Prevx bypassed !

......

 

Wow very good read indeed...Thank You....

 

We already had a look at the code and we are going to fix the issue.

On a side note, I would underline that the tool needs some specific privileges (SeDebugPrivilege) that are not available by default unless you are running under administrator account.

Code:

Set_Privileges:
push    offset _oldStatus
push    0
push    1
push    14h
call    RtlAdjustPrivilege

If you have administrative privileges, then it's game over actually. Yes, you can enforce your self-defense (Prevx 4 has fully rewritten self-defense module that filter out this PoC attack too by design) but you and attackers are both playing at same privilege level. It's just a matter of time then.

Moreover, this self-defense bug is present only in Windows XP - Prevx 3 uses another self-defense mechanism in Windows Vista and 7 which is much more effective. Proof of concept code is aware of this actually:

Code:

mov     ds:dword_4032C4, 114h
push    offset dword_4032C4
call    RtlGetVersion
cmp     ds:dword_4032D0, 0A28h [I][B]; is Windows XP?[/B][/I]
jz      short loc_40156A [I][B]; if not, then "Unsupported OS"[/B][/I]

Anyway, we are going to address this shortly

Marco

 

Thanks for your reply, nice explanation

How about UAC admin accounts?

 

Do you mean administrator account with UAC enabled? If so, then it's the same as a limited account. It's an administrator account in Admin Approval Mode. It needs your interaction to gain administrative privileges

 

When did you discover this POC ?

*

Ran the POC

Prevx v3.0.5.179 - XP/SP2 - Admin







The only alert i got was from Zemana but even allowing that it still failed = but ?

 

Thanks CloneRanger for the link
Tried this POC running as admin

Returnil RSS 2011 stopped it as soon as I tried to run it and Zemana with my custom settings just terminated it (look at the bottom line in the screenshot). Not the same as a real malware trying to get at Prevx perhaps but interesting in that it shows the power of Returnil RSS and custom configured Zemana to stop anything unwanted executing.

 

Yes, that was what I meant, thank you. A while ago I read somewhere that admin accounts with UAC enabled would be less secure than limited accounts, so I asked just to be sure

 

Prevx now detects this POC
Trusted it and then allowed it to run but with Returnil Lite 2011 this time as backup silently stops it. Nothing happens, Prevx still chugging along

 

Do not worry!

Actually methods used to break Prevx self-protection is very old (3-4 years).

And is not representative of any of today's malware break methods, so it is largely a waste of time in terms of testing.

Prevx focuses on finding only advanced (VIP) threats break methods, and guarantees, what ? LOL

I wish you a very beautiful day...

 

Prevx .187 successfully terminated with all it's hooks from pure user mode !!!

Guys, what do you do? this is a joke? lol

EraserHW, (prima di sviluppare un tuo driver di auto-difesa) dica agli lettori Italiani (i swear i will read msdn to fix my bugs), un saluto a nV 25

I wish you a very beautiful day...

 

Looks like they have an anti Prevx crusade on at the moment

 

Pretty ironic that it's now just a video being posted and not a link If you would wait 10 seconds, Prevx will re-execute

 

Also, probably worth noting, all of these exploits ONLY apply to XP - if you are using Vista/7/2008, you've been fully secure this entire time

 

I know! There's also an extra layer of protection for those running with UAC on as far as I can see.

 

It didn't work on my XP when i tested it post 6 Not complaining but wonder why ?

 

read my post above As PrevxHelp said, it's only on Windows XP with admin rights

 

That's exactly true

 

this is entertaining.

 

@ EraserHW

I know, please see my Post 6

Still failed to work = Why is what i'm wondering ?

 

Hackers today just aren't like they used to be

 

@ PrevxHelp

Don't let EP_X0FF hear you say that

Fact is, it didn't work, so i thought you'ld be interested to try and find out why ?

At the moment it's no biggy, still got a newer POC to be released so ? But i would have thought that if the real baddies make use of these, and/or similar techniques, it "might" be ?

 

Not sure actually Do you use any other security software?

 

The area that they're using is generally quite unstable so it's understandable that it wouldn't work well. The technique has been around for a while, but I have only extremely sparingly seen malware using these techniques (and Prevx automatically restarts itself anyway). As mentioned earlier, it is a bit of wasted effort - why bother killing the AV, alerting the user that something is wrong, when you already have full access to the system?

 

That's funny, i thought Prevx had ESP

https://www.wilderssecurity.com/showthread.php?t=278273

Err, yes but only Zemana picked up on it, see post 6