Prevx bypassed !

Discussion in 'Prevx Releases' started by CloneRanger, Aug 4, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,918
    ......
     
  2. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    818
    Wow very good read indeed...Thank You....
     
  3. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    We already had a look at the code and we are going to fix the issue.

    On a side note, I would underline that the tool needs some specific privileges (SeDebugPrivilege) that are not available by default unless you are running under administrator account.

    Code:
    Set_Privileges:
    push    offset _oldStatus
    push    0
    push    1
    push    14h
    call    RtlAdjustPrivilege
    
    If you have administrative privileges, then it's game over actually. Yes, you can enforce your self-defense (Prevx 4 has fully rewritten self-defense module that filter out this PoC attack too by design) but you and attackers are both playing at same privilege level. It's just a matter of time then.

    Moreover, this self-defense bug is present only in Windows XP - Prevx 3 uses another self-defense mechanism in Windows Vista and 7 which is much more effective. Proof of concept code is aware of this actually:

    Code:
    mov     ds:dword_4032C4, 114h
    push    offset dword_4032C4
    call    RtlGetVersion
    cmp     ds:dword_4032D0, 0A28h [I][B]; is Windows XP?[/B][/I]
    jz      short loc_40156A [I][B]; if not, then "Unsupported OS"[/B][/I]
    Anyway, we are going to address this shortly :)

    Marco
     
    Last edited: Aug 4, 2010
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,103
    Location:
    Outer space
    Thanks for your reply, nice explanation :)

    How about UAC admin accounts?
     
  5. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Do you mean administrator account with UAC enabled? If so, then it's the same as a limited account. It's an administrator account in Admin Approval Mode. It needs your interaction to gain administrative privileges
     
    Last edited: Aug 4, 2010
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,918
    ;)

    :thumb: When did you discover this POC ?

    *

    Ran the POC

    Prevx v3.0.5.179 - XP/SP2 - Admin

    um1.gif

    z1.gif

    n.gif

    The only alert i got was from Zemana :thumb: but even allowing that it still failed = :) but ?
     
  7. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    747
    Thanks CloneRanger for the link :thumb:
    Tried this POC running as admin :eek:

    Returnil RSS 2011 stopped it as soon as I tried to run it and Zemana with my custom settings just terminated it (look at the bottom line in the screenshot). Not the same as a real malware trying to get at Prevx perhaps but interesting in that it shows the power of Returnil RSS and custom configured Zemana to stop anything unwanted executing.
     

    Attached Files:

  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,103
    Location:
    Outer space
    Yes, that was what I meant, thank you. A while ago I read somewhere that admin accounts with UAC enabled would be less secure than limited accounts, so I asked just to be sure :)
     
  9. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    747
    Prevx now detects this POC :thumb:
    Trusted it and then allowed it to run but with Returnil Lite 2011 this time as backup silently stops it. Nothing happens, Prevx still chugging along
     

    Attached Files:

  10. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Do not worry!

    Actually methods used to break Prevx self-protection is very old (3-4 years).

    And is not representative of any of today's malware break methods, so it is largely a waste of time in terms of testing.

    Prevx focuses on finding only advanced (VIP) threats break methods, and guarantees, what ? LOL

    I wish you a very beautiful day...
     
  11. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Prevx .187 successfully terminated with all it's hooks from pure user mode !!!

    Guys, what do you do? this is a joke? lol

    EraserHW, (prima di sviluppare un tuo driver di auto-difesa) dica agli lettori Italiani (i swear i will read msdn to fix my bugs), un saluto a nV 25;)

    I wish you a very beautiful day...
     
    Last edited: Aug 5, 2010
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,918
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Pretty ironic that it's now just a video being posted and not a link :p If you would wait 10 seconds, Prevx will re-execute :)
     
    Last edited: Aug 5, 2010
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Also, probably worth noting, all of these exploits ONLY apply to XP - if you are using Vista/7/2008, you've been fully secure this entire time :)
     
  15. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    581
    Location:
    UK
    I know! :D There's also an extra layer of protection for those running with UAC on as far as I can see.
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,918
    It didn't work on my XP when i tested it post 6 Not complaining but wonder why ?
     
  17. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    read my post above :) As PrevxHelp said, it's only on Windows XP with admin rights :)
     
  18. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    That's exactly true :)
     
  19. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    this is entertaining. :D
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,918
    @ EraserHW

    I know, please see my Post 6


    Still failed to work :D = Why is what i'm wondering ?
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hackers today just aren't like they used to be :D
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,918
    @ PrevxHelp

    Don't let EP_X0FF hear you say that :D

    Fact is, it didn't work, so i thought you'ld be interested to try and find out why ?

    At the moment it's no biggy, still got a newer POC to be released so ? But i would have thought that if the real baddies make use of these, and/or similar techniques, it "might" be ?
     
  23. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Not sure actually :) Do you use any other security software?
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The area that they're using is generally quite unstable so it's understandable that it wouldn't work well. The technique has been around for a while, but I have only extremely sparingly seen malware using these techniques (and Prevx automatically restarts itself anyway). As mentioned earlier, it is a bit of wasted effort - why bother killing the AV, alerting the user that something is wrong, when you already have full access to the system?
     
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,918
    That's funny, i thought Prevx had ESP :D

    https://www.wilderssecurity.com/showthread.php?t=278273

    Err, yes :p but only Zemana picked up on it, see post 6
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.