Metasploit/Armitage vs. WinXP

Discussion in 'other anti-malware software' started by Gullible Jones, Nov 7, 2013.

Thread Status:
Not open for further replies.
  1. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    As explained before.

    Internet Explorer is trusted, therefore every action done by the in-memory payload is allowed automatically. Exempt from the rule are all OA processes due to self-protection.

    It's a known "bug" in Online Armor due to one of the kernel mode patches. We decided not to fix it for obvious reasons.

    Internet Explorer is trusted, therefore every action done by the in-memory payload is allowed automatically.

    Which executable did you try to run?

    In general, unless you start testing HIPS that contain exploit protections, you will likely see every HIPS fail to some degree, mostly because pretty much every HIPS out there will auto-whitelist popular applications like Internet Explorer. Of course you can disable those whitelists (or alternatively change the trust level of the browser manually), which will cause most HIPS to alert on all those actions performed by the in-memory payload as well, but you already saw the consequences this has when you disabled the whitelists in Comodo by putting it into Paranoid mode.

    Bottom line is: Your test is thoroughly anti-HIPS, for the aforementioned reasons and every single HIPS will fail it to some degree without manual adjustments. It also demonstrates why a HIPS doesn't replace proper updates ;).
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    I see; thanks. Given that it sounds like my methodology isn't scientific enough to draw any real conclusions, I think I'll call it off at this point.

    That is the main thing I'm taking away from this. Despite what some of the people here say, frequent patches seem to be an unfortunate necessity.
     
  3. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    838
    Location:
    Germany
    Well, I wouldn't put it that way to be honest. Your test is perfectly fine and valid. I just disagree with the conclusion you draw from your results. Since every HIPS will fail to some degree in your current setup, the result is not that all HIPS are bad and should be avoided. The result should be that you will lose if you don't keep high risk applications up-to-date, no matter what HIPS you use.

    This is not solely a HIPS problem either. Sandboxie has to allow applications running inside the sandbox to communicate with services outside the sandbox for example. If it doesn't, the application simply won't run at all. However, this also means that if that service is somehow vulnerable due to a coding error or bug, the application will be able to escape the sandbox by exploiting said vulnerability. Every system is only as secure as its weakest link, which is why it is crucial to harden every aspect of your system, and not just put all your eggs in one basket.

    For example: Updates would have kept you safe in your scenario. EMET would have kept you safe as well. Using a browser that is aware of its high risk status, like Internet Explorer on Vista and later OSes or Chrome, would have kept you safe. An AV software, scanning the network stream, would have likely picked up the exploit code before it reached your vulnerable browser, keeping you safe. Setting up your own custom HIPS rules for your high risk processes would have helped mitigate the attack. There are dozens of things you can do to improve overall security by hardening the weak links in your overall equation.

    They are. Which is why I always cringe when people ask me how they can stay secure once Windows XP support runs out. The only answer is by updating to Windows 7/8 or by switching to an up-to-date Linux distribution, because there is no way you will be able to keep your system safe after April 2014.
     
    Last edited: Nov 8, 2013
  4. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    I agree, this is a valid type of test, but for whole internet suites. They are the only ones that (should) cover all the fields that you are demanding.

    For example, when you say in your first post that Panda Cloud passes "the cheap way", "by recognizing the DLL as a known bad one", that's the only thing that you can expect from what's nothing but a cloud scanner with some other basic real time features.

    A whole internet suite must detect the exploit kit first (some of them patch known vulnerabilities in the browser too). If not, they must control DLL and EXE drops (as Panda did), protect the browser from injections, detect dangerous behaviours and prevent unwanted internet connections. For a few years now they have offered a 'layered approach' in one single product. Asking the same from specialized programs is too much, I think.

    One suite that has a proactive anti-exploit module similar to MBAE is Kaspersky; I don't know if there are others.
     
  5. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349
    I would also like to test it in my VM. So I have PMed Gullible Jones for the malware and if I receive it I will also test it against strengthened and tweaked security suites like Comodo.
     
  6. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    There are changes to ESS v7 Suite (Eset) in this regard. It has introduced Exploit Blocker and Vulnerability Shield to help with regard to high risk applications.

    Not sure if it's been put to test. (I would like someone to do that :D )

    Here are details from their words --

     
  7. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,093
    Location:
    Germany
    I think F-Secure AV and IS 2014 have exploit protection now as well, as it's a part of the new DeepGuard 5 module.
     
  8. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    But is there a live CD version? I downloaded the ISO image and I burned it, but when I booted it in my system there was not a live option, only installing.
     
  9. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    There should be a live option... At any rate I didn't use it live; I installed it to a KVM virtual machine.
     
  10. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen

    Thanks! I understood that you used a VM. I didn't find the live option, and usually Linux distros have one.
     
  11. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    @Gullible
    can you also test SpyShelter Firewall?
    thanks
     
  12. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    @co22, et al.: I won't be posting further results here, sorry. Thanks for the interest though.
     
