Rogue slips right through Comodo!

So I was doing my weekly tests when I found I link to a rogue antivirus. I copy pasted it and downloaded it. It wasn't in the NOD32 databases so it was missed, i can accept that. But then when I tried to run it, Comodo didn't even give me a execution alert and only gave one alert, that even if you block it, the rogue runs happily.
The rogue's name is XP Security deluxe (Something like that).
DefenseWall was able to keep it in untrusted. Comodo does the same when I set up Defense+ to Paranoid.
Would love to see how other HIPS do on this.
The rogue was posted on the site on 2009/07/23_00:00 by Michael Arrigoni /
I can pm you the link if you guys want.

I did this yesterday.
EDIT:Ok so I checked it again, and it is now detected by NOD32 but comodo still can't stop it with its HIPS

 

Ok i have uploaded the rogue and not a lot of antiviruses detect it. 9 out of 21 detected it on jottis scan.

Edit: removed the link

 

hi can you pm the link....plus i think the jotti link is not allowed here

 

LOL i had to rely on my last one to save me, DefenseWall

 

Totally agree

 

But I have seen some other malware being stopped by Defense+s heuristics, was surprised when I saw that!

 

There's nothing for Comodo or any other HIPS to detect (beyond its execution) because all it does is add a desktop shortcut and then do a bogus scan. Simple social engineering. Tested against Malware Defender 2.3.2 and verified with Sandboxie 3.39.02 on Vista SP2.

 

Could you PM me the link, please?

 

What about the tray icons?

 

From MD's log when denied...

7/28/2009 01:45:55 c:\windows\explorer.exe Create new process e:\files\samples\072809\xpdeluxe.exe Denied [App]* Cmd line: "E:\files\samples\072809\xpdeluxe.exe"

 

Even comodo gives a memory alert, access to explorer.
Does the rogue run with malware defender?

 

Image Execution monitoring set to normal or aggressive?

I'll give this a go myself later on tonight (am re-building my Ubuntu machine at the moment )

 

Give the rogue a try with it set to aggressive. See if that makes any difference (it did with the previous POC nasty we were looking at).




(I love my Linux, but it doesn't love my HP lappy - am damned if I can get any audio... )

EDIT - just saw YOUR edit, ssj100

 

Funny thing is Windows Defender (and I always keep it on because it never conflicts with any other security here) detected it as a "fraud tool" right after it was saved to the disk by my browser

 

Not when I deny it.

 

anyone got screenshots of this rogue, ssj i think said it was convincing looking so im curious now.

 

Linux is vulnerable to the rootkits, worms and trojans as well as any other PC platform. But it is very resistant to the Windows exploits. Though, that is to say, Windows is very resistant to the Linux exploits in return

 

not at home

 

Here you go...

 

It's kinda pretty for a piece of malware.

Almost makes me wanna head on down to IRC and apply to join a botnet

 

Any idea on who owns the IP's?

 

You are right, when i set image execution to aggressive, defense+ gives lots of alerts and when all are blocked, the rogue doesn't run. The alerts showed that the rogue was accessing A LOOOOOOOOT of windows files.
EDIT: Success!!! LOL but only if its set to super high mode

 

I know. I've got a nice collection of rogues. The UI's are convincing. This one is clever with its minimalist approach (no real system intrusion beyond a desktop icon).

 

How interesting, considering that ssj100 said that with img ex set high, the rogue was still able to do its stuff.

Now I am really looking forward to playing with this later on

 

Can anyone plz test this sample against Online Armor, geswall, outpost and other popular HIPS? with the default or settings that you are using right now and then with the highest only if the default fails.