Behavioral detection of mass mailing worms

Discussion in 'other anti-malware software' started by aigle, Jul 17, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi aigle,

    I thought all software firewalls alerted to unauthorized outbound connections.

    Here is Netsky from several years ago - the old double extension trick. Letting it execute,
    it immediately attempts an outbound connection.

    If the firewall rule for Port 25 has custom addresses, it should alert when connecting to any other address:

    netsky_outbound.gif


    ---
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Rmus. Thanks for ur comments. Two things:

    1- CFP does not give SMTP Port 25 access alert on default settings9 low pop up mode) as there was a DNS or HTTP port acccess alert in both cases and it u allowed that alert, no more alerts. But it seems Ok as user is asked to grant oiutbound access in any way.

    2- Ordinary user has no idea of all these alets. An alert from ZA FireWall is much clear that an Inernet Mailing Program is asking fpr out bound access.

    Even more clear are pop ups by TF- suspicious e-mail sending activity.

    I like such alerts.
     
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Your Comodo post also showed that ZA can be configured to alert alert about mass mailing in short time. I really like that capability.

    Does anyone know of any other HIPS or FW that can be configured to alert for mass mailing attempts?
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I realized that users who are not logged in at Comdod forums, can,t see the screenshots. Thread is almost useless without screenshots. so i will post them here too. They are mostly self explanatory. I will post the screenshots with Netsky Worm only. Wazer worm gives almost same pop ups etc.

    First some NeovaGuard alerts by NG about mass mailing behaviour of it.
     

    Attached Files:

    Last edited: Jul 18, 2008
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    ThreatFire alert. You need to disable blacklist to get this alert.
     

    Attached Files:

    • tf.jpg
      tf.jpg
      File size:
      51.6 KB
      Views:
      314
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Pop ups by ZoneAlarm Pro( I used ZA AS).

    07-18_0059.jpg 07-18_0060.jpg
    07-18_0061.jpg zap2.jpg
     
    Last edited: Jul 18, 2008
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    And finally pop up alerts by CFP. I omitted the alerts by Defence plus module just like i did in case of NG and TF.

    U will not get second pop up on default settings. You need to adjust Alert Settings to atlaest High level to get this pop up alert with Netsky.
     

    Attached Files:

  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    DSA, Private and Webroot FW
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    All are actually one product I think.
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    At least the same kernel, branded and sold differently
     
  12. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    I think Webroot Firewall uses an older engine of Private, though I'm not sure.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Why do you need more than an alert that an unauthorized application wants to connect out to Port 25? -- As I showed above.

    --
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    For the same reason when users need one or more alerts, after the Execution alert, to stop a malware by these HIPS and the user.
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    CA Personal Firewall 2008 appears to have this capability also, though I have no personal knowledge of it.

     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi aigle,

    Well, you seem to contradict what you said above, about ordinary users not understanding these alerts -- which I completely agree with.

    Netsky is triggered by a user opening an email attachment - in many cases, having to extract from a zipped file.

    You can make the case that a family computer with several users including children, is prone to an inadvertant mistake out of curiosity.

    I agree, and so have installed Anti-Executable on family computers, which prevents unauthorized extracting (copying) of executables from zip files. Here, an early Netsky variant:

    zip3.gif
    __________________________________________________________

    Why do you need more?

    I understand that your thread is examining the many features of today's HIPS stuff, but I think, in light of your email worm example, that basic preventative measures should be mentioned, which preclude the need for behavior detection.

    Preventative measures can also include email programs which quarantine such attachments.

    --
     
  17. guest

    guest Guest

    what about outpost?
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I agree with you. I just wanted that HIPS have some way to tell this in a better way. There is no guarantee that such malware will always come via e-mail? Why it can,t come via driveby download?

    I like the way TF and ZA Pro give alert about this. Ofcouse AE will stop all such stuff nut AE is not suitable for most of home users practically.
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    DSA is the HIPS & firewall component of both PrivateFW & Webroot FW. Thus, you can use DSA, stand-alone, as both a full-on SPI firewall, plus a *mostly classical* HIPS.

    The other component is an expanded GUI for DSA's firewall component. DSA offers limited configuration capabilities. The *full-on* PFW offers greatly expanded configuration capabilities.

    Together, these 2 components make up what is called Private Firewall (PFW). Webroot is simply a re-branded PFW. Webroot uses the latest version of Private Firewall.

    There is considerable discussion of PFW in the "Other Firewalls" topical category of Wilders forums.
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That is even easier to prevent - the user has no chance to click on anything because nothing is downloaded to the cache:

    netsky-drivebytest.gif

    --
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    As I said earlier, most home users will not like AE.
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK.

    ---
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    U know I have friends with kid. They always complain about their problem. They get their PC re-format every month or so. But if I put something like AE on their PCs, their kids will not accept as they can,t run anything like games etc from net or any other software they want to run.

    These people have no sensitive data on their PCs, they don,t do online banking, shopping etc, so they don,t care for malware except that their PC becomes slow and performs poorly.

    They ofcourse even can,t sue any HIPS at all. The only solution for them is an AV, preferably one tyhat works in silence.

    AE will stop anything but even it,s not my choice as well as I isntall software so often. Moreover it,s my hobby, just trying to make a system where any thing even if allowed to run, can,t damage the system unless allowed to do so.

    So don,t take my posts so serious. :) :D
     
Loading...
Thread Status:
Not open for further replies.