bypass Online Armor Firewall

1.double click the virus

2.press "allow" in the alert box

3.OA popup this alert box

http://i234.photobucket.com/albums/ee153/a256886572008/fc/230638iek52sdk8zchh3b3.png

4.look at the pic, the parent process is spoolsv.exe

5.The virus injects data into spoolsv.exe, but OA does not block this action.

 

defensewall hips logs:

07.16.2010 18:21:00, module C:\Documents and Settings\XPMUser\桌面\vir\Adobe Photoshop CS2 9.0\keygen.exe, Attempt to rename file C:\Documents and Settings\XPMUser\桌面\vir\Adobe Photoshop CS2 9.0\keygen.exe (File )

07.16.2010 18:21:00, module C:\Documents and Settings\XPMUser\桌面\vir\Adobe Photoshop CS2 9.0\keygen.exe, Attempt to set value PendingFileRenameOperations within the key HKLM\SYSTEM\ControlSet001\Control\Session Manager\ (Registry)

07.16.2010 18:20:57, module C:\Documents and Settings\XPMUser\桌面\vir\Adobe Photoshop CS2 9.0\keygen.exe, Attempt to add new printer provider (Spooler)

 

Did you report it to OA tech support as well?

 

What's the alert? Execution?

Anyway, if you block the autorun warning, TDL3 wont infect the driver(s).

...which is correct, it loads/infects the driver through spooler.

Why does that matter if in the end it warns about suspicious action (red popup), i.e a definitive intercept point of malicious behavior.

 

to avoid this problem just disable the spoolsv(print spooler service)

 

From alex Developer Of Oa

Thanks. Next version will handle this

 

Real question here is was the first alert RED , was virus detected ?

 

No, you cannot relay on that

 

I think that he waited for the subsequent alert describing what the virus was doing in the system, as happens when we install a new, allowed program. He wanted to see " the program is modifying..."

 

I think the OP is right. I did not yet test the malware myself as I got no time. OA HIPS is not giving an injection alert that it is expected to give. Same is true of this thread, with another malware.

https://www.wilderssecurity.com/showthread.php?t=277471

However one need to re-test it to confirm the findings.

 

defensewall HIPS logs:

07.19.2010 12:19:31, module C:\Documents and Settings\Roger\桌面\virus\fw\d.exe, Attempt to set value TabProcGrowth within the key HKCU\Software\Microsoft\Internet Explorer\Main\ (Registry)

07.19.2010 12:19:31, module C:\Documents and Settings\Roger\桌面\virus\fw\d.exe, Attempt to set value SystemMgr within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL \ (Registry)

07.19.2010 12:19:32, module C:\Documents and Settings\Roger\桌面\virus\fw\d.exe, Attempt to open process C:\WINDOWS\explorer.exe (Process)

 

1.deactivate antivirus engine

2.double click on the virus

3.press "allow"

http://i234.photobucket.com/albums/ee153/a256886572008/do/oa6-1.png

4.open autoruns program

http://i234.photobucket.com/albums/ee153/a256886572008/do/oa7-1.png

5. OA history

http://i234.photobucket.com/albums/ee153/a256886572008/do/oa8-1.png

6.The virus injects data into explorer.exe, but OA does not block this action.

 

i dont like the rebranded version of oa

 

Upto step 3 everything is fine OA does notify you if some unknown file tries to do execute. And it is obvious that the parent program will be explorer.exe if you are executing any program from desktop or any other place of your computer. Are you sure it didn't gave any other pop ups?

 

Can you test with other HIPS and post screen shots, just to compare.

Thanks

 

Funny that it solves all these bypass bugs in one sitting

The most effective part of any HIPS solutions and yet to expose bugs you are told to ignore it.

C'mon guys reguardless of what bugs are exposed once you let new code execute on your machine all bets are off.

If a boxer kept lowering his guard giving free hits, then no surprises if they get Ko'ed at somepoint

 

CIS V4

http://i234.photobucket.com/albums/ee153/a256886572008/do/cd1.png

http://i234.photobucket.com/albums/ee153/a256886572008/do/cd2.png

 

Commenting on the CIS v4 screen shots. Would any self respecting members of wilders accept something called d.exe to be run or allow it. I would hope not. Come on.

 

http://i234.photobucket.com/albums/ee153/a256886572008/do/cd3.png


COMODO with proactive security configuration

 

Again why would you be trusting keygen.exe anyway? Comodo does give the option to run it as either a isolated app or low privlerages. Any app can be bypassed if you ignore the warnings.

 

Probably related to the reason that he is also using keygen's.

 

1.The virus is in the Chinese language path.

http://i234.photobucket.com/albums/ee153/a256886572008/do/oa6-1.png

2.The virus is in the English language path.

http://i234.photobucket.com/albums/ee153/a256886572008/do/oa9.png

http://i234.photobucket.com/albums/ee153/a256886572008/do/oa10.png

http://i234.photobucket.com/albums/ee153/a256886572008/do/oa11.png

Conclusion:
Online armor does not support Chinese language path.

OA can not block the malicious behavior of the virus which is in the Chinese language path.