What the hell, AppDefend is INSECURE

Discussion in 'Ghost Security Suite (GSS)' started by gangABang, Oct 16, 2007.

Thread Status:
Not open for further replies.
  1. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Download Bifrost from ~Snip. No links to possible malware on the forums.~ See how it restores the service descriptor table to ntoskrnl.exe, lol. It kicks Process Guard and various firewalls like ZoneAlarm, etc...
    P.S. Bypassing is limited to XP systems.
     
    Last edited by a moderator: Oct 16, 2007
  2. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Hey gangABang, feel free to PM me a link to 'bifrost' and I will test and post results :D
     
  3. xtree

    xtree Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    96
  4. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Well, there are also cases of "rogue" security software kicking out others too. Since drivers need to be installed (to obtain ring 0 access), you should get a few warnings from AD on the path this test/malware takes. Once you've gone ring 0, however, anything is possible.

    GSS will be updated in the future to tell users if such kernel modifications are made and what you want to do (i.e. repair), but there is no easy way to stop it as such (besides not running and allowing rootkits.. ;) ).
     
  5. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    No, not at all. It doesn't need any driver to install, so AD is silent all over the test, lol. It just goes to ring 0 and unhooks all of the descriptor table; that's why I post here. And it is very dangerous, although it's for XP systems (most people are on XP).
    It bypasses the popular Kaspersky Antivirus Proactive Defense; I don't know why they still haven't reacted to it. ZoneAlarm too, lol. It bypasses AppDefend easily too.
    http://img514.imageshack.us/img514/2969/kuhookkc4.jpg
     
    Last edited: Oct 17, 2007
  6. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Unless there is a new method I'm unaware of, you either need physical memory access or ring 0 access, both of which AD cover. Which version of AD did you try?
     
  7. gangABang

    gangABang Registered Member

    Joined:
    Oct 12, 2007
    Posts:
    19
    Since I am not a computer reverser, I don't know how the programmer did it. Could be another version of physical memory, lol. I sent you a PM for the download. :D
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    From the information you posted, that really sounds like access to \Device\PhysicalMemory (requires an admin account) to unhook all kernel hooks without loading any driver. However, AD should prevent that.

    Will be interesting to hear news from Jason about that.

    Regards,
    gkweb.
     
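The mechanism gkweb describes above (an admin-level process writing the kernel's service descriptor table back to its ntoskrnl.exe addresses through \Device\PhysicalMemory, with no driver load for a HIPS to warn about) leaves a HIPS that relies on SSDT hooks silently disarmed. The check below is an added example, written for this page; it is not code from the thread, from Ghost Security, or from the Bifrost sample. It does the defensive half of the problem that Jason_R0 says a future GSS will do: record the table state the HIPS expects and compare it against a later read, flagging entries that were restored to the kernel image ("unhooked"), newly redirected ("hooked"), or pointed at an address in no known module. All module ranges, table indexes and addresses are constructed for illustration; on a real XP box they would come from a kernel debugger or a memory dump, and the function names (`owner_of`, `diff_ssdt`) are this example's own.

```python
"""Added example: baseline-and-compare check for SSDT hook state.

Not code from the thread, Ghost Security, or the malware sample.
All addresses, indexes and module ranges below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    """Image range of a loaded kernel module (constructed values)."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: List[Module]) -> Optional[str]:
    """Name of the module whose image range contains addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def diff_ssdt(expected: Dict[int, int], live: Dict[int, int],
              modules: List[Module], kernel: str = "ntoskrnl.exe"
              ) -> List[Tuple[int, Optional[str], Optional[str], str]]:
    """Compare a live SSDT read against the state a HIPS expects.

    Returns (index, expected_owner, live_owner, verdict) per changed entry:
      'unhooked'  entry pointed into the HIPS driver, now points back into
                  the kernel image (the silent restore discussed above)
      'hooked'    entry pointed into the kernel, now points into a driver
      'rewritten' entry now points to an address in no known module
      'changed'   any other move between two known modules
    """
    findings = []
    for idx, exp_addr in sorted(expected.items()):
        live_addr = live.get(idx)
        if live_addr is None or live_addr == exp_addr:
            continue
        exp_owner = owner_of(exp_addr, modules)
        live_owner = owner_of(live_addr, modules)
        if live_owner is None:
            verdict = "rewritten"
        elif exp_owner != kernel and live_owner == kernel:
            verdict = "unhooked"
        elif exp_owner == kernel and live_owner != kernel:
            verdict = "hooked"
        else:
            verdict = "changed"
        findings.append((idx, exp_owner, live_owner, verdict))
    return findings


# Constructed 32-bit XP-style layout (hypothetical addresses).
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x0021D000),
    Module("hips.sys",     0xF8A10000, 0x00010000),  # hypothetical HIPS driver
]

# Kernel targets as they stood before the HIPS installed its hooks.
ORIGINAL = {0x25: 0x805A0C8E, 0x35: 0x805B1120,
            0x7A: 0x8059A2C4, 0xBA: 0x805C3F10}

# What the HIPS expects to see after hooking three of the four entries.
HIPS_STATE = {**ORIGINAL, 0x35: 0xF8A11200, 0x7A: 0xF8A11340, 0xBA: 0xF8A11480}

# A later read: every hooked entry written back to its kernel address,
# and one entry redirected to a user-mode address (constructed scenario).
AFTER_RESTORE = {**ORIGINAL, 0x25: 0x00401000}


if __name__ == "__main__":
    for idx, exp, live, verdict in diff_ssdt(HIPS_STATE, AFTER_RESTORE, MODULES):
        print(f"SSDT[0x{idx:02X}]: {exp} -> {live}: {verdict}")
```

The useful property is that the comparison is against the HIPS's own expected state, not against a clean kernel: a scan that only asks "does every entry point into ntoskrnl.exe?" would call the restored table clean, which is exactly the condition the thread is complaining about. The check still has to run from code the attacker has not already neutralised, and it does not itself block the write to physical memory; it only makes the restore visible so the user can be told and the hooks re-applied.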
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  10. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
  11. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Well, at least you found out the solution :D Crazy how AppDefend did not already cover that though ;|
     
  12. Jason_R0

    Jason_R0 Developer

    Joined:
    Feb 16, 2005
    Posts:
    1,038
    Location:
    Australia
    Yes it is a bit crazy that I missed it. I shocked myself even. :)

    It possibly could have been a bit more hidden until the malware started to use it recently, since pretty much every product was vulnerable.
     
  13. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    So Jason, what are your thoughts on the possibility of even more hidden leaks and the possibility of covering them all?
     
  14. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    246
    Location:
    NJ, USA
    Hasn't this thread degenerated into a comparison of different HIPS?

    I thought that was not permitted on this forum. I see the mods killing threads often when comparisons are done with Anti Virus products.
     
  15. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Actually, a much more basic rule applies here - that being going off-topic and discussing other products in a dedicated product forum.

    This is the Ghost Security AppDefend forum section, and all topics here should be solely about AppDefend. (Oh, there can be the passing note that a feature like some other product would be nice, or similar, but not a total change to discussing other products' capabilities against a certain threat.) This thread was started appropriately with an observation that bifrost was able to get around some AppDefend protections. In post #10, Jason confirmed the issue and stated an update will address this issue.

    Post #14 asked about bifrost being tested on other HIPS/sandboxes, and from that point forward, no one even mentioned AppDefend again. So, what needs to be done is a post split, taking all posts from 14 on down, and making them a thread in, let's say "other anti-malware software" under a title like "testing bifrost against various HIPS/sandboxes".

    I'll do that a little later...

    ====================

    This has been done - new thread is here:

    https://www.wilderssecurity.com/showthread.php?t=188878
     
    Last edited: Oct 21, 2007
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That will be a lot better.
     
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    We should open a new topic: Bifrost the last dinosaur of a dying quality species.
     