POC of Terminating Processes

Discussion in 'other anti-malware software' started by MagisDing, Jul 21, 2009.

Thread Status:
Not open for further replies.
  1. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Yes, it bypasses MD.

    Can someone test with DefenseWall? I think DefenseWall will block it, but I could be wrong.
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    My results.
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Uhm... tried it on the ZA GUI and test.exe hangs... the ZA GUI does not close or freeze and Vista continues to work just fine...

    This time running it on Notepad caused Notepad to close, but there is no sign of an application crash in the logs.

    Fax
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    It doesn't do jack on my XP; tried it on Metapad and IE, nothing? Which is good news I suppose, but I wonder why?

    aigle

    OK, just posting what DSA showed, but the others didn't!
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It's just a simple execution alert that all the others give as well.
     
  6. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Well, the sad fact is it also bypasses DefenseWall. Seems GeSWall is the only winner here. These poor results with our favourite security products are not good. I'm pissed off with this test.
     
  7. 3xist

    3xist Guest

    It's becoming more and more clear to me. There are REALLY only 2 things we can assume about this based on the information around us:

    1) This is a new malware technique that has been introduced and is starting to be used in the wild by new malware. (Unlikely)

    2) This is simply a useless Windows message POC; all it does is freeze applications. It's much more of an inconvenience than it is a threat that ALL vendors need to secure against NOW. (Likely)

    I'm leaning towards Number 2 to be honest.

    Cheers
    Josh
     
  8. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Well, let's hope it's not the 1st then :D
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Not even, it has an advanced self freezing feature :D
     
    Last edited: Jul 25, 2009
  10. 3xist

    3xist Guest

    That's exactly why (Default Deny Protection) I have CIS in Parental Control with Defense+ and Firewall alerts SUPPRESSED. :) When I try this thing, I get the picture below. :) (And I can still run my current apps with zero alerts.)

    Is it fair to say CIS blocks this in the Proactive/Parental Control configuration? Nope. Because people are saying this bypasses it even when CIS is in Proactive. It's an odd piece of code! Grrr! :) (Still awaiting results from the CIS devs...)

    This is one reason why Sandboxing is coming in CIS ver 4. ;)

    Cheers,
    Josh
     

    Attached Files:

  11. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Well, if vendors make a fix then it wouldn't matter if it is the 1st.


    But the Sandboxie vendor never made a patch for all those stop.exe tests bypassing Sandboxie from the "some test" thread, did he?
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Of course they will make a fix, they normally do; it's only what's his name? Tuzac, the Sandboxie vendor, who doesn't make fixes.

    Even though it's more of an inconvenience than a security risk, I personally class inconvenience as a security problem as well. I would hate it if I was playing World of Warcraft and the game kept on crashing because my HIPS or sandbox was unable to control the behavior of other running processes.

    Next thing, people will also be saying that if your OS got infected, it's just an inconvenience. Oh, just restore a backup image, no permanent damage done.
     
  13. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Yes, this is just a Windows message POC. Though I can't rule out buffer overflows (unlikely).

    EQSecure v4.* gave alerts for what it termed "Process Message". The POC will just try to overwhelm a target application with a flood of Windows messages. But it didn't overwhelm the old-version applications I use, like CCleaner, even when I completely disabled EQSecure.

    Can't understand why other HIPS didn't give alerts for those Windows messages.
     
    Last edited: Jul 25, 2009
  14. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    Well, I can't see it being an ordinary, normal type of Windows message, otherwise Comodo and MD would have been able to block it. This test must use some other obscure method to send messages. Interesting how EQS 4 blocked it. Might give it a try at some stage.
     
  15. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    The answer is "user-friendliness".
    A HIPS alerting on every interprocess communication will drive them nuts... he he
    ...and it's an easy way to mess up one's system's and applications' functionality without any particularly significant benefit security-wise, against which a simple default-deny or anti-executable can also give adequate protection.
    But then again, a well-featured HIPS provides a good learning experience for a control freak like me. Ha ha
     
    Last edited: Jul 26, 2009
  16. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    You didn't test anything; in fact, that way you did not allow it to execute.
    I can get the same result without any security software, only with Software Restriction Policy [see attachment]

    ...You know, you must execute the "malware" before doing a test... while with your config you deny all new executions, so the malware can't execute (and the test does not start) ;)
     

    Attached Files:

  17. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    Sorry, I hadn't read your reply :oops: :p

    Regards
     
  18. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    stackz offers a hint which I had initially overlooked...
     
  19. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Looks like OA 3.5.0.36 beta does the trick and silently prevents the POC from being able to damage other processes.
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Yeah, I installed EQS v4 and can see by these logs that it is flooding Notepad with continuous messages. It is normal for processes to send messages to each other, but not to this heavy extent of flooding. So I don't know why other HIPS don't provide any protection from this. By the way, I have installed Sandboxie, haven't used it for ages; it seems a bit lighter than it used to be and has a few more features, so I am quite impressed with it, now using it instead of Deep Freeze atm.
     

    Attached Files:

    • test.JPG (105.8 KB)
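The post above describes what the EQSecure logs showed: the POC does nothing exotic, it simply sends far more window messages to one target than normal interprocess traffic ever would, and a HIPS that logs "Process Message" events has exactly the data needed to tell a flood from ordinary IPC. The following is an added example, not code from the thread, from EQSecure or from any other product mentioned here. It assumes a constructed, hypothetical log line shape (`<timestamp> <source.exe> -> <target.exe> <WM_name>`, which is not EQSecure's real format) and a hypothetical rate threshold; both would need to be adapted to whatever your HIPS actually records. It flags any (source, target) pair that exceeds the threshold inside a sliding one-second window, so a normal trickle of messages from explorer.exe passes while a burst of WM_CLOSE from test.exe is reported.

```python
import re
from collections import defaultdict, deque

# Constructed log line shape (an assumption for this example, NOT EQSecure's
# real log format):
#   <unix_ts> <source_exe> -> <target_exe> <WM_name>
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<msg>WM_\w+)$"
)


def parse_line(line):
    """Return (ts, src, dst, msg) for a matching line, or None otherwise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["src"], m["dst"], m["msg"]


def detect_floods(lines, window=1.0, threshold=50):
    """Flag (src, dst) pairs that send more than `threshold` messages within
    any `window`-second span.  Returns {(src, dst): peak_count_in_window}.

    The threshold is a hypothetical tuning value; legitimate IPC (broadcasts,
    accessibility tools, automation) does send messages between processes,
    so the point is the rate per pair, not the existence of messages.
    Lines are sorted by timestamp first so out-of-order log lines do not
    break the sliding window.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[0])
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    peak = defaultdict(int)       # (src, dst) -> highest count seen in a window
    for ts, src, dst, _msg in events:
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > peak[(src, dst)]:
            peak[(src, dst)] = len(q)
    return {pair: n for pair, n in peak.items() if n > threshold}


def build_sample_log():
    """Constructed sample input: five legitimate WM_SETTINGCHANGE broadcasts
    from explorer.exe spread over ten seconds, then 300 WM_CLOSE messages from
    test.exe to notepad.exe inside 0.3 s, plus one unparseable line."""
    lines = []
    for i in range(5):
        lines.append(f"{1248200000 + i * 2:.3f} explorer.exe -> notepad.exe WM_SETTINGCHANGE")
    base = 1248200003.0
    for i in range(300):
        lines.append(f"{base + i * 0.001:.3f} test.exe -> notepad.exe WM_CLOSE")
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for (src, dst), n in detect_floods(build_sample_log()).items():
        print(f"FLOOD: {src} -> {dst}: {n} messages in a 1 s window")
```

The sliding window is per (source, target) pair rather than per target, so a target that legitimately receives traffic from several processes is not penalised for the sum; only a single sender hammering it trips the rule. Run stand-alone, the sample reports test.exe -> notepad.exe with 300 messages and says nothing about explorer.exe.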
  21. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Well, I have sent xiaolin a PM so hopefully we will get an update soon.
     