Stuxnet .(lnk exploit malware) versus HIPS

Discussion in 'other anti-malware software' started by aigle, Apr 20, 2011.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Stuxnet is the malware that has a political background and is made not by criminals, rather it,s backed by some governments.

    A very interesting aspect of stuxnet is that it not only used a unique windows vulnerability but also defeated many HIPS software. Until now many HIPS are poor against this malware. :mad:

    I played with this sample and here are my findings.

    1- OnlineArmor proved great in dealing with stuxnet. It successfully intercepted malicious dll execution by explorer.exe without any single pop up alert for any legit dll execution. Very well done. :thumb:
    oa syuxnet 1.jpg
    oa stuxnet 2.jpg
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    2- CIS, of course has no way to intercept dll execution. So total fail.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    3- GesWall has a prtial pass. It will not allow untrusted dll execution by/ into a trusted process. So it will stop malicious dll loading from NTFS hard disk/ partitions. But if dll is on a USB stick it will fail as current version still lacks a feature of USB devices isolation.
     

    Attached Files:

  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    aigle, how would a not novice like me, know that is even Stuxnet. To me it might be Adobe and I allow it. HIPS are cool but need to be written in common day language.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    4- AppGuard- I am not sure. Malicious dll was loaded but I have no way to know whether it was isolated/ mitigated or not( the developers claim that any dlls executed from USb devices are isolated and can,t harm the system). I saw in process explorer that it was loaded in explorer.exe and nothing in AG log.
     

    Attached Files:

  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    5- Old CIS v 3 can be configured to intercept dlls. Configured so it does intercepts malicious stuxnet dll loading but still i will call it a fail practically as CIS v 3 doesn,t intercept dlls on default settings and moreover if you set it to intercept dlls, you get literally bombarded with hundreds of dll execution alerts and no user can stay with such settings.
     

    Attached Files:

  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    6- Finally a little gem- NoAutoruns. Very nice interception. I love this utility.
     

    Attached Files:

  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    7- Out of curiosity I just checked Prevx safeonline. Normall I don,t test Prevx as it,s mainly signature based( though in the cloud) but I tested it as I know that prevx scans files on execution rather than simple file read/ write( unlike most of other signature based antimalwares). I just wanted to check whether Prevx scans dlls on execution or not. And yes, it did. It scanned and caught the malicious dll.

    1.JPG
    2.JPG
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Here is another test with stuxnet POC. All same results. OA- Pass. CIS fails again. OA and NoAutoruns pass. GesWall partial Pass. AG.... hmm I don,t know!! :mad:

    oa poc.jpg
    gw poc.jpg
    gw log.jpg
    nar poc.jpg
    nr poc 2.jpg
     
    Last edited: Apr 20, 2011
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Who said HIPS are for novice? :)
     
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Sandboxie and DefenseWall handle Stuxnet, don't they?
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Microsoft already patched this, so it's not much of a concern.
     
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Aigle, if my memory serves me right, the Windows 7 OS by default only allows Autorun from CDs and DVDs, but not for example removable media like USB sticks, is that correct? Thanks
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes but .lnk exploit has no relation with autoruns.
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    You are right. But it shows that malicious dlls are difficult to intercept by HIPS. Don,t forget the recent dll execution vulnerabilities and who knows how many are still there.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    They must I think.
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I don't think they exploit .lnk shortcuts though, which are very hard to avoid.

    Anyways, I'm kind of surprised at Comodo's results, does the sandbox work at containing the threat?
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Comodo doesn,t intercept dlls, just like most other such HIPS, no surprise in it.
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    So no alerts at all huh.
     
  20. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    Could you please test CIS again by adding rundll32.exe as a limited app.

    Please look at Post Nbr #21,22,24,25 for more information here
     
  21. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Nice thread :)
    Could you check against Mamutu on normal and paranoid settings?
     
  22. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    did comodo detect the Outgoing connections o_O

    o_O


    great topic

    Plz continue testing it :argh:


    also what version of windows you're testing on

    i saw XP and 7

    on 7 what UAC reaction was o_O
     
  23. kiko78

    kiko78 Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    106
    And with spysheltero_O?
     
  24. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Does Malware Defender pass?
     
  25. Night_Raven

    Night_Raven Registered Member

    Joined:
    Apr 2, 2006
    Posts:
    388
    If I recall correctly by default it fails, as it doesn't monitor loading of libraries. However if this feature is enabled in the rules, then it is able to prevent the exploit, i.e., it passes.
    For the record: same thing should apply to Real-time Defender.
     
Loading...
Thread Status:
Not open for further replies.