompt in the same way.
But during actual tresting, I got no prompts that IE is tryting to launch .gif file. Also keep in mind that on my system SSM doesn,t allow cmd.exe to start. I have though kept a renamed copy of it in another place.

I will.

@ Kees and wat0114
I think it will only work with IE6 and unpatched OS, but nout sure.

SSM will not block download of any executable. It will only warn/ stop its execution. So is true of anyother HIPS like PS, PG, NG etc.

BTW, now I suspect the spoofed .gif file was never executed so that,s the reason SSM and other HIPS don,t give a prompt. I think AE warned u about download of executable( .gif) not its actual execution( that why it is saying Reason: Copy). Gif file was never excuted on my system or on Rmus,s system. Jsut my idea, I have no way to confirm it.

Other HIPS are a bit different from AE as they don,t stop download, copy of execuatbles, they just block the execiution of theses.

If I manually run gif via CMD.exe on my system, SSM gives a pop up warning. Moreover normally SSM on my system does not allow even start of CMD.exe( I allowed it to run gif file and got prompt for gif execution).

If it is true, then I wonder what was the purpose of driveby download of this spoofed gif file?

 

I end up at Sloans Tree farm with both IE6 and Mozilla. Nothing happens, no matter what my browser settings or what security apps I bypass or disable.

I'd like to know that as well. It doesn't work with IE6 or Mozilla Sea Monkey 1.07 on a 98 box. If anyone has this spoofed gif, could they send me a copy?

I'd very much like to test SSM on more of these sites if I can ever find one that works as intended on this box. I keep seeing posts about how SSM fails to defend against different web delivered malware but none of them even try to function when I go to them. This is getting to be a recurring theme. So much for how vulnerable and insecure 98 is supposed to be.
Rick

 

guys i can't explain it but aigle is right. i downloaded DSA to test it vs the drive-by website that aigle mentioned. i enabled powershadow and disabled geswall and comodo firewall so i can run the test on DSA without any interference. i entered that website in IE and lo and behold, i was redirected to another site and MASSIVE amounts of pop-ups were being issued by antivir.

i had STUPIDLY left antivir on. i closed IE, disabled antivir, and cleaned my cache using window washer and tried to test DSA again. but amazingly i wasnt' taken to the original webpage, i was taken straight to the "tree farm" page. i tried rebooting my machine and trying again, but no luck.

no matter what i can't seem to get to the original infected page!

 

It will not run again so easily. I use dial up and I just change my ISP no. each time to get it work, sometimes trying after half an hour or so works. Try again later. Run CCleaner before as well.

 

I checked that website and tested with ProSecurity and SSM. Both block the loading of the executable just fine. Aigle, I'm sorry, but I believe this whole thread is based on a misunderstanding on your end. The .gif which gets downloaded is never launched, instead the exploit copies the contents of it to a new file named MS_update_0704_KB74073.exe and then tries to launch this one and not the original .gif file. There is no hole in ProSecurity's or SSM's execution control as you suspected in the beginning.

 

All I can determine - and I went to the site again earlier today - is that if cnte-oiduuyes.gif does not download, I don't see any other executable files cached or installed. If I let cnte-oiduuyes.gif download, then the whole scenario is set in motion, including the launching of the hidden process of IExplore.

The Host Server for the Sloan web site was sanitized earlier, so the redirect from Google no longer works. You will have to use the direct link which aigle posts above.

Here are screenshots of the files, both at the point of blocking cnte-oiduuyes.gif, and after it is allowed to download.
Using IE6 on Win2K SP4:

http://urs2.net/rsj/computing/imgs/winantivir/

So, that .gif file has some purpose. Note that cnte-oiduuyes.gif and MS_update_0704_KB74073.exe are the same file probably just being renamed-copied, as I show in the scans.

(EDIT: I see that Kenjin draws the same conclusion)

If there is no cnte-oiduuyes.gif, the exploit can't get started. Otherwise, why don't we see any other executable files? I may be wrong, but that is the way it appears.

I checked AE's Log and it shows only one executable - cnte-oiduuyes.gif - attempting to download, so there were no blocks in the background.

Until someone can analyze more thoroughly each step of the exploit, including those convoluted javascript coded pages, we are left to guess what is really happening. This is no longer a straightforward task, where one could use a simple CharCode-to-ASCII Chart, or an Unescape converter.

See here for a current example of the difficulty:

Analyzing an obfuscated ANI exploit
http://isc.sans.org/diary.html?storyid=2826

@Herbalist: Spanner over at DSLR uses Win98 and most of the recent exploits don't work for him, so this maybe the case with you.

If so, Too bad... you will have to get an XP box to play with these things


regards,

-rich

________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​