Response to Self Protection Testing

Discussion in 'Prevx Releases' started by PrevxHelp, Aug 16, 2010.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello all,
    Over the last eleven days, EP_X0FF/DiabloNova, the author of Rootkit Unhooker, has been publicly disclosing potential ways of bypassing Prevx's self protection without notifying us or taking any standard measures to ensure users remain fully protected. What began as a bit of sport for someone to leverage our brand to increase their popularity and raise some interesting, albeit unlikely, vectors of attack, has however been useful. It has enabled us to test and prove our responsiveness and our ability to react to specifically targeted and persistent attacks. Our feelings on this, as echoed by many of our customers, are that we performed well.

    We are as committed as ever to improving our product but should these exploits appear in the wild we have demonstrated more than enough ability, agility, and promptness to deal with them professionally. While to this date, despite thousands of threats attempting to do so every day, zero actual in-the-wild threats have ever penetrated the Prevx self protection, we nevertheless take any attempt seriously and always try to stay several steps ahead of malware authors, or even committed hackers whatever their motivation.

    On a technical level, all of these exploits require full debug-level administrative rights to function within the system. At this level, while it may be possible to terminate any and all security applications, including Prevx, it is also possible to steal user files and data, install rootkits, load drivers, overwrite the Master Boot Record, erase the entire operating system, or do any variety of nefarious actions.

    Prevx has always advocated a layered approach including a steadfast commitment to interoperability that allows our products to be used alongside most other security solutions. This is an approach which most other security companies would do well to emulate rather than forcing users to use their products as a lone and many times inadequate security setup.

    Inevitably, if a user, hacker or process is given full administrative rights, the self protection components of any antivirus product are totally vulnerable. Any determined hacker with heavily elevated rights could easily remove any AV with little work at all. At an even more basic level, there have been some recent tests where automated scripts were developed that simply ran the MSI uninstall routines of the top 10 major AVs - uninstalling them completely without warning. Additionally, many infections today do not bother terminating the antivirus product as it is the one telltale sign of an infection and today's threats try to survive covertly.

    Self protection, in the context of an antivirus solution, is primarily focused on preventing users from terminating the product (i.e. in a corporation which requires an antivirus product to be installed) and on preventing threats from terminating it under limited user accounts. Outside of these cases, self protection becomes a cat and mouse game with no winner. The first step is always prevention and Prevx's centralized database was able to automatically add protection for all 20+ variants of "UnPrevx" within minutes of each of their releases - many before they were actually released, resulting in the need for EP_X0FF to manually modify the builds several times until they got through, a case that was only successful because of the limited behavioral profile of the exploit. If UnPrevx were a real world threat, it would try to perform additional actions like stealing user data, an action that would not only be logged against the threat itself, condemning it as malicious, but one that would be blocked by SafeOnline automatically even if Prevx's processes were not loaded.

    Throughout this exercise, we have released a few updates to improve self protection but across all of the exploits, none were able to remove the underlying kernel-level components of Prevx. Therefore, if this was an actual piece of malware, Prevx would still have the upper hand on the system. There were several core versions of UnPrevx released - the Prevx database learned of the first instance before it was released, against .179, which resulted in us updating the protection of Prevx in release .185, still before UnPrevx was actually released. EP_X0FF then changed techniques and we released .186 with a minor improvement in self protection on XP, completing the additional protection changes and distributing them to our public alpha testers less than one hour after the release of the exploit. EP_X0FF then changed techniques again, and we released .187, again less than one hour after the exploit. After changing techniques yet again, we released .188 which blocked his new, XP-based attack generically. Each of these rounds has required a mere tweak and very little actual new technology and it is worth saying that all of these exploits are only relevant on XP as Vista/7/2008 all use an entirely different hooking structure. With .189, we have now fully blocked all of his techniques and while Prevx automatically restarts if it is killed, now it is unable to be killed by any known techniques. Ironically, his Rootkit Unhooker and nearly every other AV on XP have been vulnerable to these techniques, hence the escalating arms race.

    We surmise that EP_X0FF has targeted Prevx because of our fast responses. He has targeted other vendors in the past but they took several weeks to patch their holes while we patched each publicly within the same hour. He has also publicly complained multiple times now about Prevx adding protection/detection for the exploits themselves. The centralized Prevx database automatically analyzes software installations as a whole and is therefore made aware of aberrations such as the ones introduced by UnPrevx. EP_X0FF has considered us to be "cheating" with this, but the UnPrevx samples have each been blocked automatically - sometimes not on the first user, but each within the first couple users, despite the samples themselves not doing anything besides targeting Prevx. If UnPrevx had been a real malicious threat and our database did not automatically add detection for it, we would have of course added detection manually and tuned our rules accordingly, then released the necessary product updates as quickly as possible. Not doing so would be like building a force field and then saying that if someone with a gun was accidentally allowed in and we later saw the gun, we would still let him attack. The sum of the parts of Prevx is where the protection really shines, and we feel that this exercise has clearly demonstrated that the layered approach of Prevx protection as a whole is strong - even when someone is adamantly attacking it.

