what a hell APPdefend is INSECURE

download bifrost from ~Snip. No links to possible malware on the forums. see how it restores the service discriptor table to ntoskrnl.exe lol it kicks Process guard and various firewall like zonealarm etc...
P.S. bypassing is limited to xp systems.

 

Hey gangABang, feel free to PM me a link to 'bifrost' and I will test and post results

 

Hi guys,

you mean bifrost like this?

http://research.sunbelt-software.com/threatdisplay.aspx?name=Bifrost&threatid=29428

 

Well, there are also cases of "rogue" security software kicking out others too. Since drivers need to be installed (to obtain ring 0 access) you should get a few warnings from AD on the path this test/malware takes. Once you've gone ring 0 however, anything is possible.

GSS will be updated in the future to tell users if such kernel modifications are made and what you want to do (ie repair), but there is no easy way to stop it as such (besides not running and allowing rootkits.. ).

 

no not at all it dont need any driver to install so ad is silent all over the test lol it just goes to ring 0 unhooks all the discriptor table that's why i post here and it is very dangerous although it's for xp systems (most people are on xp).
it bypasses popular kaspersky antivirus proactive defense i dont know why they not reacted on it still zonealarm too lol it bypasses appdefend easily too.
http://img514.imageshack.us/img514/2969/kuhookkc4.jpg

 

Unless there is a new method I'm unaware of , you either need physical memory access or ring 0 access, both of which AD cover. Which version of AD did you try?

 

since i am not computer reverser i dunno how the programmer done it could be other version of physical memory lol i sent you a PM for download.

 

Hello,

From the information you posted, that really sounds like access to \Device\PhysicalMemory (requires admin account) to unhook all kernel hooks without loading any driver. However AD should prevent that.

Will be intesresting to heard news from Jason about that.

Regards,
gkweb.

 

See these threads:
A comparative : 10 HIPS against 'brutal unhooking' malwares
Process Guard Rootkit prevention - in need of an update?
Another undocumented Windows backdoor

 

This looks like part of the problem. AD will have to be updated to address the system debugger control, as it doesn't seem to cover all important areas.

http://bink.nu/news/win-xp-kernel-n...ge-execute-arbitrary-code-in-kernel-mode.aspx

 

Well at least you found out the solution Crazy how AppDefend did not already cover that though ;|

 

Yes it is a bit crazy that I missed it. I shocked myself even.

It possibly could have been a bit more hidden until the malware started to use it recently, since pretty much every product was vulnerable.

 

So Jason, what are your thoughts on the possibility of even more hidden leaks and the possibility of covering them all?

 

Hasn't this thread degenerated into a comparison of different HIPS?

I thought that was not permitted on this forum. I see the mods killing threads often when comparisons are done with Anti Virus products.

 

That will be a lot better.

 

We should open a new topic: Bifrost the last dinosaur of a dying quality species.