Blackday trojan versus HIPS

Discussion in 'other anti-malware software' started by aigle, Apr 27, 2011.

Thread Status:
Not open for further replies.
  1. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Eh well... OS can be reinstalled easily. Your data destroyed by ransomware cannot really be reinstalled. You either have a backup, or have lost those permanently. I seriously do not get the thinking behind this design. Sandbox is pretty much a misnomer for a similar feature. :cautious:
     
  2. _kronos_

    _kronos_ Registered Member

    Joined:
    Dec 8, 2008
    Posts:
    126
    So, honestly, the best way to use this sandbox seems to be to always run unknown programs via right-click - and forget the auto-sandbox feature.

    In this way I think that an option to clean, browsing via the Comodo GUI, all the sandboxed entries created in the Vritualroot folder is needed (otherwise we'll be full of unnecessary "temp" files) :p
     
  3. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    Interesting...
    How about the Avast ver6 Sandbox..? Can someone test this with the Avast Sandbox so users will know "if" it also fails or not? I am sure a lot here are eager to know how it will fare as compared with the others that were tested. Anyone...?

    Mamutu would be nice also. Privatefirewall...?
     
  4. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    I think only certain types of ransomware could destroy non-OS files by bypassing Comodo's sandbox. But the said ransomware (threads created by aigle) and its variants are detected by CAV and cloud scanners (as per egemen).

    The only problem is: what if an unknown variant knocks on our door??
    For this, the simple mitigation is just to add the following to the protected file/folder list:
    - file types
    - personal folders (documents/movies/music/installations)

    I think treating rundll32.exe as a limited app would even mitigate the issue without the above trick, but someone needs to test it...
     
  5. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    AV is not a solution here. Stuff gets missed by AVs daily. It does not even have to be ransomware; imagine some "autosandboxed" script merely tries to wipe %USERPROFILE% - does not seem like the CIS "autosandbox" would say a beep about this?
     
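The two posts above (harsha_mic's suggestion to put personal folders on the protected list, and doktornotor's point that a sandboxed script could simply wipe %USERPROFILE%) both come down to one measurable question: after an untrusted process runs under the sandbox or HIPS, did anything it did to user data reach the real disk? The following canary-file harness is an added example for this thread; it is not code from Comodo, AppGuard, or any poster, and the folder names, file names and manifest location are assumptions chosen for illustration. It is deliberately harmless: it only touches files it planted itself. Run `prepare` outside the sandbox, `probe` as the "unknown" program under the product you are testing, then `verify` outside the sandbox again.

```python
"""Canary-file probe: does a sandbox or HIPS keep an untrusted process away
from user data on the real disk?  Added example, not a product's own code.
Directory names, file names and the manifest path are assumptions.

Three runs:
  1. outside the sandbox:  prepare(dirs, manifest)  plants canaries, records hashes
  2. inside the sandbox:   probe(dirs)              overwrite / drop / rename / delete
  3. outside the sandbox:  verify(manifest)         what actually changed on disk
"""
import hashlib
import json
import os
import sys

CANARY = "hips_canary.txt"
ORIGINAL = b"canary: do not change me\n"


def default_dirs():
    # Personal folders a ransomware sample typically goes after (assumed layout).
    home = os.path.expanduser("~")
    return [os.path.join(home, d) for d in ("Documents", "Pictures", "Music", "Videos", "Desktop")]


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def prepare(dirs, manifest_path):
    """Plant one canary per directory and record its hash.  Run OUTSIDE the sandbox."""
    manifest = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        path = os.path.join(d, CANARY)
        with open(path, "wb") as f:
            f.write(ORIGINAL)
        manifest[path] = _sha256(ORIGINAL)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest


def _attempt(action):
    """Run one destructive action; report whether the OS/HIPS let it through."""
    try:
        action()
        return "allowed"
    except OSError as e:
        return "blocked:" + type(e).__name__


def probe(dirs):
    """Run INSIDE the sandbox.  Returns what the sandboxed process believes it
    did; a virtualising sandbox may say 'allowed' while verify() shows 'intact'."""
    results = {}
    for d in dirs:
        path = os.path.join(d, CANARY)
        if not os.path.isfile(path):
            continue
        renamed, dropped = path + ".locked", path + ".dropped"

        def overwrite():
            with open(path, "wb") as f:
                f.write(b"X" * len(ORIGINAL))

        def drop():
            with open(dropped, "wb") as f:
                f.write(b"dropped by probe\n")

        def rename():
            os.replace(path, renamed)

        def delete():
            os.remove(renamed if os.path.exists(renamed) else path)

        results[path] = {"overwrite": _attempt(overwrite), "drop_new_file": _attempt(drop),
                         "rename": _attempt(rename), "delete": _attempt(delete)}
    return results


def verify(manifest_path):
    """Run OUTSIDE the sandbox after probe().  Reports the real state of each canary."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    report = {}
    for path, digest in manifest.items():
        if os.path.isfile(path):
            with open(path, "rb") as f:
                state = "intact" if _sha256(f.read()) == digest else "overwritten"
        elif os.path.isfile(path + ".locked"):
            state = "renamed"
        else:
            state = "deleted"
        report[path] = {"state": state, "dropped_file_persisted": os.path.isfile(path + ".dropped")}
    return report


def data_protected(report):
    """True only if every canary is untouched and nothing was dropped beside it."""
    return all(r["state"] == "intact" and not r["dropped_file_persisted"] for r in report.values())


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "verify"
    manifest = os.path.join(os.path.expanduser("~"), "hips_canary_manifest.json")
    if mode == "prepare":
        print(json.dumps(prepare(default_dirs(), manifest), indent=2))
    elif mode == "probe":
        print(json.dumps(probe(default_dirs()), indent=2))
    else:
        rep = verify(manifest)
        print(json.dumps(rep, indent=2))
        print("user data protected:", data_protected(rep))
```

Reading the two reports together is the point: `probe` saying "allowed" while `verify` reports "intact" means the writes were virtualised (copy-on-write into the sandbox's own folder, which is what a real sandbox should do with user data); `probe` saying "blocked" means the HIPS or a protected-folder rule intercepted the call; anything other than "intact" in `verify`, or a persisted dropped file, means the product let the sandboxed process reach the real disk, which is the failure this thread is about. Run it with and without the personal folders on the protected list to see whether that rule actually makes a difference.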
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    Thanks
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    AppGuard's defense is directed at keeping malware out of your PC by denying programs being executed by guarded applications. So when you have moved something out of user space into admin space and executed it, that is sort of shooting it in the back. Testing it this way is like proving you can shoot a security guard in the back.

    Most HIPS have protection on many attack vectors, like loading a driver, installing a driver, getting debugging rights, process modification, DLL injection, etc. AG only watches process (memory) modification out of those attack vectors, to close the possible exploit gap of changing a guarded app's memory and THEN getting executed.

    Regards Kees
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    I think I tested AG in the wrong way. Actually I wanted to check the sandbox function of AG once a malware is allowed to execute, but I could not find an easy way to do this.

    In fact, I have used AG very little, which caused this mistake. Sorry for that. I was not sure, that's the reason I did not even contact AG support and waited until some AG user commented on my findings.

    If you find a way to test AG as I want, let me know. Maybe I should decrease the protection level down from max?

    Thanks for your correction.
     
    Last edited: Apr 28, 2011
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, AppGuard is very difficult to test. You need a website and some live JavaScript exploit, or a media file with an exploit. Everything else is comparable to installing something as trusted with GeSWall. There is no prevention (other than MBR Guard) after something is allowed to execute by the user. I always enjoy reading your test posts, by the way.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,133
    Location:
    Saudi Arabia/ Pakistan
    Thanks.

    BTW I executed the sample with medium settings from the desktop. It will run guarded this way. Almost all malicious actions were stopped, except that ntuser.ini and desktop files were overwritten with malware copies, plus a few other weird things: My Documents became hidden from the window when you open My Computer, some hidden system files in the C partition became visible, etc.
     
  11. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Where are you getting the idea from to guard this malware.exe before running it?

    Never mind, lol. I didn't read above where Kees1958 addressed this. Sorry
     
  12. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    490
    Thanks for the tests, much appreciated.
    If anyone has this sample and Sandboxie, please post the results ^^ also the Avast sandbox would be interesting too.
     
  13. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    With one of PG, DSA, SSM or WinSonar (Shield Up!) + EXE Hound, or MD, this bug doesn't stand a chance. We need better malware writers. I'm getting bored with these guys and their collective lack of creativity.

    Dave
     
  14. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    Thank you for all the tests.

    Could blackday do any damage to system if it starts inside LUA?
     
  15. constantine76

    constantine76 Registered Member

    Joined:
    Dec 18, 2010
    Posts:
    191
    Same sentiments here. Waiting here. Especially the Avast sandbox, because I am using it along with SBIE. Some are waiting on DefenseWall / BufferZone too.
     
  16. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
    Great job aigle! Curious how Malware Defender will act. Also awaiting DWPF result.
     
    Last edited: Apr 30, 2011
  17. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Thanks aigle for all the HIPS test you do!

    And thanks 3x0gR13N for testing KIS... I would have asked for.. ;)
     
  18. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    DriveSentry blocks it and every new trojan, whatever scum rofl:argh:
     
  19. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    can you test Mamutu?
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,923
    Location:
    Canada
    Did DriveSentry have a signature for it, or did the behaviour blocker or HIPS engine find it? Thanks
     
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Going to test this against ProcessGuard & Zemana, soon.

    Thanks to aigle for the baddie ;)
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,923
    Location:
    Canada
    Let us know, CloneRanger :thumb:
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Testing blackday Trojan against ProcessGuard & Zemana

    Disabled Avira & Prevx & enabled ShadowDefender

    DC'd black-day.exe

    1a.gif

    Due to

    2a.gif

    Unticked that & DC'd black-day.exe again & allowed this

    3a.gif

    PG blocked this

    4a.gif

    Process Explorer showed LOTS of activity as black-day was busy doing its dirty deeds. This included altering files on my D: partition :eek: as well as C:. Fortunately I had enabled both partitions with SD :) If not :(

    After a few minutes I had seen enough, and unexpectedly I was able to kill black-day.exe via Task Manager :D

    Not a peep out of Zemana though? So I allowed service installations in PG & tried again. Zemana still didn't alert me to anything! Let's not forget that Z is NOT meant to be a full-blown HIPS product; the extra protection it does give along with its excellent KL duties is a bonus. And I have personally had it blocking other nasties etc. in previous tests.

    Rebooting, and thanks to SD everything was back to normal :)

    So ProcessGuard on its own was enough to stop this nasty dead on arrival :thumb:
     
  24. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    DriveSentry is a whitelist program.. ;)
     
  25. Tunerz

    Tunerz Registered Member

    Joined:
    Jun 12, 2007
    Posts:
    104
    Location:
    Philippines
    Would Comodo's HIPS intercept the changes if the sandbox is disabled?
     