    We'd like to thank EP_X0FF for his work and would always welcome his ethical approaches on things we can do to improve our product. In the event that we cannot deal with exploits in a timely fashion then we have no issue with him or anyone else posting these after a period of notice as is acknowledged ethical industry practice. However, many of the techniques he is now suggesting essentially bypass any and all security products and to provide a public forum in this way is merely improving state of the art in malware authorship and now borders on recklessness. We will continue to react to properly and ethically reported exploits with the same speed as ever produced by anyone who feels our protection is in need of strengthening against a probable vector of attack. Of course, should a large number of our customers feel there is a benefit of a rapid threat disclosure reaction thread which outweighs the obvious risks this poses to all security products we would of course consider re-opening the point. We would, however, need to hear the other viewpoints of other vendors on this type of disclosure as it does indeed open the door for attacks against their products as well.

    For now we have closed the original thread but please feel free to respond to this post if wanted as we're always open to discuss our protection and the threats we see emerging on a daily basis.

    Thank you all for your continued support! :)
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Thanks Joe. Kudos to Prevx. :thumb:
     
  3. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    With all of his 'talent', I would like to see him come up with his own security software.
     
  4. pling_man

    pling_man Registered Member

    Joined:
    Feb 11, 2010
    Posts:
    463
    Location:
    UK
    Thanks Joe! (if I can call you Joe now).

    If some program has admin privileges, it can terminate and uninstall Prevx from the start menu.

    :D

    Doesn't this mean there's no point in having self-protection if you're logged in as an administrator user? Does this show that people should seriously consider using a standard/limited user account (at least Vista/Win 7 users; you need a 3rd party app for Win XP)?

    Maybe I'm missing the point of self-protection, but it doesn't seem to offer much protection for people signed in as an admin user. o_O

    (This is why we need one of those "Captcha" thingies so the uninstall only runs when a human types it in - like they have in Rapport ;) )
     
    Last edited by a moderator: Aug 16, 2010
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That also doesn't do any good :) A program running with administrative rights can do anything it wants - uninstall an AV, low-level format the hard disk...

    The main purpose of self protection is what I mentioned in the post:

    Outside of that, there is no way to 100% block code running at the same level.
     
  6. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    'Lo PrevX Help:
    That was a thoughtful and composed statement, demonstrating PrevX's capabilities while also recognising that some "access points" can exist.

    Giving credit to EP_X0FF's undoubted technical expertise while suggesting he could achieve some more concrete results by operating in a different way.

    I would take some issue with your emphasis on keeping some disclosures "in house": we've been down that road before.

    :)
    How about: #*%??@!
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina

    No, those were mine and a few other Prevx users' thoughts. Joe, well he has to walk that thin line. Lol :rolleyes:
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    So I see, who gave you permission to close my thread? Oh, you don't need it :p

    Damn right I will :D

    Even though you mentioned closing it earlier, and some others chimed in too :p I think it was worthwhile that it lasted until it did. Apart from any short term "possible" embarrassment etc. caused to Prevx, I believe on the whole it has been a positive experience. Especially for me, as none of the PoCs ever worked, not even the latest :p

    I'm sure it won't be the last we hear of these PoCs etc., but he will no doubt find other fish to fry and move on.

    I'm pleased about the way you & the team have handled this, and also the Wilders crew for allowing it. Other vendors/forums would have been less forgiving, to their detriment. So it looks like we've ALL learnt from it, which is :thumb: :)
     
  9. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
  10. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
  11. silverfox99

    silverfox99 Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    204
    Are Prevx users at risk because Prevx's great compatibility with other AVs results in a self-protection weakness? Or would this PoC's approach work the same with other AM/AVs, e.g. NIS?

    I run Vista with UAC enabled, which I understand is useful if an app is trying to disable/terminate my anti-malware. But for a user who has turned off UAC for convenience, the poor self protection in Prevx is a worry - no? Is Prevx protection stronger if running on its own, i.e. with no other anti-malware on the system? EP_X0FF seems to be enjoying himself:

    Re: Breaking Prevx 3 self-protection
    by EP_X0FF » Tue Aug 17, 2010 11:06 am

    Yes, LUA is a good built-in defense. With sandboxing and rollback software in proper hands, that's the best security setup.

    I'm currently working on another attack vector against newest Prevx. Specially for Daniel it will be named "TheEnd.exe"
    http://www.kernelmode.info/forum/viewtopic.php?f=15&t=249&sid=49e854daa01604645bb6d518bf5d4d3c&start=50
     
  12. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I'm getting a whole sense of 'MRG v Comodo' deja vu with this now. :rolleyes:

    The way I see it, given the community based architecture of Prevx, this or any other similar threat will never be a serious issue. Worst case scenario, those unlucky enough to be the first to encounter them will be affected, but all other users will be protected thereafter.

    Of course it's bad for anyone getting their system compromised, but compared to most other security products where hundreds or thousands may be hit before a solution is offered, I feel Prevx comes out of this looking very good. The fact that EP_X0FF is having to work constantly to keep his toy alive illustrates that most real-world malware, without a specific anti-Prevx agenda, would likely look for the many easier targets around.
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    They'll probably fix it as soon as they get the PoC. Let's look at it in a positive way. It is as if Prevx now has a new employee that works around the clock, and he does it for free :cool: Nice business model. All security companies would dream of getting free staff these days!!
     