  13. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Thanks for the reply.
    Will you post further results elsewhere?
     
  14. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Probably not, seeing as I don't have a blog or anything...
     
  15. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    OK,
    but that was good and interesting; I see your last result here for SpyShelter Firewall.
    Even so, if it's possible, make a video and put it on YouTube or SkyDrive!?
    Anyway, thank you.
     
    Last edited: Nov 8, 2013
  16. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,351
    Location:
    Europe, UE citizen
    Really, I can't find a live CD version. The only option is installing. :'(
     
  17. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    LOL, it certainly seems that way when you first start off. But after a couple weeks of use and whitelisting actions it becomes a very quiet, and formidable layer. I haven't heard a peep out of mine in awhile. I also delete the trusted vendors list for good measure... I always delete such lists. I'll be the judge of what I trust for myself.

    Was a bit surprised that the patches made such a difference. That seems to confirm a theory I saw one person have that each patch doesn't merely block 1 vulnerability, but any associated ones that exhibit the same behavior... someone offered this up in another thread debating the usefulness of patches. These findings are convincing me even more to ditch XP when its EOL comes. At the same time they've convinced me of what I already knew and preached vigorously... that XP can currently be made to be quite safe, just as any Windows OS since.

    DefenseWall + Sandboxie seems a very good combination. Add imaging and hardening, and voila...

    Major props for all the hard work.
     
  18. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Keep in mind though that a lot of users have neither the patience nor the skill to create such a system of restrictions.

    The patched OS was Windows 7 though. And in its case, it was almost invariably 7's native security mechanisms - not the HIPS or AV programs - that proved the biggest obstacle. People talk trash about UAC, but it's formidable when dialed up to max.

    There's also that some of the kernel subsystems that HIPS themselves rely on are better designed on later versions of Windows. It may be possible to hook things on 7 that can't be hooked on XP, or to hook those things more effectively.

    (In fact, Process Explorer uses some new features on Vista and 7 that make it more effective. It wouldn't surprise me if the same applies to various HIPS software.)

    Not sure, but I think DW and SBIE might be a bit redundant. Both of them implement copy-on-write filesystem virtualization, and policy restrictions... They work mostly at the same layer. Picking one I'd probably go with DefenseWall, because it includes a good outbound firewall and is much easier to use. They're both extremely good vs. anything short of a kernel exploit, though.

    Personally I think that one should think about which layer each security measure operates on. This image says it better than I can:

    http://0xdabbad00.com/2013/04/28/exploit-mitigation-kill-chain/
     
  19. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Oh I know, I'm only worrying about myself here. I'd never recommend such an approach to a person that wasn't an advanced end user. For me Comodo FW/D+ & Sandboxie, with my OS/browser hardening as well, can turn back about anything. And the VM makes persistence a lost cause.

    I didn't know that DefenseWall was so similar to Sandboxie. I thought DW was more like a HIPS with an outbound FW as well... not like a traditional sandboxing app. If so that would be redundant. If I didn't already love Comodo's outbound FW control I might try DW out. But then I really, really love Sandboxie too. I'm just really happy with the way I have things right now. No desire to change a thing.
     
  20. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    I don't know that DW + SBIE is redundant either; I only suspect. :)
     
  21. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Thanks for the diagram! I like it :thumb:

    From the webpage:

    ...then looking towards the top of the diagram after the delivery of malicious content to victim, the two possible entry points are email (social engineering) or website (watering hole). Just examples of infection starting points, I realize. Stopping the latter scenario is via IP blacklisting, browser site blocker. Very interesting! This was actually the entire premise of the thread I started yesterday (How might I get infected...?) where the only defense in place other than lua was NoScript. I can't help but wonder how many automated exploits (as opposed to social engineering) are delivered to potential victims where script blocking could halt them right from the get go, providing, of course, the target doesn't allow the malicious script embedded within the exploited web page?
     
  22. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Could you please test the latest version of TIGHTLY CONFIGURED Google Chrome on Windows XP Professional Service Pack 2 and on Windows XP Professional Service Pack 3, and then after that, the newer/higher versions of Windows?
     
    Last edited: Nov 20, 2013
  23. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Unfortunately no. Vacation is over, Metasploit has gotten boring, and I have a million other things to juggle right now. Chances are high that I will not get back to this.

    I am starting to teach myself some x86 assembly and reverse engineering stuff (see my other threads). May eventually post a write-up on some malware or other... Maybe. The real takes precedence over the virtual.
     
  24. tomazyk

    tomazyk Guest

    Too bad to hear that, but I do understand you. Thank you again for all tests and for sharing results. :thumb:
     
  25. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,020
    Location:
    U.S.A.
    Removed Off Topic Posts. Let's focus on the subject: Metasploit/Armitage vs. WinXP. Thank you.
     