New release. GSS v1.420

Discussion in 'Ghost Security Suite (GSS)' started by Jason_R0, Mar 11, 2008.

Thread Status:
Not open for further replies.
  1. cafeshop

    cafeshop Former Poster

    Joined:
    Feb 20, 2008
    Posts:
    36
    Hi SystemJunkie,

    So far, the box is no problem with the setting of {Muxtex: block;}.
    The GSS1.4.20 log shows that on my box, SMSS.exe (a component of windows XP; not a win32 executable) always shown running a rootkit at everyboot of the box. It can be guessed that the BSOD is to come if it is to set {Driver Install: Block; }; further more, the AppDefend panel does not show SMSS.exe

    Any comments.
     
  2. SYS 64738

    SYS 64738 Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    130
    Installed flawless on my old win2k laptop. I didn't have time to play around with it yet, but i found that Appdefend does not detect this imaging program: http://selfimage.excelcia.org/ o_O
     
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    2u4076d.png

    The old behavior.. this event started 2 or 3 years ago
    a flood of discussion about bios/rootkits and it is still alive in GSS.:D :D

    Rootkit Driver installation allowed by smss.exe.
     
  4. rodsoto

    rodsoto Registered Member

    Joined:
    Mar 18, 2004
    Posts:
    77
    Location:
    Australia
    Hey Jason, just downloaded it will test it after reboot.

    I was wondering whenever you implement GhostWall into it, whether the IP block list will be functioning? I am hoping to use the peerguardian p2p IP address blocks, the source code of the program is free, and can be downloaded from here:

    PeerGuardian p2p Source for Developers

    The peerguardian list can be used in default format, however you may want to implement a conversion program to prevent any security issues, as well as obviously listing IP addresses and being able to tick the 'companies' (such as advert companies) by deselecting them individually. IE, so i can at least have HTTP blocking - but allowed to go to say adobe.com if that companies web IP addresses were listed.

    Thanks
     
  5. cafeshop

    cafeshop Former Poster

    Joined:
    Feb 20, 2008
    Posts:
    36
    I am getting the same doubled issue I didnot know it; smss.exe is not a win32 executable to run in win32. If trying to set {driver install : block / ask (block)}, windows is going to get BSOD when reboot.

    Can you confirm that and solution ?
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I don´t want to try it..:D But sounds logical, if we assume that shadow table (win32k) works very close together with session manager subsystem (smss) and you block this procedure at start up, windows will high likely crash.

    Session manager subsystem is only needed at boot up you can kill smss.exe directly after it is loaded, some security tools do that by default because of obvious reasons.

    But if we talk in terms of Rootkit. Smss.exe would be a perfect target too, e.g. the stealth rootkit would load itself with one of the earliest alive processes in windows and then likely disappear but infected subsystem would remain even if you´d close smss.exe (it could for example transfer the bad code into explorer.exe), good stealth factor, imo, especially related to sophisticated poly file infectors (smss-explorer.exe as main targets).
     
    Last edited: Mar 19, 2008
  7. cafeshop

    cafeshop Former Poster

    Joined:
    Feb 20, 2008
    Posts:
    36
    It sounds great to me, and it seems the issue lookin is on the right track ? A bug stay still or an earliest-boot windows stealth rootkit ?
    Jason is going to jump in to address the issue and an explain.

    It is pretty sure that why all my boxes have been having BSOD issues with all versions of GSS after the ver.1.100beta .

    Thanks to SystemJunkie.
     
  8. SYS 64738

    SYS 64738 Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    130
    Detected it now, don't now why it didn't catch it the first time...
     
  9. cafeshop

    cafeshop Former Poster

    Joined:
    Feb 20, 2008
    Posts:
    36
    On my laptop DELL 1720 running winxp sp2 x32 and win2k3 server, BSOD is the problem when set "ask/block" to { execution ; start application ; install driver ; terminate } , and whatever to the other options. It seems GSS1.4.20 having problem with something "smss install rootkit at very early of booting"

    SESSION3_INITIALIZATION_MANAGER_FAILED.....

    Hope Jason confirm & address the issue.
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Usually I would say smss rootkit install is false positive but I don´t think so anymore, because we have cryptic attachment at the end of smss and explorer .exe, there are some people outthere who are searching for the reason of this mystery for many many years.

