dll exploit/ .lnk exploit mitigation by HIPS

Discussion in 'other anti-malware software' started by aigle, Oct 11, 2010.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    There are two interesting exploits/vulnerabilities discovered recently.

    1- .lnk exploit (involves a dll execution too).
    2- dll vulnerability

    HIPS and behaviour blockers are usually not meant to handle malicious dll execution. Many of the classical HIPS can be configured to intercept dll execution/loading, but due to the insane number of pop-up alerts it's not practical at all.

    I have tried the POCs for both exploits with Comodo Defence Plus v4, EQSecure and GesWall.

    CIS v5 is great but sadly it has no control for dll execution. :'( There is no way to intercept either of these exploits via CIS 5.

    Here is the .lnk exploit POC that executes a test dll named dll.dll.

    [Attached screenshots: CIS, EQSecure, GesWall, GesWall log]
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Here is the second POC. This one is for the dll exploit. I tried it with VLC Media Player.

    [Attached screenshots: CIS, EQSecure, GesWall]
     
    Last edited: Oct 11, 2010
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    And here is an interesting dll issue.

    http://www.greatis.com/security/explorer_redirection_dll_startup_hole.htm

    I searched for this malware and then tested it with CIS v4 and GesWall. Besides the dll issue, the malware also installs a driver, so any HIPS will stop it anyway. However, the dll part of it is interesting. In the case of XP, once a malicious linkinfo.dll is dropped into the Windows directory, Windows Explorer will automatically load it on the next boot.

    [Attached screenshots: CIS, four images]
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    And with GesWall.

    [Attached screenshots: GesWall on XP and on Windows 7]
     
  5. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Sorry to hijack your thread for an instant, m8.

    aigle:

    POC?
    I see this quite often here.
    What does it mean?
    I've Googled it and there are about 30-40 definitions.

    From where I sit, it's either Proof of Concept or Pile of Cr*p! :eek:
    Is it something else?
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Again, this dll loading part can't be tested with CIS v5 as it has no dll control. :mad:
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Proof of Concept. :cautious:
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yep, Proof of Concept. :)

    You may call it a pile of crap until the real malware comes out, it's up to you. By the way, the .lnk exploit is already more than a Proof of Concept (Stuxnet worm).
     
  9. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Tnx m8!

    Now back to our regular programming...
     
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    According to the article at greatis:
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    What about a LUA (Limited User Account on XP / Standard User Account on Vista and 7)? By definition, a limited/standard user has no write permissions to C:\Windows.
     
    Last edited: Oct 11, 2010
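    A defender-side check for the two points raised above, the planted linkinfo.dll in the Windows directory from post 3 and the standard-user argument in this post, as an added example that is not from the thread or from any product discussed in it. It assumes a Windows host with Windows PowerShell 2.0 or later and only built-in cmdlets; the function names are my own.

```powershell
# Added example (not from the thread): two defender-side checks for the DLL
# planting issue discussed above. Assumes a Windows host, Windows PowerShell 2.0+
# and built-in cmdlets only; the function names are invented for this example.
$winDir = $env:WINDIR
$sys32  = Join-Path $winDir 'System32'

# Check 1: DLLs sitting directly in %WINDIR% that share a name with a System32
# DLL. explorer.exe lives in %WINDIR%, and a process's own directory is searched
# before System32, so a same-named copy there (the linkinfo.dll case) wins.
# Output is a review list with hash and signature status; nothing is deleted.
function Get-ShadowingWinDirDll {
    Get-ChildItem -Path $winDir -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and (Test-Path (Join-Path $sys32 $_.Name)) } |
        ForEach-Object {
            $bytes = [System.IO.File]::ReadAllBytes($_.FullName)
            $sha   = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
            New-Object PSObject -Property @{
                Name      = $_.Name
                Modified  = $_.LastWriteTime
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                SHA256    = ([System.BitConverter]::ToString($sha) -replace '-', '')
            }
        }
}

# Check 2: can a non-admin interactive user create files in %WINDIR%? Reports any
# Allow ACE for the broad low-privilege groups that carries the CreateFiles bit
# (Write, Modify and FullControl all include it). An empty result means the
# limited/standard-user mitigation holds for this directory on this machine.
# Caveat: unmapped generic rights (GENERIC_WRITE) are not decoded here.
function Get-WinDirStandardUserWriteAce {
    $lowPrivGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')
    $createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
    (Get-Acl -Path $winDir).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($lowPrivGroups -contains $_.IdentityReference.Value) -and
            (([int]$_.FileSystemRights -band $createFiles) -ne 0)
        } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags
}

"== DLLs in $winDir shadowing a System32 DLL =="
Get-ShadowingWinDirDll | Format-Table Name, Modified, Signature, SHA256 -AutoSize
"== ACEs letting standard users create files in $winDir =="
Get-WinDirStandardUserWriteAce | Format-Table -AutoSize
```

    Run it from an elevated prompt; a Signature value other than Valid on a DLL that sits directly in the Windows directory is what deserves a closer look.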
  12. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    Geswall - :thumb:
     
  13. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
    Yep, as always :D If there isn't a conflict... GesWall is a nice layer.
     
  14. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Aigle, did you try it, or did you only see the 5v Defense+ settings? I say it because it is unknown which files are checked by default, see here 196
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes, I tried. Also, officially, egemen, the lead developer, himself wrote that dll control is no longer there in this version.
     
  16. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Tnx for feeding my paranoia, folks! :ninja:

    I think I'm gonna give Ubuntu a try. :D
     
  17. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    o_O o_O Another good reason not to upgrade from 4v.
     