dll exploit/ .lnk exploit mitigation by HIPS

Discussion in 'other anti-malware software' started by aigle, Oct 11, 2010.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,115
    Location:
    Saudi Arabia/ Pakistan
    There are two interesting exploits/ vulnerabilities discovered recently.

    1- .lnk exploit( involves a dll execution too).
    2- dll vulnerability

    HIPS and behav blockers are usually not meant to handle malicious dll execution, though many of classical HIPS can be configured to intercept dll execution/ loading but due to the insane no of pop up alerts it,s not practical at all.

    I have tried the POCs for both exploits with Comodo Defence Plus v 4, EQSecure and GesWall.

    CIS v 5 is great but sadly it has no control for dll execution. :'( No way to intercept both these exploits via CIS 5.

    Here is .lnk exploit POC that executes a test dll named dll.dll.

    1 cis.jpg
    1 eqs.jpg
    1 gw.jpg
    geswall log.jpg
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,115
    Location:
    Saudi Arabia/ Pakistan
    Here is second POC. This is for dll exploit. I tried with VLC Media Player.

    2 cis.jpg
    2 eqs.jpg
    x.jpg
    2 gw.jpg
     
    Last edited: Oct 11, 2010
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,115
    Location:
    Saudi Arabia/ Pakistan
    And here is an interesting dll issue.

    http://www.greatis.com/security/explorer_redirection_dll_startup_hole.htm

    I searched this malware and then tested with CISv 4 and GesWall. Besides the dll issue malware also installs a driver so any HIPS will stop it anyway. However the dll part of it is interesting. In case of XP, once a malicious linkinfo.dll is dropped into windows directory, then windows explorer will automatically load it on next boot.

    cis 1.jpg cis2.jpg
    cis3.jpg cis 4.jpg
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,115
    Location:
    Saudi Arabia/ Pakistan
    And with GesWall.

    gw xp 1.jpg
    gw3.jpg
    gw win7 1.jpg
     
  5. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    sorry to hijack your thread for an instant m8.

    aigle:

    POC?
    i see this quite often here.
    what does it mean?
    i've Googled it and there's about 30-40 definitions.

    from where i sit, it's either Proof of Concept or Pile of Cr*p! :eek:
    is it something else?
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,115
    Location:
    Saudi Arabia/ Pakistan
    Again this dll loading part can,t be tested with CIS v 5 as it has no dll control. :mad:
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,100
    Location:
    North Carolina USA
    Proof of Concept.:cautious:
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,115
    Location:
    Saudi Arabia/ Pakistan
    Yep, Proof of Concept. :)

    You may call it pile of crap until the real malware comes out, it,s upto you. By the way .lnk exploit is already more than a Proof of concept( stuxnet worm).
     
  9. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx m8!

    now back to our regular programming...
     
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    according to the article at greatis:
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What about a LUA Limited User Account (XP)/Standard User Account (Vista, 7)? By definition, a limited/standard user has no write permissions to C:\Windows.
     
    Last edited: Oct 11, 2010
  12. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    Geswall - :thumb:
     
  13. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    487
    Yep, As always :D If there isn't a conflict... Geswall is nice layer.
     
  14. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,874
    Location:
    Europe, UE citizen
    Aigle, did you try it, or only you saw the 5v Defense+ settings ? I say it because is unknow which files are checked by default, see here 196
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,115
    Location:
    Saudi Arabia/ Pakistan
    Yes i tried. Also officially egemen, the lead developer, himself wrote that dll control is no more there in this version.
     
  16. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx for feeding my paranoia folks! :ninja:

    i think i'm gonna give Ubuntu a try.:D
     
  17. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,874
    Location:
    Europe, UE citizen
    o_O o_O Another good reason for don't upgrade from 4v.
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.