Prevx bypassed !

Discussion in 'Prevx Releases' started by CloneRanger, Aug 4, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    ......
     
  2. SIR****TMG

    SIR****TMG Registered Member

    Wow very good read indeed...Thank You....
     
  3. EraserHW

    EraserHW Malware Expert

    We already had a look at the code and we are going to fix the issue.

    On a side note, I would underline that the tool needs some specific privileges (SeDebugPrivilege) that are not available by default unless you are running under administrator account.

    Code:
    Set_Privileges:
    push    offset _oldStatus
    push    0
    push    1
    push    14h
    call    RtlAdjustPrivilege
    
    If you have administrative privileges, then it's game over actually. Yes, you can enforce your self-defense (Prevx 4 has fully rewritten self-defense module that filter out this PoC attack too by design) but you and attackers are both playing at same privilege level. It's just a matter of time then.

    Moreover, this self-defense bug is present only in Windows XP - Prevx 3 uses another self-defense mechanism in Windows Vista and 7 which is much more effective. Proof of concept code is aware of this actually:

    Code:
    mov     ds:dword_4032C4, 114h
    push    offset dword_4032C4
    call    RtlGetVersion
    cmp     ds:dword_4032D0, 0A28h [I][B]; is Windows XP?[/B][/I]
    jz      short loc_40156A [I][B]; if not, then "Unsupported OS"[/B][/I]
    Anyway, we are going to address this shortly :)

    Marco
     
    Last edited: Aug 4, 2010
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Thanks for your reply, nice explanation :)

    How about UAC admin accounts?
     
  5. EraserHW

    EraserHW Malware Expert

    Do you mean administrator account with UAC enabled? If so, then it's the same as a limited account. It's an administrator account in Admin Approval Mode. It needs your interaction to gain administrative privileges
     
    Last edited: Aug 4, 2010
  6. CloneRanger

    CloneRanger Registered Member

    ;)

    :thumb: When did you discover this POC ?

    *

    Ran the POC

    Prevx v3.0.5.179 - XP/SP2 - Admin

    um1.gif

    z1.gif

    n.gif

    The only alert i got was from Zemana :thumb: but even allowing that it still failed = :) but ?
     
  7. Dark Star 72

    Dark Star 72 Registered Member

    Thanks CloneRanger for the link :thumb:
    Tried this POC running as admin :eek:

    Returnil RSS 2011 stopped it as soon as I tried to run it and Zemana with my custom settings just terminated it (look at the bottom line in the screenshot). Not the same as a real malware trying to get at Prevx perhaps but interesting in that it shows the power of Returnil RSS and custom configured Zemana to stop anything unwanted executing.
     

    Attached Files:

  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Yes, that was what I meant, thank you. A while ago I read somewhere that admin accounts with UAC enabled would be less secure than limited accounts, so I asked just to be sure :)
     
  9. Dark Star 72

    Dark Star 72 Registered Member

    Prevx now detects this POC :thumb:
    Trusted it and then allowed it to run but with Returnil Lite 2011 this time as backup silently stops it. Nothing happens, Prevx still chugging along
     

    Attached Files:

  10. sparviero

    sparviero Registered Member

    Do not worry!

    Actually methods used to break Prevx self-protection is very old (3-4 years).

    And is not representative of any of today's malware break methods, so it is largely a waste of time in terms of testing.

    Prevx focuses on finding only advanced (VIP) threats break methods, and guarantees, what ? LOL

    I wish you a very beautiful day...
     
  11. sparviero

    sparviero Registered Member

    Prevx .187 successfully terminated with all it's hooks from pure user mode !!!

    Guys, what do you do? this is a joke? lol

    EraserHW, (prima di sviluppare un tuo driver di auto-difesa) dica agli lettori Italiani (i swear i will read msdn to fix my bugs), un saluto a nV 25;)

    I wish you a very beautiful day...
     
    Last edited: Aug 5, 2010
  12. CloneRanger

    CloneRanger Registered Member

  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Pretty ironic that it's now just a video being posted and not a link :p If you would wait 10 seconds, Prevx will re-execute :)
     
    Last edited: Aug 5, 2010
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Also, probably worth noting, all of these exploits ONLY apply to XP - if you are using Vista/7/2008, you've been fully secure this entire time :)
     
  15. pling_man

    pling_man Registered Member

    I know! :D There's also an extra layer of protection for those running with UAC on as far as I can see.
     
  16. CloneRanger

    CloneRanger Registered Member

    It didn't work on my XP when i tested it post 6 Not complaining but wonder why ?
     
  17. EraserHW

    EraserHW Malware Expert

    read my post above :) As PrevxHelp said, it's only on Windows XP with admin rights :)
     
  18. EraserHW

    EraserHW Malware Expert

    That's exactly true :)
     
  19. Konata Izumi

    Konata Izumi Registered Member

    this is entertaining. :D
     
  20. CloneRanger

    CloneRanger Registered Member

    @ EraserHW

    I know, please see my Post 6


    Still failed to work :D = Why is what i'm wondering ?
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Hackers today just aren't like they used to be :D
     
  22. CloneRanger

    CloneRanger Registered Member

    @ PrevxHelp

    Don't let EP_X0FF hear you say that :D

    Fact is, it didn't work, so i thought you'ld be interested to try and find out why ?

    At the moment it's no biggy, still got a newer POC to be released so ? But i would have thought that if the real baddies make use of these, and/or similar techniques, it "might" be ?
     
  23. EraserHW

    EraserHW Malware Expert

    Not sure actually :) Do you use any other security software?
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    The area that they're using is generally quite unstable so it's understandable that it wouldn't work well. The technique has been around for a while, but I have only extremely sparingly seen malware using these techniques (and Prevx automatically restarts itself anyway). As mentioned earlier, it is a bit of wasted effort - why bother killing the AV, alerting the user that something is wrong, when you already have full access to the system?
     
  25. CloneRanger

    CloneRanger Registered Member

    That's funny, i thought Prevx had ESP :D

    https://www.wilderssecurity.com/showthread.php?t=278273

    Err, yes :p but only Zemana picked up on it, see post 6
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice