DFK-threat-simulator-v2 - Claims made about PG's capabilities

Hi there

I have just come across the following link:

http://www.morgud.com/interests/security/dfk-threat-simulator-v2.asp

which describes "the DFK Threat Simulator was created. Bundling a de-clawed collection of dropper, rootkit, exploit, virus, trojan, spyware, keylogger, leaktest, process termination, action automation, and alternate data stream technology...". Now whilst only a simulator it makes claims about being able to get around most security applications but makes the following (and concerning) claims about PG specifically:

"ProcessGuard is especially vulnerable because once the "pgaccount.exe" file is replaced with the dummy placeholder, ProcessGuard will allow any new process without prompting but will appear to be functioning normally! The only thing worse that no security is the illusion of security. In addition, ProcessGuard will protect the new dummy placeholder executable as its own and not allow it to be terminated."

I was wondering anyone out there, especially Wayne, had any thoughts about this claim?

 

it's discussed here :
https://www.wilderssecurity.com/showthread.php?t=150046

still no dev response though.

 

I haven't studied it or ran any tests but the article itself says that the technique used to shut down the security suites is not entirely reliable. They even annotated that ProcessGuard is not shut down by a Power User. Correct me if I'm wrong but isn't the interface lock and secure message handling there to block such methods of attack?

What you quoted looks like the next step, presumably after it has been disabled.

 

In evaluating threats, one should always consider 1) how such a threat can get into your computer, and 2) the liklihood that this would happen.

Recently, I've spoken with several System Administrators and all agree that the most common entry point of malware is still the victim being tricked.

And so from the article:

How many of you would have double-clicked?

The System Adminstrators told me that the lowering of malware attacks in their institutions has resulted from users adhering to strict protocols.

Also, they stressed, the workstations on their networks have both restore and image programs in place which mitigate the damage in case of a mishap.

And so:

At the institutions to which I refer, at this point a simple reboot would restore the system to its previous good state.

Not to downplay the implications of this test for PG, it's becoming pretty well accepted that all software has vulnerabilities. Understanding how malware gets installed, and having safeguards in place (including well-thought-out and followed protocols, is the best defense.

-rich


________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."

--Bruce Schneier​

 

There are two attacks described in that article.

1) Simulate mouse clicks. The Malware controls your mouse and clicks to turn off your protection.

This one is fairly easily to handle, some form of password protection when changing options or turning on/off will stop this. In PG, locking the interface will defend against it.

Also the pre-programmed mouse click assumes a certain screen layout, so having different resolution sizes, taskbar at some other position than at the bottom will mess up the mouse clicks.


2) Replacement attacks. The malware renames the HIPS files and drops a dummy placeholder file, which will kill the program.

This one seems to work against any HIPS that does not have some form of file or directory access control. PG seems to be particularly problematic because replacing pgaccount does not shut down PG, but makes it totally useless.

A quirk of PG I think because PG requires admin rights??

Interface lock will protect against simulated mouse clicks. SMH works only against "Windows messages" I believe. Replacement attacks might be outside the area of responsibility of PG.

 

Yeah but we are paranoid. .

The scenario described is interesting though.

This points out one of the problems about googling...

 

Hello,
That dude Morgud is meticulous.
Mrk

 

Did anyone actually run it?

1) It won't even run without the Internet Explorer ActiveX Flash Player control installed. An oversight by the author I'm sure, but lol...

2) With just execution protection enabled, and the drop files blocked, the program does nothing whatsoever.

3) As long as ProcessGuard was enabled, and not in learning mode, it was not killed. It tried to kill ProcessGuard with winmgmt.exe, but winmgmt.exe has no Termination by default (at least not in 3.41).

I was expecting the worse and was disappointed. It does wreck havoc but ProcessGuard, and protected processes, aren't replaced, modified, nor killed...

 

Don't count on screen size being necessary for preprogramed mouse clicks to work - see AutoIt3 for a scripting language that will click control IDs vs specific movement of the mouse.

 

Hi,

So if Judy used NOD32, the email would have been scanned, would she still been infected?

Take Care
rico

 

A zero-day exploit would not be recognised by any virus scanner initially (until the AV companies added a signature for it) - the threat simulator is therefore more a test of non-signature-based security software (network and system firewalls), and a worst-case scenario for users.

 

I agree that DCS should address this even if it is just letting us know that PG is not intended to monitor its files/directories. Also Maybe DCS is busy writing a proper response for the users... I'm pretty sure it's just around the corner.

Thanks,

Chris

 

What do they need to address? If people are buying PG to leave the protection disabled there are other issues at hand.

 

They need to address the problem or not. It would be nice to know if PG is still being actively developed and how. Users can either be kind and support the authors for a while longer or look elsewhere.

Since business is business it may be good to look elsewhere. People are paying for protection and so we should not be sentimental towards a company like I try to be.

I can't say I have experienced this attack, but protection should move forward just as malware does.

In this case, theoretical vulnerabilities should be patched before they are exploited in reality or on a wide scale. This is the whole idea of protection. You should attempt to be safe guarded at all times; otherwise, you may not be protected. This is obvious.

Best regards,
Lee

 

True. All I'm saying is this thread, and the several repetitions of it, are full of crap. I posted my observations after I ran it. You literally have to disable PG (or give winmgmt.exe termination) for it to overwrite the files. PG was protected by default. I don't see the point of everyone getting worked up over it if they aren't even going to try it.

 

Yes, see above post for my comment.. totally agreed.