Sinowal/Mebroot, perfectly bypass threatfire v4.7.0.53

Discussion in 'other anti-malware software' started by a256886572008, Sep 26, 2011.

Thread Status:
Not open for further replies.
  1. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    1. I went to the exploit URL; Comodo popped up alert windows, but ThreatFire did not.

    http://i.imgur.com/qRv4D.png


    2. I opened the active process list in Comodo and then checked the PID of the malware.

    http://i.imgur.com/VlxK8.png


    3. I opened the Task Manager and checked the PID of the malware.
    They are regsvr32.exe.

    http://i.imgur.com/eb6xq.png


    4. I viewed the system activity monitor.

    http://i.imgur.com/8PEQc.png


    5. The malware deceived ThreatFire successfully.

    System environment:
    XP SP3 32bit

    java version 6.0.220

    IE 8
     
    Last edited: Sep 26, 2011
  2. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,727
    Location:
    Poland - Cracow
    First, at which security level was TF? Second, HIPS and behavioural blockers don't work the same way and don't flag the same actions.
    I am not a "defender" of TF, but one thing is important: TF is based on heuristic analysis, and each higher level represents an increase in sensitivity.
    The second matter: TF and Comodo indicated that the suspicious file has a Microsoft certificate, which is also important in identifying some infections.
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,890
    Location:
    Canada
    very true;) :thumb:
     
  4. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Once upon a time, TF was popular here.
    It is Not the same anymore...;)
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,890
    Location:
    Canada
    very true cyberhawk;) :thumb:
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,110
    Location:
    Saudi Arabia/ Pakistan
    TF is dead, in fact. Useless for newer threats. Sad indeed.
     
  7. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Reading about TF, I thought, let's give it a try.
    Downloaded from the PC Tools site, the TF installer had version 4.11.2.22. I thought: WOW!
    But no, it's the tested v4.7.0.53.
    Perhaps they've done real serious work on the installer...:rolleyes:
     
  8. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,960
    I have a quick question about this:

    Would creating a custom rule be able to help protect against this type of attack? Now, I am going by the guide Kees made here (https://www.wilderssecurity.com/showthread.php?t=253507&highlight=ThreatFire+tutorial), and I do not have ThreatFire installed in front of me. However, if I am reading it correctly, the rule would look something like this:

    Set regsvr32.exe to be monitored when creating/executing a file from C:\documents and settings\Local\temp or C:\users

    Also this rule would need to have the trusted vendor list ignored.

    Sorry if I am understanding this incorrectly; I don't have a machine with TF installed at the moment, and Kees is the expert on making these rules.
     
  9. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,727
    Location:
    Poland - Cracow
  10. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,963
    Could someone explain why the certificates are being read as being from MS?
     
  11. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    634
    Location:
    Sydney Australia
    Because the process launching the malware component is the genuine regsvr32.exe, meaning regsvr32.exe is the file being verified.
     
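The point stackz makes above (the signature checked belongs to the genuine regsvr32.exe, not to the DLL it is told to register) is why Ibrad's proposed rule has to key on the module path rather than on the vendor of the host process. The following is an added example, not code from the thread or from ThreatFire: a small Python detection routine over constructed process-creation events that flags signed regsvr32.exe registering a DLL from a user-writable location, while deliberately ignoring the host process's signer. The sample events, path lists and field names are all assumptions made for the example.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed sample events modelled on the thread: the host process is the
# real, Microsoft-signed regsvr32.exe in every case; only the module differs.
SAMPLE_EVENTS = [
    {"image": r"C:\WINDOWS\system32\regsvr32.exe",
     "signer": "Microsoft Corporation",
     "cmdline": r'regsvr32.exe /s "C:\Documents and Settings\user\Local Settings\Temp\abc.dll"'},
    {"image": r"C:\WINDOWS\system32\regsvr32.exe",
     "signer": "Microsoft Corporation",
     "cmdline": r"regsvr32.exe /s C:\WINDOWS\system32\wshom.ocx"},
    {"image": r"C:\WINDOWS\system32\regsvr32.exe",
     "signer": "Microsoft Corporation",
     "cmdline": r"regsvr32.exe /u /s C:\Users\user\AppData\Roaming\x.dll"},
]

# Modules living here are treated as routine setup activity (assumed list).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\program files")
# User-writable profile/temp roots singled out by the rule in the thread.
SUSPICIOUS_DIRS = (r"c:\documents and settings", r"c:\users")


def dll_argument(cmdline: str) -> Optional[str]:
    """Return the module path passed to regsvr32, skipping /s /u /n /i:... switches."""
    tokens = re.findall(r'"([^"]+)"|(\S+)', cmdline)
    args = [quoted or bare for quoted, bare in tokens][1:]  # drop program name
    for arg in args:
        if arg.startswith(("/", "-")):
            continue
        return arg
    return None


def classify(event: dict) -> str:
    """'alert' when regsvr32 registers a module from a user-writable path,
    'allow' for trusted directories, 'review' for anything else."""
    if ntpath.basename(event["image"]).lower() != "regsvr32.exe":
        return "allow"
    module = dll_argument(event["cmdline"])
    if module is None:
        return "allow"
    path = module.lower()
    if path.startswith(TRUSTED_DIRS):
        return "allow"
    # event["signer"] is intentionally never consulted: it vouches for the host
    # process only, not for the module it was asked to load.
    return "alert" if path.startswith(SUSPICIOUS_DIRS) else "review"


def scan(events: List[dict]) -> List[Tuple[str, str]]:
    """Verdict and module path for each event."""
    return [(classify(e), dll_argument(e["cmdline"]) or "") for e in events]
```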