Kraken botnet bypassed NG, Defence Plus

Discussion in 'other anti-malware software' started by aigle, Apr 11, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  2. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Ah the sad reality of leaktest focused software... ;)

    Quoting egemen: "This happens under some rare circumstances. So Next week should be just fine for the update"

    Rare circumstances heh! :D Hmm the new kraken botnet is a rare circumstance! :D
     
  3. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    SAS blocked those. I tested 3 different MD5 files. After disabling SAS, 2 just give an error but the third one wants to install some driver to the system32 folder (Samurai HIPS told me this). Running those all the time untrusted with DW.

    EDIT1: Samurai HIPS can't block that driver (exe file) even if I click block.

    EDIT2: I have to say that SAS satisfies me more and more. Its memory usage is incredibly small and support is superb too.
     
    Last edited: Apr 11, 2008
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    aigle, here we have the difference between a meaningless POC test and real malware. No offense against products that score 100% in leaktests intended. ;)
     

    Attached Files: 1.PNG, 2.PNG
  5. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Solcroft,
    What security level do you use with Threatfire?
    Do you use custom rules?
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I don't believe in setting up rigged tests. ThreatFire advertises itself as providing cutting-edge zero-day protection without any configuring, and that's exactly how I test it.
     
  7. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Tested that with TF too. Level 3 blocks my samples. Alert is of course different with level 5.

    BTW SAS didn't block all samples :( NOD32 finds all :D I have tested 4 samples now.
     
  8. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

    Under Vista 32 SP1, with Returnil 2008 personal ed. in "session lock" mode, DefenseWall v2.30 was able to block and restrict all of the actions of the four Kraken samples that I tested.


    Peace & Gratitude,

    CogitoErgoSum
     
  9. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    I forgot to test DefenseWall itself. Of course it can roll back those.
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Maybe Samurai only blocks some methods of driver install.
    What are the names that SAS gives to these samples?
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    ThreatFire has a partial failure just like CFP and NG - no difference at all. It did not stop malware.exe from making its copy in the system32 folder in the very first instance. It caught it later and stopped it. Same with CFP and NG.

    I don't mind any offence; I do like TF as well and I am not bound to any software in particular. :)
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The key difference is that, when caught, your system was cleaned up and returned to its original state. I assume that didn't happen with CPF and NG.

    Bugs aside, there's no such thing as a "partial failure" with TF - as long as it can catch the malware anywhere along the infection process, the infection is cleaned up and removed. Not so for CPF. This is why CPF/NG suffers a partial failure and let an infected file remain on your computer, while TF doesn't.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    CFP has no quarantine feature so far; NG does have this feature and can remove the file just like TF (at least in this particular case, though not in all cases).

    Quarantine is not the job of a HIPS.
     
    Last edited: Apr 12, 2008
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    OA free v 2.1.0.95 bypassed. It neither detected creation of executable in system32 nor the execution of executable from system32. :eek: :eek:

    SafeSpace contained it well.

    Seems a nice piece of malware.:)
     
  15. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Exactly. They cannot undo malicious changes to your computer once a virus bypasses them or is allowed, which is why they must block the virus every step of the way, while the opposite is true for intelligent behavior blockers.

    So you can't correctly say that TF suffered a partial flaw like CFP. Just like quarantine isn't the job of a HIPS, alerting on every action isn't the job of an intelligent behavior blocker. The key to note here is that TF succeeded in doing its job, while CFP didn't.
     
  16. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Interesting.

    Loool. Shark easily bypasses Comodo too; hopefully they found a way to prevent this. The big difference is that with sophisticated trojans Comodo remains quiet: no messages, no popups, only a light delay. Probably AppInit injection is not the best way.
     
    Last edited: Apr 12, 2008
  17. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi all

    aigle, I wish to thank you for sending me the link to this malware, but I have to disagree with your result because OA paid, both in Standard Mode (= OA free) and in advanced mode, notifies me about a non-trusted app (malware.exe) trying to create an executable (not related to the path of creation). If I block this action, no child process is created (confirmed by Tiny Watcher).

    [attachment: 2.jpg]

    Regards,

    MaB
     
    Last edited: Apr 12, 2008
  18. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Well. I went further. I allowed creation of the strange exe and got another bunch of alerts.

    1.) created exe wants to start - allowed
    2.) created exe tries to create autorun - blocked
    3.) created exe tries to create another autorun - blocked
    4.) created exe tries to connect - blocked
    5.) created exe tries to use DNS API - blocked

    Then I rebooted to be sure no new process would be autostarted.
    After reboot no new process was detected.
     
    Last edited: Apr 12, 2008
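The two reports above (aigle's, where OA missed the creation of an executable in system32 and its execution from there, and alex_s's numbered list of alerts: dropped exe starts, creates autorun entries, connects out, uses the DNS API) describe one behaviour chain that a behaviour blocker or HIPS is expected to catch at some stage. The script below is an added example written for this thread, not code from any product discussed here: it runs a stage-chain detector over a constructed endpoint event log and reports which stages were observed for each dropped binary. The event format, the process and file names (a dropper called malware.exe, a dropped copy called svchost32.exe), the trusted-image allowlist and the stage threshold are all assumptions made for the example.

```python
"""Stage-chain detector over a constructed endpoint event log (added example)."""
from dataclasses import dataclass

# Assumed paths and registry keys; compared case-insensitively.
SYSTEM32 = "c:\\windows\\system32\\"
AUTORUN_KEYS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
)


@dataclass(frozen=True)
class Event:
    pid: int           # acting process
    image: str         # path of the acting process image
    op: str            # file_create | process_start | reg_set | net_connect | dns_query
    target: str        # created path, started image, registry key, or remote host
    child_pid: int = 0 # pid of the new process for process_start events


def is_executable(path: str) -> bool:
    return path.lower().endswith((".exe", ".dll", ".sys", ".scr"))


def analyze(events, trusted=frozenset()):
    """Return (findings, chains).

    findings: list of (stage, pid, target) in the order they were observed.
    chains:   maps each dropped executable (lowercase path) to the ordered
              list of distinct stages seen for it.
    """
    dropped = {}   # lowercase path of an executable written into system32 -> dropper pid
    running = {}   # pid -> lowercase path of the dropped binary that process runs
    chains = {}
    findings = []

    def record(stage, key, ev):
        stages = chains.setdefault(key, [])
        if stage not in stages:
            stages.append(stage)
        findings.append((stage, ev.pid, ev.target))

    for ev in events:
        if ev.image.lower() in trusted:
            continue                      # allowlisted image, skip
        tgt = ev.target.lower()
        if ev.op == "file_create" and is_executable(tgt) and tgt.startswith(SYSTEM32):
            dropped[tgt] = ev.pid         # stage 1: executable dropped into system32
            record("drop_to_system32", tgt, ev)
        elif ev.op == "process_start" and tgt in dropped:
            running[ev.child_pid] = tgt   # stage 2: the dropped copy is executed
            record("execute_dropped", tgt, ev)
        else:
            # Later stages are attributed to the dropped binary, matched either by
            # the pid recorded at process_start or by the acting image path.
            key = running.get(ev.pid) or (ev.image.lower() if ev.image.lower() in dropped else None)
            if key is None:
                continue
            if ev.op == "reg_set" and any(k in tgt for k in AUTORUN_KEYS):
                record("autorun_persistence", key, ev)
            elif ev.op in ("net_connect", "dns_query"):
                record("network_callout", key, ev)
    return findings, chains


def verdict(chains, threshold=2):
    """Flag a dropped binary once at least `threshold` distinct stages were seen.
    A single stage (e.g. an installer writing a DLL) is too weak on its own."""
    return {path: len(stages) >= threshold for path, stages in chains.items()}


# Constructed sample log modelled on the chain reported in the thread, plus benign noise.
TRUSTED = frozenset({"c:\\windows\\system32\\wuauclt.exe"})   # assumed allowlist
DROPPER = "c:\\users\\test\\desktop\\malware.exe"
DROPPED = "C:\\Windows\\System32\\svchost32.exe"
EVENTS = [
    Event(1001, DROPPER, "file_create", DROPPED),
    Event(1001, DROPPER, "process_start", DROPPED, child_pid=1002),
    Event(1002, DROPPED, "reg_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32"),
    Event(1002, DROPPED, "reg_set", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\svchost32"),
    Event(1002, DROPPED, "dns_query", "c2.example.invalid"),
    Event(1002, DROPPED, "net_connect", "203.0.113.10:443"),
    # benign noise: an installer writing a DLL into its own folder, and an allowlisted updater
    Event(2001, "c:\\program files\\editor\\setup.exe", "file_create", "C:\\Program Files\\Editor\\plugin.dll"),
    Event(3001, "c:\\windows\\system32\\wuauclt.exe", "net_connect", "update.example.invalid:443"),
]

if __name__ == "__main__":
    found, seen = analyze(EVENTS, trusted=TRUSTED)
    for stage, pid, target in found:
        print(f"{stage:22} pid={pid:<5} {target}")
    print(verdict(seen))
```

The point of scoring the chain per dropped binary rather than alerting on each event is the one solcroft makes later in the thread: a product that catches any stage can still clean up, but only if it ties the later stages (autorun, network) back to the binary that was dropped, which is what the `running`/`dropped` bookkeeping does here.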
  19. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Why did you test such an old version ?

    Current version is 127. And this version passes the threat fully.
     
    Last edited: Apr 12, 2008
  20. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Still, TestMyPC rates CPF as the best leakpasser. Yes, it passes tests very well. Unfortunately, it passes malware not that well.
     
  21. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Leaktests and real malwares are two totally different things.
     
  22. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Hi Alex,

    I know you're a big fan of OA but this is below the belt. Comodo have acknowledged the bug and are bringing a new version out to overcome it. I think that OA may have done exactly the same thing a number of times. In fact, I can't even use OA at the moment because of an issue with Outlook Express.

    I prefer to use EQS for my file/registry protection anyway and I'm pleased that EQS passed this test. I'm not sure what OA offers in terms of file/folder protection. I was a bit surprised that it detected the attempt to create the .exe file. Can you point me to any more information on this? I couldn't find anything in the on-line help.
     
  23. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    I agree completely. There is no need for this sort of comment to be made, and it is not something that we support. It is not necessary to bash competitive products in order to highlight your favorite - and that is as true when OA is your favorite product as it is when you prefer Comodo.


    Mike
     
  24. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    I always had a quite peaceful mood, until recently there was a completely unacceptable attack from some people, all of whom are using the same product. OK. This is why I went a bit inadequate toward them. Not that I like this kind of thing, sorry :(

    Back to the topic :)

    OA has file creation control. Though, it is hardcoded for the moment and cannot be adjusted. The only option you have in the advanced program options is "Allow/Ask/Block to create executables". But it seems they said that a fully configurable file monitor is on the to-do list. Going by the speed they work at, I think it will take at most half a year to be implemented. That's all I can say.

    PS. And this is why I get fun out of beta testing. Almost every new week brings new surprises :)
     
    Last edited: Apr 12, 2008
  25. 3xist

    3xist Guest

    Okay I just need to comment here...

    This is indeed unnecessary. I completely disagree with you on the part where "it passes malware not that good". As Mike said, this "Kraken botnet" has been fixed in the upcoming update (due next Tuesday or Thursday) along with the chkdisk bug, and a few other bugs.

    3xist.
     