  14. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    Couldn't agree more :thumb:
    Kudos to Joe and the Prevx team for being so open and upfront :thumb:
     
  15. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    I haven't followed this as close as others have, but the author of UnPrevx should have continued work on his sample, and illustrated its 'effectiveness', through a summary, screenshots or a video, rather than provide the sample to the general public.

    It's now only available for trusted members? Should only be available to him and the company being targeted, prevx. He should be saying, 'today I've updated my program which does xyz, as seen by these screenshots and video, company has been notified'.

    Providing it to the general public, although fun for some security enthusiasts/professionals to use, I agree isn't in the best interests of the security community. Kind of like a cop show, which doesn't just show the offender and the ramifications, but has police detailing in great lengths how not to get caught.

    Great response Joe, and fantastic customer service you and your company have shown to your users and the business community who all support your product. :)
     
  16. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    But the thing is, when he uses his new PoC it's uploaded to the cloud and will have detection soon after; that's one thing I like about cloud AM such as Prevx!!

    TH
     
  17. pabrate

    pabrate Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    685
    Seems like it's only working under WinXP.
    I've tested his PoC in Win7 under an Admin account; it doesn't even kill tasks, it didn't do anything.
    Prevx detected it, but for the sake of testing I added Blovex to exclusions, even stopped real-time protection, ran it again, still nothing ...
    Maybe it's just me, but that's how it went.
    Prevx SafeOnline 3.0.5.187
     
  18. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes exactly :) I've just checked now and it looks like we blocked all copies - he's either faking the video saying he's gotten around it, or we've already blocked it heuristically.

    Thank you :) I do think that EP_X0FF is ending up making us look good instead of succeeding in trying to smear our reputation. Yes, we've had to make a handful of additional releases, but so would any other antivirus company.

    The PoC would get around virtually every AV today as it stands - I'm not sure what the new version is doing but him not sending it to us is like saying: "We broke into your bank and stole your money... but then we put it back and won't tell you how we did it - HA!" It is quite immature but we'll let him have his fun: it took longer to write the first post of this thread than it did to fix every one of the exploits combined so we certainly aren't complaining ;)

    Prevx does have to make adjustments to how it applies self protection on XP to remain compatible with other AVs, but on Vista/7, it can apply the full protection.

    Unfortunately he is certainly not taking this higher road. We've never received any information from him at all and, based on his track record so far, we probably don't expect to.

    The difference with MRG is that they actually do contact a vendor first with any issues, like any professional tester should. I'm unsure what EP_X0FF's motivation is, but he certainly doesn't appear to be trying to help security as a whole, especially after releasing the source of his tool :thumbd:

    :D We certainly aren't complaining!!
     
    Last edited: Aug 17, 2010
  19. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Yes, that's what I've highlighted before in this post.
    Actually the code changed a bit since the one I posted before, but the goal is the same.
     
  20. Cvette

    Cvette Registered Member

    Joined:
    Apr 16, 2010
    Posts:
    373
    Location:
    South Carolina, USA
    Glad to see that was resolved so fast! Just for good measure I always password protect my antivirus, and in some cases (as with Prevx and Panda) I protect them from termination using COMODO.
     
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Simple PERMANENT solution to these PoCs and in fact ANY unwanted executable, nasty or otherwise. Even without LUA etc. etc. :p

    1 - First of all, don't run anything unless you're 100% sure where it originates and that it's legit, etc. Even then, perfectly innocent apps and websites can, have, and still do get compromised. So ......

    2 - Install an anti-executable program, and configure it properly.

    3 - Install a sandbox and/or virtualisation software, and configure it/them properly.

    These things most of us on here already know, but for the wider public :(
     
  22. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    Some of us know these things, but some of us don't use all of them. For example, I'm aware of anti-executable programs, but I don't use them mainly because I don't download that many programs. Those that I have come from mainstream vendors. I do use a sandbox when testing applications for security purposes such as rogues - I must admit, though, that I haven't done that for a while - but rarely browse sandboxed.

    I have said this before, but how and why you get infected is down to some extent to what you do online. Those that rarely get infected, or not at all, are unlikely to come across malware based on the type of PoCs discussed here. That group of people probably worry less about this than some others. ;)

    It is good to have security protection and layered defenses, but at the end of the day, I believe it is up to the individual to minimise the risks as much as possible making those measures redundant. How we teach that to the wider public is a difficult one. :)
     
    Last edited: Aug 17, 2010
  23. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    ^ I find this funny. :D
    I love you Joe!
    I mean Prevx :p
     
  24. Ring0

    Ring0 Registered Member

    Joined:
    Aug 9, 2010
    Posts:
    66
    Guys, I think that you can not save the world with this kind of semi LOL update, so relax and enjoy. ;)
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Hello all,
    To prevent this thread from turning into the previous one, I'm going to close it for now. If EP_X0FF releases a new version, we will re-open the thread but for now there is no benefit of further discussion.

    Please send me a PM if you feel otherwise :)
     