What on earth has happened to viable HIPS software availability?

Discussion in 'other anti-malware software' started by Smiggy, Mar 10, 2017.

  1. mWave

    mWave Guest

    I definitely think that kernel-mode rootkit development is pushing towards the usage of virtualization to take full control over the software being virtualized (e.g. to bypass PatchGuard to set hooks from kernel-mode to hide files/registry keys/processes and/or protect them for example), but the only problem here is that the malware author would need to either find a bypass for PatchGuard from user-mode entirely to actually get their unsigned device driver loaded on x64 systems, find a weakness in existing software installed where they can patch a device driver already installed on the system so once it loads it executes their own kernel-mode code instead/before the original driver's code, or just get hold of an Extended Validation certificate which is pretty difficult as it's more expensive and you require genuine company registration and the such (you would have to send in the documents which become validated and so forth).

There is however something called Test Mode; if it's enabled then you can load unsigned device drivers on x64 systems regardless of PatchGuard. However, you require administrator privileges to activate it; you can just execute bcdedit.exe (built into Windows) and pass some parameters and it'll do all the work to enable it for you. Of course, monitoring API calls from within that process while enabling it intentionally will allow you to identify what API calls it makes to do the work which we cannot see (e.g. how it makes the changes, how the information is stored and so on) and then you might even be able to do it from a standard process, but it really depends.

    Now in terms of rootkit development, if it's a targeted user specifically which you want to infect then if you wait and watch and observe and can find out any software he is using then I guess you could find a weakness in one of them and abuse that to kick start everything, but generally speaking, malware in the wild typically won't do anything like that usually at least.

    Since I was speaking about API hooking earlier I believe I have something to say that is still relevant and triggered after reading this bit I quoted in my mind, maybe it'll be found informatively useful to someone:

    On older versions of Windows, like Windows 7 32-bit, before code execution is pushed over to the kernel (system call) but after the execution flow had reached and gone beyond the start of the function stub in NTDLL.DLL, there is a call made to an undocumented function called KiFastSystemCall (present in user-mode however it's not exported by NTDLL.DLL). You can actually hook this function, and every single Native API call will pass through this function; this means that you can hook ONE function and pretty much take control over all NTAPI calls which pass through it (pretty much most, if not all the NTAPI functions), which is much easier than hooking a ton of functions. Why hook 16 when you can hook one and still intercept all the API functions exported by ntdll.dll which you wanted to monitor the usage of?

That function in particular is pretty neat, and I doubt you will ever find a sample in the wild which will be able to identify if there is a hook on that function. Since the function is not exported, you have to find the address manually (and also bear in mind that the function is undocumented) which makes it much harder to identify if it's hooked or not (since you'd need to know how to find the address first and then scan the function prologue in memory to check the bytes at its address, etc.). This also means that if you hook that function to intercept a ton of NTAPI functions, not only will you accomplish what you wanted to do without the need to hook more individual APIs, but you'll pretty much be under the radar to all malware samples out in the wild (e.g. Banking Trojans like Zeus and Carberp - they won't have a clue that their API calls are being intercepted!).

    Now on x64 there is also an undocumented function called X86SwitchTo64BitMode, hooking this has a similar effect to the KiFastSystemCall hook. However, on newer versions of Windows like Windows 10, things have changed so you can't do that sort of stuff anymore for that effect. But most security software is still available on older versions of Windows (like Vista or 7) so can still be interesting and maybe useful.

    In fact, now I think about it, I doubt any anti-rootkit scanners on the market which have hook detection capabilities will be able to identify a hook on a function like KiFastSystemCall or X86SwitchTo64BitMode. Don't quote me on that since I haven't tested it, but I just find it highly unlikely that they will since those functions are pretty low in ring 3, lower than the Native API functions exported by ntdll.dll.

It's not the same as hooking system calls, but it's pretty damn similar IMO, since it supports intercepting dozens of API functions with just one hook, but a system call will still bypass it as expected. :)
     
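The hook-detection side of what mWave describes above, as an added example that is not code from the thread: the clean 32-bit KiFastSystemCall stub has a fixed, tiny prologue, so a scanner that reads the bytes at its address (on a live 32-bit system, the pointer held in KUSER_SHARED_DATA.SystemCall) can tell an inline detour from the genuine stub. The byte buffers here are constructed stand-ins for memory read from a process, and the 0x77C0F000 stub address is an assumed sample value.

```c
/*
 * Added example: classify the first bytes of the user-mode KiFastSystemCall
 * stub to detect inline hooks. Runs offline on constructed byte buffers.
 *
 * Clean stub on 32-bit Windows XP/7:
 *     8B D4    mov edx, esp
 *     0F 34    sysenter
 *     C3       ret
 * Assumes a little-endian host when decoding the jmp displacement (x86).
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KIFAST_LEN 5
static const uint8_t KIFAST_CLEAN[KIFAST_LEN] = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3 };

enum hook_verdict {
    CLEAN = 0,
    HOOK_JMP_REL32,      /* E9 rel32            : classic 5-byte detour   */
    HOOK_JMP_INDIRECT,   /* FF 25 [abs32]       : jmp through a pointer   */
    HOOK_PUSH_RET,       /* 68 imm32 ; C3       : push target ; ret       */
    MODIFIED_UNKNOWN     /* not clean, pattern not recognised             */
};

/* `code` is what a scanner read at the stub address; `len` bytes available. */
enum hook_verdict classify_kifast_prologue(const uint8_t *code, size_t len)
{
    if (len < KIFAST_LEN) return MODIFIED_UNKNOWN;
    if (memcmp(code, KIFAST_CLEAN, KIFAST_LEN) == 0) return CLEAN;
    if (code[0] == 0xE9) return HOOK_JMP_REL32;
    if (code[0] == 0xFF && code[1] == 0x25) return HOOK_JMP_INDIRECT;
    if (code[0] == 0x68 && len >= 6 && code[5] == 0xC3) return HOOK_PUSH_RET;
    return MODIFIED_UNKNOWN;
}

/* For an E9 detour, resolve the absolute target so an analyst can see which
 * module the hook lands in. `stub_addr` is where the stub lives in memory. */
uint32_t jmp_rel32_target(const uint8_t *code, uint32_t stub_addr)
{
    uint32_t rel;
    memcpy(&rel, code + 1, sizeof rel);   /* displacement follows the opcode */
    return stub_addr + 5 + rel;           /* relative to the next instruction */
}

/* Constructed samples: a clean stub and one overwritten by jmp +0x1000. */
static const uint8_t SAMPLE_CLEAN[5]  = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3 };
static const uint8_t SAMPLE_HOOKED[5] = { 0xE9, 0x00, 0x10, 0x00, 0x00 };
```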
  2. guest

    guest Guest

There is only one method: hash checksum (not MD5 but SHA1, 256, 512 or better); they are the DNA of the file, modify one letter in the code and the hash changes. Go to the vendor site, find the hash, compare it to the hash of the exe you plan to install.

There was some PoC that a hash (the weakest type) can be falsified but it takes enormous resources and time.

Indeed, in fact with an HIPS as well as with an SRP/anti-exe, you can achieve the same goal at the end: lock the system. The difference is the journey.
- HIPS is like taking a nice cruise motorbike and enjoying the travel and landscape until you reach the destination
- SRP/anti-exe is just taking a plane.

I was a big fan of HIPS, but after the Comodo fiasco with the disappearing rules bug unfixed after 10 years, I ditched it because I lost 3 hours making rules, then looked for a replacement; then AppGuard got on my radar, tried it, then my immediate thought:
"damn man, I don't have to create rules anymore and waste time answering prompts! I'm saved"

Now of course I won't deny HIPS usefulness, but if I can get the same result with less hassle, I choose the easy solution. Just a matter of taste. For me, only the result matters.

Maybe because of the syntax of my sentences, I'm not a native English speaker. :D
     
  3. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Wonderful information on pages 4 and 5. Thank you mWave for your writeups, and thank you Rasheed and guest for a neat discussion.
Until this writeup by mWave, I was only familiar with the SSM hooks of practically all functions in the SSDP. Great to read about all these other ways, especially on the newer Windows than XP. Opens your mind :)
     
  4. B-boy/StyLe/

    B-boy/StyLe/ Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    518
    Location:
    Bulgaria
    Happy Easter!

    I agree but not all vendors provide the hash checksum on their sites. So if we accept that most of the files are dangerous and I shouldn't download and run anything on my system (from what you said)

    ("In my case , if i'm not 100% sure, i just don't install it. There is no such thing than i unknown file allowed to run in my system.")

then I don't need an anti-exe since I will simply not download and run anything, and if I run a file by accident I can't block it with SmartScreen or UAC.

But I am curious and often want to see what a file or malware does. I can easily use VBox or VMware but some files don't work well there (VM-aware).
    I can use Shadow Defender but I rarely restart my system and what if I forget to disable it? I will lose all changes made after enabling it.
    For me the most reliable method is to run it in the Sandbox (to see the dropped files/changes) and then to install it using the Safe Mode of the HIPS (or the Installer mode if the file is harmless).

    I like the anti-exes (better make a whitelist and block everything else instead of adding blacklist or new defs. every single day). Set and forget, but this is not applicable for everyone. However I still like the way they work (and can add a few Applocker rules along with the SRP) in the near future if I need to do so. :)

Both types of programs provide a very good level of protection, so everyone is free to choose their own protection method.
     
  5. guest

    guest Guest

    you too Thx :)

    You can use anti-exe to block other attack vectors (external devices, powershell execution , etc...)

    yes in that case, it is useful to have an HIPS.

I always agreed with that. I just point out that for me HIPS are more of a hassle in the way I set my security.
You monitor and then block, I just block first then check. :D

If I can use an analogy:

1- HIPS are like the security guy in front of a public club, he checks everyone, and based on some criteria, he lets people enter or not, then he keeps watching inside the club for bad/suspicious behaving people.
2- SRP (like AppGuard) are the same guy but the club is private, he just checks if the person is accredited, if not he kicks them.
3- AVs are the security guy too but he lets everyone enter except the ones recognized as criminals and keeps watching inside the club if some criminals managed to enter.
     
    Last edited by a moderator: Apr 16, 2017
  6. imuade

    imuade Registered Member

    Joined:
    Aug 4, 2016
    Posts:
    751
    Location:
    Italy
  7. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,879
    Last classical HIPS still extant is Comodo Firewall.

    Its HIPS component is pretty robust and protection is solid.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    No not really, SpyShelter does the same. You also have Dr.Web Katana, but last time I checked it was pretty bad.

    https://www.wilderssecurity.com/threads/dr-web-katana-a-non-signature-anti-virus.381749/

    It's crap.

    That would be a bit scary indeed. But in terms of anti-rootkit some have already tried it, think of McAfee DeepSafe, but it didn't become a success. BTW, I believe that Invincea X is also using a hypervisor for isolation.

    http://theinvisiblethings.blogspot.nl/2012/01/thoughts-on-deepsafe.html
     
  9. mWave

    mWave Guest

Maybe. If you gain access to it or know someone who does, if the product works fine without virtualization enabled (e.g. via BIOS) then that's a clear indicator that it doesn't use the hypervisor for isolation.
     
  10. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    255
    Location:
    Poland
Hmm, I used Outpost and swapped to OA later, then I went back from OA to Outpost because Online Armor closed; after a few months Outpost was also dead...
Now I stay with SpyShelter FW with AppGuard... I don't use behavior blockers from AVs in real time, I gave up on them.
More effective is Isolation + Virtualization than AV and other scanners which together can't figure out 100% of viruses on time.
Shadow Defender + Sandboxie on main and VMware Workstation Pro for the other system where I have to do risky operations.

Tested ReHIPS, it's really nice but lacks a few important friendly settings for me, that's why I stay with SSFW and Sandboxie, but it's also nice software.
     
  11. guest

    guest Guest

SRP (AppGuard) or Anti-exe (ERP, VS, etc...) + Isolation (Sandboxie, ReHIPS) or/and Virtualization (Shadow Defender) is the best combo in terms of security.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    You can say that again.

    I D/L it on the desktop for a look over and guess what?

    It doesn't even budge or even flicker. A dead inert file :eek:
     
  13. Quassar

    Quassar Registered Member

    Joined:
    Oct 19, 2011
    Posts:
    255
    Location:
    Poland
Yeah, exactly "light and pure secure"; at last you can add a VPN and Adguard with privacy settings to mask your PC "referrer and user agent" and connection "IP address".
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,561
    Location:
    The Netherlands
    It's no hassle, especially if you can fine tune HIPS to alert only about important stuff. To clarify, when you install some app, you don't need to be alerted about ALL child processes, because this will generate a huge amount of alerts. But you should be alerted about system processes that are used in attacks, this is what ERP does with the "vulnerable process" feature. However, I still need HIPS for other stuff like:

    - Service/driver installation
    - Registry modification (network settings, auto-start)
    - Low level keyboard and disk access
    - Incoming/outgoing connections
    - Code injection (standard methods)
    - File/folder reading and writing
     
  15. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
Does a HIPS prevent inbound and outbound connections?
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
If it's monitoring network connections also, then yes. Malware Defender did have that option.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I miss Malware Defender. Outstanding HIPS even compared to my fav EQSecure
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    SpyShelter is a combined firewall + HIPS.
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Yes, I miss it also. I never tried EQSecure so can't compare them, but I've heard many good things about it here on Wilders, when it was developed.
     
  20. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    There was a short but enthusiastic season for HIPS: System Safety Monitor, Malware Defender, EqSecure, Online Security Solution..... and, NOT an HIPS but very fine, GesWall.
     
  21. guest

    guest Guest

I feel that a BB would fit you better; unfortunately there is no more standalone granular BB, Emsisoft Mamutu was the best one. So with the requirements you mentioned above, only HIPS can do what you need. That is considering you need monitoring obviously.
     
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    The best of times for HIPS and yes GesWall as well as a few others.

    RootkitUnhooker tool was a powerhouse zapper for SDT malware removal too.
     
  23. guest

    guest Guest

    ReHIPS is the closest thing to GesWall, it is why i really like it.
     
  24. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen

    I couldn't remember this morning: RealTime defender and ProSecurity too. :thumb:
     
  25. erreale

    erreale Registered Member

    Joined:
    May 2, 2004
    Posts:
    27
    Location:
    Italy

    Yep. Those were the good days! ;)

    Now I have fun with AppGuard and ReHips.:D
     