Have you ever seen an AE/HIPS bypassed without user interaction?

Discussion in 'polls' started by Gullible Jones, Aug 29, 2013.

Have you ever seen an AE or HIPS bypassed with no user interaction?

  1. Yes

    4 vote(s)
    12.1%
  2. No

    29 vote(s)
    87.9%
  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    As per title. If yes, please mention what anti-executable or HIPS was bypassed, and under what circumstances.
     
  2. guest

    guest Guest

    Anti-executable is easy. We only need to exploit or hijack the whitelisted process. For CHIPS, as long as it's put into quiet/safe mode then it's not really all that useful IMO. Otherwise, a chatty CHIPS should warn you if your trusted programs are being manipulated or changed...

    ...plus other notifications. :D
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Not yet, those are very rare.
     
  4. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Not that i know of. :D
     
  5. guest

    guest Guest

    You know you can do it yourself actually. Just enable the whitelisting features and you will see lots of new trusted processes added without you knowing it. There, bypassed. Now before anyone starts to blast their guns, the OP never said if it's a malicious bypass or not. So I'm safe. :p

    IIRC aigle-sensei had tested various HIPS programs in the past, here on WSF. I can't be sure but there were bypasses, although it might not be relevant now due to updates.
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Sorry, legit programs being allowed via preconfigured rules does not qualify as a bypass. If a completely unknown program were allowed via a rule intended for a legit one, that would be a bypass.

    I'm not a great fan of AE/HIPS programs on Windows, but let's at least be fair here.

    Anyway we all know that you can do nasty stuff in the address space of a compromised process. The question is whether anyone has actually seen it happen, outside of controlled environments such as hacking competitions.
     
  7. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    IMHO good (i.e. controlling all threat directions) HIPS can hardly be bypassed without user interaction. I guess Cruelsister has vast experience here.
     
  8. guest

    guest Guest

    >=V

    Okay, well, aigle's tests are still valid references, aren't they?
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Why? If Firefox.exe is whitelisted and I run my malicious commands through it, why does it not qualify as a bypass? No, never seen it in the wild. These programs are rarely used, so rarely targeted.
     
  10. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    So it's a somewhat arbitrary distinction... Perhaps I should rephrase my question:

    Have any of you ever seen actual malicious code executed by ITW malware or ITW client-side exploits, without any user interaction, on a Windows system running an AE/HIPS?
     
  11. guest

    guest Guest

    For that limited scope, no. Any bypasses I've ever seen are only on tests done by the experts. But I believe it's just a matter of time and popularity until we see it in real-life situations.
     
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    How is it possible to do it?
     
  13. guest

    guest Guest

    Why do people keep asking hard questions to me these last few days? :ouch:

    Well, for one, if the anti-exe doesn't protect you from a certain executable, then it's possible to make use of the whitelisted process for its malicious purposes, like DLLs or macro scripts for example.

    Some info: hxxp://www.insanitybit.com/2012/06/04/why-i-dont-like-antiexecutables/

    P.S. : I'm not sure if I understand everything I've read correctly since I'm not an expert on this one. Pardon if my conclusion is such a big mistake.
     
    Last edited by a moderator: Sep 2, 2013
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
  15. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    I've yet to have one bypassed by Test, POC or live Malware. (purposely trying of course)
    This is only from my own personal experience.
     
  16. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    Here's an example of one bypassed in a test performed by Pedro:
    https://www.wilderssecurity.com/showthread.php?t=306496&highlight=xyvos

     
  17. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
  18. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    It's an AE, "Whitelist Antivirus" is just a fancy commercial name...
     
  19. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Perhaps, but not a very good one it seems.
     
  20. SLE

    SLE Registered Member

    Joined:
    Jun 30, 2011
    Posts:
    361
    Yes - HIPS.
    HIPS systems don't observe every action; if files use such unobserved actions, they can easily be bypassed. Happened in the past and will happen in the future.
     
  21. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    May I ask which HIPS you are referring to and under what circumstances in which the bypass took place?
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, all of the time, with Faronics Anti-Executable (AE) installed.

    PDF exploits are a good example. Here is a file, analyzed as "malicious."

    [image: wepawet_1.gif]

    This was included in an Exploit Pack and the exploit triggered as I went to the booby-trapped web site.

    This code embedded in the web page calls the PDF plug-in:

    [image]

    Then, the code inside the PDF file uses Windows APIs to download a malicious executable file:

    [image]

    At this point, even though malicious code has executed, the exploit fails because the malicious executable to be downloaded is not on my computer's Whitelist, and is flagged by AE:

    [image: ff-acroAE.gif]

    ----
    rich
     
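Added example (editorial; not code from any poster in this thread, and not Faronics AE's implementation): a small model of the distinction the thread keeps circling. It walks the chain Rmus describes above (exploit code runs inside the whitelisted browser, calls a download API, then tries to start the downloaded file) and, for contrast, the "run it through a whitelisted host" objection raised by Hungry Man (post 9) and guest (post 13), where the attacker's logic is a script and the only image ever started is an already-allowed interpreter. Assumptions: the anti-executable keys on a SHA-256 whitelist of process images and only sees process creation; the image bytes, process names and the script-host scenario are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for executable images so the example runs offline.
# A real anti-executable hashes the file on disk; none of these are real binaries.
IMAGES = {
    "firefox.exe": b"MZ constructed browser stand-in",
    "wscript.exe": b"MZ constructed script-host stand-in",
    "dropper.exe": b"MZ constructed downloaded payload stand-in",
}


def image_hash(name):
    """SHA-256 of the image bytes: the identity the policy keys on (assumption:
    a hash-based whitelist, the usual way an anti-executable identifies images)."""
    return hashlib.sha256(IMAGES[name]).hexdigest()


# Whitelist built from what was installed before the attack. The browser and the
# script host are legitimate, preconfigured entries; the dropper is not.
WHITELIST = frozenset(image_hash(n) for n in ("firefox.exe", "wscript.exe"))


@dataclass(frozen=True)
class Event:
    kind: str               # "process_create" (the AE sees this) or "in_process" (it does not)
    image: str              # executable image whose code runs at this step
    parent: str             # process that requested it
    note: str               # what happens at this step
    attacker: bool = False  # is this step attacker-controlled code?


def anti_executable(event, whitelist=WHITELIST):
    """Model of an anti-executable enforcement point.

    It intercepts process creation and decides purely by image hash. Whatever
    happens inside an already-running, already-allowed process (a plug-in
    exploited in the browser, a script interpreted by a whitelisted host) is
    outside its view, so those steps come back as "not_observed".
    """
    if event.kind != "process_create":
        return "not_observed"
    return "allow" if image_hash(event.image) in whitelist else "block"


# Chain 1, following Rmus's description: drive-by PDF exploit inside the browser.
PDF_EXPLOIT_CHAIN = (
    Event("process_create", "firefox.exe", "explorer.exe", "user opens the browser"),
    Event("in_process", "firefox.exe", "firefox.exe",
          "page script hands a malicious PDF to the plug-in; exploit code runs in the browser process", True),
    Event("in_process", "firefox.exe", "firefox.exe",
          "exploit code calls a Windows API to download dropper.exe", True),
    Event("process_create", "dropper.exe", "firefox.exe",
          "exploit tries to start the downloaded file", True),
)

# Chain 2 (constructed): attacker logic carried by a script, so the only image
# that ever starts is the already-whitelisted interpreter.
WHITELISTED_HOST_CHAIN = (
    Event("process_create", "wscript.exe", "explorer.exe",
          "attacker-supplied script launched via the whitelisted script host", True),
    Event("in_process", "wscript.exe", "wscript.exe",
          "script logic runs; no new image is created, nothing new to hash", True),
)


def run_chain(chain, whitelist=WHITELIST):
    """Apply the AE decision step by step; stop at the first blocked step."""
    verdicts = []
    for event in chain:
        verdict = anti_executable(event, whitelist)
        verdicts.append(verdict)
        if verdict == "block":
            break
    return verdicts


def malicious_code_ran(chain, whitelist=WHITELIST):
    """True if attacker-controlled code executed at a step the AE allowed or never
    saw: the 'malicious code has executed' part of the post above."""
    verdicts = run_chain(chain, whitelist)
    return any(e.attacker and v != "block" for e, v in zip(chain, verdicts))


def payload_blocked(chain, whitelist=WHITELIST):
    """True if the chain ended because a non-whitelisted image was denied."""
    return run_chain(chain, whitelist)[-1] == "block"


if __name__ == "__main__":
    for name, chain in (("PDF exploit", PDF_EXPLOIT_CHAIN),
                        ("whitelisted host", WHITELISTED_HOST_CHAIN)):
        print(f"{name}: verdicts={run_chain(chain)} "
              f"malicious code ran={malicious_code_ran(chain)} "
              f"payload blocked={payload_blocked(chain)}")
```

Running it shows why both sides of the poll can be right: in the PDF chain malicious code does execute (two steps the AE never observes) and the attack still fails at the one step the AE does observe, the start of a new, unknown image; in the script-host chain every step is either allowed or invisible, so the same policy never fires. What an AE gives you is control over which images may start, not inspection of what an allowed image does once running; whether that second chain counts as a "bypass" is exactly the definitional argument in this thread.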
  23. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    So the bottom line is that the system was not compromised.
     
  24. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    5,150
    Would be good to have a list of programs.
    I mean some are stronger than others.
     