Testing bifrost against various HIPS/sandboxes...

Discussion in 'other anti-malware software' started by aigle, Oct 18, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: what a hell APPdefend is INSECURE

    Thread split from an AppDefend forum thread as the topic changed focus.

    ___________________________
    Did somebody tried it against other HIPS/ sandboxes etc?

    Thanks
     
    Last edited by a moderator: Oct 21, 2007
  2. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    yes lol :)
    the funnies thing is kav proactive is still bypassable after all this months
    so , what was the result was that physical\memory thing :)
    did you find out what it is exploiting?
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan

    Attached Files:

  4. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    aigle,nice to see your product passing.. :)
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: what a hell APPdefend is INSECURE

    lol, it,s not mine!
    I am just a user.:D
     
    Last edited: Oct 18, 2007
  6. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    deadly wrong it failed my test
    i only allowed process execution and blocked the rest here is the result :D lol
    bifrost sucessfully unhooked the SSDT
    EQSecure for System 2007 v3.41 Result
    ntcreatekey
    ntcreatesection
    ntcreatethread <----- unhooked
    ntdeletekey <------ unhooked
    ntdeletevaluekey <------unhooked
    ntloaddriver
    ntopenprocess
    ntopensection
    ntprotectvirtualmemory <----- unhooked
    ntrequestwaitreplyreport
    ntrestorekey
    ntsetcontextthread
    ntsetsysteminformation
    ntsetsystemtime
    ntsetvaluekey <---- unhooked
    ntshutdownsystem
    ntsuspendprocess
    ntsuspendthread
    ntsystemdebugcontrol
    ntterminatejobobject
    ntterminateprocess
    ntterminatethread
    ntwritefile
    ntwritevirtualmemory <-- unhooked
    ====================================

    so what was the alarm up there agile posted was it blocked ? naaa if the server was configured to unhook ntsystemdebugcontrol
    all will be Silent lol :D
    so EQsecure is too INSECURE
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: what a hell APPdefend is INSECURE

    Hi gangABang, thanks for ur testing. It,s interesting. Sorry if I have posted wrong results.

    1- I did not check for all SSDT hooks( it was my fault). I just had a glance on SSDT table in IceSword and saw most of hooks there, so I thought EQS passed.

    2- If I remember well, NicM has tested Bifrost recently and according to him, EQS (but it was version 3.4 not 3.41 ) passed the test- SSDT unhooking tests.

    I am not sure at the moment. I will repeat the test today or tomorrow by God,s will and post my results here. Will also see how GW and NG beahve.

    Please let me know which toll you used to see SSDT table hooks.

    Thanks
     
    Last edited: Oct 19, 2007
  8. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    i used rkunhooker btw i tested it only xp sp2. i duuno how sp1 behave so test it there too.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: what a hell APPdefend is INSECURE

    I tried on XP SP2.

    Give me some time and I will report back, may be tomorrow!
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Re: what a hell APPdefend is INSECURE

    You talk about version 1.21?
    I thought it is pretty buggy... imho bifrost does not represent such a great danger nowadays.. as far as I remember, but maybe you are talking about a newer version..
     
  11. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    it is not bifrost that makes it dangerous the theqniques used to bypass are what make it dangerous since every other virus or tr0jan could take advantage of it.
     
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Re: what a hell APPdefend is INSECURE

    You mean this little checkbox that allegedly should unhook everything? Beside Bifrost isn´t open source so why do you think other trojans will use this too? Bifrost was the only sophisticated Rat as far as I remember there is no serious opponent, but Bifrost is still very limited and imho not to take seriously. Since Bifrost nothing really new has happened except these exploit kits I guess, so where are all those so called super dangerous tools? Rootkit.com does not publish anything new... actually the defenders are much more productive then the aggressors in my opinion.. at least related to public productions.
     
  13. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Re: what a hell APPdefend is INSECURE

    Bifrost is to be taken seriously and the team developing it surely has friends as they are a group who seem to mostly have their own individual releases besides Bifrost.

    Edit: Interesting information on the origins of Bifrost's chosen name: http://en.wikipedia.org/wiki/Bifröst
     
  14. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Re: what a hell APPdefend is INSECURE

    Then I suggest you investigate your testing measures, because EQSecure passed with no problems on my end, as did ThreatFire.
     
  15. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    i am very sure it is insecure the same for neoavaguard beta2. :D
    on xp sp2 system
     
  16. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Re: what a hell APPdefend is INSECURE

    Nice try. EQSecure blocks the unhooking attempt, does not get unhooked, and then proceeds to monitor the trojan's subsequnt behavior. AntiBot/PRSC and ThreatFire block and quarantine this trojan as well.
     

