Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,109
    I think WinHex was prevented from writing temporary files ;)
    "In-place Mode" can be used to edit a file directly, without a temporary file (and without a prompt).
     
  2. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    308
    Location:
    router
    Thank you. Yes, you are 1000% right :thumb: My bad :oops: For me it's in Default edit mode, and I have now also tested In-place edit mode and it writes directly to the file, no warning!
    I know Bouncer will take care of these things in the first step, but I hope Florian makes another driver for this raw mode also.
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    That is a good suggestion. Possibly something similar to the kernel-mode driver that was released by Cisco’s Talos Group, MBRFilter, but extended functionality. Although I can imagine that raw level access is likely quite complex.
     
  4. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    2,941
    Location:
    Mexico
    I got an email this morning from Excubits:

    Dear friends,

    Today we would like to publish an updated list of recommended blacklist
    values for Bouncer. The current list can be loaded at [1], use the values
    to enhance your configuration’s security.

    Additionally we would like to focus on EVENTVWR.EXE. This program file is
    recently abused by cyber crooks to install malware forcing privilege
    escalation. EVENTVWR.EXE is part of the Windows operating system and is
    automatically installed onto your system. The attackers rely on a security
    breach described by enigma0x3 (see [2]). In short, it is a misbehavior of
    EVENTVWR.EXE which requests parts of its configuration from the user
    accessible parts of the Windows Registry. E.g. cyber criminals can change
    the behavior of EVENTVWR.EXE by just manipulating a setting in the user's
    Registry Hive. Crooks use this to instruct macros placed in Microsoft Excel
    and Word files to execute malicious code with higher (admin) privileges and
    thus can manipulate vivid parts of your system. However, an attacker can
    gain total control over the computer by just calling EVENTVWR.EXE.

    EVENTVWR.EXE is therefore dangerous and shall be deactivated. Normally you
    do not need this EXE every day, so you should put it onto Bouncer’s
    blacklist as soon as possible and protect your PCs effectively against this
    security hole. Hopefully Microsoft will publish a patch soon. Also disable
    Office Macros if you do not need them.

    Regards, Florian


    [1]: https://excubits.com/content/files/blacklist.txt
    [2]: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
     
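An added check for the hijack Florian's mail describes (example code, not from the thread, Excubits or Bouncer). The write-up linked at [2] makes eventvwr.exe run an attacker's command by planting a per-user `HKCU\Software\Classes\mscfile\shell\open\command` handler; a clean profile has no such key, because the genuine .msc handler lives under HKEY_CLASSES_ROOT. The script parses the text of a `reg export HKEY_CURRENT_USER\Software\Classes dump.reg` and reports that handler if present. The embedded .reg dump and the `C:\Users\alice\...\update.exe` path are constructed for the example.

```python
# Added example, not code from the thread, Excubits or Bouncer. It scans the
# text of `reg export HKEY_CURRENT_USER\Software\Classes dump.reg` for the
# per-user mscfile handler that the enigma0x3 write-up linked above hijacks.
# A clean profile has no such key: the genuine .msc handler lives under
# HKEY_CLASSES_ROOT, so any HKCU copy is worth a look.

HIJACK_KEY = r"HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command"

# Constructed sample of a .reg export (not a real capture): one ordinary
# per-user association plus a planted handler pointing into %TEMP%.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"

[HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"
'''


def _unquote(data):
    """Undo .reg string escaping (\\\\ and \\") for "..." values; other
    value types (dword:, hex:) are returned as written."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a .reg (version 5) dump.
    Multi-line hex values (lines ending in a backslash) are not reassembled;
    the string values this check needs never use that form."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        if line.startswith("@="):                  # (Default) value
            name, data = "(Default)", line[2:]
        elif line.startswith('"'):                 # "Name"=data
            end = line.find('"', 1)
            if end < 0 or not line[end + 1:].startswith("="):
                continue
            name, data = line[1:end], line[end + 2:]
        else:
            continue
        keys[current][name] = _unquote(data)
    return keys


def find_mscfile_hijack(text):
    """Return the (Default) command of HKCU's mscfile open handler, or None
    when the profile carries no such override. Key paths are compared
    case-insensitively because exports preserve whatever case was set."""
    for path, values in parse_reg_export(text).items():
        if path.lower() == HIJACK_KEY.lower():
            return values.get("(Default)")
    return None


def scan_reg_file(path):
    """reg.exe writes exports as UTF-16 with a BOM; decode accordingly."""
    with open(path, encoding="utf-16") as fh:
        return find_mscfile_hijack(fh.read())


if __name__ == "__main__":
    print(find_mscfile_hijack(SAMPLE_REG_EXPORT))
```

Any non-None result is a finding on its own; the command it points at tells you what would have run at high integrity the next time an elevated eventvwr.exe was launched. Deleting the key removes the hijack, and running as a standard user (as later posts point out) means there is no auto-elevation to abuse in the first place.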
  5. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,109
    Disk Cleanup is affected too:
    [3]: https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/
    And other executables which are able to auto-elevate without any UAC prompt.
    But MS won't fix it:
    Mitigation:
     
  6. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    422
    Microsoft has already fixed these.
    The Enigma0x3 UAC bypasses are already fixed as of build 15031.
    (All credits to hfiref0x / EP_X0FF for tracking and testing all the UAC improvements Microsoft are implementing)
     
  7. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    On what operating system? On Windows 8.1 (fully patched) it is not. I can execute the sample exploit using EVENTVWR.EXE and it still works. I added a blacklist rule to my configuration until it is clear under what conditions it won't be possible to misuse EVENTVWR.EXE (I don't need this executable).
     
  8. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    3,109
    Good, they have fixed it with the newest build :thumb:
     
  9. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    Blacklisting event viewer instead of using a standard user account. Gotta love those security tweakers. Always priceless.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    19,321
    Unfortunately not all of us can use a standard user account
     
  11. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "(All credits to hfiref0x / EP_X0FF for tracking and testing all the UAC improvements Microsoft are implementing)"

    " Gotta love those security tweakers. Always priceless."

    Wow I haven't seen that name in a while.
    I just remember him saying he went to work for MS a few years ago.
    Like cruelsister says, those old hackers (famous rootkit writers) get hired really fast by companies, more so if they are young.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,531
    Location:
    U.S.A. (South)
    Of Rootkit Unhooker Fame for 32bit mainly XP systems. Remember that tool of his and MP_ART very well.

    They also did a POC named Unreal that was a hidden RK. Interesting that EP_X0FF is still heavily involved in Windows. KOOL
     
  13. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    Exactly, we all know we should, but reality proves that in many cases people do (or can) not :)
     
  14. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
    Ah yeah, it was somewhere around 2006 if I remember right. But there were also some controversies around that Rootkit Unhooker if I remember right?!
     
  15. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    2,577
    Location:
    The etherlands
    So due for release (to non-Insiders) from April 2017?
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,531
    Location:
    U.S.A. (South)
    The only controversy I remember is that it worked! It was the snappiest and most instant eviction tool for pulling out rootkit (other malware) code lodged in the SSDT table and other areas, at least on XP. Never seen anything perform as fast since. Don't know much about anything like it once x64 and Ring0 with PatchGuard plus signing of MS drivers made it obsolete.
     
  17. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    422
    Yes.
    Easy mitigation (and a great general mitigation against a 1001 other unpleasant experiences) are to use SUA, as @FleischmannTV mentioned in post #1659
    (I should probably say that this is a great solution to users that don't mind using SUA. Users that really don't want to, will of course do something else :))
     
  18. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    140
    Location:
    Europe
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    6,531
    Location:
    U.S.A. (South)
    Good read. All MS needs to do now is pull a fast one and drop out the conveyor line yet another O/S fresh off the heels of Windows 10.

    Maybe backtracking to a Windows 9? Nah, too complicated and the PR would be another firestorm for them.

    Or perhaps a Windows 11 in keeping with something like a forward order of progression?

    On Topic, Bouncer seems it is just enough to yet could be improved on as new problems surface to cover.
     
  20. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    308
    Location:
    router
    Process Hacker shows *.xpi (I know it's not an executable and just a zip) loaded under Firefox.
    No way to block it :doubt:
    I know there is no way in the kernel for it, but I hope it can somehow be restricted as well.
     
  21. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    60
    I saw something like below in the log file.

    LSTCHECK > C:\Windows\System32\wbem\WMIADAP.exe > C:\Windows\System32\loadperf.dll

    Can anyone here teach me to write a rule to get rid of it from logging? Thanks.
     
  22. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    @kakaka If you want this action blocked but with silence from logging, try the following rule:

    Code:
    [PARENTBLACKLIST]
    #    Example parentblacklist block with silence rule
    $C:\Windows\System32\wbem\WMIADAP.exe>C:\Windows\System32\loadperf.dll

    Similar silent blocking rules can be done with [BLACKLIST], [PARENTBLACKLIST] and [CMDBLACKLIST] sections.
     
  23. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    60
    Thanks, WildByDesign. Will try that soon. And what actually does "LSTCHECK" mean in this case?
     
  24. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    You're welcome. Once Florian added more features to Bouncer it became more difficult to determine which type of rule triggered a specific blockage, so I suggested to add within the log which rule section triggered the blockage. So in this case LSTCHECK is referring to the parentcheck feature. If a blockage was triggered by command line rule, it would show CMDCHECK in the log.
     
  25. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    60
    Thanks again, @WildByDesign. I followed your instruction and worked like a charm.
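The exchange above (kakaka's log line, WildByDesign's silent rule, and the LSTCHECK/CMDCHECK explanation) as an added example that is not part of the thread and not code from Excubits or Bouncer. The script reads log lines of the exact shape kakaka quoted, `LSTCHECK > parent > child`, deduplicates them, and emits the `$parent>child` silent rules under `[PARENTBLACKLIST]` in the INI style of WildByDesign's post. Assumed from the thread: LSTCHECK blocks belong in `[PARENTBLACKLIST]` and a leading `$` makes a rule silent. Other check tags (such as CMDCHECK) are reported as not converted rather than guessed at, because their rule syntax is not shown in the thread. The sample log, including the WmiPrvSE/wmiutils line, is constructed for the example.

```python
# Added example, not code from the thread, Excubits or Bouncer. It turns
# Bouncer log lines of the shape kakaka quoted into the silent block rules
# WildByDesign describes, so a wanted-but-noisy block can be kept without the
# log entry. Assumed from the thread: a line reads `LSTCHECK > parent > child`,
# LSTCHECK blocks belong in [PARENTBLACKLIST], and a leading `$` makes a rule
# silent. Other check tags (e.g. CMDCHECK) are reported rather than converted
# because their rule syntax is not shown on the page.
import re
from collections import OrderedDict

SECTION_FOR_CHECK = {"LSTCHECK": "PARENTBLACKLIST"}

# CHECK > left > right, tolerant of extra whitespace around the separators
LINE_RE = re.compile(r"^\s*([A-Z]+)\s*>\s*(.+?)\s*>\s*(.+?)\s*$")

# Constructed sample log (not a real capture): the WMIADAP line from the
# thread, the same block logged twice, and a second parent/child pair.
SAMPLE_LOG = r"""
LSTCHECK > C:\Windows\System32\wbem\WMIADAP.exe > C:\Windows\System32\loadperf.dll
LSTCHECK > C:\Windows\System32\wbem\WMIADAP.exe > C:\Windows\System32\loadperf.dll
LSTCHECK > C:\Windows\System32\wbem\WmiPrvSE.exe > C:\Windows\System32\wbem\wmiutils.dll
"""


def parse_log(text):
    """Return (check, parent, child) for every line matching the quoted shape;
    lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def silent_rules(entries):
    """Return ({section: [rule, ...]}, [unconverted entries]). Rules are
    deduplicated and keep first-seen order so the output is stable."""
    rules = OrderedDict((s, []) for s in SECTION_FOR_CHECK.values())
    skipped = []
    for check, parent, child in entries:
        section = SECTION_FOR_CHECK.get(check)
        if section is None:
            skipped.append((check, parent, child))
            continue
        rule = f"${parent}>{child}"          # `$` prefix = block silently
        if rule not in rules[section]:
            rules[section].append(rule)
    return rules, skipped


def render_config(rules):
    """Emit [SECTION] blocks in the INI style of the post; empty sections
    are left out so the fragment can be pasted into an existing config."""
    out = []
    for section, lines in rules.items():
        if not lines:
            continue
        out.append(f"[{section}]")
        out.append("#    silent block rules generated from the Bouncer log")
        out.extend(lines)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    rules, skipped = silent_rules(parse_log(SAMPLE_LOG))
    print(render_config(rules))
    for entry in skipped:
        print("not converted:", " > ".join(entry))
```

Review the generated fragment before pasting it: a silent rule hides exactly the evidence you would otherwise use to notice that a parent/child pair has changed, so it belongs only on blocks you have already decided are expected noise, such as the WMIADAP/loadperf one in the thread.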