New release. GSS v1.420

Hi SystemJunkie,

So far, the box is no problem with the setting of {Muxtex: block;}.
The GSS1.4.20 log shows that on my box, SMSS.exe (a component of windows XP; not a win32 executable) always shown running a rootkit at everyboot of the box. It can be guessed that the BSOD is to come if it is to set {Driver Install: Block; }; further more, the AppDefend panel does not show SMSS.exe

Any comments.

 

Installed flawless on my old win2k laptop. I didn't have time to play around with it yet, but i found that Appdefend does not detect this imaging program: http://selfimage.excelcia.org/

 

The old behavior.. this event started 2 or 3 years ago
a flood of discussion about bios/rootkits and it is still alive in GSS.

Rootkit Driver installation allowed by smss.exe.

 

Hey Jason, just downloaded it will test it after reboot.

I was wondering whenever you implement GhostWall into it, whether the IP block list will be functioning? I am hoping to use the peerguardian p2p IP address blocks, the source code of the program is free, and can be downloaded from here:

PeerGuardian p2p Source for Developers

The peerguardian list can be used in default format, however you may want to implement a conversion program to prevent any security issues, as well as obviously listing IP addresses and being able to tick the 'companies' (such as advert companies) by deselecting them individually. IE, so i can at least have HTTP blocking - but allowed to go to say adobe.com if that companies web IP addresses were listed.

Thanks

 

I am getting the same doubled issue I didnot know it; smss.exe is not a win32 executable to run in win32. If trying to set {driver install : block / ask (block)}, windows is going to get BSOD when reboot.

Can you confirm that and solution ?

 

I don´t want to try it.. But sounds logical, if we assume that shadow table (win32k) works very close together with session manager subsystem (smss) and you block this procedure at start up, windows will high likely crash.

Session manager subsystem is only needed at boot up you can kill smss.exe directly after it is loaded, some security tools do that by default because of obvious reasons.

But if we talk in terms of Rootkit. Smss.exe would be a perfect target too, e.g. the stealth rootkit would load itself with one of the earliest alive processes in windows and then likely disappear but infected subsystem would remain even if you´d close smss.exe (it could for example transfer the bad code into explorer.exe), good stealth factor, imo, especially related to sophisticated poly file infectors (smss-explorer.exe as main targets).

 

It sounds great to me, and it seems the issue lookin is on the right track ? A bug stay still or an earliest-boot windows stealth rootkit ?
Jason is going to jump in to address the issue and an explain.

It is pretty sure that why all my boxes have been having BSOD issues with all versions of GSS after the ver.1.100beta .

Thanks to SystemJunkie.

 

Detected it now, don't now why it didn't catch it the first time...

 

On my laptop DELL 1720 running winxp sp2 x32 and win2k3 server, BSOD is the problem when set "ask/block" to { execution ; start application ; install driver ; terminate } , and whatever to the other options. It seems GSS1.4.20 having problem with something "smss install rootkit at very early of booting"

SESSION3_INITIALIZATION_MANAGER_FAILED.....​

Hope Jason confirm & address the issue.

 

Usually I would say smss rootkit install is false positive but I don´t think so anymore, because we have cryptic attachment at the end of smss and explorer .exe, there are some people outthere who are searching for the reason of this mystery for many many years.

Then I checked some smss and explorer with attachment like this at the endand I saw the dhlptx phenomenon)
0#0*070U0^0g0s0
6,7:7C7`7g7n7{7
9!9'9L9U9_9x9
3 4&464<4A4G4p4y4
5(5>5K5a5n5
X0^0g0w0
>%>*>4>A>G>L>_>i>s>
,0<0B0I0R0Z0`0f0
777=7I7O7T7]7v7
9"9(909`9o9t9z9
:":':,:1:6:;:E:M:W:a:g:q:
;%;.;R;\;a;i;
=%=)=3=F=P=T=Y=
>#>'>1>6>;>L>Q>V>]>b>i>
?2?B?K?b?h?t?
0/0H0Q0V0[0
3(30363F3O3V3n3|3
4%414H4S4d4n4x4
8N8T8[8w8~8
9:9A9`9i9o9w9
576G6Q6Y6e6
:9;E;R;x;
0 040<0P0X0d0l0t0x0
1 1(10181<1L1T1X1h1p1
2L2P2T2X2\2`2d2

They use obfuscation mechanism with a 048 code (typical for trojan downloaders) as far as I´ve found out.
048 means e.g.: 0 0000 0000 1 1111 1111 2 2222 2222 3 3333 3333 4 4444 4444 5 5555 5555 6 6666 6666 7 7777 7777 8 8888 8888 9 9999 9999 and most time d h l p t x between the lines, which is part of crypto lessons, things
like that also used by military.

