Hmm... still another rootkit bypassing CFP?

Discussion in 'other anti-malware software' started by aigle, Aug 2, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I tried this rootkit installer detected as Win32/TrojanClicker.Agent.BCI by NOD32 on VT( the only detection on VT for it). It installs a hiddden driver via windows installer, so I removed pre-defined rules for windows installer in CFP, marking it as untrusted. I used max paranoid settings.

    Hope some one can confirm my findings. I allowed all pop up alerts.

    Here are my settings.

    3.jpg
    4.jpg
    s.jpg
     
    Last edited: Aug 2, 2008
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Here are the popups by CFP, no pop up about driver install/ loading though there is pop up about a new sys file craetion and services registry modification( probably showing ne service install but it must be more obvious like other HIPS). Even no popup alert about SCM access alert.

    1.jpg 2.jpg
    5.jpg 6.jpg
    7.jpg
     
    Last edited: Aug 2, 2008
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Alerts by EQS about driver install/ loading. :thumb:
     

    Attached Files:

  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    They have repsponded to all other queries and in all cases it was a real bug, nothing wrong on my side.

    Only this issue is not addressed so far and I am almost sure that again here it,s a bug in CFP.
     
  5. baerzake

    baerzake Registered Member

    Joined:
    Aug 18, 2007
    Posts:
    44
    It is a bug of cfp, I just want it be fixed as soon as possible
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    But if you block the new file creation, I suppose the driver gets blocked? But yes it should give the alert about driver loading anyway. I think the problem with CFP is that it´s giving way too many alerts, it should get smarter.
     
  7. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

    I can personally confirm that DefenseWall v2.45 successfully blocks and contains install.exe's rootkit driver, dll's and malicious new program installation. I have attached both my DW events log and rollback list as proof.


    Peace & Gratitude,

    CogitoErgoSum
     

    Attached Files:

  8. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    Code:
    HKLM\SYSTEM\ControlSet001\Services\msliksurserv.sys
    There's something wrong with the registry path.
     
  9. ambient_88

    ambient_88 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    854
    What's wrong with it?
     
  10. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    Code:
    HKLM\SYSTEM\ControlSet001\Services[COLOR="Red"]\(?..)\[/COLOR]msliksurserv.sys
    Unless this is intentional!
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    From where u took the two paths?
     
  12. Alcyon

    Alcyon Registered Member

    Joined:
    Jan 16, 2008
    Posts:
    438
    Location:
    Montr?al, Canada
    Just by looking at the pics you posted, isn't the path supposed instead to be something like HKLM\SYSTEM\ControlSet001\Services\ServiceName\ImagePath\msliksurserv.sys ?

    Btw, I'm planning to try CFP with D+ soon. I haven't tested D+ since MANY months.
     
    Last edited: Aug 3, 2008
  13. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    good job on these tests aigle, they should be paying you for all this work :D

    quick question though, which eqsecure are you using? 3.41 or 4.0 beta?
     
  14. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    I am guessing this isn't going to be fixed in CFP, but in CIS when it comes out in 3-4 weeks.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks zopzop. :)

    I was using EQS 3.41.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hmmm... I think only Comodo people can tell about this.
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Kudos to Eset. See.....:D

    How did GW do against it.
     
  18. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Just tested SBIE 3.28 against it.
    Rootkit safely contained in the sandbox.
    sbie.JPG
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks for the testing!
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Hi,

    I´ve tested this malware on two VM´s and I got strange results. First of all both SSM Pro and NG pass the test. However, on one of my machine I saw the strangest thing, it looked like Windows Installer was sort of infected by this rootkit, because everytime I tried to launch a .msi file, it was trying to infect my machine with the msliksurserv.sys rootkit!

    So this means that if you didn´t pay any attention (and even if you did) you could end up infecting your system when executing a harmless app. I never saw this before, seems to be very advanced malware. Rootkit Unhooker also reported seeing stealth code on the system, it also detected a parasite inside itself. The question is how to stop this rootkit from modifying/infecting Win Installer, NG couldn´t do it, but I didn´t get to see this behavior when I tested SSM Pro.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    GW stops it but ATM there is a small problem. U mighht fail to launch trusted applications untill u reboot or kill the malware process manually.

    In any way system is not compromized at all. I hope that the minor issue will be fixed as it is being investigated.
     
Loading...
Thread Status:
Not open for further replies.