HIPS products & malicious scripts from websites.

Discussion in 'other anti-malware software' started by Lebowsky, Sep 24, 2009.

Thread Status:
Not open for further replies.
  1. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    http://www.spamfighter.com/News-131...ust-2009-Top-Ten-Malicious-E-threats-List.htm
    As you all know, this Zeus/Zbot threat was making headlines a couple of weeks ago. In summation, according to:
    http://www.thetechherald.com/article.php/200938/4459/Zeus-Trojan-moving-past-anti-Virus-protections
    So, while all this is going on, I'm wondering, won't the HIPS products like DefenseWall, GesWall, AppGuard block this very easily?
    The "malicious scripts" will be blocked, right?!
    I was just curious; the guys only using traditional AVs are freaking out over this news, and I'm wondering, should I freak out too? :blink: :ouch:
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This was discussed here:

    https://www.wilderssecurity.com/showthread.php?p=1545647#post1545647

    I don't know how DefenseWall, GesWall work, but AppGuard will block the Zeus executable from running in both the drive-by attacks, and social engineering attacks where the user clicks on a link which triggers a download of the executable.

    If Zeus cannot install/run, it cannot execute any script.

    ----
    rich
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Mamutu didn't give me any alert for this Zeus :) AppRanger removed it ;)
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am sure HIPS and sandboxes will stop this bot dead cold. I tried a Zbot sample already.
    Can anyone PM me the link which downloads the bot as a drive-by or as a social engineering trick? Thanks
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi aigle,

    Working links are hard to come by:

    1) Published analyses often blur out the link so you can't see it

    2) The links are taken down rather quickly by the time they are discovered and exposed

    The social engineering exploit is even more difficult to come by. The analyst I mentioned in the other thread could not give me the file for proprietary reasons - he was the incident response investigator, paid by the bank.

    You may remember the RTF document exploit I wrote about earlier - It took a week of emails back and forth before I could get the file. They want to be sure it's not going to be used in another exploit!

    However, I'm sure in both cases - drive-by or embedded in a document, Zeus would be easily snagged by any decent product with Execution Protection. After all, it's just another executable!

    ----
    rich
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Rmus, I understand that, but I love to test HIPS and sandboxes against live "in the wild" exploits. It's so fascinating and interesting.
     
  7. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    Hmm, I'm thinking if AppGuard will block it, so will DefenseWall and GesWall,
    as they also will prevent anything from executing in an untrusted browser.

    I have no real idea of what 'scripts' are or what they do. I do have a vague recollection that NoScript pops up a tab saying that some 'cross filtering script' was blocked, and FF was prevented from being redirected to another site.

    So, once again HIPS apps trump these malicious attempts. :thumb:
     
  8. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,123
    Location:
    Pennsylvania.
    Since this is a malicious script, I'm guessing NoScript can stop it, right?
     
  9. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    I think so.
    But if for some reason in NoScript you click 'temporarily allow this page',
    thinking that it is a safe site,
    then, if you had DefenseWall or GesWall, the script still wouldn't be able to infect/inject malicious code into your system.
    That's my understanding.
     
  10. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,123
    Location:
    Pennsylvania.
    I always have NoScript blocking unless the site isn't working; then I check WOT for each script's site rating.
     
  11. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975

    http://www.malwaredomainlist.com ~snip~

    "WARNING: All domains on this website should be considered dangerous. If you do
    not know what you are doing here, it is recommended you leave right away. This
    website is a resource for security professionals and enthusiasts."


    You should be able to find a few links there.
     
    Last edited by a moderator: Sep 25, 2009
  12. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    Thanks Espresso, the Zeus/wsnpoem v2 trojan URL link is available.
     
  13. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    Also, try here :argh: :eek:
    Code:
    http://www.malwarebytes.org/forums/index.php?showforum=30
     
  14. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Here is another that I use!
    Code:
    http://www.malwareurl.com/listing-urls.php?urls=on
    WARNING: All domains/IPs listed on this website should be treated with extreme caution.
    Some of them will automatically infect your computer.
    TH
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Unfortunately, these lists mostly contain links to the executable itself, rather than the exploit page for Zbot. However, there was one drive-by download that attempted to dump Zbot.

    Connecting to the site brings up an alert:

    [image: zs-IE.gif]

    The page code analyzes as malicious:

    [image: zs-wepawet.gif]

    There were 4 exploits packaged as a kit - a common technique.

    [image: zs-wepawet2.gif]

    The only exploit that executed was the first, MDAC, an old IE6 exploit.

    I ran the exploit again and let the file download. It scanned as Trojan.Zbot!IK.

    Referring to the article mentioned in the first post:

    The script can't do anything unless Zbot can first install on the computer. Unfortunately, the articles that sensationalize stuff like Zbot fail to point out that secure preventative measures nullify these exploits at the gate.

    This is not to downplay the seriousness of such malware, but just to keep things in perspective!

    The other exploits included a PDF and SWF, and these files display in the cache:

    [image: zs-cache.gif]

    They scan as:

    Exploit/Win32.Pidief

    Trojan.SWF.Dropper!IK


    ----
    rich
     
    Last edited: Sep 26, 2009
  16. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    Wow, fun stuff... err, well, it's not fun if you are the one who is infected :ouch:
    but I mean, does anyone else find this exciting?!! :argh: o_O

    Thanks for the pictures Rmus!
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    It is fun indeed :D :cool:
     
  18. Athletic

    Athletic Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    90
    I agree, automatic exploits from websites are more dangerous because users without a good HIPS or behavior analyzer can't even decide whether to allow it or not; malware just walks into the PC... And, as is well known, most malware lives only 24 hours on the internet, and AV definitions against these new samples are slow, and too late...
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I'm glad you enjoyed the fun!

    To see if the PDF or Flash exploits would work, I enabled JavaScript and plugins in Opera. The IE exploit won't work, of course.

    The PDF file loaded into the iframe, but nothing happened. I have an old version of Acrobat Reader, so it evidently wouldn't execute anything.

    This is the code:

    Code:
    <i frame src=ethicsModel.pdf></i frame>
    [image: zs-opera.gif]

    The malware that these PDF and SWF exploits would download would also have been file.exe, (bot.exe), according to the analysis:

    [image: zs-wepawet3.gif]

    The VirusTotal report shows the same MD5.

    This is typical of "packaged" or "kit" exploits, as described here:

    ZBot data dump
    http://www.thetechherald.com/articl...vered-with-over-74-000-FTP-credentials-Update
    Very clever, but easy to prevent. Note that I had to reduce security in the browser for the PDF exploit even to run.

    With the browser properly configured, no additional security is required to handle these PDF exploits!

    ----
    rich
     
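    The kit Rmus describes above delivers its PDF and SWF stages through an iframe (the `<i frame src=ethicsModel.pdf>` snippet). As an added example, not code from the post or from any product named in the thread, the following script scans a saved page's HTML for iframes that load PDF or SWF resources, so an analyst can triage a suspect page offline before deciding whether to open it. The sample page and the `example.invalid` / `other.invalid` hostnames are constructed placeholders, not real indicators.

```python
import posixpath
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# File types the kit in this thread delivered through an iframe (PDF and SWF).
SUSPECT_EXTENSIONS = {".pdf", ".swf"}


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a page (quoted or not)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def flag_iframes(page_url, html):
    """Return findings for iframes whose src is a PDF or SWF resource.

    Each finding records the absolute URL of the framed resource, its
    extension, and whether it is served from a host other than the page's.
    """
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for src in parser.sources:
        absolute = urljoin(page_url, src)          # resolve relative src
        parts = urlsplit(absolute)
        ext = posixpath.splitext(parts.path)[1].lower()
        if ext in SUSPECT_EXTENSIONS:
            findings.append({"url": absolute, "extension": ext,
                             "cross_host": parts.hostname != page_host})
    return findings


# Constructed sample page modelled on the snippet in the post above;
# hostnames and file names are placeholders, not real indicators.
SAMPLE_PAGE = """<html><body>
<iframe src=ethicsModel.pdf></iframe>
<iframe src="http://other.invalid/kit/loader.swf" width=1 height=1></iframe>
<iframe src="/about.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in flag_iframes("http://example.invalid/index.html", SAMPLE_PAGE):
        print(hit)
```

    Run against the constructed page it reports the relative PDF iframe and the cross-host SWF iframe and ignores the ordinary HTML frame.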
  20. gh0st

    gh0st Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    15
    A good hosts file (to bypass old exploits against a deprecated reader...) and a sandboxed browser make it less risky when you visit them.

    I was a beta tester long ago for Sunbelt, and they spammed me with their glorious advertisements, not to mention their fat products with never-ending bluescreens on any unconventional low-spec test PC... and their crappy uninstaller.
     
    Last edited: Oct 13, 2009
  21. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    408
    Location:
    romania
    You do realize that because of you many of the inexperienced members of Wilders Security will get infected... You could have sent a PM to whoever wanted it, but not posted it... :thumbd:
     
  22. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    No they won't. MDL does not list hyperlinks to malware. It would take some effort to get infected.
     
  23. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,123
    Location:
    Pennsylvania.
    Plus he put a big ol' warning, haha.
     
  24. osubuck

    osubuck Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    18
    If someone manages to copy and paste the link without reading the big disclaimer, then proceeds to copy and visit the malware links from the list, then they deserve to get infected. You can't fix stupid.
     