Protecting processes against one of the stealthiest attacks: code modification

Discussion in 'ProcessGuard' started by Wayne - DiamondCS, Jan 21, 2004.

Thread Status:
Not open for further replies.
  1. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    A common concern of security experts is "how do I prevent my security processes from being terminated?". Until the release of Process Guard there was no protection available - processes were considered vulnerable and it was assumed that there was nothing that could be done about that (we weren't even sure ourselves if we'd be able to make Process Guard a reality - the six months worth of research was very much a gamble, especially as other security companies had already said that it couldn't be done - we have since proved them wrong, and created a new class of security software in doing so: process integrity protection). And just in creating a new class of security software gains an added element of security, because nobody was expecting the creation of such a program, not even trojan authors - most of whom still don't even know about Process Guard.

    However, termination is only one attack vector that a rogue process can use against a security process (for example, a remote access trojan vs. a firewall) ... there's an even stealthier attack that trojans can launch - code modification. Termination can sometimes be a giveaway, especially if windows are visible and suddenly disappear, but code modification attacks are usually without any visual effects. As an example of this, somewhere in the program code of your anti-virus scanner is a statement that essentially reads "If a virus was detected, jump to the Alert subroutine". A rogue trojan or virus could modify this statement so that it executed as "If a virus was detected, DON'T jump to the Alert subroutine" - effectively silencing the anti-virus scanner. Likewise with a firewall it could change the program code so that no Block rules are applied, essentially turning off the firewall. Such code modifications typically only require changing one or two bytes so the changes are very subtle and not easy to detect, but Process Guard can easily render this attack null and void, simply by denying WRITE access to protected processes. IMHO Process Guard would be worth having just for this protection capability alone, yet this is only the tip of the iceberg as far as protection goes :)

    For a more detailed example of this type of attack, see the Process Guard helpfile, "Known Attacks\Code Modification" section. :)
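As an added illustration of the two points made above (not Process Guard's or DiamondCS's code, and the class and function names are my own assumptions): a toy model in which a rogue process tries the one-byte patch the post describes, a guard object strips PROCESS_VM_WRITE and friends from any handle opened on a protected process, and a hash-based integrity check shows both how small the change is and how it can be spotted when no guard is present. The access-right constants are the real winnt.h values; the code bytes and process names are constructed sample data.

```python
# Added example, not Process Guard code: models a guard that strips dangerous
# access rights on protected processes, plus an integrity check over code bytes.
import hashlib
from dataclasses import dataclass

# Process access-right bits as defined in the Windows SDK (winnt.h).
PROCESS_TERMINATE = 0x0001
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
# Rights a guard must refuse to untrusted callers: each lets the caller
# terminate the target or rewrite its code pages.
DANGEROUS_RIGHTS = PROCESS_TERMINATE | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


@dataclass
class Process:
    pid: int
    name: str
    code: bytearray          # stand-in for the process's executable pages
    protected: bool = False


class Guard:
    """Hypothetical mediator for OpenProcess/WriteProcessMemory-style requests."""

    def __init__(self, enabled=True, trusted_pids=()):
        self.enabled = enabled
        self.trusted = set(trusted_pids)
        self.log = []

    def filter_access(self, requester, target, desired):
        """Return the rights actually granted to `requester` on `target`."""
        if not self.enabled or not target.protected or requester.pid in self.trusted:
            return desired
        stripped = desired & DANGEROUS_RIGHTS
        if stripped:
            self.log.append(f"{requester.name}({requester.pid}) -> "
                            f"{target.name}({target.pid}): stripped 0x{stripped:04x}")
        return desired & ~DANGEROUS_RIGHTS

    def write_memory(self, requester, target, offset, data):
        """Apply a write only if PROCESS_VM_WRITE survives filtering."""
        granted = self.filter_access(requester, target, PROCESS_VM_WRITE)
        if not granted & PROCESS_VM_WRITE:
            return False
        target.code[offset:offset + len(data)] = data
        return True


def code_digest(proc):
    """SHA-256 over the code bytes; compare against a baseline taken at start-up."""
    return hashlib.sha256(bytes(proc.code)).hexdigest()


def changed_offsets(baseline, proc):
    """Integrity check: offsets whose byte differs from the baseline snapshot."""
    return [i for i, (a, b) in enumerate(zip(baseline, proc.code)) if a != b]


def demo(guard_enabled):
    # Constructed sample bytes standing in for the scanner's
    # "if a virus was detected, jump to Alert" branch.
    scanner = Process(100, "av-scanner",
                      bytearray(b"\x85\xc0\x75\x10\xc3\x90\x90\x90"), protected=True)
    baseline = bytes(scanner.code)
    baseline_digest = hashlib.sha256(baseline).hexdigest()
    rogue = Process(200, "rogue", bytearray())
    guard = Guard(enabled=guard_enabled)

    # The rogue process attempts the one-byte patch of the branch.
    written = guard.write_memory(rogue, scanner, 2, b"\x74")
    return {
        "write_succeeded": written,
        "hash_intact": code_digest(scanner) == baseline_digest,
        "changed": changed_offsets(baseline, scanner),
        "log": guard.log,
    }


if __name__ == "__main__":
    for enabled in (False, True):
        print("guard on " if enabled else "guard off", demo(enabled))
```

With the guard disabled the write lands, the digest no longer matches and the diff reports a single changed offset; with it enabled the request is logged, the write is refused and the code is untouched. Periodic self-hashing is a detection, not a prevention: by the time it fires the patch is in place, which is why the post favours denying the write in the first place.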
     
  2. Eliot

    Eliot Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    854
    Location:
    Arkansas, USA
    Re:protecting processes against one of the stealthiest attacks: code modificatio

    Excellent post!!!!! I won't do without PG. It's a relaxing thought to know that it is on the "guard". hehe :D :rolleyes: I can't say enough good things about the DiamondCS folks. Give yourselves all a pat on the back. Way to go :)
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re:protecting processes against one of the stealthiest attacks: code modificatio

    Eliot, I am pleased to report that the latest PG beta 1.200 is now underway and working very well on this PC, with some very nice new protection added, such as SetWindowsHookEx amongst other things.
    Also driver contention errors corrected & better logging :)
     
  4. Eliot

    Eliot Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    854
    Location:
    Arkansas, USA
    Re:protecting processes against one of the stealthiest attacks: code modificatio

    I would like to be a beta tester for PG if you folks are interested in one. Gladly help out on the new ones. I have bought the latest PG if that is needed :cool:
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re:protecting processes against one of the stealthiest attacks: code modificatio

    Usually users are made beta testers after 150? posts on the DCS forums - Although sometimes posts in these forums are also taken into account :)

    Anyway, thanks Eliot for your offer.
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Re:protecting processes against one of the stealthiest attacks: code modificatio

    Yep, although not 150 as such (there's no specific limit), users are typically only admitted into the beta team (a very exclusive club) after making significant contributions to helping others with DiamondCS software at either the DiamondCS and/or Wilders forums. :)
     
  7. Eliot

    Eliot Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    854
    Location:
    Arkansas, USA
    Re:protecting processes against one of the stealthiest attacks: code modificatio

    [me=Eliot]takes notes. :D[/me]
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Re:protecting processes against one of the stealthiest attacks: code modificatio

    Just a firewall & PG combined increase your security dramatically, as has never been seen before. Don't miss it!
    The current beta stops even far more, like rootkits...

    :)
     