Process Guard Rootkit prevention - in need of an update?

Discussion in 'other anti-malware software' started by nicM, May 8, 2007.

Thread Status:
Not open for further replies.
  1. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi everyone,

    I just wanted to post here, since I really don't know if Diamondcs is still alive :doubt: .

    I've noticed, during some tests, a rootkit which is able to load its driver/service without PG noticing it at all. So I think the program is in need of an update, since the statements made on the website (PG "is the only program available that can prevent the infection of all known rootkits", "PG blocks all driver install points", etc.) could become outdated.

    I will not disclose details here, but it seems that there is at least one driver install point that PG doesn't manage. This rootkit is not a lab sample, this is a current malware, spreading for few months.

    I did mail Wayne about it, but I haven't received any reply yet, and do not know if I ever will o_O .

    Just wanted to let you know.

    Cheers,

    nicM
     
  2. Riverrun

    Riverrun Registered Member

    Joined:
    Feb 19, 2007
    Posts:
    376
    Location:
    ~

    Hi nicM
    The following is a cut and paste from 'Announcements' on the Wilders welcome page:


    DiamondCS Support Forums closed
    Dear members,

    During the existence of this board, we have been and still are providing room as well as bandwidth for several security software companies, focused on hosting their Official Support Forum(s). Part of this service was and still is: frequent and solid support provided by official representatives from those companies, both over on this board as well as where company customer care is concerned.

    In this context, we are sad to announce DCS does no longer live up to the standards set as mentioned above, although we have provided the company in question quite a long time to live up to those standards again.

    As a result, we have no choice left other than closing as well as archiving all (sub)forums from DCS. We do advise those having paid for software but never received keys, serial numbers, etc. to contact the appropriate channel(s) in order to get a refund.

    The DCS software is allowed to be discussed in other appropriate forums over on this board. Keep in mind though, there's no official backup anymore from company representatives and therefore, don't expect official company responses.

    In closing: we do regard this decision a very difficult - but needed one. In the end, we do have to make sure the standards from this board are respected for the benefit of members, lurkers, and last but not least, this board. Closing down and archiving the DCS (sub)forums is - sadly - the only way to do so.

    On behalf of the staff,

    Paul Wilders
     
  3. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi Riverrun,

    Yes, I know, but who can tell the actual status of the company? I mean, the website is still online, for example...

    The "grey zone" where DiamondCS seems to be (I've not seen anywhere that the company ceased business) is difficult to handle.
     
    Last edited: May 9, 2007
  4. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi N

    The post above says it all, but from a security standpoint/software assessment point of view the execution control of the free version would have offered a chance to block the droppers from running, and the loading driver part becomes irrelevant.

    In plain English, in order to load the drivers you had to click on files to execute (run) them in the first place:D
     
  5. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The obvious question to ask is did you have Services.exe set in the 'Protection' tab to be allowed to install drivers? If you did then it would not be surprising if PG allowed the rootkit installation. To be protected from rootkit installation, PG full must be configured to block rootkit installation and, in addition, Services.exe must be prevented from installing drivers.
     
  6. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi TopperID,

    Yes it was, and the service was loaded directly by one of the dropped files. But since this rootkit has -to a certain point- a kind of random behaviour, I'll double-check this with a new test.
     
  7. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    TopperID, I had to redo the test twice, because of the random behaviour of this rootkit I talked about before (1st attempt was a "classic" driver loading request), but now I have the proof of what I said in the 1st post, thanks to screenshots I took during the 2nd try :D , 5 min ago.

    No time to develop now, will post about it later.

    Cheers,

    nicM
     
  8. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi fcukdat,

    And sorry, I didn't see your post above the one by TopperID.

    This is true, of course; in fact the risk is actually mitigated by that point. But as you understand, the fact remains that, once allowed, there are processes that manage to load services in a way that PG doesn't manage. I thought it was important. (I mean, one can't say a program blocks a rootkit just by preventing the file from running - at least when we talk about tests.)

    As you can see, the services.exe install driver/service privilege was removed:

    http://img341.imageshack.us/img341/3721/20070508193835za8.th.png

    And in order to let the dropper start the rootkit install, I had to decrease protection settings; for example several modification protections had to be removed (for explorer, svchost, etc.), and Install global hook protection disabled. This is a TEST setup, just made for that purpose.

    But the Install driver/Service option is of course enabled, and this privilege was removed for services.exe and svchost.exe.

    Well, during infection, as you can see, only file executions are allowed:

    http://img116.imageshack.us/img116/1084/20070508203225zl4.png

    ...But the service is loaded :ouch: , for sure: Rootkit Unhooker is able to see the kernel drivers:

    http://img490.imageshack.us/img490/7122/20070508204012sk5.png

    In fact, 5 different services are loaded, but as you can see, once the last temp file was allowed to run, PG isn't able to monitor activity anymore (several exes were launched after 8.tmp):

    http://img411.imageshack.us/img411/199/noexecutioncontrolpa4.th.png

    ...It's already bypassed, since the rootkit has restored all SSDT hooks :blink: . Except those of the rootkit, all hooks are gone.

    Presence of the rootkit revealed in the registry, with RegReveal (IceSword is unable to load its service once the rootkit is running):

    http://img45.imageshack.us/img45/6707/20070508204902fn7.th.png


    I had to get help from malware analysts to figure out how it is working, because its install method is weird :eek: .


    Well, that was just to say that there is some service install method apparently not detected by PG.

    nicM
     
    Last edited: May 8, 2007
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    nicM,
    Is this sample well detected by AV/AT/AS scanners? What's the behaviour of this malware (i.e. spambot, password stealer, backdoor)? Are firewalls bypassed once the rootkit is installed?
    Sadly, when a kernel driver is loaded, all protection is lost :(
    So, prevention (i.e. execution interception) is still the core of any security setup.
     
  10. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    lucas1985, here is a VirusTotal report of one of the installers I got tonight,

    Code:
    Complete scanning result of "D5_1_.EXE", received in VirusTotal at 05.09.2007, 00:28:22 (CET).
    
    Antivirus	Version	Update	Result
    AhnLab-V3	2007.5.9.0	05.08.2007	no virus found
    AntiVir	7.4.0.15	05.08.2007	TR/Drop.Age.afg.2.A
    Authentium	4.93.8	05.08.2007	W32/Agent.BVH
    Avast	4.7.997.0	05.07.2007	no virus found
    AVG	7.5.0.467	05.08.2007	no virus found
    BitDefender	7.2	05.08.2007	Trojan.Dropper.Agent.BOL
    CAT-QuickHeal	9.00	05.08.2007	no virus found
    ClamAV	devel-20070416	05.08.2007	no virus found
    DrWeb	4.33	05.08.2007	Trojan.Spambot
    eSafe	7.0.15.0	05.08.2007	suspicious Trojan/Worm
    eTrust-Vet	30.7.3618	05.08.2007	Win32/Rlsloup
    Ewido	4.0	05.08.2007	Not-A-Virus.SpamTool.Win32.Agent.u
    FileAdvisor	1	05.09.2007	no virus found
    Fortinet	2.85.0.0	05.08.2007	W32/Tibs.gen
    F-Prot	4.3.2.48	05.08.2007	W32/Agent.BVH
    F-Secure	6.70.13030.0	05.08.2007	SpamTool.Win32.Agent.u
    Ikarus	T3.1.1.7	05.08.2007	Trojan-Dropper.Agent.BOL
    Kaspersky	4.0.2.24	05.08.2007	SpamTool.Win32.Agent.u
    McAfee	5026	05.08.2007	Spam-Loot
    Microsoft	1.2503	05.08.2007	no virus found
    NOD32v2	2250	05.08.2007	Win32/Nidis.G
    Norman	5.80.02	05.08.2007	no virus found
    Panda	9.0.0.4	05.08.2007	Suspicious file
    Prevx1	V2	05.09.2007	no virus found
    Sophos	4.17.0	05.08.2007	Troj/Botspa-Gen
    Sunbelt	2.2.907.0	05.05.2007	no virus found
    Symantec	10	05.09.2007	no virus found
    TheHacker	6.1.6.110	05.08.2007	Trojan/Agent.u
    VBA32	3.12.0	05.08.2007	SpamTool.Win32.Agent.u
    VirusBuster	4.3.7:9	05.08.2007	no virus found
    Webwasher-Gateway	6.0.1	05.08.2007	Trojan.Drop.Age.afg.2.A
    
    Additional Information
    File size: 107012 bytes
    MD5: b0a4b27fb2efe7a8a51b5a4f967b8c6b
    SHA1: 2c0e5c832dabb0582810ffc9e6044b8676cb7349
    packers: UPX
    packers: UPX
    packers: UPX

    But this stuff is complex, there are more than 10 files involved in the installation; I can't scan everything right now (I think the main file was detected as Trojan Wopla by AntiVir last week).

    More important, the dropper, responsible for the rootkit install, is known as Conhook, and is fairly well detected:

    Code:
    Complete scanning result of "morph.exe", received in VirusTotal at 05.09.2007, 00:35:42 (CET).
    
    Antivirus	Version	Update	Result
    AhnLab-V3	2007.5.9.0	05.08.2007	Win-Trojan/Conhook.25798
    AntiVir	7.4.0.15	05.08.2007	TR/Dldr.ConHook.AZ.2
    Authentium	4.93.8	05.08.2007	W32/Backdoor.ANXS
    Avast	4.7.997.0	05.07.2007	Win32:ConHook-AU
    AVG	7.5.0.467	05.08.2007	Downloader.Generic4.FSS
    BitDefender	7.2	05.08.2007	no virus found
    CAT-QuickHeal	9.00	05.08.2007	TrojanDownloader.ConHook.az
    ClamAV	devel-20070416	05.08.2007	Trojan.Dropper-772
    DrWeb	4.33	05.08.2007	Trojan.Packed.49
    eSafe	7.0.15.0	05.08.2007	Suspicious Trojan/Worm
    eTrust-Vet	30.7.3618	05.08.2007	Win32/Darksma.AK
    Ewido	4.0	05.08.2007	Trojan.Small
    FileAdvisor	1	05.09.2007	no virus found
    Fortinet	2.85.0.0	05.08.2007	W32/Small.GDX!tr
    F-Prot	4.3.2.48	05.08.2007	W32/Backdoor.ANXS
    F-Secure	6.70.13030.0	05.08.2007	Trojan-Downloader.Win32.ConHook.az
    Ikarus	T3.1.1.7	05.08.2007	Trojan-Downloader.Win32.Zlob.and
    Kaspersky	4.0.2.24	05.09.2007	Trojan-Downloader.Win32.ConHook.az
    McAfee	5026	05.08.2007	New Malware.aj
    Microsoft	1.2503	05.08.2007	no virus found
    NOD32v2	2250	05.08.2007	no virus found
    Norman	5.80.02	05.08.2007	W32/Suspicious_U.gen
    Panda	9.0.0.4	05.08.2007	Suspicious file
    Prevx1	V2	05.09.2007	no virus found
    Sophos	4.17.0	05.08.2007	no virus found
    Sunbelt	2.2.907.0	05.05.2007	Trojan-Downloader.Win32.ConHook.gen
    Symantec	10	05.09.2007	no virus found
    TheHacker	6.1.6.110	05.08.2007	no virus found
    VBA32	3.12.0	05.08.2007	Trojan.Packed.49
    VirusBuster	4.3.7:9	05.08.2007	Packed/Upack
    Webwasher-Gateway	6.0.1	05.08.2007	Trojan.Dldr.ConHook.AZ.2

    I'll make a more detailed note on this malware later, since I used it for some tests, and will publish a review about those ;) .
     
  11. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi nicM

    So you found IE updater.exe and let the infection come to town; this is one of the ugliest (if not the!!!) in the wild:eek:

    Wincom32 in effect
    Haxdoor (Poof/ntio256.sys)
    Risloup/ip6fw.sys/main.sys
    Patched ndis.sys
    Patched winlogon.exe
    Rustock B(50%)

    and other assorted technicolour bots :D

    Hope you got twin airbags:p
     
    Last edited: May 8, 2007
  12. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Interesting, but an artificial situation as far as PG users are concerned, because so much had to be allowed to run in order to get that far (allowing execution of cmd.exe, Rundll32.exe and all those tmp files etc.). From the practical standpoint PG still holds up - though clearly something is happening to allow those service installations that should not, and unfortunately this problem may not be addressed in the future.

    One final question, were you using PG 3.410 (I assume that is the case)? Edit - oh yes, I see you were!
     
  13. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    :D Lol, in fact I do not remember that ieupdater file, but I've seen all the goodies you mention in the last 2 weeks :D

    Rustock is terrible, but is a breeze to block, compared to this stuff!

    Btw, I wanted to thank you, since I think I've used some link you posted on Sysinternals to get some of the files for my tests :D - good work!

    No problems to recover, protected by Rollback here :cool: .
     
  14. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Hi TopperID,

    Yes, I agree; as I said, I had to use a "special" setup, and to allow lots of executions, just to demonstrate that driver loading hypothesis.
     
  15. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks nicM :thumb:
    So, there's good coverage at VirusTotal.
    We'll wait for your detailed report :)
     
  16. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    It might be renamed, but the initial trojan downloader that fires up is a Murlo/Delphi downloader var which sets itself up as a service listed in O23 of HiJackThis. It quickly imports a further mix of 4-8 trojan droppers that bring in the badboyz for the *royal hosing* as experienced by Elite@Sys forums:oops: and, I'm sure, quite a few malware researchers & victims alike:rolleyes:

    You're welcome, and glad to share the data for research/testing purposes :thumb:

    Heh Chicken:p

    SAS free & IceSword manual hack combo works in this instance for recovery of my victim PC:D

    Fwiw the irony is that on my victim machine I use PG free (executable control) to stagger the infection process, thus allowing for the retrieval of a large majority of the files utilized/dropped during the infection process for later research etc.
     
  17. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    Yes, I remember this one now ;) .



    :D But this way, I can afford to redo this test 3 or 4 times in a row, and to collect (while staying collected :D ) files locked or hidden by the rootkit from an offline snapshot saved during infection, after a clean reboot :cool: - isn't that great? :D - this is just one of the advantages.

    Really? Unable to start IceSword here when this particular rootkit is running (btw this is not the usual "cannot start service" error message, as I wrote in a previous post):

    http://img515.imageshack.us/img515/6836/20070508203245oo4.png

    For this reason, I used RegReveal, a very useful tool.

    I sometimes proceed this way too, but usually, when you prevent something from installing, you miss some of the malware files which are not created; for this reason, I sometimes let stuff install completely, to get more nasties.

    Cheers,

    nicM ;)
     
  18. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    FYI IceSword opened before infection runs; it loves stuff hidden from winAPI, and copy file is a godsend when files refuse to play ball, but for *clean up use* it is after SAS has had its fill on the loaded stuff and only patched system/new-to-SAS bots remain, then it is forced delete (Circa. You are the weakest link....goodbye:thumb: ).

    Ahh, methinks you misunderstand my harvesting process here; the infection is allowed to run its full course over several login sessions, but the use of executable control is to allow me to scoot around many different folders in between granting new run rules, looking for both temp and dropped files for retrieval (saving). If anything, quite a few files that are deleted (short lived) during the infection process (or during startup) can be grabbed, whereas they are unavailable at the end of the infection process/reboot;)
     
  19. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    For some reason, when I made this test with IceSword running, the rootkit wouldn't start :blink: (did it 15 or 20 times since last week indeed, lol); it really has some kind of random behaviour. I use it too to get copies of hidden files, usually, but when IS won't start, heh, at least I can count on Rollback :D - nothing can hide in an offline snapshot.

    OK I see now, didn't understand it that way. Used TotalUninstall free at some point to check deleted stuff (to see if there were files to get before deletion, in a next test), but I've stopped doing it; the scan takes too much time when you have 30 tests or more to do o_O .
     
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Hahaha... yes, I don't understand why they don't release this tool as complete freeware, due to the facts shown above. Besides, the freeware version together with some other tools surely gives better protection than PG full alone.
     
  21. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    If modification protection is deliberately removed from certain key processes, enabling them to be exploited, and the overall protection levels of PG full are neutered in order to test one specific feature of the prog, it is a moot point as to whether you can fairly criticise the product if a service is installed in the Registry.

    Exactly the same thing could happen if you were running Registry protection and create wide ranging application rules permitting legitimate files to have carte blanche making Reg changes to the 'services' keys. If those legitimate files get exploited they could install the service.

    In real life the service installation would not have happened and the user would have been protected. However it is true to say that the most important features of PG are those to be found in the free version; Global Protection Options being more about damage limitation.
     
  22. nicM

    nicM nico-nico

    Joined:
    Jul 15, 2004
    Posts:
    631
    Location:
    France
    I do not agree, because none of the system processes accessed by malware files had the "allow driver/service install" privilege.

    It's true that the security setup was reduced, but not to a point making it irrelevant.

    I may add that the drivers are loaded by malware files, not by services.exe or any other Windows process. This rootkit is just using a sort of "brute force" service install that PG doesn't handle. The researcher who made an analysis of this rootkit talked about a kind of "russian dolls" method, a kind of overflow with the help of multiple temp files, the service being installed in the registry first.

    It would be interesting to test it with something like RegDefend, with the services keys protected, on top of PG used with the same settings. Haven't done it yet.
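    The point reached in this post and TopperID's reply to it, that the driver ends up installed by writing its key under the Services hive first and that guarding those keys is the natural complementary control, can be checked offline with nothing more than two registry exports. What follows is an added example written for this page; it is not Process Guard, RegDefend or any code from the thread. It parses two `reg export` snapshots of HKLM\SYSTEM\CurrentControlSet\Services (a clean baseline and one taken during or after the infection), decodes the hex(2) form reg.exe uses for ImagePath, and reports service keys that load kernel code and are new, changed, or pointing outside system32\drivers. The service names, paths and .reg text are constructed sample data, not artefacts from the malware discussed here.

```python
import re

# Added example, not DiamondCS/Process Guard code. Diffs two `reg export`
# snapshots of the Services key and flags new or relocated kernel drivers.
# All names and paths in the sample data below are constructed for the demo.

SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
DRIVER_TYPES = {0x1: "kernel driver", 0x2: "file system driver"}  # SERVICE_*_DRIVER bits
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "manual", 4: "disabled"}


def _join_continuations(text):
    # reg.exe wraps long hex values as "...,\" newline + indent; glue them back.
    return re.sub(r",\\\r?\n[ \t]*", ",", text)


def _decode_value(raw):
    # Only the value syntaxes a Services key actually uses are handled.
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2", "7"):  # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ as UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_services(reg_text):
    """Return {service: {value_name: value}} for keys directly under Services."""
    services, current = {}, None
    for line in _join_continuations(reg_text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key, current = line[1:-1], None
            if key.lower().startswith(SERVICES_KEY.lower()):
                name = key[len(SERVICES_KEY):]
                if "\\" not in name:  # ignore Parameters/Enum subkeys
                    current = services.setdefault(name, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, raw = line.split("=", 1)
            current[name.strip('"')] = _decode_value(raw)
    return services


def check_snapshots(baseline_text, current_text, trusted_dirs=("system32\\drivers",)):
    """Flag kernel-mode service keys that are new or changed versus the baseline,
    and any driver whose image lives outside the trusted driver directory."""
    before, after = parse_services(baseline_text), parse_services(current_text)
    findings = {}
    for name, values in sorted(after.items()):
        svc_type = values.get("Type", 0)
        if not isinstance(svc_type, int) or not svc_type & 0x3:
            continue  # user-mode service (0x10/0x20): out of scope here
        kind = DRIVER_TYPES.get(svc_type & 0x3, "driver")
        start = START_NAMES.get(values.get("Start"), "unknown")
        path = str(values.get("ImagePath", ""))
        reasons = []
        if name not in before:
            reasons.append(f"new {kind}, start={start}")
        elif values != before[name]:
            reasons.append(f"{kind} changed since baseline")
        if path and not any(d.lower() in path.lower() for d in trusted_dirs):
            reasons.append(f"image outside trusted driver directory: {path}")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed baseline: one real-looking kernel driver key plus a user-mode service.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,72,00,\
  69,00,76,00,65,00,72,00,73,00,5c,00,62,00,65,00,65,00,70,00,2e,00,73,00,79,00,\
  73,00,00,00
"DisplayName"="Beep"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SampleSvc]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\Program Files\\Sample\\samplesvc.exe"
"""

# Constructed post-infection snapshot: a hypothetical driver "drvx" whose image
# sits in the Temp directory, plus a Parameters subkey the parser must skip.
CURRENT_REG = BASELINE_REG + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drvx]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,\
  4f,00,57,00,53,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,64,00,72,00,76,00,2e,00,\
  73,00,79,00,73,00,00,00
"DisplayName"="drvx"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\drvx\Parameters]
"Installed"=dword:00000001
"""

if __name__ == "__main__":
    # Real exports are UTF-16 with a BOM: open(path, encoding="utf-16").read()
    for svc, reasons in check_snapshots(BASELINE_REG, CURRENT_REG).items():
        print(svc)
        for r in reasons:
            print("   -", r)
```

    Two caveats that follow from the thread itself. An export taken while the rootkit is running goes through the same registry API the rootkit filters (which is why RegReveal was needed above), so the "current" snapshot should come from an offline copy of the SYSTEM hive or from a clean boot. And the check only sees drivers that leave a Services key behind; a loader that avoids the Service Control Manager entirely leaves nothing here to diff, which is exactly the class of install point a HIPS has to cover on its own.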
     
  23. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Ah! That does put a different complexion on it since that should not be happening.
    It would be very interesting indeed to know whether RD/PG combo defeats the install. I'm not certain how stable RD would be when subjected to a multiple attack of this sort (especially by an overflow of cascading Russian dolls! :D )
     
  24. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Wow, tell me more, I really like those stories.

    Besides, some years ago I could follow a live attack against Zone Alarm firewall from infostream.ru; this overflow method seems to be a favorite method of Russian freaks. Zone Alarm was killed but Tiny IDS blocked the attack.
    (at that time I used to use the mentioned tools, actually I do not)
     
  25. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    IMO I totally disagree, based on the following accepted security thinking.

    So to summarize, from a computer security perspective the executable run control of PG free is the best *Rootkit* protection feature of the software (and no, it does not need updating).

    Stop the dropper executing and the rest is history, as with all malware.

    PG free can be configured to lock a system down, hence why it can be the *Big Iron*:cool:

    Its weakest point is the chair-to-keyboard human interface (user error), but then every whitelist software has this potential Achilles heel once malicious code has been allowed to execute.

     