Anti-Executable

Discussion in 'other anti-malware software' started by LoneWolf, Apr 12, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
Rmus, let me ask a Q. So if a downloader code can execute from a spoofed .gif image without warning from a HIPS (like I tested with SSM and PS), that means any HIPS can be bypassed very easily and the actual malicious code can be executed in this way to steal data, damage the system, etc?
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
BTW I can't see any images in your post no. 248, some filter by my ISP. It would be better if you upload images locally.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Well, I'm confused now, because I thought that HIPS included execution protection, which would have prevented the spoofed .gif file from downloading.

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The post is temporary. As soon as I make it into an article for my web site, I'll just link to it from the post.

    Bubba explained once how to code inline images in a post, but I wasn't successful in trying it, so I link from my server.

    Otherwise you are limited to one attached image per post, as I understand it.

    regards,

    -rich
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
Now you can attach up to 5 images, but it causes the post to widen horizontally in a way that I don't like.
I wonder why it does not arrange images vertically.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Well I tried with NG, PS and SSM and no alert about the execution of this spoofed .gif file.
    Seems I need another post at syssafety forums.
     
  7. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
That's very confusing. SSM doesn't detect every executable? That should be perfect in SSM. Maybe the pro does? Can you ask that too, Aigle?

Rich, how can I reproduce those tests? (Where do I get my hands on something like that?)

    TIA
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello, aigle,

When you posted in this thread that Geswall had intercepted an executable, MS_update.....exe and that you had AntiVir popups:

    https://www.wilderssecurity.com/showpost.php?p=1010173&postcount=347

    I wrote that the original downloader 'cnte-oiduuyes.gif' must have executed before those files could download.

    Just to be sure, I followed that link again, and confirmed that no other files download until the original trojan has run:

    WinAntiVirus Test

    I don't know why those programs you describe didn't block the .gif file. If you post at the forums you mention, give them the direct link for them to test.

    Post back with their results.

    regards,

    -rich

     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Pedro,

    See noway's post. The direct link is in the 4th paragraph, last line:

    https://www.wilderssecurity.com/showpost.php?p=1008929&postcount=330

    regards,

    -rich

     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Hi Pedro and Rmus!

I have tested it with SSM free, SSM pro, ProSecurity free and NeovaGuard, all of them. None of them detects the execution of the spoofed .gif (file cnte-oiduuyes.gif), though all other executables that run later are detected. It is really very interesting.

    I have made a thread at syssafety forums here.

    http://www.syssafety.com/forum/viewtopic.php?t=944
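The file aigle describes is an executable stored under a .gif name, which is why an AV that keys on the extension, or a HIPS that only watches files it recognises as executables, can miss it. A defender's check for that is to compare a file's extension against its leading magic bytes and flag any image-named file whose content is actually a DOS/PE image. The example below is added here and is not code from the thread or from any of the products mentioned; the sample bytes are constructed (a minimal MZ/PE header, not real malware), and the only filename taken from the thread is cnte-oiduuyes.gif.

```python
import os
import struct


def _fake_pe() -> bytes:
    """Constructed minimal PE header: 'MZ', e_lfanew at 0x3C pointing at 'PE\\0\\0'."""
    buf = bytearray(0x84)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew -> offset of the PE signature
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed sample "files": one executable hiding under a .gif name, two real
# image headers and one honestly named executable.
SAMPLES = {
    "cnte-oiduuyes.gif": _fake_pe(),
    "banner.gif": b"GIF89a" + b"\x00" * 10,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "setup.exe": _fake_pe(),
}


def classify(data: bytes) -> str:
    """Identify content by magic bytes, independent of the filename."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "mz-dos"  # MZ stub without a PE signature (old DOS executable)
    return "unknown"


EXECUTABLE_TYPES = {"pe", "mz-dos"}

# Which content types each extension is expected to carry.
EXPECTED = {
    ".gif": {"gif"},
    ".png": {"png"},
    ".jpg": {"jpeg"},
    ".jpeg": {"jpeg"},
    ".exe": {"pe", "mz-dos"},
    ".dll": {"pe"},
    ".scr": {"pe"},
}


def check_file(name: str, data: bytes) -> dict:
    """Compare the extension's expectation with the detected content."""
    ext = os.path.splitext(name)[1].lower()
    kind = classify(data)
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and kind not in expected
    return {
        "name": name,
        "extension": ext,
        "content": kind,
        "mismatch": mismatch,
        # The case from the thread: image extension, executable content.
        "hidden_executable": mismatch and kind in EXECUTABLE_TYPES,
    }


def scan(samples: dict) -> list:
    """Return the findings for every file whose name hides an executable."""
    return [r for r in (check_file(n, d) for n, d in samples.items()) if r["hidden_executable"]]


if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(f"{finding['name']}: extension {finding['extension']} but content is {finding['content']}")
```

Run against a browser cache or download folder, the same check catches the file on disk before anything tries to run it; it says nothing about whether the HIPS hooks process creation, which is the separate question aigle is asking.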
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
Hi Rmus! I wonder what happens if you get redirected by Firefox or Opera. Is the .gif download still cached and able to download the stuff?
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, aigle, I get redirected in Opera (unless I disable Referer logging or Auto-redirect)

    However, there is no attempt to download the .gif file.

    There are two methods used to download the file:

    1) Obfuscated javascript in one of the cnte__.html files, which I cannot convert to HTML, so I don't know what is there that Opera is not vulnerable to.

    2) .ani exploit, which Opera is not vulnerable to.

    So, nothing triggers the download using Opera.

    regards,

    -rich

     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Thanks for the info!
     
  14. EviLHeLLLivE

    EviLHeLLLivE Registered Member

    Joined:
    May 19, 2007
    Posts:
    8
There are some questions I'd like to ask about AE; hope you guys can help me out. Do correct me if any of my assumptions are wrong :)

    For example,

    If I want to update my antivirus (components/definitions), I'll need to turn off AE. After which I can run my liveupdates.

    During this time, an unknown malware manages to get into my system. This would be a 1st opportunity to do damage.

    When the liveupdates are done & I turn AE back on, it'll whitelist all changes. What about this malware which got in while AE was off? While I can carry out definitions updates offline, it's unlikely to be the same for components updates.

    If AE does whitelist the malware, wouldn't my system be compromised without any restrictions from AE?
     
  15. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    If you switch AE off, then what you say is theoretically possible. If all you were doing at the time was downloading AV updates, then I'm not sure how you could get malware on the system under normal circumstances. But if it happened, the malware would be in AE's whitelist.

Anyway, to get around this theoretical problem, you can add the AV folders to an exclusion list or add the AV executables to an ignore list. This means you don't have to keep switching AE on and off to update your AV.

    Of course if you do that, then theoretically, a piece of malware could copy itself into one of your excluded folders and then be able to run. How it would get into the excluded folder I'm not sure. But if it did, it may as well be on AE's whitelist.
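The two approaches SpikeyB contrasts, and the risk EviLHeLLLivE raised in the post before, fail in different places: switching AE off and on re-learns whatever is on disk, while a folder exclusion trusts a location rather than a file. The model below is added here as an illustration and is not Faronics Anti-Executable's implementation; it assumes a hash-based allowlist (a plausible reading of "whitelist", not something the thread states) and uses constructed paths and file bytes.

```python
import hashlib
from pathlib import PureWindowsPath


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AllowlistAE:
    """Hypothetical allow-by-hash execution control with optional folder exclusions."""

    def __init__(self):
        self.enabled = True
        self.allowed_hashes = set()
        self.excluded_folders = []

    def learn(self, files: dict) -> None:
        """Turning AE back on: every executable currently on disk becomes trusted.
        That is exactly how a file that arrived while AE was off gets whitelisted."""
        self.allowed_hashes.update(sha256(d) for d in files.values())
        self.enabled = True

    def exclude_folder(self, folder: str) -> None:
        self.excluded_folders.append(PureWindowsPath(folder))

    def _in_excluded_folder(self, path: str) -> bool:
        p = PureWindowsPath(path)
        return any(d == p.parent or d in p.parents for d in self.excluded_folders)

    def decide(self, path: str, data: bytes) -> str:
        if not self.enabled:
            return "allow:disabled"
        if self._in_excluded_folder(path):
            return "allow:excluded-folder"  # location trusted, content never hashed
        if sha256(data) in self.allowed_hashes:
            return "allow:known-hash"
        return "block:unknown"


def scenario() -> dict:
    """Walk both approaches from the thread and return each execution decision."""
    results = {}
    # Constructed clean baseline: Windows plus an AV updater, learned once.
    clean = {
        r"C:\Windows\notepad.exe": b"NOTEPAD-BYTES",
        r"C:\AV\avupdate.exe": b"AV-UPDATER-V1",
    }
    ae = AllowlistAE()
    ae.learn(clean)

    # An unknown download (constructed) is blocked while AE is on.
    dropper = (r"C:\Users\me\Downloads\photo.gif.exe", b"MALWARE-1")
    results["dropper_while_on"] = ae.decide(*dropper)

    # Toggle approach: AE is switched off so the AV updater can replace itself.
    ae.enabled = False
    results["dropper_while_off"] = ae.decide(*dropper)
    on_disk = dict(clean)
    on_disk[r"C:\AV\avupdate.exe"] = b"AV-UPDATER-V2"      # the legitimate update
    on_disk[r"C:\Windows\Temp\svc.exe"] = b"MALWARE-2"     # something that arrived meanwhile
    ae.learn(on_disk)  # AE back on: it whitelists all changes, good and bad alike
    results["malware2_after_relearn"] = ae.decide(r"C:\Windows\Temp\svc.exe", b"MALWARE-2")

    # Exclusion approach: AE stays on, the AV folder is excluded instead.
    ae2 = AllowlistAE()
    ae2.learn(clean)
    ae2.exclude_folder(r"C:\AV")
    results["av_update_with_exclusion"] = ae2.decide(r"C:\AV\avupdate.exe", b"AV-UPDATER-V2")
    results["malware_elsewhere_with_exclusion"] = ae2.decide(r"C:\Windows\Temp\svc.exe", b"MALWARE-2")
    # SpikeyB's caveat: anything that lands inside the excluded folder runs too.
    results["malware_copied_into_excluded"] = ae2.decide(r"C:\AV\svc.exe", b"MALWARE-2")
    return results


if __name__ == "__main__":
    for step, decision in scenario().items():
        print(f"{step}: {decision}")
```

The toggle approach has a window in time (everything present at re-learn is trusted); the exclusion approach has a window in space (everything inside the folder is trusted). The second is narrower only as long as nothing else can write into the excluded folder, which is why the AV's self-protection of its own directory, mentioned in the next reply, matters.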
     
  16. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Hi EviLHeLLLivE, in addition to what SpikeyB said you can usually trust most AntiVirus software to protect their own folders and components (depending on which one you are using). If you choose the exclude method, don't forget any Application Settings folders and such.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If AE has been OFF,
    1. I boot-to-restore, which cleans my harddisk.
    2. I put AE back ON
    3. I re-freeze.
    I don't do this often, because my system partition doesn't change, my personal data changes all the time.

    In my case it doesn't really matter, because I have two whitelists.
    1. One that covers all executables = Anti-Executable
    2. One that covers all objects, including executables = Freeze Storage.

As long as my FS is clean, my AE is also clean.

    Keeping my Freeze Storage clean is my biggest problem.
    I'm still struggling with doing things in the right sequence, but each user has that problem.
     
  18. EviLHeLLLivE

    EviLHeLLLivE Registered Member

    Joined:
    May 19, 2007
    Posts:
    8
    Thanks guys, do point out my mistake if I've misunderstood your meaning :)

I was thinking about spoofed exe & this came to mind. Just imagine Malware 1 (spoofed exe) was downloaded through web browser/email previously. With AE on, Malware 1 can't do anything. When we turn off AE to update programs, Malware 1 uses the opening to download Malware 2 etc. In this case, Malware 2 would be whitelisted the next time AE is turned back on, and the user will end up thinking his PC is still protected.

    So it seems excluding the AV is the solution atm. It seems the exclusion list can get large since most software uses liveupdate now.

Well I'm using Antivir & NOD32, I guess their detection is decent but not sure about the self-protection part. Any place I could check this out?

    I'm still new to stuff like FDISR, AE so there may be some misinterpretations.

    The part on "If AE has been OFF"

1) You restore the system partition to a stored snapshot?
2) I get this point
3) Re-freeze? As in capture another snapshot of the system partition?

    When you mention freeze storage, what is it actually?

Like you mentioned, personal data changes all the time. So there may be a chance for the malware to get into the personal data. And by personal data, I assume you meant the Software/Program/Document partition?
     
  19. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    So you have Malware 1 stored somewhere on your hard drive. When you switch off AE, there is no trigger to cause Malware 1 to run, so it still cannot do anything.

    Anyway, AE would not have allowed the download of Malware 1 through your browser. I don't know how it handles e-mails.
     
    Last edited: May 29, 2007
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Like SpikeyB, I cannot imagine this scenario - assuming a clean system when you installed AE.

    If you think because the malware is a spoofed executable it can download, it won't. Also it would be flagged if in an email attachment as the executable itself, or in a zipped file (my example).

    See here:

    http://urs2.net/rsj/computing/tests/spoofexe/

    regards,

    -rich

     
  21. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
All infections have one thing in common: they CHANGE my system partition, and that's their weakness. Infections, no matter how sneaky they are, always betray themselves by changing my harddisk somewhere.
If I find software to UNDO these changes on my harddisk as fast as possible, I have very good security. That is the basic idea behind my security setup.
In theory it sounds very simple, but in practice it isn't that simple anymore, because there are not only bad changes on my harddisk, there are also many GOOD changes.

    My freeze storage = system partition [C:] (Windows + Applications), based on an off-line installation. During each reboot FDISR compares my actual system partition with the freeze storage and UNDOES any change in my actual system partition. That is the basic principle in theory.

    My personal data is stored in my data partition [D:] on a second harddisk and this partition is also vulnerable, but I can't solve all problems at once.
    I'm still polishing my system partition and my data partition is next.

I could have chosen a classical security setup, but I like experiments.
The software I would like to have doesn't exist, and FDISR was the closest to my wishes.

    Isolating malware is also an interesting approach, but you don't only isolate bad objects, you also isolate good objects. If you aren't able to see the difference between good and bad objects, you have a problem. :)
     
  22. EviLHeLLLivE

    EviLHeLLLivE Registered Member

    Joined:
    May 19, 2007
    Posts:
    8
    Hi SpikeyB & Rmus,

    For example if Malware 1 was designed to self-execute every few minutes, it'll be picked up upon execution & AE would show a warning?

    Hi Eric,

    The Freeze Storage that you made with offline installation, it still has to be updated every now and then with changes made while online right? For example like M$ updates?

    The part where you mentioned,

    If AE has been OFF,
    1. I boot-to-restore, which cleans my harddisk.
    2. I put AE back ON
    3. I re-freeze.

    If I boot-to-restore, wouldn't I lose the good changes?
     
  23. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
I don't know if I'm doing this right but:

Using FD-ISR I have a clean snapshot and a work snapshot of Windows XP and programs. Data is kept on a second physical drive.

Boot to clean - update Windows and anything else that requires an update.
Copy to work. Boot work and freeze. Every time I boot, C:/ (Win XP and programs) reverts to its original state.

Whenever I need to make a change - boot to clean - make the change - unfreeze work - copy from clean to work and then re-freeze.

As I have never seen a virus nor had any malware more serious than a cookie,
I think this just about covers me.
     
  24. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    @Long View, very good non-tech explanation! :D :D

    Same here! :D

    Mike

P.S. As a side note, the "clean snapshot" could be a stripped down (very small, and also disable the network) system... Google for nLite.
     
    Last edited: Jun 1, 2007
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
You only forgot one thing: the period between two reboots.
    In that period, malware can install and execute itself.
    Of course after reboot you removed the malware, but TOO LATE.
     