Downadup/ Conficker worm versus HIPS

Discussion in 'other anti-malware software' started by aigle, Jan 19, 2009.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Downadup/ Conficker worm versus HIPS/ Anti-executables etc

    The original inspiring thread by Rmus is here. :thumb:

    https://www.wilderssecurity.com/showthread.php?t=230837

    It's a very clever piece of malware: it uses an autorun.inf file and a DLL (hidden as a .vmx file) to do its dirty tricks, and spreads via USB sticks. :thumb:

    CFP - in default interactive security mode, you will get only one pop-up, which is the execution of the DLL/.vmx file by rundll32. If you allow it, there are no more pop-ups and the malware is free to do all its actions. CFP did, however, label it as suspicious via file heuristics. :thumb: PASS, though I am not so happy about this pass. ;)

    EQS - seems similar to CFP, though I tested it in a hurry. PASS

    GesWall - you need to make a rule to isolate your USB drive in GW (see the pic). It stopped the worm dead. :thumb: :thumb: PASS

    TF - Fail, totally blind. :mad: :thumbd:

    Come on. Try your HIPS once again. :D :D

    BTW - more pics are here, but you need extremely tight rules to get many (though not all) of these pop-ups, and such rules are practically not feasible at all.

    http://rapidshare.com/files/186335754/pics.zip

    cfp2.jpg
    GW.jpg
    2009-01-19_045747.jpg
     
    Last edited: Jan 20, 2009
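The autorun.inf / rundll32 trick described in the post above, as an added example that is not part of the original post or of any of the products tested: a small Python script that parses an autorun.inf the way the shell does (leniently, skipping the junk lines Conficker pads the file with) and flags any auto-executed command that hands rundll32 a file with a non-library extension or that runs out of a RECYCLER folder. The two sample files are constructed; the RECYCLER sub-folder name and the export name after the comma are placeholders, and jwgkvsq.vmx is the file name alex_s reports further down the thread.

```python
"""Flag an autorun.inf that launches a DLL through rundll32 (the Conficker
USB trick).  Added example; the sample files at the bottom are constructed."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# [autorun] keys that make the shell run something on insertion / double-click.
EXEC_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Extensions rundll32 is legitimately asked to load; anything else is a DLL
# hiding under an unrelated name, like the ".vmx" file in this thread.
LIBRARY_EXTS = {".dll", ".cpl", ".ocx", ".ax"}


@dataclass
class Finding:
    key: str
    command: str
    reasons: List[str] = field(default_factory=list)


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Lenient INI parse -> {section: {key: value}} with lower-cased names.
    Lines that are not key=value (Conficker pads autorun.inf with binary junk
    to confuse scanners) are skipped, because the Windows shell skips them too."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def rundll32_target(command: str) -> Optional[str]:
    """If the command runs rundll32, return the file it is told to load.
    rundll32 syntax: rundll32 <path>,<entrypoint> [args]  (case-insensitive)."""
    tokens = command.split()
    if len(tokens) < 2:
        return None
    exe = ntpath.basename(tokens[0].strip('"')).lower()
    if exe not in ("rundll32", "rundll32.exe"):
        return None
    return tokens[1].split(",", 1)[0].strip('"')


def analyze_autorun(text: str) -> List[Finding]:
    """Return one Finding per auto-executed command that looks like Conficker."""
    findings: List[Finding] = []
    for key, command in parse_ini(text).get("autorun", {}).items():
        if key not in EXEC_KEYS and not SHELL_CMD_RE.match(key):
            continue
        finding = Finding(key=key, command=command)
        target = rundll32_target(command)
        if target is not None:
            ext = ntpath.splitext(target)[1].lower()
            if ext not in LIBRARY_EXTS:
                finding.reasons.append(f"rundll32 loads non-DLL extension {ext}")
        if re.search(r"(^|[\\/])recycler([\\/]|$)", command, re.IGNORECASE):
            finding.reasons.append("executes from a RECYCLER folder")
        if finding.reasons:
            findings.append(finding)
    return findings


# Constructed samples.  The RECYCLER sub-folder and the export name after the
# comma are placeholders; jwgkvsq.vmx is the file name reported in the thread.
CONFICKER_STYLE_INF = (
    "[AutoRun]\r\n"
    ";xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\r\n"
    "\x01\x7f\xfe junk bytes with no equals sign\r\n"
    "Action=Open folder to view files\r\n"
    "Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    "UsEAuToPLaY=1\r\n"
    "shElLExEcUtE=RuNdLl32.EXE .\\RECYCLER\\S-1-5-21-EXAMPLE\\jwgkvsq.vmx,entrypoint\r\n"
)
BENIGN_INF = "[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Camera\r\n"

if __name__ == "__main__":
    for name, inf in (("conficker-style", CONFICKER_STYLE_INF), ("benign", BENIGN_INF)):
        hits = analyze_autorun(inf)
        print(name, "->", "clean" if not hits else [(h.key, h.reasons) for h in hits])
```

The only process a classical HIPS sees here is rundll32.exe, a signed Windows binary, which is why the products in the post raise exactly one prompt and nothing afterwards: once the library is mapped, everything else the worm does happens inside a trusted host process.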
  2. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Someone test it with SandboxIE :)
     
  3. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Curious about DS as well since it monitors flash drives as they are plugged in.
     
    Last edited: Jan 20, 2009
  4. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    What about the Prevx Edge discussion of their success at http://www.prevx.com/blog.asp ? Is HIPS simply the wrong tool for some of the modern malware?
     
    Last edited: Jan 19, 2009
  5. sded

    sded Registered Member

    Joined:
    Jun 4, 2004
    Posts:
    512
    Location:
    San Diego CA
    And what about Online Armor, another current modern HIPS?
     
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Sample files I picked up.

    Con samples.JPG
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle I can make a pass custom rule in ThreatFire, like you did with GeSWall

    So either you consider GeSWall a FAIL or you reward ThreatFire with a PASS

    Aigle, do you have two USB sticks and two or more USB ports? Would you mind testing GeSWall with the custom rule you applied for the USB stick (harddisk1) with the virus on the second USB stick? I bet GeSWall will fail miserably :blink: :blink: :blink:

    Come on man, use one stick to measure results :D :D :D
     
    Last edited: Jan 20, 2009
  8. Mosqu

    Mosqu Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    69
    Location:
    Germany
    Comodo Defense+

    It's often the problem with "classical" HIPS: the user has to decide himself what to allow or block.
     
  9. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    If somebody provides a dropper, I can report the results.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Caution: Please don't post links. They will certainly be removed.

    Pete
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmm.... I don't agree, Kees. TF is supposed to intercept it by default without any custom rules at all, as it intercepts other autorun malware. When you add custom rules in TF, it acts as a typical classical HIPS, and any classical HIPS will for sure intercept this malware. I just tested the default behaviour blocker function of TF.

    As far as GW is concerned, it's lacking the feature to protect USB sticks by default. I just added it manually. Development of GW is stalled, of course. Basic functionality is there, but you need to implement it somehow.

    I used this rule in GW as there seemed no other way for me to run this malware isolated. In fact, I agree it's not a PASS unless you tweak GW, as it lacks protection of USB sticks by default.

    If you run malware isolated, it will not be able to do anything. If you run it un-isolated, it can do anything. That's how GesWall or any other such product is supposed to work. :)
     
    Last edited: Jan 20, 2009
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The ability to apply minor nuances marks a great mind. You are a sport :thumb: :thumb: :thumb:
     
    Last edited: Jan 20, 2009
  13. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Will test SandboxIE later when I'm at home, but I have no doubt it will pass, with the USB drive forced to run sandboxed.
     
  14. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Your faith in the wondrous SandboxIE is well placed, I'm certain it'll pass, but await your findings in any case. :D

    Has anyone tried this with Mamutu yet?
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Guys, again in regard to Sandboxie:
    - let's make a special configuration rule (force the USB drive to run sandboxed)
    - gee, it passes a real malware sample

    What in regard to XP:
    - I have an SRP rule blocking executables from running in RECYCLER
    - gee, my Windows XP passes in a Limited User Account, what a great HIPS old XP is, it passes!

    When you disagree with the second observation, why do you agree with the first observation?

    There is something I seem to misunderstand completely o_O, so better keep my mouth shut :gack:
     
    Last edited: Jan 20, 2009
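The SRP-in-RECYCLER setup in the post above, as an added example that is neither the poster's actual configuration nor Microsoft's code: a toy model of XP Pro Software Restriction Policy path rules that reproduces the two points a practitioner needs to check before calling this a pass. First, SRP precedence: among path rules the most specific (longest) matching path wins, and otherwise the default security level applies. Second, the caveat: SRP's default enforcement is "All software files except libraries (such as DLLs)", so a path rule on RECYCLER stops the .vmx only when the user is launching it as an executable; when rundll32.exe (trusted, in system32) loads it as a library, nothing is checked unless enforcement is switched to "All software files". Drive letters, the RECYCLER sub-folder name and dropper.exe are constructed.

```python
"""Toy model of Windows XP SRP path-rule evaluation.  Added example: the
precedence and the library-enforcement switch mirror real SRP behaviour, but
wildcards, hash/certificate/zone rules and registry paths are not modelled."""
import ntpath
from typing import Dict, List, Optional, Tuple

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


def _norm(path: str) -> str:
    """Case-fold and normalise separators so rules compare like the shell does."""
    return ntpath.normpath(path).lower().rstrip("\\")


class SrpPolicy:
    """Path rules with SRP precedence: the longest matching path rule wins,
    otherwise the default security level applies."""

    def __init__(self, default_level: str, check_libraries: bool = False):
        self.default_level = default_level
        # False = SRP default "All software files except libraries (such as DLLs)".
        # True  = "All software files": DLL loads are evaluated as well.
        self.check_libraries = check_libraries
        self.rules: List[Tuple[str, str]] = []

    def add_path_rule(self, path: str, level: str) -> None:
        self.rules.append((_norm(path), level))

    def evaluate(self, file_path: str, loaded_as: str = "exe") -> str:
        """loaded_as is 'exe' (CreateProcess) or 'dll' (LoadLibrary by a host)."""
        if loaded_as == "dll" and not self.check_libraries:
            return UNRESTRICTED  # library loads are simply never checked
        p = _norm(file_path)
        best: Optional[Tuple[str, str]] = None
        for prefix, level in self.rules:
            if p == prefix or p.startswith(prefix + "\\"):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, level)
        return best[1] if best else self.default_level


# Constructed paths: the RECYCLER sub-folder and dropper.exe are placeholders.
RUNDLL32 = r"C:\WINDOWS\system32\rundll32.exe"
PAYLOAD = r"E:\RECYCLER\S-1-5-21-EXAMPLE\jwgkvsq.vmx"


def conficker_scenario(check_libraries: bool) -> Dict[str, str]:
    """Default-allow XP with RECYCLER blocked on every drive, as in the post."""
    srp = SrpPolicy(UNRESTRICTED, check_libraries=check_libraries)
    for drive in "CDE":
        srp.add_path_rule(f"{drive}:\\RECYCLER", DISALLOWED)
    return {
        "rundll32": srp.evaluate(RUNDLL32),                    # the host process
        "vmx_as_dll": srp.evaluate(PAYLOAD, loaded_as="dll"),  # how autorun.inf runs it
        "vmx_if_run_directly": srp.evaluate(PAYLOAD),          # only if a user launched it
    }


def whitelist_scenario() -> Dict[str, str]:
    """Default-deny with a few Unrestricted folders; shows longest-match precedence."""
    srp = SrpPolicy(DISALLOWED, check_libraries=True)
    srp.add_path_rule(r"C:\Windows", UNRESTRICTED)
    srp.add_path_rule(r"C:\Program Files", UNRESTRICTED)
    srp.add_path_rule(r"C:\Windows\Temp", DISALLOWED)  # more specific: wins over C:\Windows
    return {
        "rundll32": srp.evaluate(RUNDLL32),
        "temp_dropper": srp.evaluate(r"C:\Windows\Temp\dropper.exe"),
        "vmx_as_dll": srp.evaluate(PAYLOAD, loaded_as="dll"),
    }


if __name__ == "__main__":
    print("RECYCLER rule, default enforcement:", conficker_scenario(False))
    print("RECYCLER rule, all software files:", conficker_scenario(True))
    print("default-deny whitelist:            ", whitelist_scenario())
```

With default enforcement the model returns Unrestricted for the .vmx loaded through rundll32, which is exactly the path the worm takes from autorun.inf; the RECYCLER rule only bites once enforcement covers libraries, or in a default-deny policy where the removable drive was never whitelisted in the first place.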
  16. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Actually Kees, I don't disagree with your 2nd observation.
    SandboxIE with its default config would not protect from this. A default XP is vulnerable. I think some classic HIPS could be vulnerable too.
    But when you design your setup to cover infection vectors, you only see PASSES. It doesn't matter if it's a HIPS, a sandbox, LUA, or other method. The important thing is to have the defenses well planned.

    For what it's worth, If I had XP Pro, and could use SRP, I probably wouldn't use Sandboxie, but I'm stuck with XP Home...
     
  17. Creer

    Creer Registered Member

    Joined:
    Jun 29, 2008
    Posts:
    1,345
    Nice test, what about OA or DefenseWall?
     
  18. Joerg

    Joerg Guest

    According to the PC Tools Forum the new Threatfire Beta will detect the conficker worm.

    regards,
    Joerg
     
  19. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    a) To be honest, any classical HIPS should give you at least 1 execution warning... soooo if you just pop the thumb drive in and you get a prompt, ya, you deserve to be infected :D

    b) @aigle I don't know why you say that it needs very deep rules (in CFP) to get the right warning... anyone that uses CFP adds those, and paranoid mode has them on by default

    http://www.imageshack.gr/files/kccat7zu2wqzdfzed5ze.jpg
     
  20. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,589
    Location:
    UK
    Reports of Eset v 3.0.669.0

    Edit: Sorry if my post is off topic :'( I don't know much about HIPS
     


    Last edited: Jan 20, 2009
  21. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    OA is much the same to the others. There was execution alert about jwgkvsq.vmx wanting to run. Once allowed computer is infected.
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    What about if you allow the pop-up to run it in Comodo or another HIPS, but you have a rule to deny access to write to the hard disk? :D ;) :thumb:
     
  23. neksus

    neksus Registered Member

    Joined:
    Nov 27, 2008
    Posts:
    54
    Hey, what about the case of 2+ HDDs?:)

    It would be pretty good if there was a way to add rule for removable drives automatically, without putting the user through the misery of doing the computation on total number of HDDs & USB sticks by hand:)
     
  24. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    deny copying files from a thumb drive? :D
    then why buy it at all? That's why you use it anyway, to copy stuff :p

    *hint* if LUA passes the sample, then OA with the option "run unknown apps as untrusted" checked passes it too. duh!

    someone PM me the sample please? :p
     
  25. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    anyway, I think that DefenseWall will run this sucker as untrusted from a USB device, making it run with limited rights ;)
    note: not tested yet on my part :D
     