Sinowal drive-by dll appears to bypass Online Armour HIPS

Discussion in 'other anti-malware software' started by undertow, Jul 31, 2011.

Thread Status:
Not open for further replies.
  1. undertow

    undertow Registered Member

    Joined:
    Jul 31, 2011
    Posts:
    4
    Hi all,

    I installed Online Armour free today in VMWare Player (running XP SP2) for some testing. Online Armour was set up with the wizard in "custom" mode, which scans all files against its whitelist before trusting them. I made sure learning mode was finished then tested some fresh links. Everything worked as expected, i.e. unknown executables intercepted. However, I had trouble with one link:

    A blackhole exploit kit causes IE to drop the file adobeupdate.dll in the root directory, then executes regsvr32.exe with the argument -s C:\adobeupdate.dll. Regsvr32.exe is trusted, and OA therefore allows this action and doesn't see the dll being run/registered. No pop-ups or alerts. I installed Comodo, set for proactive security, and while it also trusts regsvr32.exe, it picks up on the malicious dll being launched. When run sandboxed in Comodo the dll attempts direct disk access. See screenshots below.

    *
    Currently detected by 14/43 scanners.

    Can OA be configured to block this without giving a flurry of pop-ups for every dll, or is it lagging behind Comodo here?

    Online Armour Free, default config
    OA.jpg

    Comodo, proactive security, default everything else
    CIS.jpg

    Comodo D+ log when sandboxed
    CIS2.jpg
     
    Last edited by a moderator: Jul 31, 2011
  2. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    131
  3. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    Can you please send me a link via PM? Thanks.
     
  4. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    We were able to reproduce the problem and it has been fixed in version 5.0.1.1276 which is currently in testing:

    oa_regsvr32.png

    If someone wants to help test this new version please drop me a PM.
     
  5. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372

    Great!

    Will this be a GENERAL FIX that fixes some hole of some sort or just a "lets blacklist this file" fix?
     
  6. undertow

    undertow Registered Member

    Joined:
    Jul 31, 2011
    Posts:
    4
    Good work!

    A temporary fix is to untrust/ask when launching regsvr32.exe. Doesn't seem to cause any issues or popups when installing legitimate programs. I'm not quite sure how this sneaky attack works though, as from my (limited) understanding regsvr32 only registers dlls so they are available to other programs and doesn't actually run them.

    Fabian, does the fix also check for dlls with spoofed extensions? e.g:

    rundll32.exe c:\adobeupdate.dll is intercepted by OA
    if the file extension is changed to say dlx then rundll32.exe c:\adobeupdate.dlx is also intercepted :thumb:

    Will regsvr32.exe path\somefile.spoofedextension also be intercepted?

    Thanks
     
  7. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    Refer to http://support.microsoft.com/kb/207132
    Note the LoadLibrary call.
     
  8. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    It is a general fix. Handling for interpreters and host processes like regsvr32.exe has been in Online Armor for a very long time. There was just a minor bug in the handling that prevented it from working correctly under special circumstances. That bug has been fixed.

    It does run them. In general registering DLLs involves 2 steps:

    1. Load the DLL.
    2. Execute the exported DllRegisterServer function of that DLL.

    There are at least 2 possible execution vectors involved during loading (TLS and the DllMain function that is always executed when attaching or detaching a DLL to a process/thread) and one obvious one when the DllRegisterServer function is called.

    The special handling for interpreter or host processes includes command line parsing that identifies the file the process was called upon. It doesn't matter where the file is located or what the extension of the file is as long as it is there.
     
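    The command-line parsing Fabian describes for host processes, and undertow's question above about spoofed extensions, as an added example (this is not Online Armor's code). The check keys the trust decision on the file the host was told to load, not on the host itself, so the path and the extension of the module are irrelevant. Assumptions: a simplified CommandLineToArgvW-style splitter, a whitelist represented as a set of paths standing in for a hash-keyed whitelist, and constructed sample command lines (the first one mirrors the regsvr32 -s C:\adobeupdate.dll launch from the first post).

```python
"""Host-process command-line parsing for a HIPS-style trust check.

Added example, not Online Armor code. The whitelist below is a set of
paths; a real HIPS would key it on file hashes. Sample command lines are
constructed for illustration.
"""
import ntpath

# regsvr32 switches (accepted with '/' or '-'): /u unregister, /s silent,
# /n skip DllRegisterServer, /c console output, /i[:cmdline] call DllInstall.
REGSVR32_SWITCHES = {"u", "s", "n", "c"}


def split_windows_cmdline(cmdline):
    """Split a command line roughly like CommandLineToArgvW: whitespace
    separates arguments, double quotes group them, and backslash-quote
    yields a literal quote. Sufficient for regsvr32/rundll32 lines; it does
    not reproduce every CommandLineToArgvW corner case."""
    args, cur, in_quotes, have_token = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\" and i + 1 < n and cmdline[i + 1] == '"':
            cur.append('"'); have_token = True; i += 2; continue
        if c == '"':
            in_quotes = not in_quotes; have_token = True; i += 1; continue
        if c in " \t" and not in_quotes:
            if have_token:
                args.append("".join(cur)); cur, have_token = [], False
            i += 1; continue
        cur.append(c); have_token = True; i += 1
    if have_token:
        args.append("".join(cur))
    return args


def regsvr32_targets(args):
    """Modules regsvr32 was asked to register, in order. Anything that is
    not a switch is a module, whatever its extension; /i may carry its own
    argument (/i:"foo bar"), which is not a module."""
    targets = []
    for a in args[1:]:
        if len(a) > 1 and a[0] in "/-":
            sw = a[1:].lower()
            if sw in REGSVR32_SWITCHES or sw.startswith("i"):
                continue
        targets.append(a)
    return targets


def rundll32_target(args):
    """Module rundll32 was asked to load: its first argument, up to the
    comma that separates the module from the entry point."""
    if len(args) < 2:
        return None
    return args[1].split(",", 1)[0]


def decide(cmdline, trusted_modules):
    """Return (verdict, unknown_modules) for a process launch.

    Relative module names (e.g. 'foo.dll') go through the LoadLibrary search
    path; they are treated as unknown here unless listed verbatim."""
    args = split_windows_cmdline(cmdline)
    if not args:
        return ("deny", [])
    host = ntpath.basename(args[0]).lower()
    if host == "regsvr32.exe":
        targets = regsvr32_targets(args)
    elif host == "rundll32.exe":
        t = rundll32_target(args)
        targets = [t] if t else []
    else:
        return ("not-a-host", [])          # ordinary process: not our concern here
    norm = lambda p: ntpath.normpath(p).lower()
    trusted = {norm(m) for m in trusted_modules}
    unknown = [t for t in targets if norm(t) not in trusted]
    return ("alert" if unknown else "allow", unknown)


# Constructed whitelist and sample launches (hypothetical paths).
TRUSTED = {r"C:\WINDOWS\system32\mshtml.dll", r"C:\Program Files\Vendor\plugin.dll"}
SAMPLES = [
    r"C:\WINDOWS\system32\regsvr32.exe -s C:\adobeupdate.dll",
    r'regsvr32.exe /s /i:"extra arg" "C:\Documents and Settings\user\adobeupdate.dlx"',
    r"regsvr32.exe /s C:\WINDOWS\System32\MSHTML.DLL",
    r"rundll32.exe C:\adobeupdate.dlx,DllRegisterServer",
    r'rundll32.exe "C:\Program Files\Vendor\plugin.dll",Init /quiet',
]

if __name__ == "__main__":
    for line in SAMPLES:
        verdict, unknown = decide(line, TRUSTED)
        print(f"{verdict:10} {line}" + (f"  -> unknown: {unknown}" if unknown else ""))
```

    The same module under a different extension or in a different directory still reaches the whitelist lookup, which is what makes the extension-spoofing case in the earlier post a non-issue for this approach; what a relative name resolves to is a separate question that the real LoadLibrary search order decides.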
  9. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247
    How can users of OA Premium ver5.00.1100 be protected from this Sinowal drive-by dll? When will be the update available?
     
  10. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    The update will be part of Online Armor 5.1 that has entered the public beta phase today. If you don't want to switch to the beta you can simply set "regsvr32.exe" to "Unknown" by selecting the application in the "Programs" list and clicking the "Untrust" button. That way you will get an alert if an application tries to register a DLL using regsvr32.exe.
     
    Last edited: Aug 4, 2011
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    thanks i will do that:thumb: :thumb:
     
  12. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    Fabian, if we made your suggested change manually, once the beta is later installed over the old version, should we change the settings for "regsvr32.exe" or leave the settings in place which were carried over (per your recommendation in the quoted text)?

    Thanks.
     
  13. jasonbourne

    jasonbourne Registered Member

    Joined:
    Aug 26, 2010
    Posts:
    247

    Thank you!
     
  14. Fabian Wosar

    Fabian Wosar Developer

    Joined:
    Aug 26, 2010
    Posts:
    787
    Location:
    Germany
    Once 5.1 has been released you can switch it back to "Trusted".
     
  15. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    So not in the current "beta"? (5.1.0.1285)

    Thanks.
     
  16. Nizarawi

    Nizarawi Registered Member

    Joined:
    May 26, 2008
    Posts:
    131
    the current beta
     
  17. Blues7

    Blues7 Registered Member

    Joined:
    May 11, 2009
    Posts:
    858
    Location:
    Blue Ridge Mountains
    thanks...i thought so but wanted to be certain before setting it to "trust". :thumb:
     
  18. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Updating to new Beta :thumb:
     