Sinowal/Mebroot, perfectly bypass threatfire v4.7.0.53

1.I went to the exploit url, comodo popuped alert windows, but threatfire was not.

http://i.imgur.com/qRv4D.png



2.I opened the active process list from comodo, and then I checked the PID of the malware.

http://i.imgur.com/VlxK8.png



3.I opened the task manager and checked the PID of the malware.
they are regsvr32.exe

http://i.imgur.com/eb6xq.png



4.I viewed the system activity monitor

http://i.imgur.com/8PEQc.png



5.The malware deceived threatfire successfully.

system environment:
XP SP3 32bit

java version 6.0.220

IE 8

 

First - in which security level was TF? Second - HIPS and behavioral bloker don't work the same and don't point the same action.
I am not a "defender" of the TF, but one thing is important ... TF is based on the heuristic analysis and each higher level represents an increase of sensitivity.
The second matter - TF and Comodo indicated that suspicious file have a certificate of Microsoft, what is also important in identifying some infections.

 

very true

 

Once upon a time, TF was popular, here.
It is Not the same anymore...

 

very true cyberhawk

 

TF is dead infact. Useless for newer threats. Sad indeed.

 

Reading about TF, I thought let's give it a try.
D/l'ed from PC Tools site, the TF installer had version 4.11.2.22. I thought; WOW!
But no, it's the tested v4.7.0.53.
Perhaps they've done real serious work on the installer...

 

I have a quick question about this:

Would creating a custom rule be able to help protect against this type of attack? Now I am going by the guide Kees made here (https://www.wilderssecurity.com/showthread.php?t=253507&highlight=ThreatFire+tutorial) and I do not have ThreatFire installed in front of me. However if I am reading it the rule would look something like this.

Set regsvr32.exe to be monitored when creating/executing a file from C:\documents and settings\Local\temp or C:\users

Also this rule would need to have the trusted vendor list ignored.

Sorry if I am understanding this incorrectly I don't have a machine with TF installed at the moment and Kees is the expert on making these rules.

 

Unfortunately no...I had the same hope
https://www.wilderssecurity.com/showthread.php?t=299708&highlight=threatfire

 

Could someone explain why the certificates are being read as being from MS?

 

Because the process launching the malware component is the genuine regsvr32.exe, meaning regsvr32.exe is the file being verified.