Comodo: Buffer Overflow attack

Discussion in 'other anti-malware software' started by Yanix, Aug 23, 2009.

Thread Status:
Not open for further replies.
  1. Yanix

    Yanix Registered Member

    Joined:
    Jul 3, 2009
    Posts:
    34
    Location:
    Switzerland
    Hi,

    I was testing Comodo (without AV), to see what it's doing if I run a known infected .exe in installation mode.
    And Comodo showed me an alert that I never saw before:

    [attached screenshot: comodo 2.JPG]

    I didn't know Comodo can block something without prompt.
    Is this new in Comodo 3.10? And a buffer overflow attack, is it really dangerous? o_O
     
  2. Julian

    Julian Registered Member

    Joined:
    Sep 14, 2008
    Posts:
    103
    It means the malware is badly programmed and writes unexpectedly in memory areas in which it shouldn't do this.
    DEP would have "secured" you too.

    The only advantage of CMF is that it can block Ret2Libc buffer overflow attacks for 32 bit processes, it may help against exploits using such attacks (DEP can't).

    It's not a great thing IMO but it's neither bad.
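    To make Julian's point concrete ("writes unexpectedly in memory areas in which it shouldn't"), here is an added example that is not code from Comodo or from anyone in this thread. It models a small stack frame as one flat byte array: a 16-byte name buffer followed by a 4-byte saved word (a constructed stand-in for a saved return address). An unchecked strcpy-style copy of a 20-byte input clobbers that word; a copy with a length check refuses the input and leaves it intact. The frame layout, the `SAVED_WORD` value and the inputs are all constructed for the demo. DEP is not shown here; it would only stop the clobbered word from leading to execution of injected data, not the overwrite itself, which is why a Ret2Libc-style overwrite gets past DEP but not past the bounds check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not Comodo's or the thread's code): a simulated stack frame
 * with a 16-byte buffer followed by a 4-byte saved control word, modelled as
 * one flat byte array so the overrun stays within defined behaviour. */
#define BUF_LEN 16u
#define SLOT_LEN 4u
#define FRAME_LEN (BUF_LEN + SLOT_LEN)

struct frame { uint8_t bytes[FRAME_LEN]; };

/* Constructed placeholder for whatever sits after the buffer (e.g. a saved
 * return address); the value itself is arbitrary. */
static const uint32_t SAVED_WORD = 0x11223344u;

static uint32_t read_slot(const struct frame *f) {
    uint32_t v;
    memcpy(&v, f->bytes + BUF_LEN, SLOT_LEN);
    return v;
}

static void frame_init(struct frame *f) {
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + BUF_LEN, &SAVED_WORD, SLOT_LEN);
}

/* Unchecked copy: the strcpy pattern, stops only at NUL (clamped to the frame
 * so the demo cannot write outside its own array). Returns bytes written. */
static size_t copy_unchecked(struct frame *f, const char *src) {
    size_t i = 0;
    while (src[i] != '\0' && i < FRAME_LEN) {
        f->bytes[i] = (uint8_t)src[i];
        i++;
    }
    if (i < FRAME_LEN) f->bytes[i] = 0;   /* terminator also lands past the buffer for a 16-byte input */
    return i;
}

/* Checked copy: rejects anything that does not fit together with its terminator.
 * Returns 0 on success, -1 when the input was refused. */
static int copy_checked(struct frame *f, const char *src) {
    size_t n = strlen(src);
    if (n >= BUF_LEN) return -1;
    memcpy(f->bytes, src, n + 1);
    return 0;
}

/* 1 if the word after the buffer is untouched, 0 if it was clobbered */
int slot_intact(const struct frame *f) { return read_slot(f) == SAVED_WORD; }

/* Runs one input through both copies; returns 1 when the unchecked copy
 * corrupted the saved word while the checked copy refused the input and
 * left its frame intact, 0 otherwise (e.g. for input that simply fits). */
int unchecked_corrupts_but_checked_holds(const char *input) {
    struct frame a, b;
    frame_init(&a);
    frame_init(&b);
    copy_unchecked(&a, input);
    int refused = copy_checked(&b, input);
    return !slot_intact(&a) && refused == -1 && slot_intact(&b);
}

int main(void) {
    /* Constructed inputs: one that fits, one 20-byte overrun */
    const char *ok = "Yanix";
    const char *long_input = "AAAAAAAAAAAAAAAAAAAA"; /* 20 x 'A' */
    struct frame f;

    frame_init(&f);
    copy_unchecked(&f, ok);
    printf("short input, unchecked copy: slot intact = %d\n", slot_intact(&f));

    frame_init(&f);
    copy_unchecked(&f, long_input);
    printf("20-byte input, unchecked copy: slot now 0x%08x, intact = %d\n",
           read_slot(&f), slot_intact(&f));

    frame_init(&f);
    printf("20-byte input, checked copy refused = %d, intact = %d\n",
           copy_checked(&f, long_input) == -1, slot_intact(&f));
    return 0;
}
```

    Note the 16-byte case: the data fits, but the NUL terminator still lands in the saved word, which is the classic off-by-one that a `>=` check (rather than `>`) catches.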
     
  3. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Or the malware is trying buffer overflow to gain access to the system. Once access is gained, will try to allow trojans to be downloaded and rootkit to be installed.

    to the OP: Since you are testing your defences, I assume you are doing this under a virtual machine or using a light virtualizer, or you have image backups and bootable rescue CDs/floppies. Why not try to allow the malware to proceed, i.e. on that Comodo prompt you choose skip instead of terminate, and see what will happen next? Will there be another HIPS prompt that it is trying to download something (more malware) or install a rootkit or load a driver or terminate your security processes or install a global hook or log keystrokes or modify the registry or modify memory of other processes, or will it try to do low-level disk access and mess up your MBR or boot sectors (if the latter is the next prompt, I suggest terminating the testing immediately)? Killdisk-like malware is a big headache. He he

    And since you are asking if buffer overflow is dangerous, I assume that you don't have those prerequisites mentioned and then quit testing malwares and re-education is in order first before experimenting further.
     
    Last edited: Aug 23, 2009
  4. Julian

    Julian Registered Member

    Joined:
    Sep 14, 2008
    Posts:
    103
    Can you please explain this? I think you must be mistaken.
    AFAIK buffer overflows can only be used to execute additional code. Of course this code can modify other processes etc. This code belongs to the exploited application's process, which can still be controlled, so BO doesn't mean death.
     
  5. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Exactly as you put it. The end result will be "to gain access to the system". Rmus has several threads and posts how BO does that. He clearly demonstrated a default-deny policy such as AE or HIPs or LUA-SRP can mitigate further attacks. No need for any esoteric buffer overflow protections. He's still searching for buffer overflow exploits used in the wild by malwares that do otherwise other than the shellcode's functionality which is to download and execute. So you are right that the prompt the OP has could just be the result of poor coding where this particular malware is doing some memory violations. Sorry to you and the OP, for I have become part of the confusion instead of the solution. To make amends, here is a nice read...

    https://www.wilderssecurity.com/showthread.php?t=244430&highlight=buffer overflow
     
    Last edited: Aug 23, 2009
  6. Julian

    Julian Registered Member

    Joined:
    Sep 14, 2008
    Posts:
    103
    Sorry, I got you a bit wrong. Thanks for the warm reply :thumb:
     