Interesting HIPS leaktests/ malware tests

Discussion in 'other anti-malware software' started by aigle, Jan 18, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    In a period of the last one year or so we have raed about a couple of leaktests/ malware here on Wilders that put many HIPS in trouble, proving that even the sophisticated HIPS might fail vey well to provide zero day protection.

    The good thing is that many HIPS developers have responded positively and have improved their HIPS accordingly. So it,s a healthy attitude, despite the fact that these developers often don,t get enough revenue from their software and even some of them are free.:thumb:

    I juat wanted to recall most of them that proved the weakness of many HIPS or atleast proved to be a very interesting leaktest/ malware.

    1- KillDisk virus- was the first such malware in my memory, it defeated most HIPS and SandBoxes if allowed to execute. It was more than ayear back.

    2- XP Killer trojan- Defeated many HIPS after execution was allowed.

    3- Most recent Cutwail/Bulknet malware- sadly the thread did not continued long enough

    https://www.wilderssecurity.com/showthread.php?t=195817

    4- System Shutdown Simulator

    https://www.wilderssecurity.com/showthread.php?t=192099&highlight=system shutdown simulator

    5- GetRawInputData keylogger

    https://www.wilderssecurity.com/showthread.php?t=193247

    6- Martin,s Undetectable Keylogger

    7- BufferZone Trojan test- though it was buggy sure, but still interesting

    8- DFK Threat Simulator

    9- Phide.exe rootkit

    https://www.wilderssecurity.com/showthread.php?t=152280&highlight=rootkit

    10- System shutdown protection tests

    https://www.wilderssecurity.com/showthread.php?t=187831&highlight=HIPS

    11- A special termination protection test( by windows messages)

    https://www.wilderssecurity.com/showthread.php?t=172653&highlight=HIPS

    12- SSDT Unhooker tests

    https://www.wilderssecurity.com/showthread.php?t=180969&highlight=HIPS

    13- Advanced Process Terminator( APT) from DCS

    14- Simple Process Termiantion( SPT) from syssafety.

    15- KeyLogger test from SysSafety

    16- AKLT by FireWall tester

    17- An interesting Kill method by spy.exe discussed here.

    https://www.wilderssecurity.com/showthread.php?t=184402&highlight=BufferZone

    https://www.wilderssecurity.com/attachment.php?attachmentid=193130&d=1188689461

    18- Prueba trojan test

    https://www.wilderssecurity.com/showthread.php?t=179003

    19- PassDiskProtect_C- sandbox/virtulization bypass under ring3:

    https://www.wilderssecurity.com/showthread.php?t=195340

    20- Robodog- password stealing trojan- not discussed heer, i just found a post by Solcroft, interseting that it bypassed many ISR solutions.

    https://www.wilderssecurity.com/showpost.php?p=1145780&postcount=30

    I must have forgot some, pls add to the lsit.

    Thanks
     
    Last edited: Jan 21, 2008
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    OK Aigle, but how many of these tests required user input in like - OK -and or - Yes?
    "Was Allowed"

    I can kill my disk by any "Allowed" action if not in Returnil mode?

    Any and all of these tests fail if run Sandboxed!:cool:
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Yes, no execution, no harm is the rule but modern HIPS are expected to defend more than this.
    Not the keyloggers! Also Sandboxie probably failed( not sure though) when first tried against KillDisk, it was fixed later.
    If failed against some termination tests too!
     
  4. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Thats a great list Aigle,
    Very good reference for future use.

    Since there are lots of security enthusiasts here at wilders would be good if:

    Someone made a page similar to Matousec's with a table of popular HIPS and sandboxes such as those on castlecops wiki against the tests you mentioned.

    Now that would be cool! Anyone? All you need is a virtual machine and a free website hosted at like 110mb.com!
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Thanks!
    And a lot of time n knowledge.
     
  6. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Good work Eagle!

    It's also good to remind us that "Being to comfortable" even with the best technologies on hand can sometimes prove risky...

    It also shows a great deal of support from the developers when new "weakness" are reported. Helps us all sleep at night!
     
  7. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    i disagree with this aigle,

    sure, these threats could disable or harm a HIPS, but these files would still have executed a allow/deny/block or whatever prompt.

    if the correct prompt was used, i very much doubt that any of the files listed would have penetrated past a HIPS.
     
  8. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Only issue I can see with it from my perch, is those prompts require user intelligence to be effective. Unfortunately user intelligence is often on holidays...
     
