Kraken botnet bypassed NG, Defence Plus

My thread is here.

http://forums.comodo.com/empty-t21733.0.html;topicseen

This bot bypassed CFP Defence plus and NeoavaGuard.

GesWall and EQS were able to stop it. I wonder how about other HIPS.

 

Ah the sad reality of leaktest focused software...

Quoting egemen: "This happens under some rare circumstances. So Next week should be just fine for the update"

Rare circumstances heh! Hmm the new kraken botnet is a rare circumstance!

 

SAS blocked those. I test 3 different md5 files. After disabling SAS 2 just gives error but third one want to install some driver to system32 folder (Samurai HIPS told this). Running those all the time untrusted with DW.

EDIT1: Samurai HIPS can't block that driver (exe file) even I click block.

EDIT2: I have to say that SAS satisfy me more and more. It memory usage is incredibly small and support is superb too.

 

aigle, here we have the difference between a meaningless POC test and real malware. No offense against products that score 100% in leaktests intended.

 

Solcroft,
What security level do you use with Threatfire?
Do you use custom rules?

 

I don't believe in setting up rigged tests. ThreatFire advertises itself as providing cutting-edge zero-day protection without any configuring, and that's exactly how I test it.

 

Tested that with TF too. Level 3 blocks my samples. Alert is of course different with level 5.

BTW SAS didn't block all samples NOD32 founds all I have tested 4 samples now.

 

Hello aigle,

Under Vista 32 SP1, with Returnil 2008 personal ed. in "session lock" mode, DefenseWall v2.30 was able to block and restrict all of the actions of the four Kraken samples that I tested.


Peace & Gratitude,

CogitoErgoSum

 

I forget to test DefenseWall itself. Of course it can rollback those.

 

Maybe Samurai only blocks some methods of driver install.

What are the names that SAS gives to these samples?

 

ThreatFire has a partial failure just like CFP and NG- no difference at all. It did not stop malware.exe from making its copy in system32 folder in the very first instance. It caught it later and stopped. Same with CFP and NG.

I don,t mind any offence, I do like TF as well and I am not bound to any software in particular.

 

The key difference is that, when caught, your system was cleaned up and returned to its original state. I assume that didn't happen with CPF and NG.

Bugs aside, there's no such thing as a "partial failure" with TF - as long as it can catch the malware anywhere along the infection process, the infection is cleaned up and removed. Not so for CPF. This is why CPF/NG suffers a partial failure and let an infected file remain on your computer, while TF doesn't.

 

CFP has no quarantine feature so far, NG does have this feature and can remove the file just like TF( atleast in this particular case, though not in all cases).

Quarantine is not the job of a HIPS.

 

OA free v 2.1.0.95 bypassed. It neither detected creation of executable in system32 nor the execution of executable from system32.

SafeSpace contained it well.

Seems a nice piece of malware.

 

Exactly. They cannot undo malicious changes to your computer once a virus bypasses them or is allowed, which is why they must block the virus every step of the way, while the opposite is true for intelligent behavior blockers.

So you can't correctly say that TF suffered a partial flaw like CFP. Just like quarantine isn't the job of a HIPS, alerting on every action isn't the job of an intelligent behavior blocker. The key to note here is that TF succeeded in doing its job, while CFP didn't.

 

Interesting.

Loool. Shark easily bypasses Comodo too hopefully they found a way to prevent this. The big difference is with sophisticated trojans Comodo remains quiet, no messages, no popups, only a light delay. Probably appinit injection not the best way.

 

Hi all

aigle, i wish to thank you for sending me the link to this malware but i have to disagree with your result because OA paid both in Standard Mode (= OAfree) and in advanced mode notify me about a non trusted apps (malware.exe) trying to create an executable (not related to the path of creation). If i block this action, no child process was created (confirmed by Tiny Watcher)



Regards,

MaB

 

Well. I went further. I allowed creation of the strange exe and got another bunch of alerts.

1.) created exe wants to start - allowed
2.) created exe tries to create autorun - blocked
3.) created exe tries to create another autorun - blocked
4.) created exe tries to connect - blocked
5.) created exe tries to use DNS API - blocked

then I rebooted to be sure no new process will be autostarted.
after reboot no new process was detected.

 

Why did you test such an old version ?

Current version is 127. And this version passes the threat fully.

 

Still TestMyPC rates CPF as the best leakpasser. Yes, it passes tests very well. Unfortunately, it passes malware not that good.

 

Leaktests and real malwares are two totally different things.

 

Hi Alex,

I know you're a big fan of OA but this is below the belt. Comodo have acknowledged the bug and are bringing a new version out to overcome it. I think that OA may have done exactly the same thing a number of times. In fact, I can't even use OA at the moment because of an issue with Outlook Express.

I prefer to use EQS for my file/registry protection anyway and I'm pleased that EQS passed this test. I'm not sure what OA offers in terms of file/folder protection. I was a bit surprised that it detected the attempt to create the .exe file. Can you point me to any more information on this? I couldn't find anything in the on-line help.

 

I agree completely. There is no need for this sort of comment to be made, and it is not something that we support. It is not necessary to bash competitive products in order to highlight your favorite - and that is as true when OA is your favorite product as it iswhen you prefer Comodo.


Mike

 

I ever had quite peacefull mood, until recently there was completely unacceptable attack from some people all of which are using the same product.. Ok. This is why I went a bit inadequate toward them. Not that I like this kind of things, sorry

Back to the topic

OA has file creation control. Though, it is hardcoded for the moment and cannot be adjusted. The only option you have in advanced program options is "Allow/Ask/Block to create executables". But it seems they said that fully configurable file monitor is on todo list. Coming from the speed they work I think it is at most half of the year it to be implemented. That's all I can say.

PS. And this is why I get fun of betatesting. Almost every new week brings new surprises

 

Okay I just need to comment here...

This is indeed unnecessarily, I completely disagree with you on the part where "it passes malware not that good". As Mike said, This "Kraken botnet" has been fixed in the upcoming update (Due next Tuesday or Thursday) Along with the chkdisk bug, and a few other bugs.

3xist.