QUOTE:
OK, the bypass algorithm is absolutely clear now. It is very interesting, I didn't know about this escalation method. Defense against it will be published within DefenseWall HIPS v2.0 RC2 coming really soon.
QUOTE:
And until anyone can tell me how to get it to work, there is absolutely nothing I can do about it, and all the eyes-rolling (by some people) in the world can't change that.
QUOTE:
Yes, this piece of code is using a very interesting technique I didn't know. DefenseWall is already hardened against it. Will be published with v2.0 RC2 build.
It is using an interesting privilege escalation technique.
DefenseWall v2.0 RC2 (last one before release) is out. 100% defense against prueba-based injection technique.
QUOTE:
While SSM doesn't detect this demo's method of using explorer.exe, a properly designed layered package still defeats it. The fact that the user allows this demo to run has to figure into this test. The HIPS did their initial job, intercepting an unknown process. By your choosing to allow it, you changed the role of the HIPS from blocking malicious processes to one of damage control. From this point forward, your ruleset, system configuration, and the rest of your security package come into play.
This demo shows the weakness in rulesets that allow explorer.exe to parent any process, which ends up including the trojan's executable and the browser. Take the time to specify the child processes and get rid of that "allow any" setting for all processes. This is an example of how a well designed security package can defend a system by preventing collateral damage, even when an initial exploit succeeds. Any security app can and will be defeated. It's how well your package does as a whole that matters.
In this instance, the demo's author made some basic mistakes, probably because it is a demo. Even with the real thing, if the writer doesn't think the process all the way thru, he can make similar basic mistakes and often does. It's often such mistakes that lead to the discovery of his trojan and his new method.
1, He assumed the browser has a direct connection out. In my case, I connected thru Proxomitron. Caught by the firewall.
2, He assumed that the browser is an allowed child process of explorer.exe. Usually it is, but not always. I use batch files to launch the browsers, Proxomitron, and other items I won't name here all at once. Break that direct connection between common system executables like explorer and the web applications like your browser and mail handler.
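The ruleset point in the quoted post, shown as an added example that is not part of the original thread: a toy parent/child process ruleset evaluator, with constructed process-start events resembling the demo's chain, comparing an "explorer.exe may parent anything" rule against explicit child lists. Image names and the launcher layout are assumptions.

```python
"""Toy HIPS parent/child ruleset evaluator (constructed example).

A rule that lets explorer.exe parent *any* process also lets code injected
into explorer.exe start the browser.  Listing explicit children breaks that.
"""
from dataclasses import dataclass

ALLOW_ANY = "*"


@dataclass(frozen=True)
class Event:
    parent: str  # image name of the process calling CreateProcess
    child: str   # image name being started


def decide(rules: dict, ev: Event) -> str:
    """Return 'allow' or 'block' for one process-start event.

    rules maps a parent image name to a set of allowed child image names,
    or to ALLOW_ANY.  A parent with no rule at all (unknown process) is blocked.
    """
    allowed = rules.get(ev.parent.lower())
    if allowed is None:
        return "block"
    if allowed == ALLOW_ANY or ev.child.lower() in allowed:
        return "allow"
    return "block"


def evaluate(rules: dict, events: list) -> list:
    """Apply the ruleset to every event, returning (parent, child, decision)."""
    return [(ev.parent, ev.child, decide(rules, ev)) for ev in events]


# Lax ruleset: the "allow any" setting the post warns about.
LAX_RULES = {"explorer.exe": ALLOW_ANY}

# Strict ruleset in the spirit of the post: the browser is only ever started
# through a launcher batch file (cmd.exe), never directly by explorer.exe.
STRICT_RULES = {
    "explorer.exe": {"cmd.exe"},
    "cmd.exe": {"firefox.exe", "proxomitron.exe"},
    "firefox.exe": set(),
}

# Constructed events resembling the demo chain described in the thread.
DEMO_EVENTS = [
    Event("explorer.exe", "prueba.exe"),   # the unknown demo being started
    Event("explorer.exe", "firefox.exe"),  # browser started via explorer.exe
    Event("prueba.exe", "firefox.exe"),    # demo starting the browser itself
]
```

Under LAX_RULES the explorer.exe → firefox.exe step is allowed, which is exactly the link the post recommends breaking; under STRICT_RULES it is blocked while cmd.exe → firefox.exe still works.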
nicM: It is the most important, because, how to say, these HIPS do not work "as good" after the test than they did before.
This probably means that if the HIPS cannot intercept the kernel debugging step, then, for example, SSM's defensive capability is lower than it was before prueba ran.
prueba.exe creates the file
C:\Documents and Settings\nie\Application Data\addon.dat
[ Last edited by 反黑先锋 on 2007-7-6 at 17:28 ]
Author: 反黑先锋  Time: 2007-7-3 21:20
Update
[ Last edited by 反黑先锋 on 2007-7-6 at 17:24 ]
Author: 408983504  Time: 2007-7-3 22:36
WOW~
Need to watch out for this one first.
Author: Legend  Time: 2007-7-3 22:40
Thanks for the suggestion; we will consider it seriously. You are welcome to test it in more depth!
Author: Legend  Time: 2007-7-4 09:26
Moderator 反黑先锋, please compress the virus sample file together with the MP6 folder under your Micropoint installation directory and send it to support@micropoint.com.cn so that we can analyze it in detail.
Please include the URL of this thread in your mail so that we can track and handle it.
Thank you for your support.
[ Last edited by Legend on 2007-7-4 at 09:29 ]
Author: 反黑先锋  Time: 2007-7-4 12:24
Quote:
Originally posted by Legend at 2007-7-4 09:26:
Moderator 反黑先锋, please compress the virus sample file together with the MP6 folder under your Micropoint installation directory and send it to support@micropoint.com.cn so that we can analyze it in detail.
Please include the URL of this thread in your mail so that we can track and handle it.
Thank you ...