Worm bypassing GesWall, CFP, MD?

Discussion in 'other anti-malware software' started by aigle, Feb 9, 2010.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok, I found this interesting worm on a friend's heavily infected PC.

    It creates autorun.inf files to infect all partitions, drives and USB sticks, makes its copies here and there and acts as a file infector too. Connects out as well.

    A very interesting feature is that this worm minimizes or hides the working windows/GUI of many security software and system analysis tools like MBAM, CFP configuration windows, Process Explorer, Gmer and many others. On the infected system I was unable to run any system analysis tools or antimalware except HitmanPro, SAS Portable and Panda Cloud AV. It stopped me from using MBAM, Gmer, Process Explorer, ThreatFire and some other tools.

    Ok, what is the bypass:

    1- For CFP and MD, it's a partial bypass. Once allowed to execute and make its copies, CFP and MD can't intercept and stop the worm from hiding the windows/GUI of Process Explorer and some other tools/software. It's very interesting, as I remember not long ago there was a POC discussed here which was able to hide the GUI of any application, and almost all HIPS at that time failed to intercept this behavior. It's very interesting to see such behavior in a malware that is in fact in the wild.

    2- More interesting, I ran the worm as untrusted inside GesWall. Still it was able to hide/minimize the GUI of Process Explorer running as trusted. :eek: :eek:
    SBIE handled this well. I was not able to test DW though.
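    The autorun.inf spreading described in the post above can be checked for from the defender's side. The following is an added example, not code from the thread or from any of the products named: it parses an autorun.inf (standard [autorun] semantics assumed), flags entries that launch a program or redirect the drive's default double-click action, and can be pointed at a drive root; the two sample files and the name worm_sample.exe are constructed.

```python
import os
import re

# Keys whose value Windows runs on insert/double-click (standard autorun.inf semantics).
EXEC_KEYS = ("open", "shellexecute")
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs")

def parse_autorun(text: str) -> dict[str, str]:
    """Return key=value pairs of the [autorun] section, keys lowercased; junk lines ignored."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values

def autorun_findings(text: str) -> list[str]:
    """Flag entries that launch a program or hijack the drive's default action."""
    vals, findings = parse_autorun(text), []
    for key, value in vals.items():
        launches = key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        tokens = value.lower().replace('"', "").split()
        if launches and any(tok.endswith(EXEC_EXT) for tok in tokens):
            findings.append(f"{key}= launches {value}")
    # shell=<verb> together with shell\<verb>\command makes double-click run that command
    verb = vals.get("shell", "").lower()
    if verb and f"shell\\{verb}\\command" in vals:
        findings.append(f"shell={verb} redirects the default double-click action")
    return findings

def scan_root(root: str) -> list[str]:
    """Check one drive root (e.g. a mounted USB stick) for an autorun.inf and report findings."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", errors="replace") as fh:
        return autorun_findings(fh.read())

# Constructed samples (not taken from the worm): one hijacking a drive, one benign.
SAMPLE_WORM = ("[autorun]\nopen=worm_sample.exe\nshellexecute=worm_sample.exe -install\n"
               "shell\\open\\command=worm_sample.exe\nshell=open\n")
SAMPLE_BENIGN = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Driver Disc\n"
```

    Run scan_root over every mounted volume to find autorun.inf files that launch something; a benign disc with only icon= and label= entries produces no findings.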
     
  2. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    What was the worm identified as by the tools that you were able to run? Were you successful in cleaning the pc? How?

    Very interesting find.:(
     
  3. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Aigle, can you give me the link?
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I tested it on XP SP2 under Returnil. Worm name is Mabezat. PC is now formatted with a fresh install of Ubuntu as a cure for repeated life-threatening infections. My friend's kids are incurable, I think :), and they have a Vista laptop already, so I put Ubuntu on the desktop. I am going to encourage them to get this desktop infected now. :D
     

    Attached Files:

  5. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
  6. 1000db

    1000db Registered Member

    Joined:
    Jan 9, 2009
    Posts:
    718
    Location:
    Missouri
    Impressive worm. It will also copy itself to a CD when a disc is burned. This worm could wreak havoc on most commercial LANs I've been on.
     
  7. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,588
    Location:
    Mumbai
    Yeah, really impressive one, man. Hope there would have been a portable version of MBAM :)
     
  8. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    So only SBIE can handle this at the moment?
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No, many can. It's detected by almost all of the AVs on VT. HIPS will stop it. GesWall has a partial bypass; otherwise the worm is contained and will not survive a reboot, and GW also gives a lot of Attack notifications with the worm that will warn the user.

    It's just a very interesting partial bypass for many HIPS and GesWall. Once we saw it in a POC, now in a real malware.
     

    Attached Files: 1.JPG, 2.JPG
    Last edited: Feb 9, 2010
  10. Ed_H

    Ed_H Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    662
    Location:
    Chicago, IL
    Just wondering if anyone tried this worm with OA or DW?
     
  11. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, I did.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    And were you happy with the result? (simple Yes or No will do)
     
  13. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, I was happy.
     
  14. Ed_H

    Ed_H Registered Member

    Joined:
    Nov 10, 2004
    Posts:
    662
    Location:
    Chicago, IL
    Thanks Ilya. :thumb:
     
  15. Antarctica

    Antarctica Registered Member

    Joined:
    Feb 25, 2003
    Posts:
    1,617
    Location:
    Canada
    Yeah thanks Ilya, this is good news.
     
  16. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I'd like to see the results against ThreatFire + Windows Defender - in those two I trust. :D
     
  17. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    DW 3 or DW 2.56 or both?
     
  18. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC
    ThreatFire I do not know, but Windows Defender will not stop it.
     
  19. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I've tested it against the 3.0 version as, anyway, the RC is very close.
     
  20. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Yeah, I meant those two at the same time - Windows Defender can sometimes detect things with its HIPS that are useful. ;)
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan