dll exploit/ .lnk exploit mitigation by HIPS

There are two interesting exploits/ vulnerabilities discovered recently.

1- .lnk exploit( involves a dll execution too).
2- dll vulnerability

HIPS and behav blockers are usually not meant to handle malicious dll execution, though many of classical HIPS can be configured to intercept dll execution/ loading but due to the insane no of pop up alerts it,s not practical at all.

I have tried the POCs for both exploits with Comodo Defence Plus v 4, EQSecure and GesWall.

CIS v 5 is great but sadly it has no control for dll execution. No way to intercept both these exploits via CIS 5.

Here is .lnk exploit POC that executes a test dll named dll.dll.

 

Here is second POC. This is for dll exploit. I tried with VLC Media Player.

 

And here is an interesting dll issue.

http://www.greatis.com/security/explorer_redirection_dll_startup_hole.htm

I searched this malware and then tested with CISv 4 and GesWall. Besides the dll issue malware also installs a driver so any HIPS will stop it anyway. However the dll part of it is interesting. In case of XP, once a malicious linkinfo.dll is dropped into windows directory, then windows explorer will automatically load it on next boot.

 

And with GesWall.

 

sorry to hijack your thread for an instant m8.

aigle:

POC?
i see this quite often here.
what does it mean?
i've Googled it and there's about 30-40 definitions.

from where i sit, it's either Proof of Concept or Pile of Cr*p!
is it something else?

 

Again this dll loading part can,t be tested with CIS v 5 as it has no dll control.

 

Proof of Concept.

 

Yep, Proof of Concept.

You may call it pile of crap until the real malware comes out, it,s upto you. By the way .lnk exploit is already more than a Proof of concept( stuxnet worm).

 

tnx m8!

now back to our regular programming...

 

according to the article at greatis:

 

What about a LUA Limited User Account (XP)/Standard User Account (Vista, 7)? By definition, a limited/standard user has no write permissions to C:\Windows.

 

Geswall -

 

Yep, As always If there isn't a conflict... Geswall is nice layer.

 

Aigle, did you try it, or only you saw the 5v Defense+ settings ? I say it because is unknow which files are checked by default, see here 196

 

Yes i tried. Also officially egemen, the lead developer, himself wrote that dll control is no more there in this version.

 

tnx for feeding my paranoia folks!

i think i'm gonna give Ubuntu a try.

 

Another good reason for don't upgrade from 4v.