Comodo Defence Plus Bypassed by Zeroaccess rootkit

Discussion in 'other anti-malware software' started by aigle, Dec 4, 2011.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    The test strategy is very much valid. Defence Plus and the sandbox are there to catch anything that is not detected by the AV. I just test this aspect of CIS.

    I don't care for the AV, so I turn it off (just assume that the sample was zero-day for the AV). All other settings are default. And I do test with maximum paranoid settings too, which are actually the settings I use to protect my PC.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    Sent to a member there.
     
  3. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    I suspect that sandbox enabled weakens Defense+, also in Paranoid Mode with restricted settings. I think that there is some interference.
     
  4. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    I think the sandbox will weaken D+,
    because Comodo made it disabled by default in v5.8.

    also really disappointed by OA
     
  5. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    Just curious why you think DefenseWall and/or Sandboxie would fail at this?
     
  6. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    Strange, indeed!

    Based on MGR Tests, DW has passed all those 0-day rootkit samples with flying colors [either TDSS or ZeroAccess], so like you I'm just wondering why DW would not pass this ZeroAccess rootkit test? [Unless you purposely disabled DW HIPS while testing ZeroAccess, or the rootkit .exe file was already on the computer, sitting on the desktop as a "trusted app" before DW was installed, and then you executed it].


    Thanks.
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    DW will for sure nail this little bugger in real time :thumb:
     
  8. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    +1
    I can't actually recall either DW or SBIE being bypassed by anything similar to this, without the user deliberately circumventing their protection :doubt:
     
  9. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    If the member could do something... it'll be OK.
    But it is always better to send it to the virus team for analysis.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    Sorry, for DW and SBIE it was a typing mistake. I wanted to say there is no reason for them to NOT pass the test.
     
  11. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    Now I understand. :D
     
  12. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    Could we test this against the BZ 4 RC?
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    Knew it :D :thumb:
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    OA bypassed, no pop-up at all - confirmed.
    AppGuard, default settings, high: passed :thumb:
     
    Last edited: Dec 9, 2011
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    Did you run it from a link, or just download the file and then run it? Did you use the default config? Did you use Run Safer, or did you set any unknown or untrusted files to Run Safer? How did you configure OA? Was it OA++, Premium or the Free version?
    Also, what config did you use for AppGuard? Lockdown mode, or what? Thanks for testing.
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    I set up to simulate a drive-by download to force the files into my Temp directory.

    Using Faronics AE v.2, the files cannot get onto disk, so cannot run:

    installlflashplayer.gif

    msimgdll.gif

    ----
    rich
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    OA free default settings after config wizard and scan.

    Executed them from a desktop folder.

    AG default.
     
  18. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    Hi aigle,

    Unfortunately I am unable to confirm your findings. OA Free blocks the ZeroAccess variant abusing the signed Flash installer just fine on Windows XP and Windows 7 x64:

    oa_free_blocking_zeroaccess.png

    I recorded the session on Windows XP and you can download it here (best viewed using VLC):

    http://tmp.emsisoft.com/fw/videos/ZeroAccessTest.rar

    Would you mind repeating the test with Debug Mode enabled? That way we may be able to see why it is able to bypass OA on your test system but not on ours.

    Thanks.
     
    Last edited: Dec 8, 2011
  19. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    Wow, that was a fast response, Fabian. Good to know you're lurking on the forums :D
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    @Rmus, aigle and Fabian Wosar, thanks for testing :thumb: :thumb:
     
  21. mrpink

    mrpink Registered Member

    Joined:
    Mar 29, 2010
    Posts:
    407
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    A little off topic: MPC-HC and PotPlayer could not render the file. Only VLC seems to have VMware's video codec built in.
     
  22. Barthez

    Barthez Registered Member

    Joined:
    Apr 28, 2010
    Posts:
    113
    Location:
    Poland
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    You can download the VMnc codec from the official website if you wish. It will allow you to view the file.

    I re-encoded this video to XviD for those who don't wish to install any additional codecs :)
    http://www.mediafire.com/?aau5jz5p32dno1b (~8MB)

    From the video it looks like the bug is essentially on Adobe's side, since it first loads .dlls from its own directory instead of those installed in the system, right?
     
  23. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    What effect does this malware have on the system? I mean, what do you suffer after being infected with this? And why would someone who knows how to use a HIPS install the Flash Player with a suspicious DLL file?
     
    Last edited: Dec 8, 2011
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Re: Comodo Defence Plus Bypassed by Zeroaccess rootkit

    Just hit block, there is enough info.
     
  25. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris