PG, Mydoom & In-process server, SFP

Discussion in 'ProcessGuard' started by shapechanger0, Feb 2, 2004.

Thread Status:
Not open for further replies.
  1. 1.
    PG 1.200 will protect users from ordinary DLL trojans which inject a DLL via CreateRemoteThread or SetWindowsHookEX.

    According to

    http://www.sophos.com/virusinfo/analyses/w32mydooma.html

    i-worm Mydoom.A includes a backdoor (a DLL trojan called shimgapi.dll). The DLL is registered as an in-process server so that it is run on startup.

    My question is whether such a start-up method will circumvent PG's protection mechanism? If yes: Would it be possible to change this? (I understand that PG also covers the "AppInitDLLs" registry entry.)

    2.
    In addition, I believe that PG is meant to protect the user from file viruses etc. which dynamically disable SFP and then modify system files.

    I would like to know whether this also applies to WfpAdmin
    v2.00 by http://www.collakesoftware.com/ . I am not sure whether my own test results are correct (I have not used the PG full version).


    TIA.
     
  2. By the way, it seems to me that there are many more possibilities to register in-process servers. For example, you may force the browser to load a DLL trojan each time the browser is started ...
     
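    The first two posts worry about DLLs that get loaded simply because they are registered as COM in-process servers (or as Explorer ShellExecuteHooks), with no CreateRemoteThread or SetWindowsHookEx involved. As an added example that is not code from the thread, from DiamondCS or from ProcessGuard, here is a defender-side audit in PowerShell that lists every InprocServer32 registration whose DLL is outside the Windows or Program Files trees, is given as a bare (search-order resolved) filename, is missing on disk, or is wired in as a ShellExecuteHook. The function names, the "trusted location" list and the flag names are my own assumptions; it assumes an elevated PowerShell session on Windows.

```powershell
# Added example: audit COM in-process servers for unexpected DLL locations.
# Assumption: system and Program Files directories count as expected locations;
# anything else (or a bare filename resolved via DLL search order) gets flagged.
$trusted = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Expand-ServerPath([string]$raw) {
    if (-not $raw) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
    # Some registrations carry a trailing ",ordinal" or arguments; keep only the module path.
    if ($p -match '^(.*?\.(dll|ocx|ax))') { $p = $Matches[1] }
    return $p
}

function Test-TrustedLocation([string]$path) {
    # A bare filename is resolved through the DLL search order, so treat it as untrusted.
    if (-not [System.IO.Path]::IsPathRooted($path)) { return $false }
    foreach ($t in $trusted) {
        if ($path.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# ShellExecuteHooks: CLSIDs listed here are loaded into Explorer at shell start.
$hooks = @{}
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hookKey) {
    (Get-Item $hookKey).GetValueNames() | ForEach-Object { $hooks[$_] = $true }
}

$findings = foreach ($clsid in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
    $inproc = Join-Path $clsid.PSPath 'InprocServer32'
    if (-not (Test-Path $inproc)) { continue }
    $path = Expand-ServerPath ((Get-ItemProperty $inproc).'(default)')
    if (-not $path) { continue }
    $isHook    = $hooks.ContainsKey($clsid.PSChildName)
    $untrusted = -not (Test-TrustedLocation $path)
    $missing   = [System.IO.Path]::IsPathRooted($path) -and -not (Test-Path -LiteralPath $path)
    if ($isHook -or $untrusted -or $missing) {
        [pscustomobject]@{
            CLSID             = $clsid.PSChildName
            Server            = $path
            ShellExecuteHook  = $isHook
            OutsideSystemDirs = $untrusted
            FileMissing       = $missing
        }
    }
}
$findings | Sort-Object ShellExecuteHook, OutsideSystemDirs -Descending | Format-Table -AutoSize
```

    A hit in this list is not proof of anything malicious; legitimate shell extensions and third-party COM servers live outside the system directories all the time. The value of the audit is the diff: run it once on a known-good machine, keep the output, and investigate any CLSID or server path that appears later, particularly a new ShellExecuteHook.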
  3. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Any program which allows plugins to be written for it runs the risk of someone maliciously using it, especially programs like Internet Explorer, MSIMN, etc, which are on everyone's computers. Your best bet is to run programs which don't allow unverified plugins/DLLs to be used or better yet, don't load any at all ;) .

    Yes, Process Guard blocks WFP disabling, which you can see in full detail here. We wrote our own tool for this, but it does exactly the same trick as Jeremy's WFPAdmin, and you're correct that viruses could also easily do this to enable them to modify system files.

    -Jason-
     
  4. Jason:

    "Your best bet is to run programs which don't allow unverified plugins/DLL's to be used or better yet, don't load any at all"

    I will need to check out whether there are any safe browsers. It seems to me that there are many possibilities for registering in-process servers ...

    "We wrote our own tool for this, but it does exactly the same trick as Jeremy's WFPAdmin,"

    I have protected winlogon.exe with PG 1.2 trial. Then I used WFPAdmin, switched off SFP and deleted help.exe and help32.exe from Windows folder. PG and SFP stayed silent. Am I doing something wrong?
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Shapechanger0, Did you check that Close Message Handling was enabled on Winlogon? The PG Winlogon default setting does not set the CMH switch.

    BTW I have not tried it, just guessing :)
     
  6. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    That's interesting shapechanger, I will have to look at the newest version soon.

    Wayne just tried WFPAdmin on a test machine and the Windows XP system got corrupted, so I will try it after I know it is safe. :)

    -Jason-
     
  7. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    shapechanger,
    As Jason just mentioned, I tried WFPAdmin v2 (I hadn't tried this new version before), and it doesn't appear to use the same trick anymore, although it does have several options so maybe one of those options still does the same trick (the winlogon.exe-based method).

    However, it hosed the test machine I tried it on (XP SP1) and I am currently in the process of rebuilding it. To give you an idea of how hosed the machine was, we couldn't even boot into Safe Mode, and then when trying a Repair installation the actual setup.exe program crashed, basically leaving us with little option but to rebuild the machine - we've got backup images so it won't take too long, but it's a hassle we weren't anticipating from something as 'simple' as disabling WFP.

    In other words, if you use WFPAdmin, you do so at your own risk, and be prepared to possibly have to rebuild your machine afterwards.

    Exactly what trick it uses I'm not sure - I won't have any time for analysis until after I get this test machine back on its feet, but unlike the relatively 'safe' winlogon.exe-based method, this method seems very dangerous - use with extreme caution.

    I'll email Jeremy about it later this evening, I need a newer copy of PECompact anyway.

    Cheers,
    Wayne
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Hi Wayne

    A suggestion. Get GoBack (it's by Roxio, but now sold by Symantec.) It's perfect for these situations. I had a similar situation, when testing firewalls. One of them totally hosed me for some reason. Couldn't boot windows in any form or fashion. GoBack gives you a repair option right after the bios load, long before windows even starts to load. You pick a time, before the problem, and bingo, it puts the disk right back like it was then. My recovery time was 5 minutes.

    Also great if you want to mess with new stuff. If you don't like what's going on, rather than try uninstalling and cleaning out the registry, I GoBack. Adds about 2 minutes to a reboot, and puts everything back before you started. It is really neat.

    Pete
     
  9. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Has the situation with WFPAdmin been resolved? I worry about this being a potential area of attack against PG.


    Starrob
     
  10. newbornii

    newbornii Guest

    Is it that this is another way to bypass PG and wreak havoc on the windows box? If they can slip through PG, how can home users protect their windows boxes? Please help...help....out!
    thx all
     
  11. ,.-

    ,.- Guest

    I tested it in the meantime: http://boardadmin.bo.funpic.de/viewtopic.php?p=143#143

    I would be grateful if Jason or Wayne could explain whether there are any disadvantages if you enable read access protection for winlogon.exe. If no: why is this not the default setting?
     
  12. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Excellent to hear, it certainly looked that way from just reading the source code for the exploit... it looked like it would need to read the winlogon process to get the "special" file handles to close down

    Even though it was speculative, I enabled read protection on winlogon last week sometime and haven't noticed anything wrong yet

    One more bandaid for this specific issue but it doesn't address and protect from use of the API that allows for system files to be changed "properly"
     
    Last edited: Dec 12, 2004
  13. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Please see my response in the other thread. ProcessGuard does protect against WFPAdmin and the rootkit.com method if READ access is protected on winlogon.exe. WFPAdmin's method is the same as the rootkit.com method. Back in February when asked about this issue I discovered that WFPAdmin could disable WFP very easily using this technique which he said was "secret". I guess the author of the rootkit.com article disassembled WFPAdmin like I did to find how it worked and posted his results.

    I should have remembered that this is one issue that was better fixed in the 3.0 versions of ProcessGuard than the previous versions with regard to this specific exploit, however ProcessGuard does not currently handle "the actual method" used to disable WFP. It indirectly blocks it.
     