DFK-threat-simulator-v2 - Claims made about PG's capabilities

Discussion in 'ProcessGuard' started by Baldrick, Oct 14, 2006.

Thread Status:
Not open for further replies.
  1. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,299
    Location:
    South Wales, UK
    Hi there

    I have just come across the following link:

    http://www.morgud.com/interests/security/dfk-threat-simulator-v2.asp

    which describes "the DFK Threat Simulator was created. Bundling a de-clawed collection of dropper, rootkit, exploit, virus, trojan, spyware, keylogger, leaktest, process termination, action automation, and alternate data stream technology...". Now, whilst only a simulator, it makes claims about being able to get around most security applications, but makes the following (and concerning) claims about PG specifically:

    "ProcessGuard is especially vulnerable because once the "pgaccount.exe" file is replaced with the dummy placeholder, ProcessGuard will allow any new process without prompting but will appear to be functioning normally! The only thing worse than no security is the illusion of security. In addition, ProcessGuard will protect the new dummy placeholder executable as its own and not allow it to be terminated."

    I was wondering if anyone out there, especially Wayne, had any thoughts about this claim o_O?
     
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
  3. farad

    farad Registered Member

    Joined:
    Sep 24, 2006
    Posts:
    11
    I haven't studied it or run any tests, but the article itself says that the technique used to shut down the security suites is not entirely reliable. They even annotated that ProcessGuard is not shut down by a Power User. Correct me if I'm wrong, but isn't the interface lock and secure message handling there to block such methods of attack?

    What you quoted looks like the next step, presumably after it has been disabled.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    In evaluating threats, one should always consider 1) how such a threat can get into your computer, and 2) the likelihood that this would happen.

    Recently, I've spoken with several System Administrators and all agree that the most common entry point of malware is still the victim being tricked.

    And so from the article:
    How many of you would have double-clicked?

    The System Administrators told me that the lowering of malware attacks in their institutions has resulted from users adhering to strict protocols.

    Also, they stressed, the workstations on their networks have both restore and image programs in place which mitigate the damage in case of a mishap.

    And so:

    At the institutions to which I refer, at this point a simple reboot would restore the system to its previous good state.

    Not to downplay the implications of this test for PG, it's becoming pretty well accepted that all software has vulnerabilities. Understanding how malware gets installed, and having safeguards in place (including well-thought-out and followed protocols), is the best defense.

    -rich


    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  5. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    There are two attacks described in that article.

    1) Simulate mouse clicks. The Malware controls your mouse and clicks to turn off your protection.

    This one is fairly easy to handle; some form of password protection when changing options or turning on/off will stop this. In PG, locking the interface will defend against it.

    Also, the pre-programmed mouse click assumes a certain screen layout, so having a different resolution, or the taskbar in some position other than the bottom, will mess up the mouse clicks.


    2) Replacement attacks. The malware renames the HIPS files and drops a dummy placeholder file, which will kill the program.

    This one seems to work against any HIPS that does not have some form of file or directory access control. PG seems to be particularly problematic because replacing pgaccount does not shut down PG, but makes it totally useless.


    A quirk of PG, I think, because PG requires admin rights?

    Interface lock will protect against simulated mouse clicks. SMH works only against "Windows messages" I believe. Replacement attacks might be outside the area of responsibility of PG.
     
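    The replacement attack described in the post above (the product's own executable renamed aside and a dummy dropped in its place) is the kind of change a file-integrity baseline catches even when the HIPS itself keeps running and looks healthy. The following is an added example, not code from the thread or from DiamondCS; the file name pgaccount.exe comes from the posts, while the file contents and temporary directory are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record size and SHA-256 of every file the security product depends on."""
    return {str(p): {"size": p.stat().st_size, "sha256": sha256_file(p)} for p in paths}


def verify_baseline(baseline):
    """Return {path: 'ok' | 'missing' | 'modified'} for each baselined file."""
    report = {}
    for name, rec in baseline.items():
        p = Path(name)
        if not p.exists():
            report[name] = "missing"
        elif p.stat().st_size != rec["size"] or sha256_file(p) != rec["sha256"]:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


def demo():
    """Constructed scenario: a stand-in pgaccount.exe is swapped for a dummy placeholder."""
    with tempfile.TemporaryDirectory() as d:
        pg = Path(d) / "pgaccount.exe"
        pg.write_bytes(b"MZ-constructed-genuine-binary")  # constructed, not the real file
        baseline = build_baseline([pg])
        before = verify_baseline(baseline)[str(pg)]
        # Reproduce the replacement step from the thread: the original is renamed
        # aside and a placeholder is dropped under the original name.
        pg.rename(Path(d) / "pgaccount.exe.old")
        pg.write_bytes(b"MZ-dummy-placeholder")
        after = verify_baseline(baseline)[str(pg)]
        return before, after


if __name__ == "__main__":
    print(demo())
```

    The baseline has to live somewhere the same malware cannot overwrite (a read-only location or another host), otherwise it can simply be re-baselined along with the files; a check like this detects the swap after the fact and does not replace the file or directory access control the post says the vulnerable HIPS lack.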
  6. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    Yeah but we are paranoid. :D.

    The scenario described is interesting though.

    This points out one of the problems about googling...
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    That dude Morgud is meticulous.
    Mrk
     
  8. farad

    farad Registered Member

    Joined:
    Sep 24, 2006
    Posts:
    11
    Did anyone actually run it?

    1) It won't even run without the Internet Explorer ActiveX Flash Player control installed. An oversight by the author I'm sure, but lol...

    2) With just execution protection enabled, and the drop files blocked, the program does nothing whatsoever.

    3) As long as ProcessGuard was enabled, and not in learning mode, it was not killed. It tried to kill ProcessGuard with winmgmt.exe, but winmgmt.exe has no Termination by default (at least not in 3.41).

    I was expecting the worst and was disappointed. It does wreak havoc, but ProcessGuard, and protected processes, aren't replaced, modified, or killed...
     
  9. jp10558

    jp10558 Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    27
    Don't count on screen size being necessary for pre-programmed mouse clicks to work - see AutoIt3 for a scripting language that will click control IDs vs. specific movement of the mouse.
     
  10. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,693
    Location:
    Texas
    Hi,

    So if Judy used NOD32, the email would have been scanned; would she still have been infected?

    Take Care
    rico
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    A zero-day exploit would not be recognised by any virus scanner initially (until the AV companies added a signature for it) - the threat simulator is therefore more a test of non-signature-based security software (network and system firewalls), and a worst-case scenario for users.
     
  12. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    I agree that DCS should address this, even if it is just letting us know that PG is not intended to monitor its files/directories. Also, maybe DCS is busy writing a proper response for the users... I'm pretty sure it's just around the corner.

    Thanks,

    Chris
     
  13. farad

    farad Registered Member

    Joined:
    Sep 24, 2006
    Posts:
    11
    What do they need to address? If people are buying PG to leave the protection disabled there are other issues at hand.
     
  14. LeeH

    LeeH Registered Member

    Joined:
    Mar 6, 2005
    Posts:
    25
    Location:
    West London, UK
    They need to address the problem or not. It would be nice to know if PG is still being actively developed and how. Users can either be kind and support the authors for a while longer or look elsewhere.

    Since business is business it may be good to look elsewhere. People are paying for protection and so we should not be sentimental towards a company like I try to be.

    I can't say I have experienced this attack, but protection should move forward just as malware does.

    In this case, theoretical vulnerabilities should be patched before they are exploited in reality or on a wide scale. This is the whole idea of protection. You should attempt to be safeguarded at all times; otherwise, you may not be protected. This is obvious.

    Best regards,
    Lee
     
    Last edited: Nov 9, 2006
  15. farad

    farad Registered Member

    Joined:
    Sep 24, 2006
    Posts:
    11
    True. All I'm saying is this thread, and the several repetitions of it, are full of crap. I posted my observations after I ran it. You literally have to disable PG (or give winmgmt.exe termination) for it to overwrite the files. PG was protected by default. I don't see the point of everyone getting worked up over it if they aren't even going to try it.
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yes, see above post for my comment.. totally agreed.
     