Malware download trick - Safe Admin option?

Discussion in 'other security issues & news' started by Kees1958, Oct 20, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have been chasing some malware domains to learn what tricks are used.

    One easy target which is often used is the

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass

    and

    Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Intranet

    Followed by a download (without a user prompt because it is in the Intranet Zone, giving malware domain blockers that use a proxy filter no chance because it bypasses the proxy).

    It is not a new point of attack, it is a very old one, but it is often used. Since most browsers follow Internet zones in some sort of implementation, it is not a trick limited to Internet Explorer. So should we protect those registry keys in Safe-Admin from tampering (of course we would include all zones)?

    Anyone?
     
    Last edited: Oct 20, 2010
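    Added example (PowerShell; not code from the thread or from the Safe-Admin project): an audit of the zone assignments the post above is talking about, so an entry that a drive-by planted stands out. It reads the standard ZoneMap layout under both HKCU and HKLM: the per-site assignments live under ZoneMap\Domains and ZoneMap\Ranges (value name = scheme, value data = zone number), while ProxyBypass, IntranetName and UNCAsIntranet are DWORD flags directly under ZoneMap. The $Allow list in Get-SuspiciousZoneAssignments is an assumption to be filled with your own intranet hosts.

```powershell
# Added example, not code from the thread or from Safe-Admin.
# Walks the zone assignments that urlmon/WinINet consult, so an entry that a
# drive-by planted (a malware domain mapped into Local intranet, say) stands out.
#
# Assumed layout, standard under both HKCU and HKLM:
#   ZoneMap\Domains\<domain>[\<host>]   values '*', 'http', 'https', ... = zone number
#   ZoneMap\Ranges\Range<N>             value ':Range' = IP or wildcard, '*'/'http' = zone number
#   ZoneMap\ProxyBypass, IntranetName, UNCAsIntranet   DWORD flags, 1 = treat as Intranet
# Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.

$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneMapAssignments {
    param([string[]] $Hives = @('HKCU', 'HKLM'))

    foreach ($hive in $Hives) {
        $base = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
        if (-not (Test-Path -LiteralPath $base)) { continue }

        # Hive-wide flags. ProxyBypass=1 is the one the post describes: anything that
        # skips the proxy is treated as Intranet, so a proxy-based blocker never sees it.
        $props = Get-ItemProperty -LiteralPath $base -ErrorAction SilentlyContinue
        foreach ($flag in 'ProxyBypass', 'IntranetName', 'UNCAsIntranet') {
            if ($null -ne $props.$flag) {
                [pscustomobject]@{ Hive = $hive; Kind = 'Flag'; Target = $flag; Scheme = ''
                                   Zone = [int]$props.$flag; ZoneName = 'Intranet when 1' }
            }
        }

        # Per-site entries. Key path Domains\example.com\www means host www.example.com.
        $domRoot = Join-Path $base 'Domains'
        if (Test-Path -LiteralPath $domRoot) {
            foreach ($key in Get-ChildItem -LiteralPath $domRoot -Recurse) {
                $rel   = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
                $parts = $rel -split '\\'
                [array]::Reverse($parts)
                $target = $parts -join '.'
                foreach ($scheme in $key.GetValueNames()) {
                    $zone = $key.GetValue($scheme)
                    if ($zone -is [int]) {
                        [pscustomobject]@{ Hive = $hive; Kind = 'Domain'; Target = $target; Scheme = $scheme
                                           Zone = $zone; ZoneName = $ZoneNames[$zone] }
                    }
                }
            }
        }

        # IP ranges get the same treatment; ':Range' holds the address pattern.
        $rngRoot = Join-Path $base 'Ranges'
        if (Test-Path -LiteralPath $rngRoot) {
            foreach ($key in Get-ChildItem -LiteralPath $rngRoot) {
                $range = [string]$key.GetValue(':Range')
                foreach ($scheme in ($key.GetValueNames() | Where-Object { $_ -ne ':Range' })) {
                    $zone = $key.GetValue($scheme)
                    if ($zone -is [int]) {
                        [pscustomobject]@{ Hive = $hive; Kind = 'Range'; Target = $range; Scheme = $scheme
                                           Zone = $zone; ZoneName = $ZoneNames[$zone] }
                    }
                }
            }
        }
    }
}

function Get-SuspiciousZoneAssignments {
    # Everything sitting in My Computer, Local intranet or Trusted sites that you did not
    # put there yourself. $Allow is an assumed list; fill in your own intranet hosts.
    param([string[]] $Allow = @('localhost'))
    Get-ZoneMapAssignments | Where-Object {
        $_.Kind -ne 'Flag' -and $_.Zone -le 2 -and ($Allow -notcontains $_.Target)
    }
}

Get-ZoneMapAssignments        | Format-Table -AutoSize
Get-SuspiciousZoneAssignments | Format-Table -AutoSize
```

    The useful way to run it is before and after visiting a suspect domain on the play PC, and compare the two listings: a stock profile normally already has the three flags set to 1, so the tell is usually the Domains or Ranges entry that appears next to them, not the flag on its own.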
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I know some members do a lot of malware testing (e.g. Franklin, RMUS); I would appreciate their input and observations on the entry points used for intrusion. I am especially interested in Internet-based attacks. Because Safe-Admin will block execution of downloads, I am focusing on the steps which precede an (automatic) execution.

    Often stopping malware in its first steps is the easiest and most effective way of dealing with malware.

    THX
     
    Last edited: Oct 20, 2010
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I'm listening :D
    Are these reg keys off limits to low/medium integrity levels or virtualization? Would they need to be modified before the exploit could happen?

    Does this mean that the browser/OS is tricked into thinking the remote site is (via proxy) actually a local site (intranet)? How can a remote file be treated as a local file?

    Seems the fix all (and unknown if best solution) is simply to apply an ACE to the registry keys being used, giving modify rights to no one. I would like to know more, as I am still inside the bowels of registry and it would be a good time to add it if it is worthy.

    Sul.
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Attached Files:

  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sul,

    Don't worry, see picture. Virtualisation would protect HKLM\Software, so running EMET-2, virtualisation and low rights makes Safe-Admin resistant to this type of attack.

    I was merely thinking of adding this (HKU + HKLM Zones and ZoneMap) as a precaution to make Safe-Admin a bit harder to crack when running a browser as admin to update Flash or other plug-ins, etc. When you run browsers in a low-rights container you might need to run as admin from time to time to update (that is why it is good that admin cuts through NW inheritance).



    So far I have not found a drive by/web based exploit which managed to evade Safe-admin :D :thumb:
     

    Attached Files:

    Last edited: Oct 20, 2010
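    Added example (PowerShell; not code from the thread or from the Safe-Admin project): the "ACE on the registry keys, modify rights to no one" idea from post 3, applied to the HKU + HKLM Zones and ZoneMap keys mentioned in post 5, plus a probe that checks the lock actually refuses a write. It assumes the standard key paths under Internet Settings and that your own zone list is already the way you want it; the key names and the probe subkey name are the example's own.

```powershell
# Added example, not code from the thread or from Safe-Admin.
# Puts a Deny ACE on the Zones and ZoneMap keys so the usual "write a value, create a
# subkey" tampering fails, and a probe to confirm it. Run elevated for the HKLM keys.
# Assumption: your own zone list is already the way you want it; the lock blocks IE's
# "Add site" dialog and Group Policy too until you call Set-ZoneMapLock -Remove.

$IS = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$LockedKeys = @(
    "HKCU:\$IS\ZoneMap", "HKCU:\$IS\Zones",
    "HKLM:\$IS\ZoneMap", "HKLM:\$IS\Zones"
)

function New-ZoneMapDenyRule {
    # Deny exactly the rights tampering needs: set values, create subkeys, delete.
    # Everyone is named by SID so the rule survives localized account names.
    $denied = [System.Security.AccessControl.RegistryRights]::SetValue -bor
              [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
              [System.Security.AccessControl.RegistryRights]::Delete
    New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        [System.Security.Principal.SecurityIdentifier]'S-1-1-0',
        $denied,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
}

function Set-ZoneMapLock {
    param([string[]] $Keys = $LockedKeys, [switch] $Remove)
    $rule = New-ZoneMapDenyRule
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { Write-Warning "missing: $key"; continue }
        $acl = Get-Acl -LiteralPath $key
        if ($Remove) { [void]$acl.RemoveAccessRule($rule) } else { $acl.AddAccessRule($rule) }
        Set-Acl -LiteralPath $key -AclObject $acl
    }
}

function Test-ZoneMapLock {
    # $true when creating a subkey under Domains is refused, i.e. the lock holds for
    # the caller. On an unlocked key it returns $false and removes its probe key again.
    param([string] $ZoneMap = $LockedKeys[0])
    $probe = Join-Path $ZoneMap 'Domains\zonemap-lock-probe.invalid'
    try {
        New-Item -Path $probe -Force -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
        return $false
    } catch {
        if ($_.Exception -is [System.UnauthorizedAccessException] -or
            $_.Exception -is [System.Security.SecurityException]) { return $true }
        throw
    }
}

Set-ZoneMapLock
Test-ZoneMapLock
```

    After Set-ZoneMapLock, Test-ZoneMapLock should return True. One caveat to keep in mind with this kind of lock: the user owns the HKCU keys, and an owner (or an administrator with take-ownership) can always rewrite the DACL, so code running with the user's or admin's rights can strip the Deny ACE with a few more lines before it writes. It stops the common "write to ZoneMap and move on" pattern, which is what post 5 means by making Safe-Admin a bit harder to crack, not a security boundary; the low-rights container and virtualisation remain the real barrier.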
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Would enabling Zone 0 the My Computer Zone help ?

    [attached screenshots: z.gif, iez.gif]

    And also setting the Intranet Zone in a similar way, as well as configuring ALL the settings in ALL zones extremely strictly.

    I've had my comps since 98 days set up this way, with no problems ;)
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, but you are a smart cookie :thumb: It is a good idea to increase these values when you are not using the PC for work from home (and need access to a company intranet, FTP, etc.). For strictly personal use it is a good precaution.

    For Safe-Admin we would not focus on increasing all security settings (with the risk of breaking functionality for work-from-home usage), but on preventing malware from using these lower security settings.
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Kees1958

    Not so smart ;) just learnt a few things that i found helped :)

    I have to say that hasn't been my experience over the years with 98 & XP set up strictly.

    Understood.
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    I have also increased settings by assigning different levels in the GPO, for strict personal use you would not run into any broken functionality.
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Kees,

    I'm not much help here, since I know very little about the Registry. Besides, these exploits I've tested from the malware domains, and this year, the BLADE-defender malware database, are blocked at the execution stage, so they never make it to the Registry.

    regards,

    rich
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thx Rich,

    Just trying to mobilise all the forum knowledge. This is good to know anyway.
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,040
    Hi Kees

    Simple answer on dealing with it from me. Sandboxie. That would stop this cold.

    Pete
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, but Safe-Admin and the low-rights world for threat gates is as effective on Vista and Windows 7, so for x64 folks it will be a joy (no CPU or cash required, all courtesy of M$ and Sully). When you use Chrome as browser with Safe-Admin it will be safer than SBIE + IE8/9, Opera or FF on x64 (for browsing, that is) :D
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    What a @#$% load of registry entries this malware is messing with :D

    Thanks
     
  16. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Sul, Kees

    You guys have posted a lot about Safe-Admin, but when do you guys walk the talk?

    WHEN WILL IT BE READY FOR BETA TESTING?

    Don't get me wrong, I am not complaining, just waiting for it. As far as I understand it, I will get a combination of AppGuard and PEGuard for free. So stop the cliffhangers, give us the real deal.



    Greetings Newby
     
  17. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543

    As the game company, Blizzard, always says "When it's ready" :D

    Seriously, this isn't something you do in two days, and those two are trying to cover as many bases as they can. Also, keep in mind this tool is being created with both the more experienced and the "noobs" in mind. That balance isn't always easy to get. Be patient. I'm itching for a taste myself, trust me.
     
  18. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Too true. It is much easier to create it with someone like myself in mind - all technical jargon and very geeky. It is very very challenging to create something that is usable by those who don't know as much. Way more challenging than I thought it would be.

    Keep in mind too, that I could have already popped this out into beta and spent the next months going back in to fix issues and add features. Would it create negative views? What if it did something I had not expected that caused your system to become borked? Would that be worth it? Not to me. I have a tendency to think it through all angles first, then play with it from the angles and see if what I thought holds true. I tend to envision things one way, then as I test/test/test and then re-test, modify it radically. Not good for maintaining timelines, but I feel it makes things better.

    Please don't forget too that this is not how I make my living. I am a self-taught hobbyist ;) I have a family and a job, lots of honey-do's and various other 'emergencies' that crop up. I don't expect or desire fame and accolade from this, I simply love doing it. It is my R&R, as it were.

    The initial thoughts were just to create a shell for the registry values. It has expanded (due to my overactive imagination) to be much more than that. I am finishing up the registry portions, moving on to the Integrity Levels and ACL stuff. After that will come EMET stuff. When these, the core operations, are working, I will release this in a beta form. It will be context menu driven only, to test there are no problems. Novice users probably won't want to participate unless they are prepared to modify things manually due to a meltdown. But most likely there will be no such event, because I don't want there to be one. Thus, test/test/test and re-test.

    BTW, I am not taking it personally and am not trying to lace this with attitude, so whomever, don't take it that-a-way :)

    Sul.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Ha ha, I already PM'd Sul that I felt guilty for tricking him into this quest; software development is 20% inspiration and 80% perspiration (actually making it work). Considering we share the inspiration part, Sul does 90% of the hard work. :thumb:

    Dw426, Moonblood, Avinash, Sevenstar and Wat0114, Konata Izumi and hopefully some others will help with the beta testing

    I repeat, no web-based threat has gotten past Safe-Admin until now :thumb: and I am really doing a lot of malware domain hunting (PM me, I have an offline image so I can thrash my play PC with confidence; it can better happen to me than to you when Safe-Admin is live :D )
     