HIPS and Behavior Monitoring

Hi,

We´ve been talking about the ultimate HIPS and stuff, but I just wonder about which behaviors they all should be monitoring. We all know that if it´s only missing one thing (programming errors aside) you can already get infected. Most HIPS nowadays are monitoring stuff that is used by malware in real life, but now and then they seem to completely miss some things. So let´s make a list of areas/behaviors HIPS should be monitoring.

 

So, have I covered just about everything? Feel free to come up with more areas and to comment about this subject. Keep in mind that it´s not only about classical HIPS who can guard these areas, sandboxes will automaticly protect/restrict certain vulnerable apps against most, if not all, of this, of course without asking any questions.

 

I think, HIPS fail in one regard,
Specifically where it concerns web browsers and server cross scripting as they are not monitoring web browser based injections. I believe most do pickup executables at the activation point however if not activated by commands invoked by the browser. That is why in the case of Firefox an Adon such as NoScript is necessary.

 

I´m a bit surprised about the lack of comments, I would like to see the developers of the various HIPS to comment, I wonder, does your HIPS protect against this stuff, have I missed something, are their perhaps any new attack vectors?

Perhaps also an idea to make a list of the most important registry keys, I´ve seen quite a few lists but I still don´t know what are the most essential ones.

Of course the Windows system files should be protected against modification. And what about NTFS permissions? According to Solcroft they can be used to lock a user out of his/her system.

I´ve noticed that both TF and NG fail to protect against this, so perhaps an idea to virtualize these actions, like SBIE does. Also, can HIPS protect against other types of (none destructive) file infectors?

Let´s say you´re infected with a rootkit, is killing invisible processes enough to prevent the rootkit from doing any damage (stealing data etc.)?

Well, the question is if HIPS should monitor this, perhaps an idea to add this feature in the future, but perhaps it´s better if protection is build into the browser itself?

 

Trojan.Srizbi runs completely in kernel mode (no user mode payload/injection) so it doesn't have a process.

 

Yes indeed.

 

Very interesting! So this rootkit can do whatever the hell it wants without a process? You know what I was thinking, I wonder if HIPS will ever be able to stop already installed malware, so basically the HIPS must be some kind of "see it all" super rootkit, that can still spot malicious behavior from other stealthy malware.

Care to explain this LUSHER, what do you mean?

 

this one should be included?

Anti directly I/O port access: With directly I/O, one APP can read/write the disk in sector or send data to internet via netcard.

 

Can you give a bit more details, and are there any HIPS which are already monitoring this? I do recall seeing something like this in VirusKeeper, but never really understood it. Also, NG offers protection against "remote shell execution", is this different from cmd.exe?

 

Yes, the kernel driver does all the work, even spamming. Most rootkits only use the kernel driver to hide their files/processes/services/registry keys, but the "real work" (spamming, DDoSing, displaying ads, etc) is done at the user level injecting code into a system process.
Impressive stuff indeed.

 

He (probably) means low-level disk access (talking to disk.sys or even lower level stuff) and talking directly to the NIC driver (bypassing NDIS).

 

To answer my own question:

But if cmd.exe can´t execute, a remote shell can´t be launched I assume.

This one isn´t on my list, can someone give a bit more info about it? Is this related to process memory modification?

I was looking at some old tests from nicM, and this caught my attention, DSA was still able to spot certain behavior after its kernel hooks were wiped, I wonder if other HIPS can do this too?

 

LUSHER, I´m still waiting for your answer? Did I miss something? And where are the HIPS developers at? Can someone perhaps answer my questions? What other areas need to be guarded?

Interesting qoute from Peter2150 (at the PS forum), can you give a bit more info perhaps? I guess it´s too noisy?

 

Yes, All the time... All the time Rasheed...

As it occured to you that maybe your questions show you don't understand a thing, and hence anyone who knows anything isn't borthering to answer because it would be a waste of time?

Don't feel bad, I don't know enough to phrase a proper question either.

 

another post removed and suggest that if this thread is to continue, it does so by discussing HIPS and Behavior Monitoring only. It's not open for comment concerning post removals, whether in jest or seriousness.

Thanks,
Bubba

 

Meanwhile, back at the ranch...

A) For a good comparison of behaviorists/HIPS check it out HITHER & THITHER.

B) As to non-replies by HIPS proponents: most of the stand-alone HIPS are 1-man operations -- e.g. SysSafetyMonitor (Vitali), Prosecurity (Jie) -- so they rarely have time to visit Wilders.

C) Threatfire mainly replies to posts on their support forum although they do visit Wilders from time to time.

D) Winpooch, Neoava, Coreforce, & 3 or 4 other HIPS are "abandonware" at the moment, mainly because their proponents are busy with other affairs & have zero time for their respective HIPS program.

E) Comodo's HIPs is quite good, but also is mainly responsive to posts on their own forum. Those who DO comment here at Wilders are mainly to be found in the Firewall forum because Comodo3 is mainly regarded as a firewall with a HIPS glued onto it.

 

Although it was a very rough decision for me to change, in EQS i saw a chance to make a break from System Safety Monitor which is been iron-clad and reliable as ever.

But the HIPS EQSecurity seems to offer me more options to set rules on nearly everything they,ve compiled it to cover, including file and extension coverage. Malware is been notorious in changing extensions to their own designated programs to run and EQS affords the user to keep watch for such a change and block it entirely.

Even to this day, i still not completely addressed every potential entry point they could manipulate. The freeware app RegTick is a good starter to hunt down the resgistry entries that all malware needs to do is change a 0 to 1 to disable many common settings. I wish MS had not offered in XP the option to disable so many settings, so a HIPS is the only way to monitor all these registry entries as well as file extensions.

Behavior Monitoring & HIPS are closely related in some ways and yet distant in others. The whitelists of HIPS are fantastic and even the suspending mechanisms Behavioral Monitors & HIPS rely on are the best innovations i have ever seen for any behavioral app. I suppose they took a page from the AV's book on that, but it sure is nice to have an unknown and potential malware file stopped dead in it's track for a user to research first then just simply notifying as well as allowing it to continue.