Idea for HIPS backend using native capabilities of WinXP and later

Discussion in 'other anti-malware software' started by Gullible Jones, Oct 30, 2014.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Thanks Kees. I thought that I would have to do something like that.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Actually, I was not talking about stopping shell-code from running, anti-exploit can take care of that. But let's say shell-code can successfully run, most of the time it will download and execute some Trojan with rootkit capabilities. And if that Trojan is using some advanced infection technique that's not covered by HIPS, it might be game over. Of course shell-code can also be a so-called "reverse shell" running inside memory only, so without any files on disk. I'm not sure if HIPS would be able to defeat this.
     
  3. @Rasheed187

    Could you provide some background information on those "advanced injection" techniques?

    Thx
     
  4. controler

    controler Guest

    Rasheed, are you talking about the newest Poweliks Trojan?
     
  5. Looked at Poweliks, can't be the advanced injections Rasheed mentions, because system hardening will probably prevent it
    • Poweliks is usually dropped through a Word or Excel document; EMET ASR prevents running VB and JavaScript in all Office apps, GPO prevents 16-bit apps (DOS shell) and the Windows shell (cmd.exe) from running, including scripts, so blocked I guess
    • Poweliks is usually triggered through changing user autoruns; I block changing user autoruns through GPO/ACL, so blocked I guess
    • Poweliks secondly needs access to PowerShell; I allow only signed PowerShell scripts to run, so it probably needs some smart debunking to succeed. Secondly I have associated notepad.exe with PS1 files, thirdly I have added PS1 to the designated file types of SRP, so not going to happen I guess

    IMO exploits are about running scripts in rich content and getting access to the shell. So limit running scripts and block access to the shell, and most important keep your system patched.

    Regards Kees
     
    Last edited by a moderator: Nov 9, 2014
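    The three controls in the post above (signed-only PowerShell, .ps1 opening in an editor instead of powershell.exe, the user's own Run key not writable, PS1 listed as an SRP designated file type) can be audited from the interactive user's session. The script below is an added example, not Kees's own configuration or anything from the thread; the function names Test-PoweliksHardening and Deny-RunKeyWrite are this example's, and it assumes the SRP designated file types live in the ExecutableTypes multi-string under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the location that GPO-deployed Software Restriction Policies write to).

```powershell
# Added example, not code from the thread. Audits one Windows host for the
# controls described in the post and can apply the Run-key ACL control.
# Function names are this example's own; assumes PowerShell 2.0 or later.

function Test-PoweliksHardening {
    $findings = @()

    # 1. Effective execution policy (GPO scopes override local ones).
    $policy = (Get-ExecutionPolicy).ToString()
    if (@('AllSigned', 'Restricted') -notcontains $policy) {
        $findings += "Effective ExecutionPolicy is '$policy'; expected AllSigned or Restricted"
    }

    # 2. Double-clicking a .ps1 must open an editor, never powershell.exe.
    $progId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.ps1' -ErrorAction SilentlyContinue).'(default)'
    if ($progId) {
        $open = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        $cmd = (Get-ItemProperty -Path $open -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -match '(?i)powershell') {
            $findings += ".ps1 open command launches PowerShell: $cmd"
        }
    }

    # 3. The interactive user must not be able to add values under its own Run key.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $acl = Get-Acl -Path $runKey
    $denied = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $me -and
        ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue)
    }
    if (-not $denied) {
        $findings += "$me can still write values under $runKey (no Deny SetValue ACE)"
    }

    # 4. SRP only enforces on the extensions in its designated file types list
    #    (assumed location: ExecutableTypes under the Safer\CodeIdentifiers policy key).
    $srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $types = (Get-ItemProperty -Path $srp -Name ExecutableTypes -ErrorAction SilentlyContinue).ExecutableTypes
    if (-not $types -or @($types) -notcontains 'PS1') {
        $findings += 'PS1 is not in the SRP designated file types (ExecutableTypes)'
    }

    return $findings
}

# Applies control 3: a Deny ACE for the current user on SetValue and CreateSubKey.
function Deny-RunKeyWrite {
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $me, $rights, 'ContainerInherit', 'None', 'Deny')
    $acl = Get-Acl -Path $runKey
    $acl.AddAccessRule($rule)
    Set-Acl -Path $runKey -AclObject $acl
}

# Report every control that is not in place.
Test-PoweliksHardening | ForEach-Object { Write-Warning $_ }
```

    Two caveats when reading the report. The execution policy is not a security boundary: powershell.exe accepts -ExecutionPolicy Bypass and -EncodedCommand on its command line, which is why the post also blocks cmd.exe and adds PS1 to SRP. And the Deny ACE on HKCU\...\Run is set on a key the user owns, so code running as that user can rewrite the DACL and remove it; it stops a loader that simply writes the value, not one that is written to defeat that control.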
  6. controler

    controler Guest


    Does Poweliks only run from a reg key and not any file?

    Thanks
     
  7. controler

    controler Guest

    Thanks, but still, why is a manual scan not able to detect this? I thought all antimalware scanned memory these days. I must still be missing something. It runs from the registry but is executed in memory like everything else.
    The reason I am interested in this Trojan is that we had this at my work and even on my work computer. I had no admin rights till their hired IT dude tried to fix it remotely at night with no success. As a side result I got admin rights and downloaded some programs like Malwarebytes and RogueKiller.
    We already had Symantec Endpoint on the machines. Nothing worked until I did the ESET remover.

    Conclusion
    The analysis of this piece of code was uncommon and rather time consuming, with several code layers which were created to prolong the analysts’ work and certainly to hide the malware and to blend it into the usual system use without the user noticing the infection.
    Poweliks is malware that does survive without any file creation, which is a rather rare and new technique, barely focused on – everything is performed within the memory. It only resides in the registry and executes programs from there. Furthermore, the developers hid the autostart registry key by using a non-ASCII character as the name of the key. This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful!
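    The quoted analysis makes one concrete, checkable point: the autostart entry is hidden behind a name that ordinary tools will not process. The script below is an added example, not part of the quoted analysis or of any poster's toolset. It walks the Run/RunOnce keys through the .NET registry API, which returns value names as raw UTF-16 regardless of whether regedit can display them, and flags any entry whose name falls outside printable ASCII or whose data starts a fileless loader. The function names Test-SuspiciousAutorun and Get-SuspiciousAutoruns and the indicator patterns are this example's own; the rundll32 javascript: and mshta/mshtml patterns are general fileless-launcher heuristics, not a signature taken from the thread.

```powershell
# Added example, not from the thread. Finds autorun values that regedit or
# a scanner may silently skip: non-printable names, or data that launches
# script hosts without touching the file system. Names/patterns are this
# example's own heuristics; assumes PowerShell 2.0 or later.

function Test-SuspiciousAutorun {
    param([string]$Name, [string]$Data)
    $reasons = @()
    # A value name containing any char outside 0x20-0x7E (including NUL)
    # cannot be shown or edited by regedit and trips many cleanup tools.
    if ($Name -match '[^\x20-\x7E]') { $reasons += 'non-ASCII or control character in value name' }
    # Loaders that keep the payload in the registry/memory rather than on disk.
    if ($Data -match '(?i)rundll32.*javascript:') { $reasons += 'rundll32 javascript: launcher' }
    if ($Data -match '(?i)mshta|mshtml,RunHTMLApplication') { $reasons += 'mshta/mshtml script host' }
    if ($Data -match '(?i)powershell\S*.*(-enc|-e\s|bypass|hidden)') { $reasons += 'encoded, bypass or hidden PowerShell' }
    return $reasons
}

function Get-SuspiciousAutoruns {
    $hives = @{
        'HKCU' = [Microsoft.Win32.Registry]::CurrentUser
        'HKLM' = [Microsoft.Win32.Registry]::LocalMachine
    }
    $paths = @('Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
    foreach ($hive in $hives.Keys) {
        foreach ($path in $paths) {
            $key = $hives[$hive].OpenSubKey($path)
            if (-not $key) { continue }
            foreach ($name in $key.GetValueNames()) {
                # Raw data, without expanding %VAR% so the stored string is reported as-is.
                $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
                $why = @(Test-SuspiciousAutorun -Name $name -Data $data)
                if ($why.Count -gt 0) {
                    # Report the name as UTF-16 code points so a hidden name is visible.
                    $hexName = ($name.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
                    New-Object PSObject -Property @{
                        Key     = "$hive\$path"
                        Name    = $hexName
                        Data    = $data
                        Reasons = $why -join '; '
                    }
                }
            }
            $key.Close()
        }
    }
}

Get-SuspiciousAutoruns | Format-List Key, Name, Data, Reasons
```

    Because the value is read and can be deleted through the same .NET API ($key opened with write access and $key.DeleteValue($name)), the hidden name is no obstacle once it is found. What removal alone does not address is the loader process that is already resident and rewrites the value, which is consistent with the later report in this thread that a tool deleted the entry and it came back: the value and the process that recreates it have to go in the same pass.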
     
  8. controler

    controler Guest

    What are you suggesting everyday normal companies and home users use against this type of attack? NOT DO but use. Since many companies use Norton or McAfee?
    Oh yes, I also wanted to mention that article now needs to change the RARE wording LOL
    It is out there and being changed daily, as I am sure you know.

    Interesting thread here: http://community.norton.com/forums/...hostexe-32-processes-and-powershell-windows-7

    If I read it right, people are getting infected with Poweliks by just visiting an infected web site also?

    In most of these infections I am seeing Norton as the one alerting that this infection exists but can't fix it. It seems to be mostly on Windows 7 machines. I would be curious to know if there have been other systems compromised and being detected by other antimalware out there. Or are these other systems infected but do not know it? Just curious as to why Norton systems are mostly showing on these help forums.


    Thanks
     
    Last edited by a moderator: Nov 10, 2014
  9. Well, most AV with an active protection module will guard HKCU user autoruns (EAM, KIS, etc.). When you have an AV which scans scripts in documents, it will probably trigger when the first Word document is read. Don't know whether MBAE protects against it; I thought that AppGuard also protects HKCU autoruns.
     
  10. controler

    controler Guest

    Maybe Malwarebytes protects now, I don't know, but a few weeks ago it did not and neither did any other HIPS as far as I know.

    All I can tell you is this: a few weeks ago, Malwarebytes, Norton Endpoint and RogueKiller did not stop it. RogueKiller would say it found the reg entry and deleted it, but it would come back.
    I wanted to reiterate that it is now not only Word docs but web pages.

    I am sorry if I do not understand your posts.

    System restore does not get rid of it. Only a complete reformat and restore does, as I said many years ago when we first talked about rootkits.
     
    Last edited by a moderator: Nov 10, 2014
  11. Rasheed187

    Rasheed187 Registered Member
    Do a search for TDSS, I think it made use of some new code-injection technique. And don't forget about Uroburos, which can bypass driver signing and PatchGuard if I'm correct.

    No, I haven't looked into that.
     
  12. Rasheed187

    Rasheed187 Registered Member
  13. Rasheed187

    Rasheed187 Registered Member
  14. controler

    controler Guest

    Wow and that was two years ago already.

    Win32/Gapz: steps of evolution
    By Aleksandr Matrosov posted 27 Dec 2012 - 02:00AM
     
  15. Rasheed187

    Rasheed187 Registered Member
    The thing that bugs me about these kinds of articles is that they never explain how all of this can be stopped with HIPS. Here's another article (see link), about the powerful Shylock malware. To me it's quite clear that if you block code injection and the driver from running, then you have won the battle.

    But let's say you did allow the driver to run, is it still possible to block it from hooking other drivers (IRP hook)? If I'm correct, HIPS can also stop modification of boot data/MBR. So the bootkit will be stopped. But how to stop the SOCKS proxy server, shouldn't the firewall block this type of attack? And lastly, if you block code injection, then the browser can not be hijacked.

    http://baesystemsdetica.blogspot.nl/2013/03/pray-before-you-buy-with-shylock.html
     