Disillusionment at rootkit defense - the eternal search

Discussion in 'other firewalls' started by underdog, Aug 15, 2009.

Thread Status:
Not open for further replies.
  1. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    for ages, i have been looking for something that seems to be so simple, yet eludes me. i'm looking for a hips. there are plenty out there, but none that are able to meet these simple criteria:

    1. it must be actively developed.
    2. it must be able to stop rootkits by preventing the loading of drivers.
    3. it must allow me to turn off certain features in the hips like prompting me when i execute every single file, or the loading of dlls. (in other words, turn off behavior filtering for all applications, even ones for which there are no rules yet, instead of just specific applications)
    4. it must not SEVERELY lag my computer.
    5. it must not have a whitelist i cannot control
    6. it must be reasonably good at stopping keyloggers.
    7. it must be able to distinguish between system processes and untrusted processes when filtering behavior.

    aren't these criteria reasonable and simple? i basically just want a hips that can stop keyloggers, rootkits, and works!

    here is why all of the top programs listed at matousec don't work for me :(:
    online armor violates #3. i have to answer huge numbers of prompts because i have to give permission for every type of behavior or at least set behavior for every individual program.

    kaspersky violates #5. it has a whitelist that i have no control over, according to a moderator at kaspersky's forums. proof? try zemana's anti keylogger test with kaspersky on. kaspersky won't even alert you to its presence.

    comodo fails #2 and possibly #5. comodo creates "custom policy" rules that i never allowed for all programs for which there is no rule at startup. furthermore, it fails to detect the loading of many drivers that even eq secure 3.41 can detect. i had to severely tweak the registry protection component of comodo. i don't know if protecting specific parts of the registry can stop driver loading, but it sure doesn't save me the trouble of clicking on millions of popups. those areas of the registry are so broad that even legitimate applications have plenty of reason to access them. so, the only question left is, should i just allow all applications to access the registry? or should i waste most of my life just answering popups? legitimate applications like services.exe don't even know if they're being called by legitimate installers or rogue installers, do they?

    outpost fails #4. it uses nearly 300 kb/sec of I/O. this constant and pointless access to my hard drive both wears it down faster and slows down everything to a crawl.

    jetico fails most of the keylogger tests.

    malwaredefender violates #7. according to notes at the bottom of the matousec report, it passes the kernel2 test by claiming that services.exe is the source process. thus, it fails to distinguish between trusted and untrusted processes.

    privatefirewall fails #3 miserably. there is absolutely no ability to disable specific filters for all applications as opposed to just specific applications.

    pc tools firewall violates #4 and #6. it not only freezes my computer whenever i right click on an icon, but fails most of the keylogger tests.

    netchina: has anybody managed to get the pdf file for netchina? i couldn't get it to open, so i don't know the results at all.

    i can't even install zonealarm pro, but if i could, it's an inadequate hips. it failed nearly half of the keylogger tests (#6) and just about every kernel test (#2).

    lavasoft personal firewall: fails all but one keylogger test (#6).

    norton internet security: fails all the kernel tests (#2).

    webroot desktop firewall: fails 4 out of 6 keylogger tests (#6).

    (the firewalls below this one received a rating below that of "poor", according to matousec. :( )

    threatfire fails #3 and gives me absolutely no control over applications in general. furthermore, unless i agree to share my settings with everyone else, my automatic updates are disabled. the alternative is to pay money.

    eset smart security was not meant to be a hips. it's just a scanner and an inbound/outbound firewall.

    =====

    there are other hips i have tried. process guard is obsolete and no longer being developed. eq secure 3.41 is obsolete and no longer being developed. the same is true for ssm.

    i grow weary of this game. all i want is to enjoy a computer safely. yet, i cannot even protect myself against the biggest threats to privacy that exist on the internet. what is spyware that pops up ads when your keystrokes could be recorded without your knowledge by a kernel level keylogger hidden by a rootkit? what is a virus that destroys some data i already backed up next to a hidden process that remains forever hidden? nothing!

    i have become completely disillusioned with computers. does anybody else feel this way? i've just about lost all hope. i used to use a combination of snoopfree and eq secure, but snoopfree is no longer being developed and doesn't protect users from kernel mode keyloggers anyways. hook based keyloggers are hardly the only threat these days.
     
    Last edited: Aug 16, 2009
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I would also be disillusioned with computers in trying to keep up with matousec's tests!

    First, they assume that some rootkit, keylogger, etc somehow gets installed on your computer, and then need to be nullified from doing any damage by this or that product.

    I would back up and ask myself: How can this junk get installed in the first place?

    That is, What are the ways you fear that these things can get onto your computer?

    -rich
     
  3. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    well, i would actually be happy if the rootkit doesn't get installed at all. but even preventing this seems to be a lost cause if the .exe file is allowed to run. but to block all .exe files from running creates serious headaches.

    the keylogger/rootkit might get to your computer as part of an attachment from someone you thought was a friend. it's probably common sense by now not to run any executable files, but what if the attachment was just a picture? it would seem reasonable to open a picture from someone you know, wouldn't it? if the picture had any malicious code in it that was allowed to run, it would leave a huge mess to clean up. yet, not opening any pictures at all would seem extreme. meanwhile, there are constant threats from even everyday sites you surf to. suppose there was malicious javascript on one that caused a buffer overflow and ran an .exe file which then tried to install a driver? i would certainly like to be able to stop that driver.

    these are just examples of how it could happen, but there are plenty of others too. once you do get something malicious, there is almost no hope. if you got a bios rootkit for example, you would be in for one heck of a headache. flashing the bios isn't a trivial task either. one bad flash and you could end up with a useless computer.

    i think the disillusionment arises in part from the fact that the more you learn about these things, the more you realize that you are completely unsafe and that technology is a double edged sword. every time i run a scanner to search for rootkits that might already have been installed, i feel like i'm doing damage control instead of preventing the threat from doing any damage in the first place. this is why i am looking for a hips. for years i have looked for one, and for years i have failed. the search goes on.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Which browser do you use?

    -rich
     
  5. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    firefox with noscript, but certain sites need to be allowed to function properly. i don't sandbox all the time; only when visiting potentially dangerous sites. if anything gets through, i basically have to hope my hips can stop it (if i even have a hips that is). as long as i can stop drivers, i figure i can stop rootkits, and so eventually everything that is not hidden will be picked up by one of my scanners.

    oh yeah, i also have keyscrambler, but the free version only works on browsers (even the paid version doesn't cover all programs). all my other windows are vulnerable unless i have another way to stop keyloggers. keyscrambler also does not protect against screen captures and such. snoopfree does this, but on my system it constantly gets errors on initialization. even if i could get snoopfree to work properly, it doesn't protect against kernel level keyloggers, and it's no longer updated, which means it won't work properly on vista or windows 7. i could get zemana antilogger, but that only protects against surveillance software and not rootkits in general. i'd much rather kill 2 birds with one stone. the best way to do this seems to be with a hips.
     
    Last edited: Aug 16, 2009
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, so you know about browser security. You suggest that possibly you could be compromised on a site.

    First: I've just now caught up reading some threads in this forum, and I see that many have made good suggestions. Joe's Post #6 in your Rootkit Defense thread suggests the simplest solution: Default-Deny all unauthorized executables from running.

    You argue that this would be inconvenient, since you install a lot of stuff. Actually, it's very easy, using Anti-Executable that Joe mentions, to click the icon in the Sys Tray, turn off AE, install your stuff, turn on AE. AE adds your new program to its White List.

    Otherwise, nothing gets in w/o your permission. Let's use your example:

    Why not stop the EXE file from running in the first place?

    The recent PDF exploits start with Javascript triggering loading a malicious PDF file into the browser. Code inside the PDF file exploits a buffer overflow vulnerability in the PDF Reader, then calls out to a server to download a malicious executable.

    By the way, load.exe is a keylogger:

    If you handle exploits at the gate -- deny their entrance -- you don't have to worry about what may or may not happen if they install. You'll lose less sleep not worrying about matousec's latest test.

    -rich
     
  7. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    how about new programs that you are testing out? executable files that you knowingly and willingly execute? there is sometimes no way to tell if it is safe to run that file before you do it, but it is important enough to you that you might want to risk running it anyways.

    there's also programs that you want to use, but certain aspects of which you might want to exclude. the only way to do this is with a behavior blocker that blocks only specific aspects of the program.

    what if you click the wrong link, thinking you downloaded something that you intended to download? i think the demand for a hips stems from the fact that in an imperfect world, there needs to be a way to distinguish between safe behavior and unsafe behavior when choosing to not run the executable is not a viable option.

    i'm not looking for 100% security. i've already accepted that it isn't possible. all i'm looking for is reasonable security against the most serious threats. i've always believed in layered defense. i'm not saying your suggestions aren't good. in fact, i think they are great. but it is always possible to do both your suggestion and have an extra layer ;) the two are not mutually exclusive.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I understand, and hope you find what you are looking for!

    -rich
     
  9. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
  10. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    thanks for the suggestion! that's certainly one program i will be keeping my eye on for the future. right now, it's still in beta stages, and as such, " 'several hooks for keyloggers and other monitoring applications' are not included in this beta-release", according to Julia, a malware analyst on their forums. specific examples include the tests on zemana's site. in the future, this might well be the only hips needed. for now though, i must find something else to plug a hole in my defense :D
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    U will not find ur ideal. Get a HIPS that is near to ur ideal and add a sandbox. That must be enough unless u think that rootkit developers are behind u specifically.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Your posted requirements for this "ideal" HIPS are basically impossible for a vendor to meet.
    During the install process, your system is at its most vulnerable. This is not the time to turn off alerts for new processes. It will be a new/unknown/altered process that installs the rootkit or malicious code.
    Not completely possible. Part of a HIPS function is verifying the identity or integrity of the executables. That would require the HIPS to have digital signatures for all versions of all the system executables for each OS version the HIPS works with. Windows updates often replace executables, which will make them unknown to the HIPS. The HIPS vendors don't get the new files any sooner than we do, so there's no way they can include them in a whitelist. Malware has often used the names of legitimate system files so they can't just trust files with system file names.

    You can't completely eliminate the risk of a rootkit or other infection without blocking the execution of all new and/or unknown installers and executable files. About the best that you can do is to block these unknowns during normal, non-administrative operations and set up a specific policy for handling new executables and installers. Use test systems (virtual and/or real) the first time you try out an unknown. Making a full system backup before installing or running a new/unknown executable makes it possible to undo any damage that may be done. Upload the new file to VT and let all of the scanners have a look at it. Monitor the entire install process and the first run of the new software. Do not silence your security apps or lower any of your defenses at this time. Forget about Matousec and his leaktests. There are too many variables they can't account for, and they are based on the idea that the user is allowing that malicious code to execute.

    If you install or test a lot of executables, you should have a separate system for that purpose.
     
  13. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Last edited: Aug 16, 2009
  14. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Quote. So do I
     
  15. Mihail Fradkov

    Mihail Fradkov Registered Member

    Joined:
    Apr 12, 2008
    Posts:
    93
    Location:
    St. Petersburg, Russia
    Julia wrote this about v0.8 Beta (and it was a known issue).
    You can easily use v1.1 Beta; one of the changes is improved anti-keylogger (and mouse grabber) protection. :cool:
     
  16. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    i quote myself
    https://www.wilderssecurity.com/showthread.php?p=1523969#post1523969
    you never get 100% security!
    you should never give away all control to any software which you don't
    understand or configure right. you showed me in your other topic.

    matousec is a good hint if you can work with his results - but he does not
    differentiate between suites and firewall-only products. so the suites rock and the rest don't.
    it depends on what someone needs.

    xyz "fails" - did you perform the tests yourself or just read matousec?
    you should consider that matousec doesn't have the latest builds.
    you should consider that matousec does not use any combination of av-engine
    and firewall/hips together.

    first - av-engines warn on malware in most cases when they come in.
    HIPS defends inter-action - and firewall in-outbound action.
    good security is a combination of all - NOT ONE like matousec would like to
    make us believe.

    if you feel scared about internet and bad people - TURN OFF or cut line
    http://www.pkelektronik.com/productPics_big/9516165.jpg

    >> sandbox

    Sandboxes like Sandboxie can't prevent sending data outside from the host system
    if internet is not blocked - but they can prevent intrusions on the host.
    Do not use sensitive data when you cannot work with it safely.
    Then a VM with non-sensitive data is the better way.
     
  17. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    This is the reason why we talk about " multi layer defense " - under a hardware firewall naturally. You want more ? Get a BSD distribution, set it up by yourself, use something like this : http://www.dd-wrt.com/dd-wrtv3/index.php and more... use a second pc Linux based as another fw/dmz... :D
     
  18. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    eq secure was "ideal", but version 3.41 is obsolete now and is missing a lot. even a small hole in your defenses could be fatal when you're dealing with the most dangerous threat.

    here, you were referring to requirement #3. actually, quite a few vendors have already met this requirement. outpost firewall, CIS, and eq secure all allow you to turn off some, but not all filters in the hips. the problem is that these products suffer from other flaws that are equally serious, not that requirement #3 is impossible to meet.

    this is already entirely possible. just take a look at zonealarm pro, for example. they have hashes for all known "safe" files and if files change, they can easily provide updates through an internet connection, much like a virus database does. it is true that hips companies don't get the files any sooner than we do. but all this means is that we won't immediately have information about the newer executables, and that we should make our own decisions in such situations. but in order to make that decision, i must first know that a change has occurred in the first place. unfortunately, this just isn't happening.

    by the way, a hash check isn't what i meant. all i meant is that services.exe for example must be able to allow some drivers to load and prevent others from loading. very simple, but outpost firewall can't, for example.

    i already stated above that i recognized 100% protection wasn't possible. all i wanted was reasonable protection against rootkits and keyloggers. but failing 80% of keylogger tests or kernel tests certainly doesn't make me very comfortable about spending money on a product. playing with virtual machines takes up a huge amount of time that some users might not have. the requirements i listed are not "ideal" in the sense that at least a few vendors have already implemented every single one. i did not pull them out of thin air. if anything, my desire to have #3 indicates that i am not so paranoid that i wish to be told about everything; i only wish to know about the most dangerous of activities; namely keylogging and driver detection to protect against rootkits. is this truly so unreasonable? a hips is essentially an anti rootkit. if it can't even perform its most basic function, then what good is it?

    a NAT capable router is already essentially a hardware firewall. i have one. linux is as vulnerable to rootkits as windows is. what good is a hardware firewall against an internal threat? "more" is not necessarily better. what i seek is not quantity, but quality.
     
    Last edited: Aug 16, 2009
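The default-deny approach Rmus recommends (post #6), the executable-identity problem noone_particular raises (post #12), and underdog's point in post #18 that the user at least needs to know when a known file has changed all come down to the same mechanism: keep a hash of every approved executable and treat anything else as unknown. The following is an added example that is not code from this thread or from any product named in it. It uses SHA-256 over constructed files in a temporary directory; the function names, the three verdict strings and the sample file names are this example's own assumptions.

```python
"""Hash-based default-deny allowlist for executables (added example).

Models the approach discussed in the thread: the user approves executables
explicitly, the checker records their SHA-256, anything unknown is denied by
default, and a known path whose hash no longer matches is reported as
"changed" so the user learns about the change before deciding what to do.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Verdicts the checker returns (names are this example's own).
ALLOWED = "allowed"   # path known and hash matches the allowlist entry
CHANGED = "changed"   # path known but file content differs from the entry
UNKNOWN = "unknown"   # path never approved: default-deny


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(paths):
    """Record the hash of every executable the user has explicitly approved."""
    return {os.fspath(p): sha256_file(p) for p in paths}


def classify(path, allowlist):
    """Default-deny decision for one executable."""
    expected = allowlist.get(os.fspath(path))
    if expected is None:
        return UNKNOWN
    return ALLOWED if sha256_file(path) == expected else CHANGED


def update_after_approval(path, allowlist):
    """Re-hash a file once the user has verified it (e.g. after a vendor update)."""
    allowlist[os.fspath(path)] = sha256_file(path)


def demo():
    """Constructed scenario: approve two files, then replace one and drop a new one.

    Returns the four verdicts in order: before the change, after the change,
    for the never-approved file, and after the user re-approves the changed file.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        notepad = root / "notepad.exe"      # constructed stand-in for a known program
        services = root / "services.exe"    # constructed stand-in for a system binary
        notepad.write_bytes(b"MZ constructed notepad image")
        services.write_bytes(b"MZ constructed services image")
        allowlist = build_allowlist([notepad, services])

        before = classify(services, allowlist)
        # Simulate the case the thread worries about: a system binary replaced in place.
        services.write_bytes(b"MZ constructed replaced services image")
        after = classify(services, allowlist)
        # A never-approved executable dropped beside them is denied by default.
        newcomer = root / "unknown_download.exe"
        newcomer.write_bytes(b"MZ constructed unknown executable")
        unknown = classify(newcomer, allowlist)
        # Once the user has checked the updated file, its new hash becomes the baseline.
        update_after_approval(services, allowlist)
        reapproved = classify(services, allowlist)
        return before, after, unknown, reapproved


if __name__ == "__main__":
    print(demo())
```

The point of the three-way verdict is the one underdog makes: a plain allow/deny answer hides the difference between "never seen" and "seen before, but different", and it is the second case that a replaced services.exe produces.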
  19. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Untick checkmarks pointed by arrows in pictures and you will be prompted for ALL applications except from MS which have hardcoded exceptions by default.

    [attachment: 16.8.png]

    [attachment: 16.81.png]
     
  20. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    how did you get your hands on kaspersky 2010? i only see 2009 for sale. by the way, i'm ok with known safe applications being given exceptions, but there is one situation i'm worried about: a rogue application using a system application to deliver its driver. what's so unusual about services.exe installing a driver, right? also, can kaspersky tell if a legitimate application is replaced?
     
  21. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    You can purchase 2009 keys; they will work for 2010 as well, then you can download from this site.
    Here are all the APIs protected by Kaspersky on XP; I think it covers the things you mentioned, installing drivers as well...

    [attachment: 16.8.png]

    [attachment: 16.81.png]

    yes it can; it has an installed application list, created automatically, which is monitored by the "protected application" part of the HIPS...

    [attachment: 16.82.png]
     
    Last edited: Aug 16, 2009
  22. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    yea, kaspersky actually does have everything; it's just the whitelist that i'm concerned about. even microsoft applications aren't necessarily safe because they can be used in certain situations to do damage. are you sure the whitelist can't be turned off?
     
  23. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Used by whom or what? Any decent HIPS will question this use by another untrusted process/application.
    So you are safe...

    Cheers,
    Fax
     
  24. underdog

    underdog Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    26
    all right. do you know what particular prompt will be raised? the less prompts, the better, as long as it doesn't compromise security :) i will probably have a few options disabled.
     
    Last edited: Aug 16, 2009
  25. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Every newly started executable (exe, dll, bat..etc.) executed by a trusted application will be examined by the Kaspersky app. analyzer, which will place the executable in one of four trust-level groups: trusted, low restricted, high restricted, untrusted. You can bypass the Kaspersky app. analyzer and place a newly started app in the level of your choice automatically...
    It should also be noted that an application started by an application which is not in the trusted group will inherit the same trust level as the application which started it, even if the started application is already placed in the trusted group... example: some trojan which is in the "high restricted" group wants to start IE, which is already in the "trusted" group; IE will be immediately placed in the "high restricted" group with all its restrictions...

    The prompt which will be raised depends on what the started app wants to do, example: "application xy", belonging to the high restricted group, is trying to load driver "xy.sys" .... what do you want to do: make trusted, allow, block, terminate and place in the "untrusted" group?
    or
    "trojan xy", belonging to the high restricted group, is trying to start "Internet Explorer", belonging to the trusted group; what do you want to do... if you allow it ... "Internet Explorer", belonging to the high restricted group, is trying to access the DNS API interface; what do you want to do?...

    NOTE: an unrecognized app. will NEVER be placed in the trusted group automatically by the Kaspersky application analyzer
     
    Last edited: Aug 16, 2009
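The trust-group model Einsturzende describes in the post above (a child process inherits its parent's restrictions even when the analyzer would rate the child as trusted; driver loading and sensitive API calls by anything outside the trusted group raise a prompt; unrecognized executables are never auto-trusted) is simple enough to write down as a small policy engine, which makes it easy to see why the services.exe-delivers-a-driver case underdog worried about still gets a prompt. The following is an added example, not Kaspersky's or any other vendor's code. The four group names and their order come from the post; the class and function names, the verdict strings, and the choice of "high restricted" as the landing group for unrecognized executables are this example's own assumptions.

```python
"""Trust groups with inherited restrictions, modelled on the HIPS behaviour
described in this thread (added example, not any vendor's code).
"""
from dataclasses import dataclass, field

# Group names in the order the post gives them, most trusted first.
TRUSTED = "trusted"
LOW_RESTRICTED = "low restricted"
HIGH_RESTRICTED = "high restricted"
UNTRUSTED = "untrusted"
# Lower rank = more trust; used to pick the more restrictive of two groups.
RANK = {TRUSTED: 0, LOW_RESTRICTED: 1, HIGH_RESTRICTED: 2, UNTRUSTED: 3}


def more_restrictive(a, b):
    """Return whichever of two groups carries more restrictions."""
    return a if RANK[a] >= RANK[b] else b


@dataclass
class Process:
    name: str
    group: str  # effective group, after inheritance from the parent


@dataclass
class Hips:
    # Analyzer verdicts for executables it recognizes (constructed table).
    analyzer: dict = field(default_factory=dict)
    # Landing group for a never-seen executable: assumed here, and never TRUSTED.
    default_for_unknown: str = HIGH_RESTRICTED
    prompts: list = field(default_factory=list)

    def __post_init__(self):
        # The post's NOTE: unrecognized apps are never auto-placed in the trusted group.
        if self.default_for_unknown == TRUSTED:
            raise ValueError("unrecognized executables are never auto-trusted")

    def classify(self, exe):
        """Analyzer verdict for an executable, or the default for unknown ones."""
        return self.analyzer.get(exe, self.default_for_unknown)

    def start(self, parent, exe):
        """parent launches exe; the child inherits the parent's restrictions if tighter."""
        own = self.classify(exe)
        effective = more_restrictive(own, parent.group)
        if parent.group != TRUSTED:
            self.prompts.append(
                f'"{parent.name}" ({parent.group}) is trying to start "{exe}" ({own})')
        return Process(exe, effective)

    def _guarded(self, proc, action):
        """Shared rule: trusted processes act silently, everything else is prompted."""
        if proc.group == TRUSTED:
            return "allow"
        self.prompts.append(f'"{proc.name}" ({proc.group}) is trying to {action}')
        return "prompt"

    def load_driver(self, proc, driver):
        return self._guarded(proc, f'load driver "{driver}"')

    def access_api(self, proc, api):
        return self._guarded(proc, f"access {api}")


def demo():
    """Replay the two scenarios from the post; return the verdicts and prompt count."""
    hips = Hips(analyzer={"services.exe": TRUSTED, "iexplore.exe": TRUSTED})
    services = Process("services.exe", TRUSTED)
    # Legitimate chain: a trusted parent starts a trusted child, no prompt.
    ie = hips.start(services, "iexplore.exe")
    # Unrecognized "trojan xy" lands in high restricted even though services.exe started it.
    trojan = hips.start(services, "trojan_xy.exe")
    # The trojan starts IE: IE inherits "high restricted" despite its own trusted verdict.
    ie_from_trojan = hips.start(trojan, "iexplore.exe")
    return {
        "ie": ie.group,
        "trojan": trojan.group,
        "ie_from_trojan": ie_from_trojan.group,
        "driver_from_trojan": hips.load_driver(trojan, "xy.sys"),
        "dns_from_hijacked_ie": hips.access_api(ie_from_trojan, "DNS API interface"),
        "driver_from_services": hips.load_driver(services, "legit.sys"),
        "prompts": len(hips.prompts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Inheritance is the part that answers the whitelist concern: a trusted system binary only acts silently while its whole ancestry is trusted, so a driver delivered through a process chain that started from an unrecognized executable is still prompted for.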