New Man-in-the-Middle attacks leveraging rogue DNS

This may sound silly, but does anyone know if HIPS can protect against this stuff?

http://blog.phishlabs.com/new-man-in-the-middle-attacks-leveraging-rogue-dns

 

Technically no, but HIPS will prevent the malware from installing in the first place so you should be ok. Once malware is on your system you're pretty screwed.

 

So this stuff can´t be stopped by protecting the registry and file system, for example?

 

I'm pretty sure HIPS would prevent it from making the required changes to your PC in the first place.

 

Can't say without more knowledge of how the attack works...

If the embedded binary is invoked with CreateProcess, CreateProcessEx, then a HIPS will probably block it. Likewise for library loading system calls, if the HIPS is configured securely.

If on the other hand the malicious code runs in the word processor's memory space, without invoking one of those system calls, then it's down to restrictions on other system calls, including filesystem and registry access. In that case you would hope it doesn't try to escalate privileges first thing. But on the other hand, if it uses a memory exploit to get off the ground, then EMET would probably block it.

If on the other hand it is one of those long chains of self-extracting packed executables, a HIPS will probably block it (or at least make a lot of noise).

But in any case this doesn't strike me as particularly threatening, since the vector involves opening a spam attachment.

 

There's quite a few more variables involved. Several HIPS can also monitor specific keys in the registry. The DNS settings may or may not be on its default list. With SSM pro for example, you can add any keys you want to the coverage.

Such an attack could also be defeated at the firewall by creating IP specific rules for DNS. If the PC tries to use another IP, the firewall blocks it.

To my knowledge, any decent HIPS should prevent the initial execution of the changer. If that fails, registry protection should prevent the change as the settings are stored in the registry. If that is also bypassed, a properly set firewall should block the altered DNS. That's layered security. Multiple points at which the attack can be defeated.

 

Yes, that´s what I was thinking also, I wonder if current HIPS are monitoring DNS settings?

But now that I think of it, a specialized tool like Trusteer Rapport should probably be able to stop this specific attack.

 

From the article:

Any decent program with whitelisting will block an unauthorized executable program file from launching.

Five years ago I found an RTF document exploit which contained an executable disquised as a Package Object:

http://www.urs2.net/rsj/computing/tests/rtf

----
rich

 

@ Rmus and others

I should have been more clear. Of course anti-exe and anti-exploit will stop this stuff.
But I was talking about the methods that is used by this malware.

I already figured out that with good old SSM (Win XP), it´s possible to protect DNS settings. Perhaps y'all can check out others HIPS on Win 7/8, you can test it with DNS Angel.

I´m not sure where root certificates (Certificate Authority) are stored in Windows? I suppose it´s in: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\, at least on Win XP.