TDL4 rootkit can pwn any security product

Discussion in 'other security issues & news' started by hawki, May 1, 2014.

Thread Status:
Not open for further replies.
  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,957
    Location:
    DC Metro Area
    "TDL4 rootkit can be modified to pwn any security product, Bromium researchers discover

    Kernel mode rootkits are more viable than has been realised and could be used to bypass more or less any security product in existence, researchers at Bromium have discovered after conducting a proof-of-concept attack using a modified variant of in the infamous TDL4 malware....
    With a new payload, what this created was something lethal enough to overcome a variety of security layers the team tested against it such as antivirus, sandboxes and intrusion prevention, making it a sort of “Swiss Army knife” attack hiding behind ring zero...
    By simply tweaking the exploit, we found we could bypass the typical security software you’d expect to encounter on a corporate user machine...

    to work around these monitoring [security] tools does not require any sophistication..."

    Full story here: http://news.techworld.com/security/...ecurity-product-bromium-researchers-discover/
     
  2. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    The very nice news to sleep soundly :D:D
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Interesting that they did not test against disk level sandboxing (virtualization, B-t-R, etc)...
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    I like how they use this as a platform for advertising their product. :rolleyes:

    @Coldmoon: yes, I was thinking that. A lot of businesses run their Windows servers on top of VMWare ESXi or other such hypervisor platforms, which can allow rollback or replacement of VMs, and even detection of compromise to some degree (by network traffic logging). There are even free options (Xen, Oracle VM, Xtratum).
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    The only exploit of this type of any interest to me is this one, and I don't see how this even gets the ball rolling on my Windows 7 security setup.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Well, I would really like to see a demo of this attack, or it didn´t happen. :D

    But seriously, I always wondered if certain attacks could bypass all security layers, so in a way it´s kinda shocking.

    I always (try to) use:

    1 Anti Exploit
    2 Anti Executable
    3 Behavior Blocker
    4 Firewall
    5 Sandbox

    According to them, a zero day in the OS kernel can own all of these layers, what the hell. :confused:
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
  10. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Probably more a matter of failing to detect it (heuristics may need some tweaking?) than being incapable of doing so. But this is why I don't like DeepSafe as a concept; engineering a hypervisor-based AV is (IMHO) rather like making a nuclear fusion powered subcompact car. The technology involved should by rights make the original problem completely moot.
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Or even my XP/SP2 !

    Bromium offered this advice !

    If they had provided the following advice instead, it would solve the problem/s

    1 - Java disable

    2 - JavaScript selectively allow, others disable. Eg = NoScript

    3 - Use an Ad blocker

    4 - iframes disable

    5 - Install Request Policy

    6 - Install an .EXE/SYS blocker etc
     
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Even in the Bromium Labs research of this exploit, they state:

    http://labs.bromium.com/
     
  13. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    get rid of Java, problem solved.
    that malware sieve will never see the light of day on my machine.:cautious:

    haven't there been enough horror stories about that framework yet?
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Yes, but that´s not what this thread is about, this is about zero day bugs in the kernel, apparently user-mode based security tools can´t protect against those. :cautious:
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Well, I don´t look at Deep Defender (DeepSafe) as an AV. I think it´s more meant to be a HIPS. Of course it can also use signatures to spot rootkits, but the main task is guarding the OS kernel, like KPP: http://en.wikipedia.org/wiki/Kernel_Patch_Protection

    Also, now that I think of it, Deep Defender is meant to spot kernel-mode rootkits, I don´t think it´s designed to spot user-mode rootkits, so I would really like to see some details about this attack. :)
     
    Last edited: May 3, 2014
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Btw, I´ve read some whitepapers and Bromium is really pounding on its competitors. It seems to be a really vicious battle between companies like Trusteer, Invincea, Bromium and FireEye, to name a few. All claim to offer the best protection for the enterprise, not surprisingly. :)

    Some more info:

    http://www.computerweekly.com/news/2240181869/New-approach-blocks-all-zero-day-malware-says-Trusteer
    http://www.invincea.com/knowledge-center/white-papers/
    http://www.cnet.com/news/bromium-secures-computers-by-holding-apps-in-isolation/
    http://www.fireeye.com/products-and-solutions/virtual-execution-engine.html
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    The labs.bromium.com link I referred to has everything to do with the thread title: "TDL4 rootkit can pwn any security product".
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    No, not really, the link refers to an exploit which abuses Java, there is nothing scary about that. :)

    This thread refers to an exploit which abuses some hole in the Windows OS kernel, which can not be stopped by security tools, at least according to Bromium.
     
  19. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    The last link from wat0114 refers to Chromium Labs Blog with quote;
    Not the other 'java' one. That's something else indeed.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I see no comments there at all.
     
  23. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    If this rootkit can't execute and run and install itself into the kernal then it can't infect, So I would assume an anti executable program would block it??
     
  24. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    It depends on the attack method, but I think in some cases, sure a HIPS would block. At any rate, in most cases I think a HIPS should be considered as a second line of defense, with the browser's security (think js control) a first line.
     
  25. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    If your Anti blocks or prompts for both .EXE & .SYS you're covered, as long as you don't allow !
     
Loading...
Thread Status:
Not open for further replies.