Classical HIPS and policy based HIPS discussion

Discussion in 'other anti-malware software' started by BoerenkoolMetWorst, Jan 28, 2015.

Thread Status:
Not open for further replies.
  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    I have been thinking about this zombie process business and there is a way to stop it with a HIPS. Below is a quote about zombie processes from the link ref. previously.

    A zombie process is nothing more than a spawned process of itself. How many processes spawn a copy of themselves? The only one I am aware of in WIN 7 is iexplore.exe -EDIT- also explorer.exe. Note that a spawned process is not the same as having multiple instances of the same process running, like explorer.exe. Those instances are created by a different process: svchost.exe. It is also not the same as a process creating other, different processes, as explorer.exe does.

    You can stop spawning of a process via the following HIPS rule using Eset format:

    Create an ask or block rule where source is processx.exe and target is processx.exe and select the "start new application" option.

    What processes should be covered? Well, everything to be 100% covered. Obviously, no one is going to do that. Covering explorer.exe and taskhost.exe is a must. Then possibly all MS apps like notepad.exe, write.exe, calc.exe, wordpad.exe, etc. Also Internet facing apps like reader.exe, etc. Again, whatever the user feels most comfortable with protection-wise.


    -EDIT- Further testing shows the above will not work. The spawned zombie process has no directory origin, hence there is no way to create a HIPS rule to prevent its starting. The best that can be done is to protect the source process from any code injection/modification; at least with Eset's HIPS that is the case.

    Zombie Process

    Once the executable tries to perform an action that is deemed malicious, the system can decide what to do based on how common the application is, if it's signed and by whom. For a malicious executable to escape a HIPS, it would have to trick the system into believing it's a legitimate signed application.

    Due to non-static data within a process, such as absolute addresses, imports, and statically allocated variables; it is not possible to verify the digital signature of a running process. To check a process' signature, the HIPS would have to get the executable file path from the PEB (Process Environment Block) or the section handle, then verify the signature of the file on disk.

    The concept of zombie processes is pretty simple: we can create a standard Windows process in a suspended state, then write our malicious code to the process's memory; the PEB and the EPROCESS structures will still be those of the original process, causing the HIPS to see the now malicious process as a legitimate signed executable (this is not RunPE or dynamic forking, because we don't unmap the original executable and replace it with our malicious one, as those can be detected in multiple ways). It's basically PE injection, but with less exposure to functions that would allow the HIPS to detect code injection.
     
    Last edited: Jun 6, 2015
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Other than the fact that I can't use the right-click menu on the systray icon while Outpost is showing a pop-up, I don't experience any bugs.
    But what makes AppInit_DLLs problematic, since it is also used by malware? The registry key to specify a DLL for AppInit_DLLs is in the same part as the key to enable AppInit_DLLs functionality.
    So even if you would use a product that doesn't use AppInit_DLLs and it is therefore disabled on your computer, if the malware has enough rights to use it, it also has enough rights to enable it anyway.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    There are a few issues with using the AppInit_DLLs reg area. Beginning with WIN 8, all .dlls stored there have to be signed. In WIN 7, it is optional but it is highly recommended to enable that setting; I have. So I assume Outpost .dlls stored there are all signed? Since Outpost uses that reg key, it can only be assumed that it by default protects that area, which is good. Finally, Microsoft highly recommends that reg key not be used by software developers. It is only there for legacy software compatibility reasons. Would not be surprised if support for it disappears with WIN 10.

    Refs: https://support.microsoft.com/en-us/kb/197571
    http://reverseengineering.stackexch...at-happens-when-a-dll-is-added-to-appinit-dll

    And finally a ref. to a Wilders posting I made when I got nailed by malware hidden in that key: https://www.wilderssecurity.com/threads/worst-malware-ever.346182/ . This was a nightmare to fix. It had changed permissions on all critical WIN 7 files. Had to run a MS utility to reset them all back to default values.
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Still nothing like good images to use for rescue.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    BTW, does anyone know if HIPS can also control Metro Apps? I don't think it's necessary, because they already run in a sandbox (AppContainer), but from a technical point of view it's still interesting. Especially now M$ is trying to make Metro Apps more popular in Win 10.
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Yes, it is 1 and it's signed.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    And that key value can be overridden unless specifically HIPS blocked; at least on WIN 7. When I was testing the free ver. of Zemana Antilogger, it did just that; set it to a value of "0." Then when I uninstalled it, it left the key value at "0." One reason among many I don't want anything to do with their software.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Came across what I consider to be the best guide I have found to preventing known cryptolocker variants using classical HIPS rules:

    https://kc.mcafee.com/resources/sit...00/PD25203/en_US/Cryptolocker_Update_RevD.pdf

    -EDIT- Also don't miss this "tidbit" in the article: Prevent svchost executing non-Windows executables.

    Seen a number of articles linking svchost.exe launching CryptoLocker/Wall .exe's in the \AppData folders.
     
    Last edited: Jun 12, 2015
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    To be honest, I've never understood how svchost.exe can be used to execute non Windows apps. I remember that on my old Win XP system, for some reason, Winamp always got launched by svchost.exe, instead of explorer.exe. I've always found this to be fishy. So a HIPS with this capability sure comes in handy.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    This stuff is also interesting, it's about Tinba and Poweliks. I always keep thinking about how HIPS are able to stop this stuff.

    What's interesting about Tinba: it first tries to inject code into winver.exe, and after this, winver.exe (trusted system app) injects code into explorer.exe. This is a way to stay off a HIPS radar, and this also proves that HIPS can never blindly trust "Microsoft signed" apps inside the system32 (and other) folder(s). About Poweliks, it seems to be crucial to block CLSID hijacking; I believe Comodo does this out of the box.

    http://www.symantec.com/connect/blo...malware-goes-fileless-attempt-prevent-removal
    http://blog.fortinet.com/post/tinba...banking-credentials-into-the-hands-of-hackers
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    You have to create a rule for svchost.exe in most HIPS for protection. The commercial products have options like allowing "Microsoft trusted apps" and the like to make things a bit easier.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    You should have a HIPS rule for explorer.exe (one of the known attack vectors) to prevent code injection. The only apps I allow to inject are my security software.

    Ditto for rundll32.exe; also another known attack vector. It needs to be tightly monitored:

    Poweliks uses a legitimate Windows rundll32.exe file (blue outline) to execute JavaScript code (red outline) that has been embedded in the registry subkey itself. The JavaScript code has instructions to read additional data from the registry, which acts as the payload (green outline), and then execute it.

    Blocking per McAfee recommendations:

    Create a new user-defined rule and choose Registry Blocking Rule. Add the following information in Registry key or value to protect:

    HKLM\Software\Classes\CLSID\**

    In Process to Include put only the following value:

    DLLHOST.EXE

    Finally, choose the Key option in Registry Key or Value to Protect bullet list, and mark the following options in the Registry Actions to Block list:

    Write to key or value
    Create key or value

    Some variants of Trojan-Powelike use different registry hives to store their malicious payload. The following variants were seen by McAfee and similar Access Protection rules can be created for them, replacing only the Registry key or value to protect:

    HKCU\Software\Classes\CLSID\

    HKLM\Software\Microsoft\windows\CurrentVersion\Run

    HKEY_CLASSES_ROOT\CLSID\

    Please ensure that only DLLHOST.EXE is used in the Process to Include field, to avoid blocking normal system behavior.
     
    Last edited: Jun 13, 2015
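The McAfee rule quoted above blocks writes to the CLSID hives by dllhost.exe; a complementary defender step is to periodically read those same hives and look for registrations that already point at rundll32.exe, a script host, or a file outside the Windows and Program Files trees. The following PowerShell script is an added example for this thread, not McAfee's or Eset's code, and it is read-only. It assumes the standard InprocServer32/LocalServer32 subkey layout under each CLSID and that $env:SystemRoot, $env:ProgramFiles and ${env:ProgramFiles(x86)} are the only roots treated as trusted:

```powershell
# Added example (not from the thread): hunt the CLSID hives the McAfee rule
# protects for COM server registrations worth a second look. Read-only.

$hives = @(
    'HKCU:\Software\Classes\CLSID',
    'HKLM:\Software\Classes\CLSID',
    'HKLM:\Software\Wow6432Node\Classes\CLSID'
)
# Roots treated as trusted for server paths (assumption for this example).
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Test-SuspiciousServer([string]$Server) {
    if (-not $Server) { return $null }
    if ($Server -match 'rundll32') { return 'rundll32 reference' }
    if ($Server -match 'mshta|wscript|cscript|powershell|javascript:|vbscript:') { return 'script host reference' }
    # Strip quotes and arguments to get the image path, then check where it lives.
    $path = if ($Server -match '^"([^"]+)"') { $Matches[1] } else { ($Server -split '\s+')[0] }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    $inTrusted = $false
    foreach ($root in $trusted) {
        if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    if (-not $inTrusted) { return "server outside Windows/Program Files: $path" }
    return $null
}

$results = foreach ($hive in $hives) {
    if (-not (Test-Path $hive)) { continue }
    foreach ($clsid in Get-ChildItem -Path $hive -ErrorAction SilentlyContinue) {
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $key = Join-Path $clsid.PSPath $sub
            if (-not (Test-Path $key)) { continue }
            # The COM server path is the subkey's default value.
            $server = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            $reason = Test-SuspiciousServer $server
            if ($reason) {
                [pscustomobject]@{
                    Hive   = $hive
                    CLSID  = $clsid.PSChildName
                    Server = $sub
                    Reason = $reason
                    Value  = $server
                }
            }
        }
    }
}

$results | Format-Table -AutoSize -Wrap
```

Entries under HKCU are the ones worth reading first, since a per-user CLSID shadows the machine-wide one for that user and needs no admin rights to create. Expect some noise from legitimately per-user-installed software in AppData; the point is to have a short list to review rather than a verdict.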
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, but did you know that apps can apparently use svchost.exe to get launched? That was news for me. That's why I always monitor it with a tool like System Explorer.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes correct, this all is tricky stuff. The problem is that there are also legitimate (non security) apps that sometimes need to inject code. So the next step is to monitor API hooks (after code injection). This is what apps like Zemana, SpyShelter and HMPA try to do. They see it when certain API hooks get modified and try to either block or alert about it. Of course I'm then specifically talking about banking trojans. And rundll32.exe should indeed also never be trusted, if it's not launching a "Microsoft signed" file.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Presently I am HIPS monitoring explorer, svchost, rundll32, winlogon, notepad, my browser, and Adobe Reader for any process modifications. BTW - some of these modify themselves. :confused:

    I also monitor the browser and Adobe Reader for any global hooking activity.
     
    Here is an ADM template I use (based on SANS or NSA policy hardening tips); save it as App_Init.ADM and import it into group policy.
    --------------------------- start -------------------
    CLASS MACHINE
    CATEGORY "App_Init"
    ; Master switch: whether any DLL listed in AppInit_DLLs is loaded at all.
    POLICY "Enable App_Init_DLL"
    KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    EXPLAIN "Disable this setting to prevent loading DLLs into every application."
    VALUENAME "LoadAppInit_DLLs"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    END POLICY

    ; Only accept code-signed AppInit DLLs (mandatory from WIN 8, optional on WIN 7).
    POLICY "Require App_Init Signing"
    KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    EXPLAIN "Enable to load only code-signed DLLs used by App_Init."
    VALUENAME "RequireSignedAppInit_DLLs"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    END POLICY

    ; The DLL list itself; leave empty unless a product genuinely needs it.
    POLICY "Load_App_Init_DLLs"
    KEYNAME "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
    PART "Enter DLLs, comma separated" EDITTEXT
    VALUENAME "AppInit_DLLs"
    END PART
    EXPLAIN "List the DLLs to load into every application."
    END POLICY

    ; Search System32 before the current directory when resolving DLL names.
    POLICY "Safe DLL Search Mode"
    KEYNAME "System\CurrentControlSet\Control\Session Manager"
    EXPLAIN "Enable safe DLL search mode."
    VALUENAME "SafeDllSearchMode"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    END POLICY

    END CATEGORY
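After importing a template like the one above, it is worth verifying on the endpoint that the four values actually hold the hardened settings, and that any DLL still listed is signed, which is the WIN 8 requirement discussed earlier in the thread. The script below is an added example for this thread, not part of the template or of any product mentioned here; it only reads the registry. It assumes the value names and key paths used in the template and treats "loading off, signing on, empty list, safe search on" as the expected posture:

```powershell
# Added example (not from the thread): audit the AppInit_DLLs and
# SafeDllSearchMode values the ADM template controls. Read-only; run from an
# elevated PowerShell on the machine being checked.

$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$sessionKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent
    }
}

$findings = @()

$load   = Get-RegValueOrNull $appInitKey 'LoadAppInit_DLLs'
$signed = Get-RegValueOrNull $appInitKey 'RequireSignedAppInit_DLLs'
$dlls   = Get-RegValueOrNull $appInitKey 'AppInit_DLLs'
$safe   = Get-RegValueOrNull $sessionKey 'SafeDllSearchMode'

# Expected posture (assumption for this example): loading off (0), signing
# on (1), an empty DLL list, and safe search mode on (1).
if ($load -eq 1) {
    $findings += 'LoadAppInit_DLLs is 1: every DLL listed in AppInit_DLLs is loaded into each user32-linked process.'
}
if ($signed -ne 1) {
    $findings += 'RequireSignedAppInit_DLLs is not 1: unsigned AppInit DLLs would be accepted.'
}
if (-not [string]::IsNullOrWhiteSpace($dlls)) {
    # The value is a comma- or space-separated list; resolve each entry and
    # report whether the file exists and what its Authenticode status is.
    foreach ($entry in ($dlls -split '[,\s]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $findings += "AppInit_DLLs entry '$path': signature $($sig.Status), signer '$($sig.SignerCertificate.Subject)'"
        } else {
            $findings += "AppInit_DLLs entry '$entry': file not found at that path (relative names are resolved by the loader at run time)"
        }
    }
}
if ($safe -eq 0) {
    $findings += 'SafeDllSearchMode is 0: the current directory is searched before System32 when loading DLLs.'
}

# 64-bit Windows keeps a separate copy of the key for 32-bit processes.
$wowKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
if (Test-Path $wowKey) {
    $wowDlls = Get-RegValueOrNull $wowKey 'AppInit_DLLs'
    if (-not [string]::IsNullOrWhiteSpace($wowDlls)) {
        $findings += "32-bit AppInit_DLLs (Wow6432Node) is populated: $wowDlls"
    }
}

if ($findings.Count -eq 0) {
    'AppInit_DLLs / SafeDllSearchMode posture matches the hardened template.'
} else {
    $findings
}
```

The Wow6432Node check matters because a product (or malware) can populate the 32-bit list while the 64-bit one stays empty, which a single-key audit would miss.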
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    To be honest, I still don't understand COM hijacking completely. I suppose it makes sense to protect existing COM objects against modification, but there is no way to know if new ones that are created will be used in a malicious way or not. So that's why monitoring this registry key doesn't make a lot of sense from my point of view. That's the problem with HIPS: IMO it should be monitoring only stuff that you can make decisions about.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    If they contain a ref. to rundll32, they should be blocked until verified. Been running with the McAfee recommended rule using Eset's HIPS without a peep.

    -EDIT-

    This link is from a person that was actually infected with Poweliks: http://superuser.com/questions/8339...in-dllhost-exe-thats-missing-processid-switch . Note all the spawned dllhost.exe processes; a dead giveaway. Also this is a great example of a "zombie" process.

    Here is a Sophos link on Poweliks: https://www.sophos.com/en-us/support/knowledgebase/121370.aspx . Note the use of RegDelNull to get rid of those bugger null registry key values hiding the malware. I had one of those many moons ago sitting in the AppInit_Dlls key; one reason I won't use any software that writes to that key. Finally, the use of Autoruns to find the infected Poweliks /Run key entry and delete it.

    BTW - no malware scanner I know of can detect malware hidden in a null registry key.
     
    Last edited: Jun 18, 2015
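The Superuser thread linked above shows the pattern that gave Poweliks away: several dllhost.exe instances started without the /Processid switch that a normal COM surrogate carries. The same snapshot can also surface the other tells raised in this thread: rundll32.exe command lines, non-Windows executables launched by svchost.exe, and a process whose parent is another instance of the same image. The following PowerShell script is an added example, not a tool from the thread or from any vendor named in it; it reads the live process list once and prints a review list. It assumes $env:SystemRoot is the Windows directory and that Win32_Process exposes ParentProcessId, CommandLine and CreationDate (which it does on the Windows versions discussed here):

```powershell
# Added example (not from the thread): one read-only pass over the process
# tree, flagging the patterns discussed in this thread. Rows are items to
# review, not verdicts.

$windir = $env:SystemRoot
$procs  = Get-CimInstance -ClassName Win32_Process
$byPid  = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-ImageName([object]$p) {
    if ($p -and $p.ExecutablePath) { return [IO.Path]::GetFileName($p.ExecutablePath).ToLower() }
    if ($p) { return $p.Name.ToLower() }
    return ''
}

$report = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $image  = Get-ImageName $p
    $pimage = Get-ImageName $parent
    $cmd    = if ($p.CommandLine) { $p.CommandLine } else { '' }
    $flags  = @()

    # A legitimate COM surrogate is started as "dllhost.exe /Processid:{GUID}".
    if ($image -eq 'dllhost.exe' -and $cmd -notmatch '/processid:') {
        $flags += 'dllhost without /Processid'
    }
    if ($image -eq 'rundll32.exe') {
        $flags += 'rundll32 (inspect command line)'
    }
    # svchost hosting Task Scheduler can start user programs; anything it
    # launches from outside the Windows directory deserves a look.
    if ($pimage -eq 'svchost.exe' -and $p.ExecutablePath -and
        -not $p.ExecutablePath.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)) {
        $flags += 'launched by svchost from outside the Windows directory'
    }
    # Parent PIDs are reused once the parent exits, so only count a same-image
    # parent that really started before this process.
    if ($parent -and $pimage -eq $image -and $parent.CreationDate -le $p.CreationDate) {
        $flags += 'spawned by another instance of the same image'
    }

    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            PID     = $p.ProcessId
            Image   = $image
            Parent  = $pimage
            Flags   = ($flags -join '; ')
            Command = $cmd
        }
    }
}

$report | Format-Table -AutoSize -Wrap
```

Expect a few benign rows (Task Scheduler launching an updater from AppData, for instance); the useful signal is a dllhost.exe with no /Processid and a rundll32.exe whose command line references a script engine or the registry rather than a DLL on disk.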
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    I also added a HIPS rule to monitor any x86 and x64 Powershell modification to the corresponding dllhost.exe's by Poweliks. What I love is how Poweliks runs Powershell in silent interactive mode to avoid OS detection.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I remember that on my old system, I removed this registry key from my rules (System Safety Monitor), because it was completely useless to monitor it. But malware nowadays try to hijack COM objects, so it suffices to monitor the existing ones, if I'm correct. You can use this tool to see (all?) installed COM objects: http://www.nirsoft.net/utils/shexview.html

    Powershell isn't even allowed to run on my system.
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, that's why I love Process Explorer, a couple of times per day I always check which processes are running. Especially dllhost.exe and rundll32.exe should be closely monitored.
     
    Last edited: Jun 24, 2015
  22. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    @Windows_Security
    Thank you.
    Can you make a topic that explains all of your group policy security setup, like in a screenshot?
     
    Whoa, that is a lot of work (not the pictures, but the explanation). You can find NSA and SANS group policy templates and PDFs with explanations on the web. Don't have the time for that the coming month. Maybe in August.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Here is some info about HawkEye, a quite popular trojan. It's mostly used to capture passwords in order to hack the mail accounts of mostly CEOs and CFOs. This way they can send fake bills to certain departments. Last year hackers managed to steal 216 million dollars worldwide with this simple technique. Of course, a good HIPS/anti-logger would block this.

    http://www.trendmicro.com/cloud-con...lligence/white-papers/wp-piercing-hawkeye.pdf
    http://www.isightpartners.com/2015/06/hawkeye-keylogger-campaigns-affect-multiple-industries/
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,591
    Location:
    U.S.A.
    Nigerians never quit, do they?

    Here's another keylogger targeting businesses in the U.S. A heck of a lot cheaper than Hawkeye: http://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/ .

    Also I would think corporate e-mail servers would be smart enough to detect the MITM incoming e-mail?
     