    Attached Files:

    • 1.PNG
      1.PNG
      File size:
      14.5 KB
      Views:
      595
    • 3.PNG
      3.PNG
      File size:
      14.5 KB
      Views:
      608
    • 4.PNG
      4.PNG
      File size:
      17.6 KB
      Views:
      607
    • 2.PNG
      2.PNG
      File size:
      14.2 KB
      Views:
      598
    • 5.PNG
      5.PNG
      File size:
      21.5 KB
      Views:
      614
  17. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    which version of eQsecure did you try?? i ttested eqsecure 3.41.
     
  18. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    ok i have test this again on a different machine xp sp2 still eqsecure only warns "Debug at system level" repeatidly then i block it checking "remember this action" and all become silent and the server connected back to me i looked the ssdt the same result unhooked and has kicked eqsecure ass lol :D
    i am 101% sure it bypasses eqsecure 3.41, appdefend alpha version and neoavaguard beta2 :)
    i donno about theatfire since i dont have the software.
    if you dont believe ask someone to prove this for you. :D

    //edit : are you sure you are on admin account(it needs admin account).
     
  19. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Re: what a hell APPdefend is INSECURE

    I don't need someone else to prove it for me. EQSecure is working perfectly as advertised on aigle's and my system as well as another member on another forum who just tested this sample as well, so it's up to you to investigate your own test methods and find out why they're giving erroneous results.
     
  20. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    no they are proven and twice tried so i will not accept this.
    maybe i have to disagree with you :D
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: what a hell APPdefend is INSECURE

    Hi here is my testing.

    I used XP SP2. Used RKU( RootKit Unhooker) to examine SSDT. Loaded a fresh image of my working system. Uninstalled NeoavaGuard. Uninstalled older EQS v4. Installed latest EQS version 4.1.
    Other software on system are ShadowSurfer and Antivir. I did testing under SS as I have no VM. Remember on my system due to overlap between security softwarre, RKU doesn,t show all hooks of EQS. Also when I am in ShadowMode, EQS hooks are even reduced and there are unknown hooks on SSDT which are probably sue to ShadowMode.

    I tried GW and let Bifrost to run inside GW and to do whatever it wanted until it launched IE. I then killed IE and also killed isolated untrusted instance of explorer.exe launched by server.exe. Then I examined SSDT via RKU.

    I then deleted an isolated9 GesWalled) copy of server.exe from program files> Bifrost.

    Now I tried server.exe outside of GW.
    EQS gave popup that server.exe is being executed-- I allowed.
    2nd EQS popup -- Debug at system level -- I denied( with option to remember temporarily).
    3rd popup -- explorer.exe memory modification -- I denied( with option to remember temporarily).

    No more popups. Examined SSDT with RKU.

    I am posting results as text files, so u can examine. These are 5 text files.

    1- Base-line SSDT shwon by RKU without Shadow mode
    2- Base-line SSDT in ShadowMode
    3- SSDT after running server.exe inside GW
    4- SSDT after running server.exe against EQS
    5- GW log of server.exe isolation

    Please tel me ur opinions and analysis of results.

    Thanks

    I did not try NG yet as it,s not yet installed on my new image and also as far as I know NG is still not supposed to protect against SSDT unhookers. I hope Arman will add this protection in future. I have already suggested this feature to him on their forums.
     

    Attached Files:

  22. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Re: what a hell APPdefend is INSECURE

    Personally, it's none of my concern.
     
  23. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Re: what a hell APPdefend is INSECURE

    OMG this is really wierd from the log it seems everything is okay.
    i dont understand how come it bypasses unhookes eqsecure it not once not twice three times lol in my systems.

    maybe i could be believe if some one more expreinced maybe Jason ofcourse if he is interested test this and find out with eqsecure. :)
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Re: what a hell APPdefend is INSECURE

    I think by mistake u have tested an older version of NG.
    Latest version is beta 3 build 302.

    http://www.smokey-services.eu/forum/viewtopic.php?t=6157
     
  25. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Re: what a hell APPdefend is INSECURE

    If they use browser injection it is very easy to detect so I don´t take it serious. It´s stealthiness leaves a lot of traces.

    Sure it is the only non-commercial remote tool that can be taken serious related to features and functions but nevertheless easy to detect. But I still think this trojan/rat scene is very weak, because since bifrost nothing better ever appeared, 3 years and people only talk about bifrost because nothing else is really good. So in reason there is nothing really scary out there, except this purple pill, shadow walker and rustock.c myth that even isn´t proven and only poc.. so hackers outthere where is your munition I don´t see anything really scary! Show us something scary and proven... not just proof of concept. The last strike from the scene was bifrost and hxdef, since then nothing real. So we come to the conclusion that 2004 was the last productive year with non-poc and non-beta results of the black hats.
     
    Last edited: Oct 20, 2007
Loading...
Thread Status:
Not open for further replies.