Sinowal/Mebroot perfectly bypasses ThreatFire v4.7.0.53

Discussion in 'other anti-malware software' started by a256886572008, Sep 26, 2011.

Thread Status:
Not open for further replies.
  1. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    1. I went to the exploit URL; Comodo popped up alert windows, but ThreatFire did not.

    http://i.imgur.com/qRv4D.png

    2. I opened the active process list in Comodo and then checked the PID of the malware.

    http://i.imgur.com/VlxK8.png

    3. I opened Task Manager and checked the PID of the malware.
    They are regsvr32.exe.

    http://i.imgur.com/eb6xq.png

    4. I viewed the system activity monitor.

    http://i.imgur.com/8PEQc.png

    5. The malware deceived ThreatFire successfully.

    System environment:
    XP SP3 32-bit

    Java version 6.0.220

    IE 8
     
    Last edited: Sep 26, 2011
  2. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
    First: at which security level was TF? Second: HIPS and behavioral blockers don't work the same way and don't point to the same actions.
    I am not a "defender" of TF, but one thing is important: TF is based on heuristic analysis, and each higher level represents an increase in sensitivity.
    The second matter: TF and Comodo indicated that the suspicious file has a Microsoft certificate, which is also important in identifying some infections.
     
  3. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    very true;) :thumb:
     
  4. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Once upon a time, TF was popular here.
    It is not the same anymore...;)
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    very true cyberhawk;) :thumb:
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    TF is dead, in fact. Useless for newer threats. Sad indeed.
     
  7. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Reading about TF, I thought, let's give it a try.
    D/l'ed from the PC Tools site, the TF installer had version 4.11.2.22. I thought: WOW!
    But no, it's the tested v4.7.0.53.
    Perhaps they've done really serious work on the installer...:rolleyes:
     
  8. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    I have a quick question about this:

    Would creating a custom rule be able to help protect against this type of attack? Now, I am going by the guide Kees made here (https://www.wilderssecurity.com/showthread.php?t=253507&highlight=ThreatFire+tutorial), and I do not have ThreatFire installed in front of me. However, if I am reading it correctly, the rule would look something like this.

    Set regsvr32.exe to be monitored when creating/executing a file from C:\documents and settings\Local\temp or C:\users

    Also this rule would need to have the trusted vendor list ignored.

    Sorry if I am understanding this incorrectly; I don't have a machine with TF installed at the moment, and Kees is the expert on making these rules.
     
  9. ichito

    ichito Registered Member

    Joined:
    Jan 14, 2011
    Posts:
    1,485
    Location:
    Poland - Cracow
  10. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Could someone explain why the certificates are being read as being from MS?
     
  11. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    Because the process launching the malware component is the genuine regsvr32.exe, meaning regsvr32.exe is the file being verified.
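The rule Ibrad sketches above and stackz's point about the certificate fit together: because the host process is the genuine, Microsoft-signed regsvr32.exe, a check that trusts the process image by its signer passes the event, so the rule has to look at the module regsvr32 is asked to register and where it lives. The following is an added illustration of that logic written for this thread (not ThreatFire's rule engine or anything posted by its author); the event records, the path prefixes and the field names are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not taken from the thread).
EVENTS = [
    {"image": r"C:\WINDOWS\system32\regsvr32.exe", "signer": "Microsoft Windows",
     "cmdline": r'regsvr32.exe /s "C:\Documents and Settings\user\Local Settings\Temp\ab12.dll"'},
    {"image": r"C:\WINDOWS\system32\regsvr32.exe", "signer": "Microsoft Windows",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
    {"image": r"C:\WINDOWS\system32\regsvr32.exe", "signer": "Microsoft Windows",
     "cmdline": r"regsvr32.exe /s C:\Users\Public\update.dll"},
    {"image": r"C:\WINDOWS\system32\notepad.exe", "signer": "Microsoft Windows",
     "cmdline": r"notepad.exe C:\Users\Public\notes.txt"},
]

# User-writable roots named in the proposed rule, as hypothetical
# case-insensitive path prefixes (profile roots on XP and on Vista/7).
USER_WRITABLE_ROOTS = ("c:\\documents and settings\\", "c:\\users\\")


def module_argument(cmdline):
    """Return the .dll/.ocx path handed to regsvr32, quoted or bare, or None."""
    m = re.search(r'"([^"]+\.(?:dll|ocx))"|(\S+\.(?:dll|ocx))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def is_suspicious(event):
    """True when regsvr32.exe registers a module from a user-writable path.

    The signer of the process image is deliberately not consulted: the
    image is the real regsvr32.exe and always carries Microsoft's
    signature, which is exactly why a trusted-vendor check on the host
    process lets the event through. Only the module path decides.
    """
    if PureWindowsPath(event["image"]).name.lower() != "regsvr32.exe":
        return False
    module = module_argument(event["cmdline"])
    return module is not None and module.lower().startswith(USER_WRITABLE_ROOTS)


def flagged_modules(events):
    """Module paths the rule would alert on, in input order."""
    return [module_argument(e["cmdline"]) for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for path in flagged_modules(EVENTS):
        print("ALERT: regsvr32.exe registering", path)
```

Only the Temp and Users\Public modules are reported; the vendor DLL under Program Files and the unrelated notepad.exe event are not, even though every process image in the sample is Microsoft-signed.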
     