  9. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    if in doubt, deny/block.

    i really wouldnt label this as being intelligent.

    if a user does not understand those words, forget using a HIPS, infact... forget the internet in general. :rolleyes:
     
  10. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Mmmh... a bit dire a verdict.

    I would throw that ball back at the developers. It is in the communications between the user and the utility that the issue is sourced. Not the user so much. I think most would make the "Right" choice if given clear governance and the right information... in clear contextual and simple fashion.
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Have a look at your sig: It is a good idea to provide a test centre central page (ON YOUR WEBSITE MAYBE :eek: ) where you can download test progrs, with the correct warning off course (don't try this at home when you have not got VM or Image backup in place).

    AIGLE :thumb: :thumb: :thumb:

    Regards Kees
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Thanks Kees!
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Just added two more:

    No. 19 and 20.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    In considering a user standpoint with these tests, while I haven't tested all of them, the testing I've done required disabling F-Prot which I had on the vm machine to test. It shut them all done.

    I know someone in the security business, and his approach when given anything new is to wait 30 days. Then scan and install it. Hmmm


    Pete
     
  15. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    You can of course just do it on the castlecops wiki. The wiki is free for editing to anyone..... you dont have to be cc staff...
     
  16. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Can somebody send me this "Robodog" malware sample with a short description of it and its job- I haven't tested it?
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Peter may be able to.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    I also want it also. I PMed solcroft but he does not have it ATM. Coldmoon might have a copy of it. I PMed him but so far no reply!
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,992
    Location:
    The Netherlands
    I have finally tested it and Neoava passes the test. And what´s so special about the EICAR file creation? If it can´t execute it´s no problem, right?

    It was nice to see that SSM´s protection against "low level keyboard access" stops this.

    What´s so special about this one? I can´t remember.

    I know SSM failed (older versions) but what about NG?

    If I´m correct, tzuk claimed that SBIE failed because of a conflict with SSM.

    I´ve checked out this test but it behaves weirdly on my VM, it won´t make my machine unbootable for some reason. But SSM could stop it anyway.

    I would also like to know if it uses some kind of special technique to bypass HIPS/ISR´s.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,992
    Location:
    The Netherlands
    I still don´t know if PS can stop this or not? And if not, has it been fixed? Strangely enough I couldn´t find any info on the PS forum. If it failed it was really quite a big flaw.

    When I run this malware I don´t get any alerts form SSM/NG and I still don´t know if it actually tries to perform any malicious behavior. As you can see in the thread, PS and TF also didn´t make a sound.

    https://www.wilderssecurity.com/showthread.php?t=184520&highlight=threatfire

    Most HIPS don´t protect against this, both NG and TF can´t completely stop the damage.
     

    Attached Files:

  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    Rasheed! u want me to go through all the threads and bring out the cooked meal for u? Have u read all these threads in detail?

    File infectors - I agree will bypass many HIPS but any HIPS with full bloen file protection will stop them
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    This is file protection test!
    There was a thread here. It bypassed many ARK tools.

    https://www.wilderssecurity.com/showthread.php?t=152280&highlight=rootkit

    Then u must also know that nicM did not test NG. Did u read the tests?
    Did i say that SBIE failed here?
    I don,t know.
     
  23. alfa1

    alfa1 Registered Member

    Joined:
    May 3, 2006
    Posts:
    61
    From PS board,
    "I have analysed this rootkit again today, now i know why this occured.
    It inject into kernel with two steps:
    1. Modify or replace ip6fw.sys and then start it(PS don't block a existing driver from starting). Then the new ip6fw.sys remove all SSDT hooks of PS.
    2. Load its driver runtime.sys from ZwLoadDriver.

    So if we block it from modifying ip6fw.sys, then PS can detect any action of this malware well. But if not...

    I will change the default file/folder rules from v1.42 to block all writing/deleting *.sys *.exe *.dll... actions to windows folder and files...
    "

    http://www.proactive-hips.com/yabb/yabb2/YaBB.pl?num=1199083771

    Snap2.jpg

    However, we are waiting for 1.43 which should be a significant step forward (IMO) compared to what is possible today* (which is already considerable ;) )...
    Jie is working very WELL to improve its product and he listens really to its customers...



    *at least, in the fight against Rootkit malicious behaviour...
     
    Last edited: Jan 21, 2008
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,167
    Location:
    UK / Pakistan
    That,s great!
     
  25. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
    Are you saying that F-PROT (or any AV) blocks all of these?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.