    Then I checked some smss and explorer with attachment like this at the end:(and I saw the dhlptx phenomenon)
    0#0*070U0^0g0s0
    6,7:7C7`7g7n7{7
    9!9'9L9U9_9x9
    3 4&464<4A4G4p4y4
    5(5>5K5a5n5
    X0^0g0w0
    >%>*>4>A>G>L>_>i>s>
    ,0<0B0I0R0Z0`0f0
    777=7I7O7T7]7v7
    9"9(909`9o9t9z9
    :":':,:1:6:;:E:M:W:a:g:q:
    ;%;.;R;\;a;i;
    =%=)=3=F=P=T=Y=
    >#>'>1>6>;>L>Q>V>]>b>i>
    ?2?B?K?b?h?t?
    0/0H0Q0V0[0
    3(30363F3O3V3n3|3
    4%414H4S4d4n4x4
    8N8T8[8w8~8
    9:9A9`9i9o9w9
    576G6Q6Y6e6
    :9;E;R;x;
    0 040<0P0X0d0l0t0x0
    1 1(10181<1L1T1X1h1p1
    2L2P2T2X2\2`2d2

    They use obfuscation mechanism with a 048 code (typical for trojan downloaders) as far as I´ve found out.
    048 means e.g.: 0 0000 0000 1 1111 1111 2 2222 2222 3 3333 3333 4 4444 4444 5 5555 5555 6 6666 6666 7 7777 7777 8 8888 8888 9 9999 9999 and most time d h l p t x between the lines, which is part of crypto lessons, things
    like that also used by military.

    Example2: End of Explorer.Exe SP2:
    > >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
    ? ?$?(?,?0?4?8?<?@?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?
    2'232D2H2L2P2T2X2\2`2d2
    : :(:Q:W:t:
    1C2V2c2i2}2
    9S9Y9r9|9
    2#2D2L2T2\2d2l2t2
    :L:';8;<;@:D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
    ......
    3/4:4E4P4[4f4q4|4
    0 0$0(00040<0@0D0L0P0T0\0
    0 1(1<1H1P1p1x1
    5 5$5(5,5054585<5@5D5 6$6@6D6H6L6P6T6X6\6

    End of Explorer Exe SP3 RC:
    A0H0O0V0]0d0k0t0
    4 4A4k4x4S5f5m5
    5.6D6J6d6q6v6
    9<:B:I:p:X:\:`:d:h:l:p:t:x:|:
    ;;;B;l;p;t;x;
    5Q5d5l5t5|5
    9V:m:t:
    >B>J>P>o>
    a0h0p0{0
    :$:/:::E:p:[:f:q:
    0$0(0,0004080<0@0D0H0L0T0X0\0
    5 5$5(5,50545@6D6`6d6h6l6p6t6x6|6
    ________________________________
    So you see 5 methods of Obfuscation:
    1. Old hxdef method e.g.: I am here: I/A/M/H/E/R/E
    2. dhlptx - crypto method
    3. 048 downloader method
    4. A=1 B=2 and so on.
    5. Permutation in the lines e.g.: Hello lloeH
     
    Last edited: Mar 25, 2008
  11. Dogbiscuit

    Dogbiscuit Guest

    Sounds like someone has on his tinfoil hat.
     
  12. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Just been checking out this new version. I haven't used gss in a while so maybe i'm missing something but when did the network control get removed? Is it permanent?
     
  13. duweoi

    duweoi Registered Member

    Joined:
    Mar 23, 2008
    Posts:
    7
    Hi SystemJunkie,

    You mentioned that GSS does not pass all the firewall tests at http://www.firewallleaktester.com. However how does AKLT determine that a function call (say GetKeyState) is illegitimate?

    Does it essentially spawn an independent process which then tries to call GetKeyState on AKLT.exe and tries to read AKLT.exe 's viewspace? If so how
    would it do this. (p.s. I know next to nothing about Win API function calls)

    Thanks
     
  14. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    It was removed in the 1300a3_nonet release, there were many having looping BSOD problems. As for whether it is permanent or not, I have mixed feelings about it. At first I hated to see it go, but then quickly became accustomed to having one less alert to Allow/Block. Besides, as you know, install GSS on a clean system, practice safe hex, and one could do without having to permit network access. But that is just my opinion.
     