Example2: End of Explorer.Exe SP2:
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
? ?$?(?,?0?4?8?<?@?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?
2'232D2H2L2P2T2X2\2`2d2
: :Q:W:t:
1C2V2c2i2}2
9S9Y9r9|9
2#2D2L2T2\2d2l2t2
:L:';8;<;@;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
......
3/4:4E4P4[4f4q4|4
0 0$0(00040<0@0D0L0P0T0\0
0 1(1<1H1P1p1x1
5 5$5(5,5054585<5@5D5 6$6@6D6H6L6P6T6X6\6

End of Explorer Exe SP3 RC:
A0H0O0V0]0d0k0t0
4 4A4k4x4S5f5m5
5.6D6J6d6q6v6
9<:B:I:X:\:`:d:h:l:t:x:|:
;;;B;l;p;t;x;
5Q5d5l5t5|5
9V:m:t:
>B>J>P>o>
a0h0p0{0
:$:/:::E:[:f:q:
0$0(0,0004080<0@0D0H0L0T0X0\0
5 5$5(5,50545@6D6`6d6h6l6p6t6x6|6
________________________________
So you see 5 methods of Obfuscation:
1. Old hxdef method e.g.: I am here: I/A/M/H/E/R/E
2. dhlptx - crypto method
3. 048 downloader method
4. A=1 B=2 and so on.
5. Permutation in the lines e.g.: Hello lloeH

 

Sounds like someone has on his tinfoil hat.

 

Just been checking out this new version. I haven't used gss in a while so maybe i'm missing something but when did the network control get removed? Is it permanent?

 

Hi SystemJunkie,

You mentioned that GSS does not pass all the firewall tests at http://www.firewallleaktester.com. However how does AKLT determine that a function call (say GetKeyState) is illegitimate?

Does it essentially spawn an independent process which then tries to call GetKeyState on AKLT.exe and tries to read AKLT.exe 's viewspace? If so how
would it do this. (p.s. I know next to nothing about Win API function calls)

Thanks

 

It was removed in the 1300a3_nonet release, there were many having looping BSOD problems. As for whether it is permanent or not, I have mixed feelings about it. At first I hated to see it go, but then quickly became accustomed to having one less alert to Allow/Block. Besides, as you know, install GSS on a clean system, practice safe hex, and one could do without having to permit network access. But that is just my opinion.

 

Was installing Internet Explorer 7 and had a huge number of pop up windows. Might be useful to have an "Allow all for current session only" so as to easy the pain of an installation.

Thanks

 

Also under AppDefend Rules, it might be useful to have a "delete all" button, which clears all the programs from the rules list.

It might also be useful to be able to catagorise AppDefend Rules into User defined groups e.g. core rules, non-core rules etc. If I am compiling programs on an hourly basis, AppDefend Rules will become cluttered and it might be better to seperate the rules for my executables from the rules defined for things like winlogon.exe etc...

 

The next version is taking a little longer due to the new registration system being setup (which requires writing linux apps for the webserver), but it should only be a few days away. There are also some small visual differences (and possibly other future things) I've added for the life members of products (customers who have purchased before the switch takes place). When you register the product now there is also a little animation of sorts which comes with it, which you can partially see some of below.

 

The "rootkit driver method" AppDefend is detecting is probably a legitimate driver install, I have seen it on every machine I've tested. Microsoft simply use one of the "undocumented methods" they want others to stop using to load a driver. Once the log provides more info on the driver name and things of that nature it will be obvious it isn't malicious...

 

Hello Jason,

Good to hear from you on the latest development.

By the way, is the coming version still a beta?

 

Anyway, with the setting { driver install : ask/block } is going to have BSOD on the next boot, Jason.

For online purchase through Regsoft, they can not complete my orders with my creditcards; the reason is with Regsoft can not handle all banks - an issue of regsoft transaction handling. While We can complete orders with the same creditcards with other online services even a few outside of US online stores having transaction handling through paypal service (such as TallEmu.com). Hope you have a better solution for online payment system xp before your new license system goes.

 

Yes still a beta..... though not long to go now (this saying does get long in the tooth ). The registration stuff took a little longer than I wanted, but I wanted to get a public key encryption system in place to allow for better key management and to simplify the process for people. Once this is done it is only minor things to improve before the final, this was the last major hump to do.

 

I was installing a big package (setup.exe) which installed many subpackages, and got loads of pop up windows for each subpackage installed. Might be useful to have a button which says "Allow current process, and all processes spawned by current process, for current session only". This makes installation easier.

Note that this is more restrictive than an "Allow all processes for current session only".

Ofcourse one could just switch GSS off during installation!! This is probably the simpler option.

 

One of the things which will be added very soon is a whitelist of basic services/apps like smss.exe so that even if you change the default rootkit method to block it won't stop the system from booting. At the moment it's in a very "be careful what settings you change" state because of the assumption that only experienced users will tweak a lot of things. But yes, I am aware that there are many minor annoyances like this which still plague AD and RD, I have a list to work from for such things.

 

Thanks for the reply!

 

You knew things you have been doing to build the ground-breaking technical piece of software - GSS - which is going to be greatest at all (smallest in size + most less computer resource use + ground-up from cratch newly built secure GUI library + Kernel Security + Kernel mode + lifetime upgrade policy + else). All users are going to have your new build release.

For tweakings to GSS1.4.20, it is clear that even with setting (execution : ask/block), BSOD is going to be after reboot; the settings (execution : allow/ask(allow)) is not safe to boxes. Am I correct on this, please correct me.
THanks.