Prevx bypassed !

Discussion in 'Prevx Releases' started by CloneRanger, Aug 4, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    ......
     
  2. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
    Wow, very good read indeed... Thank you.
     
  3. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    We already had a look at the code and we are going to fix the issue.

    On a side note, I would underline that the tool needs a specific privilege (SeDebugPrivilege) that is not available by default unless you are running under an administrator account.

    Code:
    Set_Privileges:
    push    offset _oldStatus       ; PBOOLEAN Enabled (receives the previous state)
    push    0                       ; CurrentThread = FALSE (adjust the process token)
    push    1                       ; Enable = TRUE
    push    14h                     ; 14h = 20 = SE_DEBUG_PRIVILEGE
    call    RtlAdjustPrivilege
    
    If you have administrative privileges, then it's game over actually. Yes, you can enforce your self-defense (Prevx 4 has a fully rewritten self-defense module that filters out this PoC attack too by design), but you and attackers are both playing at the same privilege level. It's just a matter of time then.

    Moreover, this self-defense bug is present only in Windows XP - Prevx 3 uses another self-defense mechanism in Windows Vista and 7 which is much more effective. The proof of concept code is aware of this, actually:

    Code:
    mov     ds:dword_4032C4, 114h     ; dwOSVersionInfoSize = 114h = sizeof(RTL_OSVERSIONINFOW)
    push    offset dword_4032C4
    call    RtlGetVersion
    cmp     ds:dword_4032D0, 0A28h    ; dwBuildNumber == 0A28h (2600)? is Windows XP?
    jz      short loc_40156A          ; if not, then "Unsupported OS"
    Anyway, we are going to address this shortly :)

    Marco
     
    Last edited: Aug 4, 2010
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Thanks for your reply, nice explanation :)

    How about UAC admin accounts?
     
  5. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Do you mean an administrator account with UAC enabled? If so, then it's the same as a limited account. It's an administrator account in Admin Approval Mode. It needs your interaction to gain administrative privileges.
     
    Last edited: Aug 4, 2010
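The two preconditions EraserHW describes in post 3 (the RtlGetVersion build compare against 0A28h and the RtlAdjustPrivilege(14h, ...) call) and the UAC point in post 5 can be reproduced on your own machine. The script below is an added example, not code from the thread, from the PoC or from Prevx; it assumes PowerShell 2.0 or later (for Add-Type) and calls ntdll!RtlAdjustPrivilege exactly as the disassembly does. Run it once in a normal prompt and once elevated: a UAC-filtered or limited token does not hold SeDebugPrivilege, so the call returns STATUS_PRIVILEGE_NOT_HELD (0xC0000061) instead of 0.

```powershell
# Added example (not from the thread or from Prevx). Mirrors the PoC's own
# preconditions: Windows XP build (2600 = 0A28h) and SeDebugPrivilege enabled
# through ntdll!RtlAdjustPrivilege. Assumes PowerShell 2.0+ for Add-Type.

if (-not ('Win32.Ntdll' -as [type])) {
    $sig = @'
[DllImport("ntdll.dll")]
public static extern uint RtlAdjustPrivilege(uint Privilege, byte Enable, byte CurrentThread, out byte WasEnabled);
'@
    Add-Type -MemberDefinition $sig -Name Ntdll -Namespace Win32 | Out-Null
}

# Same constants the disassembly in post 3 uses.
$SE_DEBUG_PRIVILEGE        = 20           # 14h pushed before the call
$XP_BUILD                  = 0x0A28       # 2600, compared against dwBuildNumber
$STATUS_PRIVILEGE_NOT_HELD = 0xC0000061   # NTSTATUS when the token lacks the privilege

function Get-PocPreconditions {
    $ver = [Environment]::OSVersion.Version

    # Is this the real administrator token or a UAC-filtered one (Admin Approval Mode)?
    # IsInRole(Administrator) is false for the filtered token and for a limited user.
    $id           = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal    = New-Object Security.Principal.WindowsPrincipal($id)
    $isAdminToken = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # RtlAdjustPrivilege(SeDebugPrivilege, Enable=TRUE, CurrentThread=FALSE, &old),
    # the same call the PoC makes. It can only enable a privilege the token already
    # holds; it cannot add one, so a filtered or limited token gets 0xC0000061 back.
    [byte]$was = 0
    $status = [Win32.Ntdll]::RtlAdjustPrivilege($SE_DEBUG_PRIVILEGE, 1, 0, [ref]$was)

    [pscustomobject]@{
        OSVersion          = $ver.ToString()
        BuildIsXP          = ($ver.Build -eq $XP_BUILD)
        TokenIsAdmin       = $isAdminToken
        RtlAdjustPrivilege = ('0x{0:X8}' -f $status)
        PrivilegeNotHeld   = ($status -eq $STATUS_PRIVILEGE_NOT_HELD)
        SeDebugEnabled     = ($status -eq 0)
        PocWouldProceed    = (($ver.Build -eq $XP_BUILD) -and ($status -eq 0))
    }
}

Get-PocPreconditions
```

Enabling SeDebugPrivilege in your own process is harmless, so the script is safe to run on a production box; what it shows is that an XP admin session passes both checks, while a Vista/7 admin prompt that has not been elevated fails the privilege one, which is the "same as a limited account" point above.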
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    ;)

    :thumb: When did you discover this POC?

    *

    Ran the POC

    Prevx v3.0.5.179 - XP/SP2 - Admin

    (screenshots attached: um1.gif, z1.gif, n.gif)

    The only alert I got was from Zemana :thumb: but even allowing that, it still failed = :) but?
     
  7. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    Thanks CloneRanger for the link :thumb:
    Tried this POC running as admin :eek:

    Returnil RSS 2011 stopped it as soon as I tried to run it, and Zemana with my custom settings just terminated it (look at the bottom line in the screenshot). Not the same as real malware trying to get at Prevx perhaps, but interesting in that it shows the power of Returnil RSS and custom-configured Zemana to stop anything unwanted executing.

  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Yes, that was what I meant, thank you. A while ago I read somewhere that admin accounts with UAC enabled would be less secure than limited accounts, so I asked just to be sure :)
     
  9. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    Prevx now detects this POC :thumb:
    Trusted it and then allowed it to run, but with Returnil Lite 2011 as backup this time, which silently stops it. Nothing happens; Prevx is still chugging along.

  10. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Do not worry!

    Actually, the methods used to break Prevx self-protection are very old (3-4 years).

    And they are not representative of any of today's malware break methods, so it is largely a waste of time in terms of testing.

    Prevx focuses only on finding advanced (VIP) threat break methods, and guarantees what? LOL

    I wish you a very beautiful day...
     
  11. sparviero

    sparviero Registered Member

    Joined:
    Apr 23, 2009
    Posts:
    88
    Prevx .187 successfully terminated with all its hooks from pure user mode!!!

    Guys, what are you doing? Is this a joke? lol

    EraserHW, (before developing your own self-defense driver) tell the Italian readers (I swear I will read MSDN to fix my bugs), greetings to nV 25 ;)

    I wish you a very beautiful day...
     
    Last edited: Aug 5, 2010
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Pretty ironic that it's now just a video being posted and not a link :p If you wait 10 seconds, Prevx will re-execute :)
     
    Last edited: Aug 5, 2010
  14. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Also, probably worth noting, all of these exploits ONLY apply to XP - if you are using Vista/7/2008, you've been fully secure this entire time :)
     
  15. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    465
    Location:
    UK
    I know! :D There's also an extra layer of protection for those running with UAC on as far as I can see.
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    It didn't work on my XP when I tested it (post 6). Not complaining, but I wonder why?
     
  17. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Read my post above :) As PrevxHelp said, it's only on Windows XP with admin rights :)
     
  18. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    That's exactly true :)
     
  19. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    this is entertaining. :D
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ EraserHW

    I know, please see my Post 6.

    Still failed to work :D Why is what I'm wondering?
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hackers today just aren't like they used to be :D
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ PrevxHelp

    Don't let EP_X0FF hear you say that :D

    Fact is, it didn't work, so I thought you'd be interested in trying to find out why?

    At the moment it's no biggie; there's still a newer POC to be released, so? But I would have thought that if the real baddies make use of these and/or similar techniques, it "might" be?
     
  23. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Not sure actually :) Do you use any other security software?
     
  24. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    The area that they're using is generally quite unstable, so it's understandable that it wouldn't work well. The technique has been around for a while, but I have only extremely sparingly seen malware using these techniques (and Prevx automatically restarts itself anyway). As mentioned earlier, it is a bit of wasted effort - why bother killing the AV, alerting the user that something is wrong, when you already have full access to the system?
     
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    That's funny, I thought Prevx had ESP :D

    https://www.wilderssecurity.com/showthread.php?t=278273

    Err, yes :p but only Zemana picked up on it, see post 6.
     