Blackday trojan versus HIPS

Discussion in 'other anti-malware software' started by aigle, Apr 27, 2011.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Blakday trojan/ worm( W32.Whacker.A by Symantec) is a very very nasty malware. It overwrites a lot of data file types and executables with a copy of its own and makes a total mess of your system. Moreover it puts its copies with autorun.inf files on all partitions, drives and USB sticks etc. Very scary malware indeed. Let,s see how some of the HIPS fare against this malware. :)
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Comodo Defence Plus - default settings but tightened the autosandbox to Untrsuted instead of partially limited

    It failed. Blackday trojan successfully trashed the system..
     

    Attached Files:

  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    GesWall- Passed. Blackday trojan could not touch any files. It did create many of its copies but these were all isolated by GW.

    gw 1.jpg
    gw 2.jpg
    gw 3.jpg
     
    Last edited: Apr 27, 2011
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    OnlineArmor- I allowed first pop up( malware execution) and denied the rest. OA stopped blackday.exe from getting list of files on all partitions and stopped from creation of any of its copy there.

    Only a small glitch blackday trojaan was able to create some autorun.inf files though they were harmless as there were no associated malware files but they were sure a bit nusiance for novice users while opening the partitions and USB sticks.

    oa1.jpg
    oa 2.jpg
    oa 3.jpg
     
    Last edited: Apr 27, 2011
  5. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    AppGuard- with high settings I run Blackday.exe from C:\Program Files folder as a guarded application. AG stopped blackday.exe from infecting most of files but unfortunately still some of files were infected. It was disappointing and totally unexpected. :mad:

    ag1.jpg
    ag2.jpg
     
  7. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Great job aigle!:thumb:
     
  8. kjdemuth

    kjdemuth Registered Member

    Joined:
    Jul 29, 2005
    Posts:
    2,960
    Location:
    Boston, MA
    Aigle, what flavor of windows are you running? Kinda bummed out about CIS failing. Does the AV pick it up at all?
     
  9. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Apparently XP, according to the screenshots. The Comodo sandbox seems to fail miserably. :thumbd:
     
  10. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    I think with new version of OA can even block the modification of autorun.inf files with its file and registry shield.

    refer the attached image - http://www.emsisoft.com/en/info/oa/Resources/flist.png.

    If you have time/patience, you can consider upgrading your VM to v5. Or some can confirm my guess. Again thanks for your time in letting every one know about each products strength and weaknesses. Appreciated :thumb: :thumb:

    Thanks,
    Harsha
     
  11. monkeybutt

    monkeybutt Registered Member

    Joined:
    May 18, 2009
    Posts:
    126
    Comodo has not been putting in a good showing that's for sure.
     
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina

    Check *
     
    Last edited by a moderator: Apr 27, 2011
  13. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    sorry for a bit irrelevant question..

    does anyone know if rapport could play nicely together with Online Armor Permium? I'm considering myself to try it.

    b/W i do already have a license to it.

    Thanks,
    Harsha
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    XP Home SP2 for testing.

    AVs mostly catch these samples but it,s not the matter. Any malware write can write a sample with same capability and still undetected by any AV.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Not a very nice rule IMHO. It,s just a rule to intercept ANY file creation in root of C drive / Partition.

    Comodo has a builtin rule that intercepts ONLY autorun.inf file creation in root of any drive/ partition etc. That,s really nice by Comodo developers.
     
  16. Dundertaker

    Dundertaker Registered Member

    Joined:
    Oct 17, 2009
    Posts:
    385
    Location:
    Land of the Mer Lion
    Very interesting!. Very very good work there. You rock man!

    Can you test it with the Avast ver6, Outpost Pro, Privatefirewall and the new Defensewall beta?

    Many will be very eager to see the results.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks, actually I have none of these installed in my PC. A lot of work to install all, understand them, configure them and then to test. My apologies.
     
  18. Dundertaker

    Dundertaker Registered Member

    Joined:
    Oct 17, 2009
    Posts:
    385
    Location:
    Land of the Mer Lion
    Oh...the result would REALLY be interesting for the other apps. All claims to be fully equipped to handle such but as it turns out they ain't. Makes me wonder how will the apps I mentioned will fair too....

    Are you also the author of this thread:

    LINK ...?

    I do not know if some here can further test it(willingly)....

    I have VirtualBox 4 in another machine where can I get the sample of that Blackday trojan if I decided to check it out myself? That is "if" I can also accomodate it. Well, you never know:)
     
    Last edited: Apr 27, 2011
  19. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    KIS (and KAV too) 2012 prevents Blackday (and rolls back changes) without user interaction (i.e by default, Automatic mode).
    Start sample, this prompt appeared- clicked Allow (because it would be auto-allowed by def./in Automatic mode):
    1.png

    Afterwards, this popup appeared- clicked Quarantine as it's the action taken by def./in Automatic mode (you can also see which files were dropped at that time, in Application activity log window):
    2.png

    After that, I was prompted to roll back changes made by the sample- Clicked Rollback (again, as it would be the default action taken in Auto mode):
    3.png

    The two files that were dropped before the program was suspended by KIS were removed after rolling back; system clean.
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Cool, nice test !!!! Thanks ...
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Wonder how well Kaspersky sandbox will fare against this.

    Actually this worms makes so many copies of itself and any classical HIPS can catch it easily.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    yes. :)
     
  23. AdamL

    AdamL Registered Member

    Joined:
    Jan 17, 2011
    Posts:
    116
    Location:
    France/Fife
    Good work :)

    Have you passed the info on to Appguard?
     
  24. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    If this file was encountered in the wild with AG on high, it never should have launched since only guarded applications on the list will execute. o_O (At least I believe this is how it would work)
     
  25. 031

    031 Registered Member

    Joined:
    Sep 5, 2007
    Posts:
    185
    Location:
    Bangladesh
    Thanks Aigle, excellent work. I am a great fan of HIPS and my favorite one is Malware Defender . Can you give it a try ? Thanks again.
     
Loading...
Thread Status:
Not open for further replies.