Failure of HIPS?

Discussion in 'other anti-malware software' started by aigle, May 25, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Well, this has been discussed a bit already here on Wilders in two threads:

    https://www.wilderssecurity.com/showthread.php?t=136452&page=14 See post no.330 by noway
    https://www.wilderssecurity.com/showthread.php?t=171576&page=10&highlight=Anti-executable

    I did some testing with it and it has attracted me so much that I thought it surely deserves a separate thread, especially about the failure of HIPS in this regard.

    I was doing a bit of testing with a drive-by download site. Using Internet Explorer 6 on XP SP2 (not fully updated), I went to this link (change hxxp to http):

    hxxp://85.255.115.221/ind.htm?src=250&surl=www.sloantreefarms.com&sport=80&suri=%2Findex%2Ehtml
    IE is somehow redirected and causes a series of drive-by downloads (note that the redirection is not consistent; sometimes I have to try multiple times by emptying my browser cache and changing my dial-up ISP, which is a proxy server). More details are here by Rmus:

    http://urs2.net/rsj/computing/tests/redirect/

    What caused my concern is that a spoofed .gif file is downloaded and executed (it's a downloader) and then it causes a series of malware exes to be downloaded and executed. SSM Pro/Free neither prevents nor gives any indication of the execution of this spoofed .gif (although the exes downloaded later are in fact stopped). I tried ProSecurity Free and NeovaGuard and they also failed. On the other hand, Anti-Executable stops execution of this file.

    I was thinking classical anti-execution HIPS are supposed to stop such execution as well, but they failed here. More details by Rmus here:

    http://urs2.net/rsj/computing/tests/spoofexe/
    http://urs2.net/rsj/computing/tests/winantivir/

    What are your opinions about this?
     
    Last edited: May 25, 2007
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    BTW, I tried it with GeSWall; it did not stop any execution, of course, but it did stop some malicious actions, and the files downloaded into the system32 folder were isolated and marked. It is supposed to do this job.
    DefenseWall: same results as GeSWall.

    Sandboxie isolated all the exes etc. in the virtual drive as expected. An interesting thing is that during these drive-by downloads, one exe from temp first terminated IE and then relaunched it in invisible mode (iexplore.exe running in Process Explorer but no IE window visible); IE then downloads malware exes into the system32 folder.

    As the Sandboxie free version does not auto-isolate IE, I was thinking that at this step IE would be launched outside of Sandboxie and that would lead to unisolated exes in system32, but that did not happen at all; rather, the drive-by downloads just stopped at this point. My guess is that it happened due to the special location of the malware exes in Sandboxie (as they were in the virtual drive, not in the actual C drive where they were supposed to be present; this change in the path of the malware exes broke the continuous drive-by download sequence). This is just my speculation.
     
  3. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    Hi aigle:

    One up for Sandboxie and AE. I have not used AE but did use Exe Lockdown and was impressed by how light it was on my system compared to classical HIPS. Now, if AE runs as light, I can see why many members speak highly of it. As for Sandboxie, I assume that its limitation of not being able to run legitimate programs in the sandbox is also what stopped the execution of the exes.
     
  4. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    That is why I have IE with a security policy set as a BASIC USER. :D :D (see my sig)

    UPDATE: My main/default browser is FF2, but some sites require IE!

    Mike
     
    Last edited: May 25, 2007
  5. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
    Very interesting, aigle. Have you any idea why SSM doesn't intercept the installation of the exe files, since every legitimate file I install is challenged by it?
     
  6. screamer

    screamer Registered Member

    Joined:
    Apr 14, 2006
    Posts:
    921
    Location:
    Big Apple USA
    Went to the above-mentioned URL. The redirect couldn't get past FF w/ NoScript. When I allowed it (temporarily) I was brought to Sloans Farms. No .exe detected.

    ...screamer
     
  7. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
  8. tradetime

    tradetime Registered Member

    Joined:
    Oct 24, 2006
    Posts:
    1,000
    Location:
    UK
  9. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    aigle,

    Unfortunately I saw no sign of any "executable" GIFs.

    If it's possible, can you upload it somewhere and give me the link via PM?
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Sorry, it was:

    https://www.wilderssecurity.com/showthread.php?t=171576&page=10&highlight=Anti-executable

    Corrected now.

    If you get redirected, you will get it in your Temp Internet Files (mainly) or All Users Start Menu (not sure).
    PM me your e-mail address and I will send it to you. Not sure where to upload; my ISP blocks many upload sites.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Not all exes, only the spoofed .gif file.
    None of the HIPS detects its execution except AE. I tested PS Pro, SSM Pro, and NG.

    I made a thread at the SSM forums too, much similar to this one.

    https://www.syssafety.com/forum/viewtopic.php?t=944&sid=korfuf8hjrgpkkgpn7onfvhol6
     
    Last edited: May 25, 2007
  12. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Excellent results again for GeSWall, DefenseWall and Sandboxie! aigle, I'm stunned that only Anti-Executable passed this "test". If you have time, can you try Dynamic Security Agent (DSA)? I'd love to know if that would stop this.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I tried, but DSA will not install on my system ATM (some conflict). I tried thrice and then gave up.

    If anybody needs the spoofed .gif file, please PM me. I have uploaded my Temp Internet Files in a zip with a password at RapidShare.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040

    Have you tried it with Exe Lockdown? I tried Anti-Executable on my system, but for some reason on this box it blocks Sandboxie.
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    aigle,

    Sorry for not seeing your message earlier - was busy with assignments.

    Either way, I received your PM and used cmd.exe to launch the GIF file "as is" without renaming it. SSM properly intercepted the CreateProcess API call and popped up a prompt. I'd just want to ask what rules you are using for IE: have you told SSM to prompt when IE wants to launch a new untrusted process?
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi solcroft,

    I think what aigle was wondering, as do I, is this: should SSM have blocked the spoofed .gif file from downloading in the first place?

    That is to say, does it have classical execution prevention as one of its features?

    Or is its job just to block it from being executed by another process?

    Thanks,

    -rich
     
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Good going, aigle! I am eagerly watching the thread you started at SSM's forum. If SSM's proponents run true to form, they will quickly & effectively plug this hole.

    It is obvious that the bad guys are well aware that lots of their intended *victims* are now running HIPS programs. It is to be expected that the bad guys will aggressively probe for ways to get around HIPS.

    IMO it is well nigh impossible for any HIPS developer to keep up with ALL the new probes by the bad guys. That's why it is essential that the proponents of a HIPS program give heed to people like aigle, and encourage them to report any & all suspected weak points.

    Herein is one of the MAJOR reasons why I stick with SSM. Namely, they have a forum. Most of the other HIPS do not. SSM's forum is very active and very responsive. In many cases the other HIPS -- the few that DO have forums -- either do not reply to posts such as aigle's, or else treat them with disdain and aloofness.

    SSM's forum listens. SSM's team pays attention. Checks to see. Treats folks like aigle with the respect they deserve. Then ACTS quickly to verify & correct any weak areas. I have yet to find any other HIPS team that is equally as pro-active and helpful & friendly as is the team at SSM.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi Aigle,

    Nice test. I went to the link with IE7 and was redirected to Sloan's tree farm. Nothing downloaded (running EQSecure, AntiVir + GeSWall Pro). Checked the internet temp folder and system32 for files flagged by GW, found nothing. EQ did not alert on anything written to system folders or creating executables. Could not find the gif mentioned anywhere on my system. Does this only work with IE6 and unpatched XP?

    Could you PM a spoofed gif?

    Thx K
     
  19. wat0114

    wat0114 Guest

    The same results here using IE7 and the latest Opera on an XP administrative account, no less. I deleted all temp files but I keep just getting Sloan's Tree Farm and I'm positive nothing is downloading onto my system.

    Good question

    BTW Aigle, thank you for your efforts and information sharing. I've been following this turn of events since last night.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I tried the same and I get the prompt in the same way.
    But during the actual testing, I got no prompts that IE was trying to launch the .gif file. Also keep in mind that on my system SSM doesn't allow cmd.exe to start. I have, though, kept a renamed copy of it in another place.
    I will.

    @ Kees and wat0114
    I think it will only work with IE6 and an unpatched OS, but not sure.
    SSM will not block the download of any executable. It will only warn/stop its execution. The same is true of any other HIPS like PS, PG, NG etc.

    BTW, now I suspect the spoofed .gif file was never executed, so that's the reason SSM and other HIPS don't give a prompt. I think AE warned you about the download of the executable (.gif), not its actual execution (that's why it is saying Reason: Copy). The gif file was never executed on my system or on Rmus's system. Just my idea; I have no way to confirm it.

    Other HIPS are a bit different from AE as they don't stop the download/copy of executables; they just block the execution of these.

    If I manually run the gif via cmd.exe on my system, SSM gives a pop-up warning. Moreover, normally SSM on my system does not allow even the start of cmd.exe (I allowed it to run the gif file and got a prompt for the gif execution).

    If it is true, then I wonder what was the purpose of the drive-by download of this spoofed gif file?
     
  21. herbalist

    herbalist Guest

    I end up at Sloan's Tree Farm with both IE6 and Mozilla. Nothing happens, no matter what my browser settings are or what security apps I bypass or disable.
    I'd like to know that as well. It doesn't work with IE6 or Mozilla SeaMonkey 1.07 on a 98 box. If anyone has this spoofed gif, could they send me a copy?

    I'd very much like to test SSM on more of these sites if I can ever find one that works as intended on this box. I keep seeing posts about how SSM fails to defend against different web-delivered malware, but none of them even try to function when I go to them. This is getting to be a recurring theme. So much for how vulnerable and insecure 98 is supposed to be.
    Rick
     
  22. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Guys, I can't explain it, but aigle is right. I downloaded DSA to test it vs. the drive-by website that aigle mentioned. I enabled PowerShadow and disabled GeSWall and Comodo Firewall so I could run the test on DSA without any interference. I entered that website in IE and, lo and behold, I was redirected to another site and MASSIVE amounts of pop-ups were being issued by AntiVir.

    I had STUPIDLY left AntiVir on. I closed IE, disabled AntiVir, cleaned my cache using Window Washer and tried to test DSA again. But amazingly I wasn't taken to the original webpage; I was taken straight to the "tree farm" page. I tried rebooting my machine and trying again, but no luck.

    No matter what, I can't seem to get to the original infected page!
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It will not run again so easily. I use dial-up and I just change my ISP number each time to get it to work; sometimes trying after half an hour or so works. Try again later. Run CCleaner beforehand as well.
     
  24. Kenjin

    Kenjin Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    63
    I checked that website and tested with ProSecurity and SSM. Both block the loading of the executable just fine. aigle, I'm sorry, but I believe this whole thread is based on a misunderstanding on your end. The .gif which gets downloaded is never launched; instead, the exploit copies its contents to a new file named MS_update_0704_KB74073.exe and then tries to launch this one, not the original .gif file. There is no hole in ProSecurity's or SSM's execution control as you suspected in the beginning.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    All I can determine (and I went to the site again earlier today) is that if cnte-oiduuyes.gif does not download, I don't see any other executable files cached or installed. If I let cnte-oiduuyes.gif download, then the whole scenario is set in motion, including the launching of the hidden process of IExplore.

    The Host Server for the Sloan web site was sanitized earlier, so the redirect from Google no longer works. You will have to use the direct link which aigle posts above.

    Here are screenshots of the files, both at the point of blocking cnte-oiduuyes.gif, and after it is allowed to download.
    Using IE6 on Win2K SP4:

    http://urs2.net/rsj/computing/imgs/winantivir/

    So, that .gif file has some purpose. Note that cnte-oiduuyes.gif and MS_update_0704_KB74073.exe are the same file, probably just being renamed/copied, as I show in the scans.

    (EDIT: I see that Kenjin draws the same conclusion)

    If there is no cnte-oiduuyes.gif, the exploit can't get started. Otherwise, why don't we see any other executable files? I may be wrong, but that is the way it appears.

    I checked AE's Log and it shows only one executable - cnte-oiduuyes.gif - attempting to download, so there were no blocks in the background.

    Until someone can analyze more thoroughly each step of the exploit, including those convoluted javascript coded pages, we are left to guess what is really happening. This is no longer a straightforward task, where one could use a simple CharCode-to-ASCII Chart, or an Unescape converter.

    See here for a current example of the difficulty:

    Analyzing an obfuscated ANI exploit
    http://isc.sans.org/diary.html?storyid=2826

    @Herbalist: Spanner over at DSLR uses Win98 and most of the recent exploits don't work for him, so this may be the case with you.

    If so, too bad... you will have to get an XP box to play with these things :)


    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
    Last edited: May 25, 2007
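The two posts above (Kenjin's and Rmus's) reach the same conclusion: the dropper arrives under a .gif name, is copied byte-for-byte to MS_update_0704_KB74073.exe, and only the copy is launched. A CreateProcess hook keys on the MZ/PE header, not the file name, which is why SSM prompted when solcroft launched the .gif directly and why the HIPS only fired on the renamed copy during the real drive-by; a content-based check at copy time is what lets a tool flag the .gif the moment it lands. The script below is an added example, not code from any poster or product in this thread: it classifies files by content rather than extension, flags executables wearing image extensions, and groups byte-identical files by SHA-256 so a renamed copy shows up next to its original. The file names are taken from the thread, but the directory layout, the byte contents (a minimal, non-loadable MZ/PE stub standing in for the dropper) and the EXEC_EXTENSIONS list are constructed here for the demo.

```python
"""Content-based executable detection over a browser cache directory.

Added example; the cache layout and file contents below are constructed.
"""
import hashlib
import os
import struct
import tempfile
from collections import defaultdict

# Magic numbers for the image types a browser cache usually holds.
IMAGE_MAGICS = (
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
)
# Extensions under which a PE is expected (assumed list, not exhaustive).
EXEC_EXTENSIONS = {"exe", "dll", "scr", "sys", "cpl", "ocx"}


def is_pe(data):
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'.

    This is what the loader keys on; the file's name plays no part.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew > len(data) - 4:  # header points past the end of the file
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def content_type(data):
    """Classify by content, never by extension."""
    if is_pe(data):
        return "pe"
    for magic, name in IMAGE_MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def classify(path, data):
    """Describe one file: what it claims to be (extension) vs what it is."""
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    kind = content_type(data)
    return {
        "path": path,
        "ext": ext,
        "kind": kind,
        # An executable under a non-executable extension: the case that
        # a copy-time content check catches and an execution hook does not.
        "spoofed": kind == "pe" and ext not in EXEC_EXTENSIONS,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def scan_dir(root):
    """Classify every file under root (whole files are read; caches are small)."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results.append(classify(path, fh.read()))
    return results


def identical_groups(results):
    """Map sha256 -> paths for content that appears under more than one name."""
    by_hash = defaultdict(list)
    for r in results:
        by_hash[r["sha256"]].append(r["path"])
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def fake_pe_bytes():
    """Constructed minimal MZ/PE stub (not loadable), standing in for the dropper."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: right after the DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20 + b"constructed stub"


def demo():
    """Build a throwaway cache using the names from the thread and scan it."""
    stub = fake_pe_bytes()
    files = {  # constructed contents; only the two file names come from the thread
        "Temporary Internet Files/cnte-oiduuyes.gif": stub,
        "WINDOWS/system32/MS_update_0704_KB74073.exe": stub,
        "Temporary Internet Files/logo.gif": b"GIF89a" + b"\x00" * 32,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        results = scan_dir(root)
        for r in results:  # report paths relative to the cache root
            r["path"] = os.path.relpath(r["path"], root).replace(os.sep, "/")
        groups = identical_groups(results)
    return results, groups


if __name__ == "__main__":
    results, groups = demo()
    for r in results:
        label = "SPOOFED EXECUTABLE" if r["spoofed"] else r["kind"]
        print(f"{r['path']}: .{r['ext']} -> {label}")
    for digest, paths in groups.items():
        print(f"same content {digest[:12]}...: {', '.join(paths)}")
```

Pointing scan_dir at a real Temporary Internet Files folder after a suspicious visit gives the same two signals Rmus drew from his scans: which cached "images" are really PE files, and which downloaded file shares a hash with a dropped executable elsewhere on disk. The e_lfanew bounds check matters on real caches, since truncated downloads and deliberately malformed headers are common there.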