HIPS products & malicious scripts from websites.

http://www.spamfighter.com/News-131...ust-2009-Top-Ten-Malicious-E-threats-List.htm

As you all know, this Zeus/Zbot threat making headlines a couple of weeks ago.In summation, according to:
http://www.thetechherald.com/article.php/200938/4459/Zeus-Trojan-moving-past-anti-Virus-protections

So, while all this is going on, im wondering, wont the HIPS products like DefenseWall, GesWall, AppGuard block this very easily?
The "malicious scripts" will be blocked right?!
I just was curious, the guys only using traditional AV's are freaking out over this news, and im wondering should i freak out too?

 

This was discussed here:

https://www.wilderssecurity.com/showthread.php?p=1545647#post1545647

I don't know hos DefenseWall, GesWall work, but AppGuard will block the Zeus executable from running in both the drive-by attacks, and social engineering attacks where the user clicks on a link which triggers a download of the executable.

If Zeus cannot install/run, it cannot execute any script.

----
rich

 

mamutu didnt give me any alert for this Zeus appranger remove it

 

i am sure HIPS and sandboxes wil stop this bot dead cold. I tried zbot sample already.
Can any one PM me the link which downloads bot as a drive by or as a social engineering trick. Thanks

 

Hi aigle,

Working Links are hard to come by:

1) Published analyses often blur out the link so you can't see it

2) The links are taken down rather quickly by the time they are discovered and exposed

The social engineering exploit is even more difficult to come by. The analyst I mentioned in the other thread could not give me the file for proprietary reasons - he was the incident response investigator, paid by the bank.

You may remember the RTF document exploit I wrote about earlier - It took a week of emails back and forth before I could get the file. They want to be sure it's not going to be used in another exploit!

However, I'm sure in both cases - drive-by or embedded in a document, Zeus would be easily snagged by any decent product with Execution Protection. After all, it's just another executable!

----
rich

 

Thanks Rmus, I understand that but I love to test HIPS and sndboxes against live ''in the wild'' exploits. It,s so fascinating n interesting.

 

hmm, im thinking if AppGuard will block it, so will Defensewall and Geswall,
as they also will prevent anything from executing in an untrusted browser.

I have no real idea of what 'scripts' are or what they do, i do have a vague recollection that No-script pops up a tab saying that some 'cross filtering script' was blocked, and ff was prevented from being redirected to another site.

So, once again HIPS apps. trumps over these malicious attempts.

 

Since this is a malicious script I'm guessing Noscript can stop it right?

 

I think so.
But if you for some reason in no-script you click 'temporary allow this page',
thinking that it is a safe site,
then, if you had DefenseWall or GesWall, the script still wouldnt be able to infect/inject malicious code your system.
Thats my understanding.

 

I always have Noscript blocking unless the site isn't working then I check WOT for each script's site rating.

 

http://www.malwaredomainlist.com ~snip~

"WARNING: All domains on this website should be considered dangerous. If you do
not know what you are doing here, it is recommended you leave right away. This
website is a resource for security professionals and enthusiasts."

You should be able to find a few links there.

 

Thanks Espresso, zeus/wsnpoem v2 trojan url link is available.

 

also, try here

Code:

http://www.malwarebytes.org/forums/index.php?showforum=30

 

Here is another that I use!
[FONT=&quot][/FONT]

Code:

http://www.malwareurl.com/listing-urls.php?urls=on
[COLOR=DarkRed][B]WARNING: All domains/IPs listed on this website should be treated with extreme caution.
Some of them will automatically infect your computer.[/B][/COLOR]

TH

 

Unfortunately, these lists mostly contain links to the executable itself, rather than the exploit page for zbot. However, there was one, drive-by download that attempted to dump Zbot.

Connecting to the site brings up an alert:

​

The page code analyzes as malicious:

​

There were 4 exploits packaged as a kit - a common technique.

​

The only exploit that executed was the first, MDAC, an old IE6 exploit.

I ran the exploit again and let the file download. It scanned as Trojan.Zbot!IK

Referring to the article mentioned in the first post:

The script can't do anything unless Zbot can first install on the computer. Unfortunately, the articles that sensationalize stuff like Zbot fail to point out that secure preventative measures nullify these exploits at the gate.

This is not to downplay the seriousness of such malware, but just to keep things in perspective!

The other exploits included a PDF and SWF, and these files display in the cache:

​

They scan as:

Exploit/Win32.Pidief

Trojan.SWF.Dropper!IK

----
rich

 

wow, fun stuff, err well its not fun if you are the one who is infected
but i mean, does anyone else find this exciting?!!

Thanks for the pictures Rmus!

 

it is fun indeed

 

I agree,automatic exploits from websites are more dangerous because users without good HIPS,or behavior analyzer can't even decide to allow it or not,malware just walk in the PC.....and like is well known most malware live only 24 hours on the internet,and AV definitions against this new samples are slow,and too late...

 

I'm glad you enjoyed the fun!

To see if the PDF or FLASH exploits would work, I enabled javascript and plugins in Opera. The IE exploit won't work, of course.

The PDF file loaded into the i-frame, but nothing happened - I have an old version of Acrobat Reader, so it evidently wouldn't execute anything.

This is the code:

Code:

<i frame src=ethicsModel.pdf></i frame>

​

The malware that these PDF and SWF exploits would download would also have been file.exe, (bot.exe), according to the analysis:

​

The VirusTotal report shows the same MD5

This is typical of "packaged" or "kit" exploits, as described here:

ZBot data dump
http://www.thetechherald.com/articl...vered-with-over-74-000-FTP-credentials-Update

Very clever, but easy to prevent. Note that I had to reduce security in the browser for the PDF exploit even to run.

With the browser properly configured, no additional security is required to handle these PDF exploits!

----
rich

 

A good host file ( to bypass old exploits against deprecate reader...) and a sandboxed browser is less risky when you visit them.

I was beta tester long ago for Sunbelt and they spam me with their glorious advertisements not to mention their fat products with neverending bluescreens with any unconventional low Test PC ... and their crappy uninstaller.

 

you do realize that because of you many of the unexperienced members of wilderssecurity will get infected.... you could have sent a pm to whoever you want it but not post it...

 

No they won't. MDL does not list hyperlinks to malware. It would take some effort to get infected.

 

Plus he put a big ol warning haha.

 

If someone manages to copy and paste the link without reading the big disclaimer then proceeds to copy and visit the malware links from the list then they deserve to get infected. You can't fix stupid.