  15. duweoi

    duweoi Registered Member

    Joined:
    Mar 23, 2008
    Posts:
    7
    Was installing Internet Explorer 7 and had a huge number of pop up windows. Might be useful to have an "Allow all for current session only" so as to easy the pain of an installation.

    Thanks
     
  16. duweoi

    duweoi Registered Member

    Joined:
    Mar 23, 2008
    Posts:
    7
    Also under AppDefend Rules, it might be useful to have a "delete all" button, which clears all the programs from the rules list.

    It might also be useful to be able to catagorise AppDefend Rules into User defined groups e.g. core rules, non-core rules etc. If I am compiling programs on an hourly basis, AppDefend Rules will become cluttered and it might be better to seperate the rules for my executables from the rules defined for things like winlogon.exe etc...
     
  17. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    The next version is taking a little longer due to the new registration system being setup (which requires writing linux apps for the webserver), but it should only be a few days away. There are also some small visual differences (and possibly other future things) I've added for the life members of products (customers who have purchased before the switch takes place). When you register the product now there is also a little animation of sorts which comes with it, which you can partially see some of below.
     

    Attached Files:

    Last edited: Mar 28, 2008
  18. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    The "rootkit driver method" AppDefend is detecting is probably a legitimate driver install, I have seen it on every machine I've tested. Microsoft simply use one of the "undocumented methods" they want others to stop using to load a driver. Once the log provides more info on the driver name and things of that nature it will be obvious it isn't malicious...
     
  19. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    793
    Hello Jason,

    Good to hear from you on the latest development. :thumb:

    By the way, is the coming version still a beta?
     
    Last edited: Mar 28, 2008
  20. cafeshop

    cafeshop Former Poster

    Joined:
    Feb 20, 2008
    Posts:
    36
    Anyway, with the setting { driver install : ask/block } is going to have BSOD on the next boot, Jason.

    For online purchase through Regsoft, they can not complete my orders with my creditcards; the reason is with Regsoft can not handle all banks - an issue of regsoft transaction handling. While We can complete orders with the same creditcards with other online services even a few outside of US online stores having transaction handling through paypal service (such as TallEmu.com). Hope you have a better solution for online payment system xp before your new license system goes.
     
  21. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Yes still a beta..... though not long to go now (this saying does get long in the tooth ;) ). The registration stuff took a little longer than I wanted, but I wanted to get a public key encryption system in place to allow for better key management and to simplify the process for people. Once this is done it is only minor things to improve before the final, this was the last major hump to do.
     
  22. duweoi

    duweoi Registered Member

    Joined:
    Mar 23, 2008
    Posts:
    7
    I was installing a big package (setup.exe) which installed many subpackages, and got loads of pop up windows for each subpackage installed. Might be useful to have a button which says "Allow current process, and all processes spawned by current process, for current session only". This makes installation easier.

    Note that this is more restrictive than an "Allow all processes for current session only".

    Ofcourse one could just switch GSS off during installation!! This is probably the simpler option.
     
  23. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    One of the things which will be added very soon is a whitelist of basic services/apps like smss.exe so that even if you change the default rootkit method to block it won't stop the system from booting. At the moment it's in a very "be careful what settings you change" state because of the assumption that only experienced users will tweak a lot of things. ;) But yes, I am aware that there are many minor annoyances like this which still plague AD and RD, I have a list to work from for such things. :)
     
  24. smith2006

    smith2006 Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    793
    Thanks for the reply! :)
     
  25. cafeshop

    cafeshop Former Poster

    Joined:
    Feb 20, 2008
    Posts:
    36
    You knew things you have been doing to build the ground-breaking technical piece of software - GSS - which is going to be greatest at all (smallest in size + most less computer resource use + ground-up from cratch newly built secure GUI library + Kernel Security + Kernel mode + lifetime upgrade policy + else). All users are going to have your new build release.

    For tweakings to GSS1.4.20, it is clear that even with setting (execution : ask/block), BSOD is going to be after reboot; the settings (execution : allow/ask(allow)) is not safe to boxes. Am I correct on this, please correct me.
    THanks.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.