Rogue slips right through Comodo!

Discussion in 'other anti-malware software' started by hamzah95, Jul 28, 2009.

Thread Status:
Not open for further replies.
  1. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    So I was doing my weekly tests when I found a link to a rogue antivirus. I copy-pasted it and downloaded it. It wasn't in the NOD32 databases so it was missed, I can accept that. But then when I tried to run it, Comodo didn't even give me an execution alert and only gave one alert, and even if you block it, the rogue runs happily.
    The rogue's name is XP Security Deluxe (something like that).
    DefenseWall was able to keep it in untrusted. Comodo does the same when I set up Defense+ to Paranoid.
    Would love to see how other HIPS do on this.
    The rogue was posted on the site on 2009/07/23_00:00 by Michael Arrigoni /
    I can pm you the link if you guys want.

    I did this yesterday.
    EDIT: OK, so I checked it again, and it is now detected by NOD32, but Comodo still can't stop it with its HIPS.
     
    Last edited: Jul 28, 2009
  2. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    OK, I have uploaded the rogue and not a lot of antiviruses detect it. 9 out of 21 detected it on Jotti's scan.

    Edit: removed the link
     
    Last edited: Jul 28, 2009
  3. thathagat

    thathagat Guest

    Hi, can you PM the link? Plus I think the Jotti link is not allowed here.
     
  4. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    LOL, I had to rely on my last one to save me, DefenseWall :p
     
  5. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    Totally agree :doubt:
     
  6. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    But I have seen some other malware being stopped by Defense+'s heuristics; I was surprised when I saw that!
     
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    There's nothing for Comodo or any other HIPS to detect (beyond its execution) because all it does is add a desktop shortcut and then do a bogus scan. Simple social engineering. Tested against Malware Defender 2.3.2 and verified with Sandboxie 3.39.02 on Vista SP2.
     
    Last edited: Jul 28, 2009
  8. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Could you PM me the link, please?
     
  9. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    What about the tray icons?
     
  10. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    From MD's log when denied...

    7/28/2009 01:45:55 c:\windows\explorer.exe Create new process e:\files\samples\072809\xpdeluxe.exe Denied [App]* Cmd line: "E:\files\samples\072809\xpdeluxe.exe"
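
    An added example, not from this thread and not code from Malware Defender, Comodo or any other product mentioned: it parses process-creation entries in the log layout of the line nick s posted above and flags child processes launched from outside the system directories. As nick s notes in post 7, execution is the only hook a HIPS has against a rogue that merely drops a shortcut and runs a fake scan, so the question worth answering from a log is "which untrusted launches were allowed through?". The first sample line is the one posted in the thread; the other lines, the `Allowed` verdict word and the trusted-directory list are constructed assumptions for this example, not real Malware Defender output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log. The first line is the Malware Defender entry posted in
# the thread; the remaining lines are invented for this example and use an
# assumed "Allowed" verdict word (the real log may word it differently).
SAMPLE_LOG = "\n".join([
    r'7/28/2009 01:45:55 c:\windows\explorer.exe Create new process e:\files\samples\072809\xpdeluxe.exe Denied [App]* Cmd line: "E:\files\samples\072809\xpdeluxe.exe"',
    r'7/28/2009 01:46:10 c:\windows\explorer.exe Create new process c:\windows\system32\notepad.exe Allowed [App]* Cmd line: "C:\windows\system32\notepad.exe"',
    r'7/28/2009 01:47:02 c:\windows\explorer.exe Create new process c:\users\test\downloads\setup.exe Allowed [App]* Cmd line: "C:\users\test\downloads\setup.exe"',
    r'7/28/2009 01:48:00 some line the parser does not understand',
])

# Field layout of a "Create new process" entry, inferred from the posted line:
# date, time, parent image, child image, verdict, [rule]*, quoted command line.
LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<parent>\S+) Create new process '
    r'(?P<child>\S+) (?P<verdict>\w+) \[(?P<rule>[^\]]*)\]\*? '
    r'Cmd line: "(?P<cmdline>.*)"$'
)

# Assumed trust boundary: executables under these prefixes count as
# system-installed; anything else (other drives, profile folders, removable
# media) is user-writable and worth an alert. Adjust for the host analysed.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class ProcessEvent:
    date: str
    time: str
    parent: str
    child: str
    verdict: str
    rule: str
    cmdline: str

    @property
    def denied(self) -> bool:
        return self.verdict.lower() == "denied"


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Parse one log line; None for lines that are not process-creation entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ProcessEvent(**m.groupdict())


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse a whole log, silently skipping lines in other formats."""
    parsed = (parse_line(line) for line in text.splitlines())
    return [ev for ev in parsed if ev is not None]


def is_trusted_path(path: str) -> bool:
    """True when the image lives under one of the assumed system prefixes."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def untrusted_launches(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Every process started from outside the trusted prefixes, any verdict."""
    return [e for e in events if not is_trusted_path(e.child)]


def unblocked_untrusted_launches(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """The subset the HIPS let run: the gap this thread is about."""
    return [e for e in untrusted_launches(events) if not e.denied]


def report(events: List[ProcessEvent]) -> str:
    """One line per untrusted launch, marking whether it was stopped."""
    lines = []
    for e in untrusted_launches(events):
        status = "blocked" if e.denied else "RAN"
        lines.append(f"{e.date} {e.time} {status:7} {e.parent} -> {e.child}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_log(SAMPLE_LOG)))
```

    Run against the constructed sample, the posted xpdeluxe.exe launch shows up as blocked (it was denied) while the invented downloads\setup.exe launch is reported as having run; the notepad.exe launch is ignored because it came from under c:\windows. The trusted-prefix rule is deliberately crude: it is a triage filter over a HIPS log, not a replacement for the execution-control setting the thread goes on to discuss.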
     
  11. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    Even Comodo gives a memory alert, access to explorer.
    Does the rogue run with malware defender?
     
  12. tsec

    tsec Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    181
    Image Execution monitoring set to normal or aggressive?

    I'll give this a go myself later on tonight (am re-building my Ubuntu machine at the moment :p )
     
  13. tsec

    tsec Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    181
    Give the rogue a try with it set to aggressive. See if that makes any difference (it did with the previous POC nasty we were looking at).

    :)


    (I love my Linux, but it doesn't love my HP lappy - am damned if I can get any audio... :p )

    EDIT - just saw YOUR edit, ssj100 :p
     
  14. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Funny thing is Windows Defender (and I always keep it on because it never conflicts with any other security here) detected it as a "fraud tool" right after it was saved to the disk by my browser :)
     
  15. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Not when I deny it.
     
  16. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Anyone got screenshots of this rogue? ssj, I think, said it was convincing-looking, so I'm curious now.
     
  17. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Linux is vulnerable to rootkits, worms and trojans as well as any other PC platform. But it is very resistant to Windows exploits. Though, that is to say, Windows is very resistant to Linux exploits in return :)
     
  18. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Not at home :doubt:
     
  19. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Here you go...
     

    Attached Files:

  20. tsec

    tsec Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    181
    It's kinda pretty for a piece of malware.

    Almost makes me wanna head on down to IRC and apply to join a botnet :p
     
  21. tsec

    tsec Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    181

    Any idea who owns the IPs?
     
  22. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    You are right: when I set image execution to aggressive, Defense+ gives lots of alerts, and when all are blocked, the rogue doesn't run. The alerts showed that the rogue was accessing A LOOOOOOOOT of Windows files.
    EDIT: Success!!! LOL, but only if it's set to super high mode.
     
  23. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I know. I've got a nice collection of rogues. The UIs are convincing. This one is clever with its minimalist approach (no real system intrusion beyond a desktop icon).
     
    Last edited: Jul 28, 2009
  24. tsec

    tsec Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    181
    How interesting, considering that ssj100 said that with image execution set high, the rogue was still able to do its stuff.

    Now I am really looking forward to playing with this later on :)
     
  25. hamzah95

    hamzah95 Registered Member

    Joined:
    Jun 22, 2009
    Posts:
    108
    Can anyone please test this sample against Online Armor, GesWall, Outpost and other popular HIPS, with the default settings or the settings that you are using right now, and then with the highest only if the default fails?
     