Hmm... still another rootkit bypassing CFP?

I tried this rootkit installer detected as Win32/TrojanClicker.Agent.BCI by NOD32 on VT( the only detection on VT for it). It installs a hiddden driver via windows installer, so I removed pre-defined rules for windows installer in CFP, marking it as untrusted. I used max paranoid settings.

Hope some one can confirm my findings. I allowed all pop up alerts.

Here are my settings.

 

Here are the popups by CFP, no pop up about driver install/ loading though there is pop up about a new sys file craetion and services registry modification( probably showing ne service install but it must be more obvious like other HIPS). Even no popup alert about SCM access alert.

 

Alerts by EQS about driver install/ loading.

 

They have repsponded to all other queries and in all cases it was a real bug, nothing wrong on my side.

Only this issue is not addressed so far and I am almost sure that again here it,s a bug in CFP.

 

It is a bug of cfp, I just want it be fixed as soon as possible

 

But if you block the new file creation, I suppose the driver gets blocked? But yes it should give the alert about driver loading anyway. I think the problem with CFP is that it´s giving way too many alerts, it should get smarter.

 

For those who are interested,

I can personally confirm that DefenseWall v2.45 successfully blocks and contains install.exe's rootkit driver, dll's and malicious new program installation. I have attached both my DW events log and rollback list as proof.


Peace & Gratitude,

CogitoErgoSum

 

Code:

HKLM\SYSTEM\ControlSet001\Services\msliksurserv.sys

There's something wrong with the registry path.

 

What's wrong with it?

 

Code:

HKLM\SYSTEM\ControlSet001\Services[COLOR="Red"]\(?..)\[/COLOR]msliksurserv.sys

Unless this is intentional!

 

From where u took the two paths?

 

Just by looking at the pics you posted, isn't the path supposed instead to be something like HKLM\SYSTEM\ControlSet001\Services\ServiceName\ImagePath\msliksurserv.sys ?

Btw, I'm planning to try CFP with D+ soon. I haven't tested D+ since MANY months.

 

good job on these tests aigle, they should be paying you for all this work

quick question though, which eqsecure are you using? 3.41 or 4.0 beta?

 

I am guessing this isn't going to be fixed in CFP, but in CIS when it comes out in 3-4 weeks.

 

Thanks zopzop.

I was using EQS 3.41.

 

Hmmm... I think only Comodo people can tell about this.

 

Kudos to Eset. See.....

How did GW do against it.

 

Just tested SBIE 3.28 against it.
Rootkit safely contained in the sandbox.

 

Thanks for the testing!

 

Hi,

I´ve tested this malware on two VM´s and I got strange results. First of all both SSM Pro and NG pass the test. However, on one of my machine I saw the strangest thing, it looked like Windows Installer was sort of infected by this rootkit, because everytime I tried to launch a .msi file, it was trying to infect my machine with the msliksurserv.sys rootkit!

So this means that if you didn´t pay any attention (and even if you did) you could end up infecting your system when executing a harmless app. I never saw this before, seems to be very advanced malware. Rootkit Unhooker also reported seeing stealth code on the system, it also detected a parasite inside itself. The question is how to stop this rootkit from modifying/infecting Win Installer, NG couldn´t do it, but I didn´t get to see this behavior when I tested SSM Pro.

 

GW stops it but ATM there is a small problem. U mighht fail to launch trusted applications untill u reboot or kill the malware process manually.

In any way system is not compromized at all. I hope that the minor issue will be fixed as it is being investigated.