Stuxnet (.lnk exploit malware) versus HIPS

Discussion in 'other anti-malware software' started by aigle, Apr 20, 2011.

Thread Status:
Not open for further replies.
  1. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    The bad news is that pirated copies allow updates.

    :doubt:

    o_O Sorry, but I'm sure I have to work on my social skills,
    and I use an original copy of Windows, or that's what I think it is :doubt:
     
  2. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    :)

    I don't think pirated copies are the bad news here. I rather think the bad news is that people are using pirated copies that cannot update and allow these types of exploits to spread to validated copies of not updated Windows systems.
     
  3. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Microsoft is very willing to allow you to verify this.
    Just use their WGA/Windows Genuine Advantage 'tool'.
    (Mind you, it might end up being genuinely advantageous for MS only ;) )
     
  4. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    You're getting dangerously close to being off topic here. We're talking about the exploit being able to spread through pirated copies of Windows that aren't up to date.
     
  5. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Don't get your panties in a bunch.
    Ranget wrote that he thought he was using a legal Windows version. Or perhaps not.
    He, apparently, isn't sure about it, and I made a remark about how to check.
    I thought that would be rather to the point if, as you write, the topic is 'an exploit being able to spread through pirated copies'.
    But report me to the mods if you feel obliged to do so... jeez.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I did not see this video, but I used maximum settings. Also, for what happens with CIS installed, see the post by 'SUPERIOR'.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Shadek is right about the off topic, which is about Stuxnet vs HIPS software.

    The discussion about pirated OS and updating, etc. is indeed off topic. Let's consider that issue closed for this thread.

    Pete
     
  8. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,538
    Location:
    Sweden
    Oh, I'm sorry, it must be that English isn't my first language. :) We're all walking around in circles not understanding each other! In no way was it my intention to report anyone to the mods. I obviously misinterpreted your hint that you were encouraging him to validate his MS Windows!
     
  9. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Could anyone test this against mamutu?
    Thx
     
  10. justenough

    justenough Registered Member

    Joined:
    May 13, 2010
    Posts:
    1,549
    I'd be interested too. I am one year into a three year license of Mamutu, and still have no idea how effective it is.

    I am relying on Sandboxie to dump exploits of this sort.
     
  11. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
    And with an antivirus

    Very interesting test.

    May I ask a foolish question?

    On an unpatched OS, for example Windows 7 or XP without the hotfix, can an antivirus like Avira or Avast or another stop it?
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: And with an antivirus

    They will, as long as they have the signature, like the one I tested here.
     
  13. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    As long as OA passed, I guess there is a big chance for Mamutu to do the same, but I am going to give it a try if aigle doesn't mind ;)
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not at all a valid assumption. Totally different software.
     
  15. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,176
    I would like to see the Torchsoft Malware Defender free version.
     
  16. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    I am sorry about my assumption, you are completely right. Tried it and it failed.
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Could you also try with Paranoid mode on?
     
  18. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    same result :(
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks for testing. Sure, we should not expect a behaviour blocker like Mamutu, (dying) ThreatFire etc. to intercept it.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It will be the same as CIS v3 or EQS. It will detect DLL execution but is practically useless, as you will get hundreds of legitimate DLL execution alerts.
     


  21. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    Thx for testing :)

    Hmm, I'm still confused about the difference between BB and HIPS.
    Can you tell us why it won't intercept?
     
    Last edited: Apr 25, 2011
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    All behaviour blockers have built-in trigger rules: they monitor the system and get triggered by certain malicious behaviours. This is coupled with a smart whitelist and/or blacklist.

    The developers obviously did not add any smart rules to detect such malware.
     
    Last edited: Apr 26, 2011
  23. blasev

    blasev Registered Member

    Joined:
    Oct 25, 2010
    Posts:
    763
    thx for the answer, looking forward for another test :D
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    One of our respectable members, Rmus, has asked why I have used .dll files instead of .tmp files (Stuxnet actually used .tmp files, though those .tmp files were in fact spoofed DLLs).

    Actually I used DLLs as I got the samples as DLLs. Also I am very much concerned about malicious DLLs, as they are the weak point for non-signature-based security software like HIPS, sandboxes and behaviour blockers, so I was happy to test HIPS against DLLs.

    OK, I have repeated the tests with .tmp files. Surprisingly all results are the same for Online Armor, Comodo Defence Plus (Default and Paranoid settings), GesWall, NoAutoruns and AppGuard. Some screenies. :)

    Screenshots: oa.jpg, eqs.jpg, gw.jpg
     
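The two points made above, that a behaviour blocker is only a set of trigger rules plus a whitelist (post 22), and that the files in question were DLLs wearing a .tmp extension (post 24), can be turned into one concrete rule. The following is an added example, not code from the thread or from any of the products tested: it parses just enough of a PE header to decide from *content* whether a file is a DLL, then flags a library load whose extension disagrees with that content. The PE images and load events are constructed in memory; the extension allowlist and the verdict names are this example's own assumptions. Ordinary `.dll` loads are deliberately not alerted on, which is the noise problem described in post 20.

```python
# Added example (not from the thread): a behaviour-blocker style rule for the
# case discussed above, where a library is loaded from a file whose extension
# (.tmp) hides that it is really a DLL.  Everything here is constructed: the
# PE images are built in memory and the load events are made-up sample
# telemetry, not real Stuxnet artefacts.
import os
import struct
from dataclasses import dataclass
from typing import Optional

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # Characteristics: image is runnable
IMAGE_FILE_DLL = 0x2000                # Characteristics: image is a DLL
# Assumed allowlist: extensions under which a PE image is normally loaded as a library.
LIBRARY_EXTENSIONS = {".dll", ".ocx", ".cpl", ".drv", ".ax"}


def pe_is_dll(data: bytes) -> Optional[bool]:
    """Parse enough of a PE file to answer: is this a DLL image?

    Returns True for a PE with IMAGE_FILE_DLL set, False for a PE without it
    (an .exe image), and None if the bytes are not a PE file at all.
    The decision is based on content only, never on the file name.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes) must fit in the buffer
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Characteristics is the last WORD of IMAGE_FILE_HEADER (offset 18 within it)
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return bool(characteristics & IMAGE_FILE_DLL)


def make_pe(characteristics: int) -> bytes:
    """Build the smallest header chain pe_is_dll() needs (constructed test input)."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)   # e_lfanew: PE header follows DOS header
    file_header = struct.pack(
        "<HHIIIHH",
        0x014C,          # Machine: i386
        1,               # NumberOfSections
        0, 0, 0,         # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        0,               # SizeOfOptionalHeader (optional header omitted here)
        characteristics,
    )
    return bytes(dos_header) + b"PE\0\0" + file_header


@dataclass
class LoadEvent:
    """One 'process X maps file Y as a library' event (constructed sample)."""
    process: str
    path: str
    data: bytes          # file contents as the loader would read them


def evaluate(event: LoadEvent) -> str:
    """Verdict for a library-load event.

    'allow' - extension and content agree (an ordinary DLL load), or the file is
              not a PE at all; prompting here is what floods the user with alerts
    'block' - a DLL image under a non-library extension (the .tmp trick)
    'alert' - a PE without the DLL flag mapped as a library: unusual, worth a prompt
    """
    ext = os.path.splitext(event.path)[1].lower()
    dll_flag = pe_is_dll(event.data)
    if dll_flag is None or ext in LIBRARY_EXTENSIONS:
        return "allow"
    return "block" if dll_flag else "alert"


def run_sample() -> dict:
    """Evaluate a few constructed events; returns {path: verdict}."""
    dll = make_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
    exe = make_pe(IMAGE_FILE_EXECUTABLE_IMAGE)
    events = [
        LoadEvent("explorer.exe", r"C:\Windows\System32\shell32.dll", dll),
        LoadEvent("explorer.exe", r"E:\payload.tmp", dll),          # spoofed DLL
        LoadEvent("explorer.exe", r"E:\notes.tmp", b"just a text file"),
        LoadEvent("explorer.exe", r"C:\Temp\tool.bin", exe),
    ]
    return {e.path: evaluate(e) for e in events}


if __name__ == "__main__":
    for path, verdict in run_sample().items():
        print(f"{verdict:5s} {path}")
```

The rule fires on the mismatch, not on DLL loading as such, which is why it stays quiet for the legitimate loads that a plain "DLL execution" prompt would interrupt. A real product would additionally consult its whitelist (publisher signature, known path) before blocking, but the header check alone already separates a .tmp that is a DLL from a .tmp that is data.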
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    CIS v3 can be configured to intercept .tmp file execution though you will get more than usual alerts.
     

    Attached: cis3.jpg