Malware download trick - Safe Admin option?

I have been chasing some malware domains to learn what tricks are used.

One easy target which is often used is the

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass

and

Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Intranet

Followed by a download (without user prompt because it is in the Intranet Zone, giving malware domain blockers using Proxy filter no chance because it bypasses the proxy).

It is not a new entry point of attack it is a very old one, but it is often used. Since most browsers follow internet zones in some sort of implementation, it is not a Internet Explorer limited trick. So should we protect those registry keys in safe admin from tampering (off course we would include all zones)?

Anyone?

 

I know some members do a lot of malware testing (e.g. Franklin, RMUS), I would appreciate their input and observations of entry points intrusion used. I am specially interested in Internet based attacks. Because Safe-Admin will block execution of downloads I am focussing on the steps which precede an (automatic) execution

Often stopping malware in its first steps is the easiest and most effective way of dealing with malware.

THX

 

I'm listening

Are these reg keys off limits to low/medium integrity levels or vitualization? Would they need to be modified before the exploit could happen?

Does this mean that the browser/OS is tricked into thinking the remote site is (via proxy) actually a local site (intranet)? How can a remote file be treated as a local file?

Seems the fix all (and unknown if best solution) is simply to apply an ACE to the registry keys being used, giving modify rights to no one. I would like to know more, as I am still inside the bowels of registry and it would be a good time to add it if it is worthy.

Sul.

 

http://support.microsoft.com/kb/182569


No the idea is to evade software which blacklist IPs using the proxy (therefore evade proxy), then add URL/IP in a registry key to lower security

See http://support.microsoft.com/kb/182569

Mostly used are adding domains and/or change protocol zone (f.i. change HTTP from 3 to 0)

see pic

 

Sul,

Don't worry see picture. Virtualisation would protect the HKLM/Software so running EMET-2, virtualisation and low rights makes Safe-Admin resistant to these type of attacks

I was merely thinking of adding this (HKU + HKLM zones and zonemap) as a precaution to make Safe-Admin a bit harder to crack when running a browser as admin to update flash or other plug-ins etc. When you run browsers in low rights container you might need to run as admin from time to time to update (that is why it is good that admin cuts through NW inheritage).



So far I have not found a drive by/web based exploit which managed to evade Safe-admin

 

Would enabling Zone 0 the My Computer Zone help ?





And also setting the Intranet Zone in a similar way, as well as configuring ALL the setiings in ALL zones extremely strictly.

I've had my comps since 98 days set up this way, with no problems

 

Yep, but you are a smart cookie It is a good idea to increase these values when you are not using the PC for homework (and need access to company intranet, FTP, etc). For strict personal use it is a good precaution.

For Safe-admin we would not focus on increasing all security settings (with the risk of breaking functionality for home work usage), but preventing malware to use these lower security settings.

 

@ Kees1958

Not so smart just learnt a few things that i found helped

I have to say that hasn't been my experience over the years with 98 & XP set up strictly.

Understood.

 

I have also increased settings by assigning different levels in the GPO, for strict personal use you would not run into any broken functionality.

 

Hi Kees,

I'm not much help here, since I know very little about the Registry. Besides, these exploits I've tested from the malware domains, and this year, the BLADE-defender malware database, are blocked at the execution stage, so they never make it to the Registry.

regards,

rich

 

Thx Rich,

Just trying to mobilise all the forum knowledge. This is good to know anyway.

 

Rogue "Antivirus Action" install log which shows proxy hijacks.

View attachment Antivirus Action Install Log.txt

 

Yep, but Safe-admin and the low-rights world for threat gates is as effective on Vista and Windows7, so for x64 folks it will be a joy (no CPU or Cash required, all courtesy of M$ and Sully). When you use Chrome as browser with safe-admin it will be more safe than SBIE + IE8/9, Opera or FF on x64 (for browsing that is)

 

What a @#$% load of registry entries this malware is messing with

Thanks

 

Sul, Kees

You guys posted a lot about Safe-Admin, but when do you guys walk the talk

WHEN WILL IT BE READY FOR BETA TESTING?

Don't get me wrong, I am not complaining, just waiting for it. As far as I understand it, I will get a combination of AppGuard and PEGuard for free. So stop the clifhangers, give us the real deal

Greetings Newby

 

As the game company, Blizzard, always says "When it's ready"

Seriously, this isn't something you do in two days, and those two are trying to cover as many bases as they can. Also, keep in mind this tool is being created with both the more experienced and the "noobs" in mind. That balance isn't always easy to get. Be patient. I'm itching for a taste myself, trust me.

 

Too true. It is much easier to create it with someone like myself in mind - all technical jargon and very geeky. It is very very challenging to create something that is usable by those who don't know as much. Way more challenging that I thought it would be.

Keep in mind too, that I could have already popped this out into beta and spent the next months going back in to fix issues and add features. Would it create negative views? What if it did something I had not expected that caused your system to become borked? Would that be worth it? Not to me. I have a tendency to think it through all angles first, then play with it from the angles and see if what I thought holds true. I tend to envision things one way, then as I test/test/test and then re-test, modify it radically. Not good for maintaining timelines, but I feel it makes things better.

Please don't forget too that this is not how I make my living. I am a self-taught hobbyist I have a family and a job, lots of honey-do's and various other 'emergencies' that crop up. I don't expect or desire fame and accolade from this, I simply love doing it. It is my R&R, as it were.

The initial thoughts were just to create a shell for the registry values. It has expanded (due to my overactive imagination) to be much more than that. I am finishing up the registry portions, moving on to the Integrity Levels and ACL stuff. After that will come EMET stuff. When these, the core operations, are working, I will release this in a beta form. It will be context menu driven only, to test there are no problems. Novice users probably won't want to participate unless they are prepared to modify things manually due to a meltdown. But most likely there will be no such event, because I don't want there to be one. Thus, test/test/test and re-test.

BTW, I am not taking it personally and am not trying to lace this with attitude, so whomever, don't take it that-a-way

Sul.

 

Ha, ha I allready PM-ed Sul that I felt guilty for tricking him into this quest, sofware development is 20% inspiration and 80% transpiration (actually making it work). Considering we share the inspiration part, Sul does 90% of the hard work.

Dw426, Moonblood, Avinash, Sevenstar and Wat0114, Konata Izumi and hopefully some others will help with the beta testing

I repeat, no web based threat goes past safe-admin until now and I am really doing a lot of malware domain hunting (PM me I have an offline image so I can thrash my play PC with convidence, it can better happen to me than you when Safe-Admin is life )