Testing bifrost against various HIPS/sandboxes...

Discussion in 'other anti-malware software' started by aigle, Oct 18, 2007.

  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: what a hell APPdefend is INSECURE

    Thread split from an AppDefend forum thread as the topic changed focus.

    ___________________________
    Did somebody try it against other HIPS/sandboxes etc.?

    Thanks
     
    Last edited by a moderator: Oct 21, 2007
  2. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    Yes lol :)
    The funniest thing is KAV proactive is still bypassable after all these months.
    So, what was the result, was that physical\memory thing :)
    Did you find out what it is exploiting?
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan

  4. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    aigle, nice to see your product passing.. :)
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: what a hell APPdefend is INSECURE

    lol, it's not mine!
    I am just a user.:D
     
    Last edited: Oct 18, 2007
  6. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    Deadly wrong, it failed my test.
    I only allowed process execution and blocked the rest; here is the result :D lol
    Bifrost successfully unhooked the SSDT.
    EQSecure for System 2007 v3.41 Result
    ntcreatekey
    ntcreatesection
    ntcreatethread <----- unhooked
    ntdeletekey <------ unhooked
    ntdeletevaluekey <------unhooked
    ntloaddriver
    ntopenprocess
    ntopensection
    ntprotectvirtualmemory <----- unhooked
    ntrequestwaitreplyreport
    ntrestorekey
    ntsetcontextthread
    ntsetsysteminformation
    ntsetsystemtime
    ntsetvaluekey <---- unhooked
    ntshutdownsystem
    ntsuspendprocess
    ntsuspendthread
    ntsystemdebugcontrol
    ntterminatejobobject
    ntterminateprocess
    ntterminatethread
    ntwritefile
    ntwritevirtualmemory <-- unhooked
    ====================================

    So what was the alarm up there that aigle posted, was it blocked? Naaa, if the server was configured to unhook ntsystemdebugcontrol
    all will be silent lol :D
    So EQSecure is too INSECURE.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: what a hell APPdefend is INSECURE

    Hi gangABang, thanks for your testing. It's interesting. Sorry if I have posted wrong results.

    1- I did not check for all SSDT hooks (it was my fault). I just had a glance at the SSDT table in IceSword and saw most of the hooks there, so I thought EQS passed.

    2- If I remember well, NicM has tested Bifrost recently and according to him, EQS (but it was version 3.4, not 3.41) passed the test - SSDT unhooking tests.

    I am not sure at the moment. I will repeat the test today or tomorrow by God's will and post my results here. Will also see how GW and NG behave.

    Please let me know which tool you used to see SSDT table hooks.

    Thanks
     
    Last edited: Oct 19, 2007
  8. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    I used RkUnhooker. Btw, I tested it only on XP SP2. I dunno how SP1 behaves, so test it there too.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: what a hell APPdefend is INSECURE

    I tried on XP SP2.

    Give me some time and I will report back, may be tomorrow!
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Re: what a hell APPdefend is INSECURE

    You talk about version 1.21?
    I thought it was pretty buggy... imho Bifrost does not represent such a great danger nowadays.. as far as I remember, but maybe you are talking about a newer version..
     
  11. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    It is not Bifrost that makes it dangerous; the techniques used to bypass are what make it dangerous, since every other virus or trojan could take advantage of it.
     
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Re: what a hell APPdefend is INSECURE

    You mean this little checkbox that allegedly should unhook everything? Besides, Bifrost isn't open source, so why do you think other trojans will use this too? Bifrost was the only sophisticated RAT as far as I remember; there is no serious opponent, but Bifrost is still very limited and imho not to be taken seriously. Since Bifrost nothing really new has happened except these exploit kits I guess, so where are all those so-called super dangerous tools? Rootkit.com does not publish anything new... actually the defenders are much more productive than the aggressors in my opinion.. at least related to public productions.
     
  13. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Re: what a hell APPdefend is INSECURE

    Bifrost is to be taken seriously and the team developing it surely has friends as they are a group who seem to mostly have their own individual releases besides Bifrost.

    Edit: Interesting information on the origins of Bifrost's chosen name: http://en.wikipedia.org/wiki/Bifröst
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Re: what a hell APPdefend is INSECURE

    Then I suggest you investigate your testing measures, because EQSecure passed with no problems on my end, as did ThreatFire.
     
  15. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    I am very sure it is insecure, the same for NeoavaGuard beta2. :D
    On an XP SP2 system.
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Re: what a hell APPdefend is INSECURE

    Nice try. EQSecure blocks the unhooking attempt, does not get unhooked, and then proceeds to monitor the trojan's subsequent behavior. AntiBot/PRSC and ThreatFire block and quarantine this trojan as well.
     

  17. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    Which version of EQSecure did you try?? I tested EQSecure 3.41.
     
  18. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    OK, I have tested this again on a different machine (XP SP2). Still EQSecure only warns "Debug at system level" repeatedly, then I block it checking "remember this action" and all becomes silent and the server connected back to me. I looked at the SSDT, the same result: unhooked, and it has kicked EQSecure's ass lol :D
    I am 101% sure it bypasses EQSecure 3.41, AppDefend alpha version and NeoavaGuard beta2 :)
    I dunno about ThreatFire since I don't have the software.
    If you don't believe it, ask someone to prove this for you. :D

    //edit: are you sure you are on an admin account (it needs an admin account)?
     
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Re: what a hell APPdefend is INSECURE

    I don't need someone else to prove it for me. EQSecure is working perfectly as advertised on aigle's and my system as well as another member on another forum who just tested this sample as well, so it's up to you to investigate your own test methods and find out why they're giving erroneous results.
     
  20. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    No, they are proven and twice tried, so I will not accept this.
    Maybe I have to disagree with you :D
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: what a hell APPdefend is INSECURE

    Hi here is my testing.

    I used XP SP2. Used RKU (RootKit Unhooker) to examine the SSDT. Loaded a fresh image of my working system. Uninstalled NeoavaGuard. Uninstalled older EQS v4. Installed latest EQS version 4.1.
    Other software on the system are ShadowSurfer and Antivir. I did testing under SS as I have no VM. Remember, on my system due to overlap between security software, RKU doesn't show all hooks of EQS. Also when I am in ShadowMode, EQS hooks are even reduced and there are unknown hooks on the SSDT which are probably due to ShadowMode.

    I tried GW and let Bifrost to run inside GW and to do whatever it wanted until it launched IE. I then killed IE and also killed isolated untrusted instance of explorer.exe launched by server.exe. Then I examined SSDT via RKU.

    I then deleted an isolated (GeSWalled) copy of server.exe from Program Files > Bifrost.

    Now I tried server.exe outside of GW.
    EQS gave a popup that server.exe is being executed -- I allowed.
    2nd EQS popup -- Debug at system level -- I denied (with option to remember temporarily).
    3rd popup -- explorer.exe memory modification -- I denied (with option to remember temporarily).

    No more popups. Examined SSDT with RKU.

    I am posting results as text files, so you can examine them. These are 5 text files.

    1- Base-line SSDT shown by RKU without Shadow mode
    2- Base-line SSDT in ShadowMode
    3- SSDT after running server.exe inside GW
    4- SSDT after running server.exe against EQS
    5- GW log of server.exe isolation

    Please tell me your opinions and analysis of the results.

    Thanks

    I did not try NG yet as it's not yet installed on my new image and also, as far as I know, NG is still not supposed to protect against SSDT unhookers. I hope Arman will add this protection in future. I have already suggested this feature to him on their forums.
     

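aigle's method above is a before/after comparison of SSDT listings taken with RKU. The script below, added here and not part of the thread or of any tool it names, automates that comparison: it reads a baseline listing and a post-run listing in a constructed three-column format (function, handler address, owning module; RKU's real output format is not assumed), and reports services whose HIPS hook was replaced by the original ntoskrnl.exe handler (the entries gangABang's listing marks "unhooked"), hooks that now point at a different handler, and hooks the baseline did not have (the "unknown hooks" aigle mentions under ShadowMode). Driver names and addresses in the sample listings are placeholders.

```python
"""Diff two SSDT listings (baseline vs. after running a sample) and report
which HIPS hooks were removed. Listing format is constructed for this example:
"<function> <handler address> <module>"; ntoskrnl.exe means unhooked."""
KERNEL = "ntoskrnl.exe"

def parse_ssdt(text):
    """Return {function: (address, module)}; blank and '#' lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            func, addr, module = line.split()
            table[func] = (int(addr, 16), module.lower())
    return table

def diff_hooks(baseline, after):
    """Classify each service present in both listings (lists are sorted)."""
    out = {"unhooked": [], "rehooked": [], "new_hooks": []}
    for func, (b_addr, b_mod) in baseline.items():
        if func not in after:
            continue
        a_addr, a_mod = after[func]
        was_hooked, is_hooked = b_mod != KERNEL, a_mod != KERNEL
        if was_hooked and not is_hooked:
            out["unhooked"].append(func)   # hook restored to kernel: HIPS is blind here
        elif is_hooked and not was_hooked:
            out["new_hooks"].append(func)  # a hook the baseline did not have
        elif is_hooked and (a_addr, a_mod) != (b_addr, b_mod):
            out["rehooked"].append(func)   # hook replaced by a different handler
    return {k: sorted(v) for k, v in out.items()}

# Constructed listings; driver names and addresses are placeholders, not real ones.
BASELINE = """
NtCreateThread        0xF79A1000 hips_example.sys
NtOpenProcess         0xF79A1100 hips_example.sys
NtSetValueKey         0xF79A1300 hips_example.sys
NtWriteVirtualMemory  0xF79A1400 hips_example.sys
NtSystemDebugControl  0xF79A1500 hips_example.sys
NtLoadDriver          0x804F2000 ntoskrnl.exe
"""
AFTER = """
NtCreateThread        0x804E1000 ntoskrnl.exe
NtOpenProcess         0xF79A1100 hips_example.sys
NtSetValueKey         0x804E1300 ntoskrnl.exe
NtWriteVirtualMemory  0x804E1400 ntoskrnl.exe
NtSystemDebugControl  0xF7C00000 unknown_example.sys
NtLoadDriver          0xF7C00100 unknown_example.sys
"""

def report(baseline_text=BASELINE, after_text=AFTER):
    return diff_hooks(parse_ssdt(baseline_text), parse_ssdt(after_text))
```

Run `report()` on the two constructed listings to see three unhooked services, one rehooked and one new hook; point it at real RKU-derived listings by converting them to the three-column format first.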
  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Re: what a hell APPdefend is INSECURE

    Personally, it's none of my concern.
     
  23. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    OMG, this is really weird; from the log it seems everything is okay.
    I don't understand how come it bypasses/unhooks EQSecure, not once, not twice, three times lol on my systems.

    Maybe I could believe it if someone more experienced, maybe Jason, of course if he is interested, tests this and finds out with EQSecure. :)
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Re: what a hell APPdefend is INSECURE

    I think by mistake you have tested an older version of NG.
    Latest version is beta 3 build 302.

    http://www.smokey-services.eu/forum/viewtopic.php?t=6157
     
  25. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Re: what a hell APPdefend is INSECURE

    If they use browser injection it is very easy to detect, so I don't take it seriously. Its stealthiness leaves a lot of traces.

    Sure, it is the only non-commercial remote tool that can be taken seriously related to features and functions, but nevertheless easy to detect. But I still think this trojan/RAT scene is very weak, because since Bifrost nothing better ever appeared, 3 years and people only talk about Bifrost because nothing else is really good. So in reason there is nothing really scary out there, except this Purple Pill, Shadow Walker and Rustock.C myth that even isn't proven and only PoC.. so hackers out there, where is your munition? I don't see anything really scary! Show us something scary and proven... not just proof of concept. The last strike from the scene was Bifrost and hxdef, since then nothing real. So we come to the conclusion that 2004 was the last productive year with non-PoC and non-beta results of the black hats.
     
    Last edited: Oct 20, 2007