Failure of HIPS?

Discussion in 'other anti-malware software' started by aigle, May 25, 2007.

Thread Status:
Not open for further replies.
  1. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    My impression is that the rigidity you find unsuitable is actually a useful trait in their primary institutional market.

    Blue
     
  2. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Post 37,
    Post 47,
    A "Basic User" does not have write access to %SystemRoot%, so pwxwwkrfo.exe, ipv6mons.dll, and aqtmdilc.exe cannot be created in %SystemRoot%\system32.

    Post 50,
    How did the three files get into %SystemRoot%\system32?

    My C:\Program Files\Internet Explorer\IEXPLORE.EXE runs in the context of a "Basic User".

    Per http://msdn2.microsoft.com/en-us/library/ms972802.aspx, the Normal User (also named Basic User)... it only has the SeChangeNotifyPrivilege privilege.

    Apparently I am misunderstanding something?

    Mike

    UPDATE: fixed MSDN URL
     
    Last edited: May 27, 2007
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, I will try again later. Maybe there are no malware files in system32, just in other locations.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, I downloaded AE, configured it to allow copy and download of new executables but to deny their execution.

    Results: spoofed .gif file is downloaded but not executed. First file to execute is MS_Update_0704_kb7403.exe.

    End of story. So the HIPS did not fail here. However, AE has a very nice feature to deny even the copy/download of executables.
     

    Attached Files: 0.jpg, 2.jpg, 1.jpg
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    More screenshots.
    anti-exe (1).jpg
    anti-exe (2).jpg
    anti-exe (3).jpg
    laAT.jpg
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi aigle,

    Well, I stand corrected :oops:

    I confess as to having completely forgotten about that configuration setting! I've always had it enabled.

    In my use of my laptop, having copy protection disabled would be a potential disaster.

    If I put a student's USB drive into my laptop and it downloads (copies) - a malicious executable to my HD and it just sits there, the next time I Turn Off AE to install something and again Turn AE back on, that malicious file is added to the White List. The student may not even be aware that this has happened. I would never be aware that this happened.

    Anyway, I'm glad to be reminded of this configuration setting.

    regards,

    -rich
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I just finished looking at your tests - very nice.

    If you include these with the screen shots of the Geswall and AV alerts - you will have a good summary of different solutions.

    More people who analyze and draw their own conclusions, means more people to outwit and protect against these malware writers!

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  8. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I rechecked my finding with DMR. I don't have XP Pro so can't check it by policy restrictions.
    DropMyRights doesn't protect against this. The reason, I think, is that MS-update...exe terminates the currently running instance of IE (that was running under DropMyRights) and starts a new invisible process of IE that is of course not under DropMyRights, as it is not started from the DMR shortcut. IE then downloads malware files into system32. Confirmed now.

    Maybe somebody can check in a limited user account or with policy restrictions.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I agree with you.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks.
    I have no web site of my own. All the stuff that I have I posted here already.
    Feel free to use any screenshots etc anywhere.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I think CyberHawk protects against this. See the alert when MS_update...exe tries to launch. If I deny this alert, nothing more is executed on my system. Really nice work by CyberHawk, though the prompt is not so clear.
     

  13. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Rich,

    I don't believe that's the case, except under specific circumstances.

    AE/Faronics don't go into depth on the complete aspects of operation, but I believe that the malware would have to be accessed while AE is off (and I believe a file read is sufficient) for that to happen. While off, AE monitors file activity and executable files that are in that monitored list are whitelisted on AE's restart.

    Blue
     
  14. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Hmmn, a possible problem with this: as you say, it is not very clear. It seems as though Cyberhawk has simply taken exception to IE for some reason; a novice looking at this may simply look at the alert and decide Internet Explorer is a trusted program and allow it.
     
  15. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
  16. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Sorry about not mentioning I run XP Pro.

    Because of the LSP, no matter how IE is started, it always runs in "housewife" mode (thanks Erik)... PERIOD.

    If I understand the remaining posts so far, you experts are still testing "May be somebody can check in limited user account or with policy restrictions."... right?

    Side Note...

    I copied C:\Program Files\Internet Explorer\IEXPLORE.EXE to D:\bin\goofy.exe
    I then extracted the blue IE icon, and changed it to a red IE icon
    I created a Desktop shortcut to D:\bin\goofy.exe using the red IE icon
    IF I must run IE (Windows Update), I can use goofy.exe :D

    Mike
     

  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Blue,

    Regarding copying from external media with AE enabled:

    The case I set up this morning involved trying to copy an executable not on the White List from my CDR drive to my HD.

    However, what I didn't consider is that as soon as I accessed the CDR drive, AE alerted. Evidently it "reads" - monitors - the drive as it is being accessed.

    So, it's a non-issue (here, anyway!)


    regards,

    -rich
     
  18. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I still have a question: does malware have to execute in order to be infected (is that principle valid)? Does there have to be an executable involved, or could an app like IE, some Messenger, etc. potentially be remotely exploited to infect?

    It doesn't seem likely, but: were there vulnerabilities in the past that allowed this, and is it theoretically possible (javascript, whatever)?
    I agree. It only says IE is acting weird - no info.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Ok, so the end conclusion is that a HIPS like for example SSM will in fact stop such an attack? I must say that this is a very interesting thread, because this all would be proof that HIPS are really useful against (zero day) attacks. :)

    However, shouldn't a HIPS also protect against this stuff?
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, I have tested it twice carefully after making a limited user account in XP SP2 (unpatched). You must be happy now as I tested it, and sad as it failed the test.
    I can at least confirm that multiple malware files were downloaded and copied inside system32. You can see these files marked isolated by GeSWall.
    All of them are detected by Antivir.
    I can't however tell you if there were any malicious events prevented by the limited user account. It's beyond my capabilities.
     

  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Do you think it's the job of a HIPS to prevent file creation?
    Their job is to prevent execution, not the creation of files (with some exceptions - the copy-defence function in some HIPS).
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Agree, but as long as there is a password for settings plus a stealth mode, it can't hurt.
     
  23. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    I 100% believe you.

    I just do not understand how stuff gets written to system32. When I DL a program using IE, and then run the setup.exe, partway through the install process I get an error box.

    Can you do me ONE last favor... I promise I will not bring up IE running as a BASIC USER.

    Can you verify your system32 security settings?

    Mike
     

  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    There is no security tab in XP Home so I had to log in as administrator in safe mode. System32 properties were as shown in snapshot 1. The limited user account name (test) that I used for testing was not there. I added it manually like this: I clicked Add > Object types > Users > Ok > Advanced > Find now > test > Ok > Ok > Apply. Test was the limited user account. I am not familiar with this stuff. Just to make sure, I tested it again, with the same findings.

    BTW GeSWall policy was running during testing. Maybe its policy overrides the limited user policy somehow, leading to these results; I am not sure.
    I suggest you test it yourself and let us know your results if possible.

    Tell me if there is any problem in my setup.

    1.jpg

    2.jpg
     
    Last edited by a moderator: May 28, 2007
  25. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    I also did not have the Security tab in XP Pro; I had to "Control Panel > Folder Options > View > NO √ Use simple file sharing (Recommended)". I do not remember where I read about "simple file sharing", but the experts say to UNCHECK that option because it is more secure.

    OK, will do and report back. BUT, let me make sure my backup image etc is up to date! :eek:

    Mike
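
One way to carry out the check flinchlock asks for in posts 23 to 25 (verifying the system32 security settings) without clicking through the Security tab, as an added example that is not code from anyone in this thread: it reads the ACL on %SystemRoot%\system32 and reports every Allow entry that grants write-class rights to a principal outside an expected set. The `$expectedWriters` list is an assumption about a default install and should be adjusted to the build being audited; the result describes only the folder ACL, not how a particular file got there.

```powershell
# Added example: audit %SystemRoot%\system32 for write-class access granted to
# principals that should not have it. Not code from the thread participants.
# Assumption: $expectedWriters is the set of identities a default Windows build
# is expected to grant write access on this folder; adjust for your system.

# Rights that let a caller drop a new file or replace an existing one.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories

$expectedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',   # Vista and later; not present on XP
    'CREATOR OWNER'
)

function Get-UnexpectedWriters {
    param([string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries never widen it.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Bitwise test: does this ACE carry any right that permits file creation or replacement?
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
        if ($expectedWriters -contains $ace.IdentityReference.Value) { continue }
        # Anything left is a principal (a user such as a manually added "test"
        # account, Everyone, Users, or on XP typically Power Users) that can write here.
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$system32 = Join-Path $env:SystemRoot 'system32'
$findings = @(Get-UnexpectedWriters -Path $system32)
if ($findings.Count -gt 0) {
    Write-Warning "Write-class access to $system32 is granted outside the expected set:"
    $findings | Format-Table -AutoSize
} else {
    "Only the expected principals can write to $system32; the folder ACL itself does not let a limited user create files there."
}
```

Run it from the account in question or from an administrator session; on XP the same `Get-Acl` output is what the Security tab shows once simple file sharing is disabled.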
     