Ransomware n poor protection by HIPS

Discussion in 'other anti-malware software' started by aigle, Jul 10, 2008.

Thread Status:
Not open for further replies.
  1. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    Yes, as GES/POR said. Do you have any evidence whatsoever that Prevx2 is "the most effective of them all"? Very interested to see your reply.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    What exactly is the relevance of this to the subject? Some of the ransomware doesn't even inject DLLs. Do you know this setup would protect you?

    Pete
     
  3. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I'm afraid, Easter, that you may find EQS and Cyberhawk will not protect against Trojan Archiveus and GPcode. If ThreatFire was derived from Cyberhawk, would they have removed protection against this sort of malware? Doesn't make much sense to me.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Nowadays he likes to post as much as possible about Cyberhawk versus ThreatFire, three drivers versus four drivers, etc. etc.
     
  5. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Hello aigle,
    Please could you tell me what extensions GPcode looks for and where (which folders are involved)?
    Many thanks for testing :)

    Edit: sorry, I just found "geswall log" and found answer to above questions
     
    Last edited: Jul 11, 2008
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  7. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I read somewhere that there are up to 80 extensions affected by different versions of GPcode. See the following for example.

    http://www.viruslist.com/en/viruses/encyclopedia?virusid=86369

    You will see there are many versions affecting different extensions.

    From the above link, the extensions affected are:

    arh
    arj
    c
    cdr
    cgi
    chm
    cnt
    cpp
    css
    csv
    db
    db1
    db2
    dbf
    dbt
    dbx
    doc
    flb
    frm
    frt
    frx
    gtd
    gz
    gzip
    h
    htm
    html
    key
    kwm
    lst
    man
    mdb
    mmf
    mo
    old
    p12
    pak
    pdf
    pem
    pfx
    pgp
    pl
    prf
    prx
    pst
    pwa
    pwl
    pwm
    rar
    rmr
    rnd
    rtf
    safe
    sar
    sig
    tar
    tbb
    txt
    xls
    xml
    zip

    I was thinking of using EQS to detect attempts to modify these files, but the amount of pop-ups that this would produce put me off.
     
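The idea in the post above (watch for modification of files with these extensions, without drowning in pop-ups) can be expressed as a behavioural rule rather than a per-file prompt: alert only when a single process writes to many targeted files within a few seconds, which is what an encryptor does and what a word processor does not. The following is an added example, not code from the thread or from EQS; the event format, process names and timings are constructed for illustration, and the window and threshold values are assumptions that a deployment would tune.

```python
"""Added example: flag ransomware-style mass modification of user-data files.

Runs over a constructed file-activity log (not a real HIPS log). A process that
writes to >= THRESHOLD distinct files with a targeted extension inside a sliding
WINDOW is reported; isolated writes and slow, spread-out writes are not."""
from collections import defaultdict
from datetime import datetime, timedelta

# Extension list copied from the post above (GPcode variants).
TARGET_EXTENSIONS = {
    "arh", "arj", "c", "cdr", "cgi", "chm", "cnt", "cpp", "css", "csv", "db", "db1",
    "db2", "dbf", "dbt", "dbx", "doc", "flb", "frm", "frt", "frx", "gtd", "gz", "gzip",
    "h", "htm", "html", "key", "kwm", "lst", "man", "mdb", "mmf", "mo", "old", "p12",
    "pak", "pdf", "pem", "pfx", "pgp", "pl", "prf", "prx", "pst", "pwa", "pwl", "pwm",
    "rar", "rmr", "rnd", "rtf", "safe", "sar", "sig", "tar", "tbb", "txt", "xls", "xml", "zip",
}

# Constructed sample events in a hypothetical format:
#   ISO timestamp | pid | image name | operation | path
# update.exe (pid 2044) behaves like an encryptor; backup.exe touches the same
# kinds of files but slowly; winword.exe and svchost.exe are benign noise.
SAMPLE_EVENTS = """
2008-07-10T09:00:01 | 412  | winword.exe | WRITE | C:\\Users\\bob\\Documents\\report.doc
2008-07-10T09:00:30 | 412  | winword.exe | WRITE | C:\\Users\\bob\\Documents\\report.doc
2008-07-10T09:00:31 | 1200 | svchost.exe | WRITE | C:\\Windows\\Temp\\tmp1.tmp
2008-07-10T09:00:32 | 1200 | svchost.exe | WRITE | C:\\Windows\\Logs\\setup.log
2008-07-10T09:05:00 | 2044 | update.exe  | WRITE | C:\\Users\\bob\\Documents\\report.doc
2008-07-10T09:05:01 | 2044 | update.exe  | WRITE | C:\\Users\\bob\\Documents\\budget.xls
2008-07-10T09:05:01 | 2044 | update.exe  | WRITE | C:\\Users\\bob\\Documents\\notes.txt
2008-07-10T09:05:02 | 2044 | update.exe  | WRITE | C:\\Users\\bob\\keys\\server.pem
2008-07-10T09:05:03 | 2044 | update.exe  | WRITE | C:\\Users\\bob\\mail\\outlook.pst
2008-07-10T09:05:04 | 2044 | update.exe  | WRITE | C:\\Users\\bob\\archive.zip
2008-07-10T09:05:05 | 2044 | update.exe  | WRITE | C:\\Users\\bob\\web\\index.html
2008-07-10T09:05:06 | 2044 | update.exe  | WRITE | C:\\Users\\bob\\scan.pdf
2008-07-10T09:10:00 | 900  | backup.exe  | WRITE | D:\\backup\\a.doc
2008-07-10T09:10:30 | 900  | backup.exe  | WRITE | D:\\backup\\b.xls
2008-07-10T09:11:00 | 900  | backup.exe  | WRITE | D:\\backup\\c.txt
2008-07-10T09:11:30 | 900  | backup.exe  | WRITE | D:\\backup\\d.pdf
2008-07-10T09:12:00 | 900  | backup.exe  | WRITE | D:\\backup\\e.zip
2008-07-10T09:12:30 | 900  | backup.exe  | WRITE | D:\\backup\\f.rar
"""


def extension_of(path: str) -> str:
    """Lower-case extension of a Windows or POSIX path, '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_targeted(path: str) -> bool:
    return extension_of(path) in TARGET_EXTENSIONS


def parse_events(text: str):
    """Yield (timestamp, pid, image, operation, path) tuples; skip blank/comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, pid, image, op, path = (f.strip() for f in line.split("|", 4))
        yield datetime.fromisoformat(ts), int(pid), image, op, path


def find_suspicious(text: str, window_seconds: int = 10, threshold: int = 5) -> dict:
    """Return {(pid, image): max_distinct_targeted_files_in_window} for processes
    that exceed the threshold. Sliding window over each process's sorted writes."""
    per_proc = defaultdict(list)
    for ts, pid, image, op, path in parse_events(text):
        if op == "WRITE" and is_targeted(path):
            per_proc[(pid, image)].append((ts, path))

    window = timedelta(seconds=window_seconds)
    hits = {}
    for key, writes in per_proc.items():
        writes.sort()
        best, j = 0, 0
        for i in range(len(writes)):
            # advance j to the first write outside [t_i, t_i + window]
            while j < len(writes) and writes[j][0] - writes[i][0] <= window:
                j += 1
            best = max(best, len({p for _, p in writes[i:j]}))
        if best >= threshold:
            hits[key] = best
    return hits


if __name__ == "__main__":
    for (pid, image), n in find_suspicious(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={image}: {n} targeted files modified within 10 s")
```

With the defaults only update.exe is reported (8 files in 6 seconds); winword.exe rewrote one document twice and backup.exe spread its writes 30 seconds apart, so neither trips the rule. Widening the window to two minutes makes backup.exe fire as well, which is the trade-off a behavioural rule has to be tuned against, and is a much smaller source of prompts than a rule that fires on every write to a .doc.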
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    As long as it is packed, it's harmless, and which fool will unpack it? The user, of course.
    Once it is unpacked, AE will kill it immediately as an unauthorized executable BEFORE launching.
    Why make it difficult if it can be done easily?
     
  9. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    Well, AE is quite expensive and most people (in case you haven't realised) don't want such restricted functionality on their computers. :D
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You are right.
    No benefit of doing this IMO.
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You mean they don't want REAL security, and I like to pay money for AE with a detection rate of 100%, which kills the most dangerous malware: executables.
     
  12. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    No, because then the computer is restricted. They can't run new downloads, play new games, etc.

    Nothing is 100%. Detection or removal.

    In the case of AE, something could break through it or malware could be a new executable.
     
    Last edited: Jul 12, 2008
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    And the most benign as well: executables.
    And the most useful as well: executables.
     
  14. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Hey,
    It has a whitelist of all the executable files on the machine and then uses a global rule to block all new executable files, so not really a blacklist.
    I do agree with you that AE is way too restrictive.
    Would it block a .msi file?
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, AE detects more than 80 executables, including .msi.
     
  16. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    As I said yesterday, there is no way of blocking nearly all/all malware without functionality loss on Windows.
    Most users would be really annoyed with AE.
    No possible new installs.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Of course, they like to download and run anything from anywhere.
     
  18. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    That is a huge assumption to make.
    It's like saying some teenagers cause trouble, so let's put all teenagers in jail.
    I like to trial software.
    I only download software from legitimate companies and don't get infected. If I couldn't install any new programs I would be really annoyed. At that point I may as well pull the plug on my computer.
     
  19. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Packed executables aren't unpacked by the user; they unpack into memory during execution. Any HIPS with execution control will stop them, not only AE :D
     
  20. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    AE can be a little impractical, but not much more than any other HIPS/Sandbox/etc.
    If you want to install something new, just disable AE protection. Once installed, enable again.
    This way you can install anything TRUSTED, while UNTRUSTED can't do anything at all.
    If I had the money right now, I'd use it.
     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Right, HIPS bombard you with numerous popups, and average users have to decide what to do with them and are guessing what's best.
    AE is nothing but installing, reboot, a password, mark a few settings and turn it ON. That's it.
     
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    You have a wrong idea about AE. I can install any new application.
    SSM, EQS, Comodo, ... these are very annoying pieces of software, but that is considered normal, maybe because they are freeware. ;)
     
  23. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Most HIPS allow you to disable features that you don't want and password-protect the rules.
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Actually, a .msi file is an installer package -- a database file.

    Go to your Windows/Installer directory - you can open a .msi file in a text editor.

    One way an exploit uses msiexec.exe is to download/launch a msi.tmp executable to install something.
    I found this just last evening:

    [screenshot: cracks-fp.gif]

    This is curious, since I already have FrontPage installed, but it is not in the default c:/program files

    This is probably to exploit FrontPage Extensions vulnerabilities.

    You can see that a msi.tmp file is really an executable if you attempt to open it in a text editor:

    [screenshot: cracks-cwp.gif]

    A few seconds later, another exploit from the site was triggered:

    [screenshot: cracks2.gif]

    Other exploits attempted to use .hta and .chm vulnerabilities.

    Nasty environments, are these crack sites!

    --
     
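Two points made earlier in the thread combine in the example below: the AE-style execution control lodore and ErikAlbert describe in posts 14 and 15 (whitelist the executables already on the machine, including .msi, and block anything new), and Rmus's observation just above that a file called msi.tmp is really an executable no matter what it is named, while a genuine .msi is a database. This is an added example, not AE's or any other product's code. The MZ/PE and OLE compound-file magic numbers are real, but every sample file, file name and hash here is constructed in the script, and the allowlist is a deliberate simplification of what a real execution-control product has to cover (DLLs, scripts, payloads embedded inside installers).

```python
"""Added example: classify a file by its bytes rather than its name, then apply
an allowlist of known executable hashes (baseline everything present, block
anything new). All sample files are constructed below; nothing is read from disk."""
import hashlib
import struct

# Header of an OLE compound file, the container format used by .msi (and old .doc/.xls).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
EXECUTABLE_KINDS = {"pe", "ole"}   # .msi is treated as executable, as post 15 says AE does


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(data: bytes) -> str:
    """Content type from magic bytes only; the file name plays no part."""
    if is_pe(data):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole"
    try:
        data.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> set:
    """Hashes of every executable-type file present at baseline time ({name: bytes})."""
    return {sha256(d) for d in files.values() if classify(d) in EXECUTABLE_KINDS}


def decide(data: bytes, baseline: set) -> str:
    """'ignore' for non-executable content, 'allow' if hash is baselined, else 'block'."""
    if classify(data) not in EXECUTABLE_KINDS:
        return "ignore"
    return "allow" if sha256(data) in baseline else "block"


def make_fake_pe(tail: bytes = b"") -> bytes:
    """Constructed minimal PE-looking header (not a runnable program): MZ stub,
    e_lfanew = 0x40, 'PE\\0\\0' at 0x40, followed by optional tail bytes."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + tail


# Constructed samples (headers only).
KNOWN_PE = make_fake_pe()                 # an executable present at baseline
KNOWN_MSI = OLE_MAGIC + bytes(504)        # an installer database present at baseline
TEXT_FILE = b"hello\r\n"
NEW_PE = make_fake_pe(b"\x90" * 16)       # a different executable: same header, different hash

BASELINE = build_baseline({"notepad.exe": KNOWN_PE, "setup.msi": KNOWN_MSI, "readme.txt": TEXT_FILE})

if __name__ == "__main__":
    # The name "msi.tmp" does not matter: the bytes say PE, the hash is unknown, so it is blocked.
    for name, data in [("notepad.exe", KNOWN_PE), ("setup.msi", KNOWN_MSI),
                       ("msi.tmp", NEW_PE), ("readme.txt", TEXT_FILE)]:
        print(f"{name:12} {classify(data):8} {decide(data, BASELINE)}")
```

The sniffing step is what lets a text editor show you the truth about msi.tmp: the file starts with MZ and carries a PE header, which no extension can hide. The allowlist step is the part users find restrictive, since a freshly downloaded installer is by definition not in the baseline and gets blocked until the protection is paused, exactly the workflow HURST described.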
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, I know. I visited these crack sites all the time in my newbie days. After a while my system was completely crippled by malware and I didn't even know what was happening. My very first scan with Spybot reported 200+ threats and my computer was still crippled. :D
     