Classical HIPS and policy based HIPS discussion

Discussion in 'other anti-malware software' started by BoerenkoolMetWorst, Jan 28, 2015.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Ok - whitelisting aficionados, I will help you out. The author of these bypasses is a well known information security analyst named Casey Smith.

    He published an article in the Excubits blog late last year: https://excubits.com/content/en/news.html. Scroll down to the following section:

    Whitelisting Evasion

    Information Security Analyst Casey Smith did a great job in his presentation on how to bypass application whitelisting on Windows. Besides basic attacks on well known Windows folders he also showed how to misuse scripting hosts and our beloved .NET framework.
    Happy rule creation to all :cautious:

     
    Last edited: Apr 21, 2016
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yawn. It's another article promoting use of their command line scanner, essentially to whitelist command lines. Something ERP has been doing for quite a while, and now VoodooShield has the same feature. Just nothing new.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Agreed:thumb:
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    It installs a proxy server. I assume it is localhost-based, but the article doesn't specify:

    This plugin creates a proxy server on the local machine so that all outbound and inbound network traffic can be examined.
    So, you prevent the local host proxy from being installed. Or failing that, you prevent your browser's memory from being modified via a HIPS rule to prevent process modification:

    As soon as the user launches a browser, the malware will inject its malicious payload into it, then patch the certificate checking functionality and also hook selected API functions such as connect in order to intercept all web communications.

    Worrying about what API to intercept and block is again .......... "cart before the horse" technology.

    -EDIT-

    Pertaining to local host proxy server protection, the following is an extract from a MBAM log where a malicious one was installed:

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <-loopback>

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - http=127.0.0.1:55783;https=127.0.0.1:55783

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [DefaultConnectionSettings]

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [SavedLegacySettings]
    So you want to have a HIPS rule to monitor changes to this registry key:

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ \

    Note: "\ \" ref. above means this key only with no path traversal
     
    Last edited: Apr 22, 2016
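    As an added example (not code from the post or from any vendor), this is the detection logic a defender could run over MBAM-style log lines like the extract above: it flags ProxyServer values that point at loopback, a ProxyOverride containing <-loopback>, and notes when the entry sits in the .DEFAULT hive. The sample log reuses the two values quoted in the post; the corporate proxy entry and the SID are constructed.

```python
import re
from ipaddress import ip_address

# Constructed sample in the layout of the MBAM extract quoted above: the first two
# lines reuse the values from the post, the third is a made-up benign corporate proxy.
SAMPLE_LOG = r"""
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <-loopback>
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - http=127.0.0.1:55783;https=127.0.0.1:55783
HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - proxy.corp.example:8080
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [DefaultConnectionSettings]
"""

# "<key> [<value name>] - <data>"; the " - <data>" part is absent for binary values.
LINE_RE = re.compile(r"^(?P<key>.+?\\Internet Settings) \[(?P<value>\w+)\](?: - (?P<data>.*))?$")

def is_loopback_host(host):
    """True for 'localhost' or any 127.0.0.0/8 or ::1 literal."""
    try:
        return host.lower() == "localhost" or ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False

def proxy_hosts(data):
    """Host names from 'http=host:port;https=host:port' or a bare 'host:port'."""
    entries = [e.strip().split("=", 1)[-1] for e in data.split(";") if e.strip()]  # drop scheme
    return [e.rsplit(":", 1)[0] if ":" in e else e for e in entries]               # drop port

def find_proxy_findings(log_text):
    """Flag Internet Settings entries that route WinINet traffic through a local proxy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, value, data = m.group("key"), m.group("value"), m.group("data") or ""
        reason = None
        if value == "ProxyServer":
            bad = sorted({h for h in proxy_hosts(data) if is_loopback_host(h)})
            if bad:
                reason = "proxy points at loopback: " + ", ".join(bad)
        elif value == "ProxyOverride" and "<-loopback>" in data:
            # <-loopback> cancels the default proxy bypass for loopback addresses, so even
            # localhost traffic is forced through the proxy (debugging proxies set it too).
            reason = "<-loopback> present in bypass list"
        if reason:
            # .DEFAULT is the system profile; an interactive user never sets a proxy there.
            findings.append({"key": key, "value": value, "reason": reason,
                             "default_hive": key.upper().startswith(r"HKEY_USERS\.DEFAULT")})
    return findings
```

The same check applies to a live system by feeding it the output of a registry export of the per-user Internet Settings keys, one "key [value] - data" line at a time.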
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    All this time, effort and anguish trying to build a nanny state with HIPS is a wasted effort, is it not? There are so many easier and more effective ways than all this overthinking using a HIPS that monitors everything but the kitchen sink.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I agree. I think HIPS are a relic of the past even though there are still a few. If you enjoy playing with HIPS for the sake of playing, fine, but I don't think the traditional HIPS are necessary anymore. It'll be interesting to see how they fare economically in the near future.
     
  9. Windows is evolving from a two layer security landscape (admin and user) to a three layer security (High - Medium - Low integrity) architecture. On top of that it has got protected processes and all sorts of memory mitigations to make it harder to exploit. Finally, reputation scoring (SmartScreen on the Desktop) and Cloud combined with OS-aware Anti Virus will make it harder for malware to intrude into a system. Malware will be more and more focused on social engineering and phishing. Inevitably the weakest point in the chain is the user.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I have already stated that the classical HIPS of old are obsolete. So no need to elaborate on that.

    As far as stand-alone HIPS software's future, I would say it is not bright. That's why I find the creation of ReHIPS a bit strange. However, I do wish its author the best of luck.

    The future of HIPS lies in integrated solutions like those offered by Eset, Kaspersky, and a few others. Eset's HIPS was developed "from the ground up" to incorporate protection against today's advanced malware such as exploits and reflective memory injection. It will continue to improve its default protections in the future, as evidenced by the new features being incorporated into ver. 10. Again, as I have stated many times, you need an integrated and comprehensive security solution against today's advanced persistent threats.

    Finally for the novice to average PC user, using a solution that incorporates advanced behavior blocking technology such as employed by Emsisoft is strongly recommended. Such a solution offers "install and forget" operation while at the same time providing excellent and comprehensive protection.
     
    Last edited: Apr 22, 2016
  11. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    I am interested in finding the starting point of its execution.
    So, the malicious code is delivered through the HTML page, and when the browser parses the page, the malicious code is executed by the browser directly, or? Can anyone please explain the infection execution steps?
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    More detail here: http://www.welivesecurity.com/2012/06/28/win32gataka-a-banking-trojan-ready-to-take-off/

    Actual malware sample here: https://www.hybrid-analysis.com/sam...d39c1c6591c3630f6b3fd8a48180/?environmentId=4

    Note: I believe this is a hybrid version.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    @Rasheed187

    In regards to today's advanced banking Trojans, they establish a backdoor on your PC. Once that is accomplished, it is "pretty much game over." The best detection of this type of infection is to use a security solution that has botnet protection such as Eset has. At least the connection to the botnet C&C server will be detected and blocked. Then remedial activity can be initiated.

    The type of proxy being established through the backdoor by the botnet's C&C server is Socks, FTP, etc. based and is done dynamically at the network stack level. As such, it is virtually undetectable. A bit of discussion here:

    If access to the internet is locked down on the computer, let's say only to http and https and no other ports, meterpreter can go around that as well. It can be configured to connect back to its control server using a well-formed ActiveX session over HTTP or HTTPS that may even not trip up some intrusion detection systems. This is the tip of the iceberg in obfuscating command and control connections.

    Zeus/SpyEye/Citadel etc malware and the like generally have proxy(SOCKS4-5)/RAT/ftp-backconnect capabilities as a standard, and they can 'pivot' the attackers traffic/attacks through those infected platforms to target your machine.


    Ref.: http://security.stackexchange.com/questions/93776/how-do-rats-access-computers-through-routers
    Here is an example of a Zeus Botnet currently for sale for $1200 and a few of its features:

    Server-side bot functions:
    - Socks 4/4a/5 server with support for UDP and IPv6.
    - Backconnect for any service (RDP, Socks, FTP, etc.) on the infected machine, i.e. it may gain access to a computer that is behind a NAT or, for example, one whose connections are prohibited by a firewall. For this feature to work, additional applications are used that run on any Windows server on the Internet which has a dedicated IP.
    - Getting a screenshot of your desktop in real time.
    - Intercepting HTTP/HTTPS requests from the wininet.dll (Internet Explorer, Maxton, etc.) and nspr4.dll (Mozilla Firefox) libraries:
      - Modification of the loaded pages' content (HTTP-inject).
      - Transparent page redirect (HTTP-fake).
      - Extracting the right pieces of data from the page content (for example the bank account balance).
      - Temporary blocking of HTTP-injects and HTTP-fakes.
      - Temporary blocking of access to a certain URL.
      - Blocking logging of requests for a specific URL.
      - Forcing logging of all GET requests for a specific URL.
      - Creating a snapshot of the screen around the mouse cursor when buttons are clicked.
      - Getting session cookies and blocking user access to a specific URL.
    - Getting important information from the user's programs:
      - Logins from FTP clients: FlashFXP, CuteFtp, Total Commander, WsFTP, FileZilla, FAR Manager, WinSCP, FTP Commander, CoreFTP, SmartFTP.
      - "Cookies" of Adobe (Macromedia) Flash Player.
      - "Cookies" of wininet.dll, Mozilla Firefox.
    - Import of certificates from the Windows certificate store, and tracking of their subsequent addition.
    - Tracking of keyboard key presses.
    - Traffic sniffer for the TCP protocol in Windows Sockets.
    - Intercept FTP logins on any port.
    - Intercept POP3 logins on any port.


    Ref.: http://www.freetrojanbotnet.com/2016/02/zeus-2089-bot-sourcebuilder.html

     
    Last edited: Apr 22, 2016
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I've already explained that certain HIPS watch only specific browser APIs that are often used by banking trojans. So even if they fail to protect against certain code injection methods, they can still interfere, at least in theory.

    Yes correct, detection gets hard once code is injected into browser and certain trusted system processes. But if you block code injection, banking trojans can not install the SOCKS proxy server. Almost all actions that banking trojans perform are via code injection/API hooking. That's why M$ tried to protect the Edge browser by allowing only trusted apps to inject code.

    I don't see how it's a wasted effort for people who like to be in total control. And most HIPS do not try to monitor everything, but only the most used malware techniques. Plus developers have tried to make it more user friendly, by white-listing system and trusted apps. BTW, when I think of nannies I think of UAC, not HIPS!
     
    Last edited: Apr 22, 2016
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It isn't any different than any other malware attack. It needs to be able to run in order to do any damage. Malware can run via user or exploit. If you use anti-exe or anti-exploit, the chance is quite small that malware will be able to run. If you download and run malware yourself, then HIPS should be able to interfere when AV fails. HIPS and behavior blockers are basically the last line of defense.
     
  16. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    What are you trying to be in total control of? Legitimate processes and applications or malware? Assuming it's the former...why?

    Yes, but they also monitor techniques used by legitimate and trusted processes. If one isn't careful, they cripple their system and they won't even know why.

    I'd be willing to bet more time is spent modifying HIPS configurations than answering UAC alerts.
     
  17. guest

    guest Guest

    Is a "simple" ESET Internet Security enough to have this kind of HIPS, or is a special Endpoint product needed?
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Not quite following you.

    The HIPS in Eset's retail products is the same as that in the endpoint products. However a few features are disabled in the retail ver. such as filename wildcards which irks me to no end.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    My motto is to "trust no app" unless it's impossible not to. I like to know what apps are up to, either legitimate or not. Also, it depends on how you use a system. If you install or run new apps a lot, of course you will get to see more alerts compared to when your system is quite static once your favorite/most used software is installed and rules are already made.

    That's what I tried to explain, developers are smart enough to whitelist system apps. And legitimate apps should sometimes be monitored, think of the browser. And besides, HIPS are geared to geeks not to normal users, so I don't know why this subject keeps coming up. Most of the HIPS users think it's fun to have complete control.

    I don't want to start that discussion again, but to me it's more meaningful to know if some app wants to inject code, install a driver, or modify files. That hasn't got anything to do with acting like a nanny; that's all about giving clues whether apps might have malicious intentions. Contrary to UAC, which keeps asking dumb questions over and over again, that was my point. :D
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ itman

    Here is an interesting article about the Windows OS boot process. I suppose this stuff should be interesting to HIPS developers that are trying to protect against rootkits and bootkits:

    http://securityinternals.blogspot.nl/2014/02/walkthrough-of-windows-boot-process.html

    BTW, I forgot to add that I don't like all HIPS. For example Comodo got on my nerves by alerting about system processes and it presented other dumb alerts. So I chose not to use it, even though when configured properly it's one of the most complete HIPS on the market. And the new ReHIPS seems to be a bit too complex at first sight, it's a mix between Sandboxie and a regular HIPS.
     
  23. guest

    guest Guest

    Ok, thanks. This answers my question.
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    PowerLoader is just one example of the advanced RMI techniques I have been referring to.

    Note that the 64 bit versions are restricted to desktop memory injection. I do know that Emsisoft protects the desktop. Also, I protect all Win system processes using Eset's HIPS. That would include dwm.exe which runs as a service and controls the desktop.
     
    Last edited: Apr 23, 2016
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.