Gpcode trojan versus HIPS

Discussion in 'other anti-malware software' started by aigle, Apr 26, 2011.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks for sharing this.

    Actually adding such rules manually is impractical IMO.
     
  2. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    Yes, it fails. The only way for the files to survive is if the user is using the Pro version and has the Lock Files and Folders feature enabled for the desired files. Files added to this list in Outpost Firewall will be protected and untouched. However, such files and folders aren't accessible to the malware, but they aren't accessible to the user either, which makes it a bit impractical.

    A little, yes. The creation of the rules isn't too slow and it's only a one-time thing. The additional popups later might be a little annoying but if one is already using these programs, then one is already geeky enough to be prepared to deal with more popups. :)
     
  3. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    it should pass.
    if it's not on the allowed SRP white list it can't run.
     
  4. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    So, if I understand correctly, even if the "allow" button is clicked as shown in the first alert, the malware did not do any harm, as it was automatically blocked in its paths...
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I can't agree with you. Imagine if you get hundreds of pop-ups about many processes just accessing and changing harmless .txt files. It's just an example.

    It's absolutely impractical unless someone wants to use his PC only to answer pop-up alerts.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, I allowed its execution and still OA blocked the malware from encrypting the files.
     
  7. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    thanks.
     
  8. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    And I can't agree with you. No one should ever create a rule for accessing/reading certain types of files. If anyone does that, it's his/her problem. I'm talking about only writing/modifying/deleting the files. There are not nearly as many processes that want to do that as you imply.
    Let's take the .txt files for example. You can have rules that always allow reading and creation of these files, and ask the user when it comes to modification and deletion. A few system processes might need to change .txt files, and so will the text editors (Notepad, Notepad2, Notepad++, etc.) and browsers (for the cookies). Although for browsers you could allow all kinds of file activity within the browser's profile folder in the first place. If you have rules asking just for deletion it's virtually the same as not having additional rules for .txt files at all. Programs don't usually try to delete the files.
    Or let's take .jpg for example. What programs need to modify such files? Image editing programs and image viewers. That's not a lot.

    Yes, there are more popups, but it's not an overwhelming amount. With well created groups and rules one can achieve protection of given files with few additional popups.
     
    Last edited: Apr 27, 2011
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmm... let me tell you, Comodo doesn't differentiate file read, write, delete or create. It just gives a file access alert. So when you configure a rule for .txt file access, you will get a pop-up alert any time a process wants to read, write, modify, delete or create a .txt file.

    Now just consider how many file types gpcode encrypts.

    Now imagine the number of rules, then the number of allow rules (sub-rules) for that. And the number of pop-up alerts. Sure, you can decrease them, but I guess by no criteria will these be few pop-ups or few rules.

    Anyway, I don't expect anyone to agree with me on this. If you or someone else is happy with all this workaround, that's fine with me. :)
     
  10. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    KIS 2012 prevents the sample from encrypting data if you enable Interactive mode (no other changes to rules) and click block on this popup (after clicking block, gpcode.vbs starts but doesn't do anything, no messages ("Your files are encrypted...") or encrypted files):
    [attached screenshot: 11.png]
    If you allow the popup, game over.
     
  11. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    Well, I wasn't aware of that. I thought Comodo had more granular control. I'm using Malware Defender and it can differentiate between 4 activities: reading, creating, writing/modifying and deleting.

    The sample that I have doesn't encrypt .asc and .zip files. However it does encrypt .pdf for compensation.

    Well, it seems this file protection strategy isn't feasible with Comodo. However with Malware Defender it is and I'm using it actually.
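The two rule styles argued over above (a HIPS that distinguishes read, create, write and delete, versus one that raises a single "file access" event) can be modelled to see how many prompts each produces. The following is an added example, not code from the thread, from Comodo, Malware Defender or any other product; the process names, paths, extension list and event trace are constructed for the demo.

```python
"""Toy model of per-extension HIPS file rules (added example, not code from any
product or from the thread). Two rule styles are compared:
  * granular: the HIPS distinguishes read/create/write/delete, so a rule can
    allow reads and creates of a file type and prompt only on writes/deletes;
  * coarse: the HIPS raises one "file access" event for every operation, so an
    extension rule also prompts on reads unless a per-process allow rule exists.
All process names, paths and events below are constructed for the demo.
"""
from collections import Counter
from dataclasses import dataclass
import fnmatch
import os

# Assumed sample of protected file types (a real ransomware target list is longer).
PROTECTED_EXTS = {".txt", ".jpg", ".doc", ".pdf"}

# Per-type "allow" sub-rules: programs that legitimately change these files.
TRUSTED_WRITERS = {
    ".txt": {"notepad.exe", "notepad++.exe"},
    ".jpg": {"mspaint.exe", "irfanview.exe"},
}
# Browser profile folder in which all file activity is allowed (cookies etc.).
PROFILE_GLOBS = {"firefox.exe": "C:/Users/*/AppData/Roaming/Mozilla/*"}


@dataclass(frozen=True)
class FileEvent:
    process: str
    path: str
    op: str  # "read", "create", "write" or "delete"


def _ext(path):
    return os.path.splitext(path)[1].lower()


def _process_exception(ev):
    """True if a per-process allow rule covers this event regardless of operation."""
    glob = PROFILE_GLOBS.get(ev.process)
    if glob and fnmatch.fnmatch(ev.path, glob):
        return True
    return ev.process in TRUSTED_WRITERS.get(_ext(ev.path), set())


def decide_granular(ev):
    """Rule set: reads/creates of protected types always allowed, writes/deletes ask."""
    if _ext(ev.path) not in PROTECTED_EXTS:
        return "allow"
    if ev.op in ("read", "create"):
        return "allow"
    return "allow" if _process_exception(ev) else "ask"


def decide_coarse(ev):
    """Single 'file access' event: the operation cannot be used in the rule."""
    if _ext(ev.path) not in PROTECTED_EXTS:
        return "allow"
    return "allow" if _process_exception(ev) else "ask"


def prompts(events, decide):
    """Return the events the user would be asked about under a given rule style."""
    return [ev for ev in events if decide(ev) == "ask"]


# Constructed event trace: normal use followed by an unknown process rewriting files.
SAMPLE_EVENTS = [
    FileEvent("notepad.exe", "C:/Users/alice/notes.txt", "write"),
    FileEvent("searchindexer.exe", "C:/Users/alice/notes.txt", "read"),
    FileEvent("searchindexer.exe", "C:/Users/alice/report.doc", "read"),
    FileEvent("searchindexer.exe", "C:/Users/alice/photo.jpg", "read"),
    FileEvent("firefox.exe", "C:/Users/alice/AppData/Roaming/Mozilla/cookies.txt", "write"),
    FileEvent("unknown.exe", "C:/Users/alice/notes.txt", "write"),
    FileEvent("unknown.exe", "C:/Users/alice/report.doc", "write"),
    FileEvent("unknown.exe", "C:/Users/alice/photo.jpg", "write"),
    FileEvent("unknown.exe", "C:/Users/alice/invoice.pdf", "write"),
    FileEvent("unknown.exe", "C:/Users/alice/readme.nfo", "write"),  # unprotected type
]


if __name__ == "__main__":
    for name, decide in (("granular", decide_granular), ("coarse", decide_coarse)):
        asked = prompts(SAMPLE_EVENTS, decide)
        print(f"{name}: {len(asked)} prompts, from {Counter(ev.process for ev in asked)}")
```

With the granular rules only the four writes by the unknown process are prompted, so blocking those prompts leaves the protected files untouched; the coarse model additionally prompts on every indexer read, which is the pop-up flood described above. The unprotected .nfo write passes silently in both models, which is the cost of an extension-based allow list.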
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Interesting. Thanks a lot
     
  13. burebista

    burebista Registered Member

    Joined:
    Mar 4, 2010
    Posts:
    225
    Location:
    Romania
    About Comodo and Gpcode, egemen posted an answer: https://forums.comodo.com/leak-testingattacksvulnerability-research/weakness-of-the-gpcode-t65960.0.html;msg512678#msg512678
    For those who don't want to go into their forum :p here is a copy/paste.
     
  14. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Uhm erm... that sandbox did not seem to exactly work, according to https://www.wilderssecurity.com/showpost.php?p=1864043&postcount=2
     
  15. kikesan

    kikesan Registered Member

    Joined:
    Dec 26, 2008
    Posts:
    13
    Hi 3x0gR13N,

    Did/could you try with the Sandbox feature?

    Regards.
     
  16. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    The sample isn't able to encrypt data when executed in the sandbox.
    (HIPS prompts for sandboxed process allowed, of course)
     
  17. Netherlands

    Netherlands Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    159
    Did 2011 also give the same alert?

    If you add the trojan ransom keys (they are not present in 2012), will it give you other alerts (protect the system) after pressing allow in the access to protected password storage alert?

    http://support.kaspersky.com/kis2011/settings/appcontrol?qid=208282306
     
  18. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    I haven't tried with 2011 but AFAIK there were no changes in what "protected passwords storage" is between 2011=>2012, so chances are very high that 2011 would prompt the same.
    WinLock/Pornoblocker (mentioned in the tech article) is an entirely different Ransomware compared to GPCode, so it's highly unlikely the added reg keys would improve the situation with GPCode, as the keys target WinLock specifically.

    I'm guessing (since I don't have great knowledge of internal workings of GPCode or KIS) that KIS monitors a Windows cryptographic API that GPCode uses to encrypt data, hence blocking the HIPS popup protects data from being encrypted; which would probably be bypassed if GPCode used its own crypto.
     
  19. kikesan

    kikesan Registered Member

    Joined:
    Dec 26, 2008
    Posts:
    13
    Thanks for the info.

    Please, don't give them ideas :D
     
  20. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    To beat this, d/l TrueCrypt, reinstall your OS over your existing OS with a CUSTOM install to an encrypted drive, and create some folders inside folders inside folders. Set the TAIL of your TEMP VARS PATHS to THESE folders. A few other tweaks, and you can forget LUAs and security software. Problem is, once a week you've got to delete droneware files. You can screw up the minds of the malware very easily. Fun thing to do: reregister all sockets and other critical files to open with or depend on different registry keys.

    Malware is sometimes fun.

    Dave
     
  21. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    looks fun! can you make a more detailed tutorial? I want to try this :)
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Aigle, sorry for the late reply. As far as I know Online Armor's AE feature kinda works like a blacklist. It works in protecting against file spoofing, like when you have double file extensions. The last I checked it protected against the following combinations of double file extensions. They may have added more by now since this information was given to me over 2 months ago, and I'm not positive it was a complete list then.

    avi|bmp|wmv|doc|docx|xls|xlsx|torrent|gif|jpg|tiff|pdf|zip|rar|mp3|mp4|jpg
    bat|cmd|com|exe|hlp|hta|lnk|js|jse|pif|scr|shb|shs|vb|vbe|vbs|ws|wsf

    I really love this feature though. If they keep working on their AE feature then it could stop most attacks by itself.
    I don't believe Online Armor offers this feature in the free version, but don't quote me on that. I've always used the premium so I'm not positive. It just seems like someone asked that question before over at the beta test forum, and I believe that was the answer I remember seeing.
     
    Last edited: Apr 29, 2011
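The double-extension check described in the post above can be written as a small name-based filter over the two extension lists it quotes. This is an added example, not Online Armor's code or anything from the thread; the filenames are constructed, and the handling of whitespace padding between the two extensions goes slightly beyond what the post says.

```python
"""Double-extension (file spoofing) check, as an added example. A filename whose
final extension is an executable type and whose preceding extension is a
document/media type is flagged. The two lists come from the post above; the
"jpg" duplicate there collapses into the set. Filenames are constructed for the demo."""

# Document/media types an attacker would want the user to see.
DOC_EXTS = {
    "avi", "bmp", "wmv", "doc", "docx", "xls", "xlsx", "torrent", "gif",
    "jpg", "tiff", "pdf", "zip", "rar", "mp3", "mp4",
}
# Executable/script types that actually run when the file is opened.
EXEC_EXTS = {
    "bat", "cmd", "com", "exe", "hlp", "hta", "lnk", "js", "jse", "pif",
    "scr", "shb", "shs", "vb", "vbe", "vbs", "ws", "wsf",
}


def extension_parts(filename):
    """Split the base name on dots; lower-case and strip whitespace from each part.

    Stripping whitespace catches names such as "holiday.jpg   .scr", where
    padding pushes the real extension out of view in a file listing (this case
    is an assumption that goes beyond the post's list)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return [part.strip().lower() for part in base.split(".")]


def is_double_extension(filename):
    """True if the name looks like <name>.<document ext>.<executable ext>."""
    parts = extension_parts(filename)
    if len(parts) < 3:  # need at least name, inner extension, outer extension
        return False
    outer, inner = parts[-1], parts[-2]
    return outer in EXEC_EXTS and inner in DOC_EXTS


def scan(filenames):
    """Return the names in the list that would be flagged."""
    return [name for name in filenames if is_double_extension(name)]


if __name__ == "__main__":
    # Constructed sample listing: two spoofed names among ordinary files.
    sample = ["photo.jpg.exe", "readme.txt", "setup.exe", "holiday.jpg   .scr", "archive.tar.gz"]
    print(scan(sample))
```

This is a blacklist of name patterns only, so, as the post notes, it is only as complete as its lists; a file with a single executable extension, or a pair not in the lists, passes through untouched.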
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks for the detailed reply.

    I am not sure, but I think this feature is there in the free version.
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    It is very cool they added files/registry protection for unknown/untrusted applications/programs/files. I changed from the default to block unknown and untrusted files ;)
     
  25. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    OK, it's really easy. But backup first. It's easy to sneeze accidentally during the process and wipe your OS. DON'T WANNA DO THAT! Another thing, you DO NOT WANT TO DO THIS IF YOU TRUST MS Windows Update, MS IE, MS Security Center, MS Firewall, or install MS service packs, which I DO NOT, because registry hacking, registry protection and file monitoring are far better than MS!

    It's just like installing Linux, Vista, Win 2000, XP, Win 98 SE all on the SAME partition. Just create the virtual encrypted drive. Create some folders on the drive. Turn off all security software. Drag the install files to one of those folders. Begin the install from within the folder. And be sure to choose ADVANCED or CUSTOM options during the setup. Choose a directory on the encrypted drive. Install to another folder on the encrypted drive. When that is done, you'll have a dual boot system. Now create folders anywhere. Create folders inside those called, say, TEMMMMP, and set these as your Temp folders for the OS on the encrypted drive.

    If you don't feel comfortable doing this, another way is to put your temp folders on an encrypted drive with trust-no-exe or MD to watch those folders.

    Dave

    PS: Lemme know if you run into any problems. PM me.
     