反黑先锋
版主
RUNWAY
积分 2901
发帖 2857
注册 2006-6-17
|
#1 利用新技术的prueba trojan
该程序会过很多hips软件 运行该国外程序后 ntoskrnl.exe里完成接口 其他用户的微点版报未知间谍 我这边的微点无任何反应 并且在运行这支程序后 我这边的微点被干扰完全失效
包括 智能防护墙 注册表保护 运行msn蠕虫 微点行为识别无任何反应 不识别已知病毒 系统假死 样本下载 mp6 截图 已上报给support! 此帖地址未来得及附上 其他人的微点都报! 我这边微点没反应 期待更新
prueba病毒的来龙去脉
这帖稍微介绍一下这个 prueba trojan demo,因为这个测试是很有意义的,它不是一般的木马,代表了一种为很多 HIPS /Firewall 开发人员所未见过新的技术。已经上报各大hips,让他们关注解决 prueba 类型的注入提升权限攻击。
先跑个题,楼上有朋友想拿这个做 EQ 的文章,真的不必。
1. prueba 已经发布有段时间了,号称能 100% 拦截的就有 DefenseWall V2 RC2/RC3,不是什么新闻。国外,已经讨论许久咯。
2. 个人觉得EQ 社区很活跃,修正bug或漏洞也很快,比如这个hotfix,这些都很优秀,会员的测试、教程、规则做的都很棒,但是,在宣传上似乎有些偏差,我个人也看到 EQ社区,有很少的人有一点点过于浮躁了,实际上,这种热情可以放到更有利于EQ发展和传播的事情上,而不要让很多喜欢或不了解EQ的人产生反感和逆反心理。
为什么要和AV 产品对立呢? 对于高手的您或许可以不要杀软,但是对于一般用户 (以杀软为主,甚至就认识国内三家,国外卡巴、诺顿),有必要这样宣传吗?难道,不可以告诉他们,HIPS 是他们的AV 软件的最好搭档,可以防御很多AV 漏掉的病毒,是整个防御体系不可缺少的一部分,这比让他们抛弃杀软更容易接受吧。
对于,以 HIPS 为主,杀软为辅的高级用户,让他们转投EQ是很有难度的,人都是有感情的,比如像我的话,对于用了一年多的 Comodo 是不可能轻易放弃的。一个很主观的EQ和其他HIPS的对比,最后争论下来导致不欢而散,致使一批对EQ有好感、准备使用的人,做出相反的选择,得不偿失啊。
pruebla 的前世今生
prueba 据我所知,来源于 Defense Wall 的官方论坛
http://gladiator-antivirus.com/forum/index.php?showtopic=56725
看到了,是6月18号,liam 说他的朋友写了一个测试防火墙的“安全”木马,发布了 一个下载地址 : tp://www.zshare.net/download/prueba-exe.html
透露了一些测试细节是:复制自身到 C:\Program Files\config,并且会有一个隐藏的联网行为。测试的结果是DW V2 RC1 漏了,Rollback无效。他传了三张图:
注:DW的开发者 Ilya 先前并不知道这种方法可以过DW,在27号的时候找到了应对的办法,做了下面的解释:
QUOTE:
OK, the bypass algorithm is absolutely clear now. It is very interesting, I didn't know about this escalation method. Defense against it will be published within DefenseWall HIPS v2.0 RC2 coming really soon.
在往后 prueba 被转到了 SandboxIE 的官方论坛,6月28号:
http://sandboxie.com/phpbb/viewt ... der=asc&start=0
 这里就很奇怪,有两个用户说SandboxIE 被过了,有一个用户说没过。SandboxIE 的开发人员 tzuk 测试是没有漏,不过我估计他也很晕。
后来,很好玩,DW 的 Ilya 跑到 同行和竞争对手 (SandBoxIE) 的论坛了 OOXX ORZ,Ilya 比较搞笑了,他“提示”说一个叫 Onedir(一个目录) 的家伙拼错了他的名字 (Illya),实际上那个家伙的名字叫 Oneder,这叫 以彼之道,还之彼身。Ilya 和 tzuk 互相恶搞了一下,然后 tzuk继续发呆中。。。
QUOTE:
And until anyone can tell me how to get it to work, there is absolutely nothing I can do about it, and all the eyes-rolling (by some people) in the world can't change that.
最后 prueba 辗转到了 Wilders,是7月1号
http://www.wilderssecurity.com/showthread.php?t=179003
这里讨论了一下 SSM、EQ、SandboxIE、DefenseWall、PS等等是通过了、被过了,还是被部分过了。我不大关心这个。
比较有感觉的是 LinkScanner 的表现,看样子,即使突破 HIPS 和 防火墙,LinkScanner也会拦截 prueba的对外连接,确实是防 0day的极品啊。
Ilya 的回帖:
QUOTE:
Yes, this piece of code is using very interesting technique I didn't know. DefenseWall is already hardened against it. Will be published with v2.0 RC2 build.
It is using interesting provileges escalation technique.
DefenseWall v2.0 RC2 (last one before release) is out. 100% defense against prueba-based injection technique.
最棒的当然是 herbalist 的回复,像他这种使用 SSM的方式,才是一个 SSM 支持者,或者说用户该有的态度。这种有技术、有分量的回复,不经意间,就吸引很多人,愿意去尝试 SSM,效果远远胜过某些口水帖子。随便 帖一段:
QUOTE:
While SSM doesn't detect this demo's method of using explorer.exe, a properly designed layered package still defeats it. The fact that the user allows this demo to run has to figure into this test. The HIPS did their initial job, intercepting an unknown process. By your choosing to allow it, you changed the role of the HIPS from blocking malicious processes to one of damage control. From this point forward, your ruleset, system configuration, and the rest of your security package come into play.
This demo shows the weakness in rulesets that allow explorer.exe to parent any process, which ends up including the trojans executable and the browser. Take the time to specify the child processes and get rid of that "allow any" setting for all processes. This is an example of how a well designed security package can defend a system by preventing collateral damage, even when an initial exploit succeeds. Any security app can and will be defeated. It's how well your package does as a whole that matters.
In this instance, the demo's author made some basic mistakes, probably because it is a demo. Even with the real thing, if the writer doesn't think the process all the way thru, he can make similar basic mistakes and often does. It's often such mistakes that lead to the discovery of his trojan and his new method.
1, He assumed the browser has a direct connection out. In my case, I connected thru Proxomitron. Caught by the firewall.
2, He assumed that the browser is an allowed child process of explorer.exe. Usually it is, but not always. I use batch files to lauch the browsers, Proxomitron, and other items I won't name here all at once. Break that direct connection between common system executables like explorer and the web applications like your browser and mail handler.
nicM :It is the most important, because, how to say, these HIPS do not work "as good" after the test than they did before.
大概是指如果不能拦截调试内核的话,比如 SSM的防御能力比 prueba 运行之前会下降。
hwwgo : 我只想说prueba那个毒,只有pros能真正拦截到(eq,sns挂),无驱动恢复ssdt,够很的...
prueba.exe创建文件
C:\Documents and Settings\nie\Application Data\addon.dat
[ Last edited by 反黑先锋 on 2007-7-6 at 17:28 ]
| |
※ ※ ※ 本文纯属【反黑先锋】个人意见,与【 微点交流论坛 】立场无关※ ※ ※
|
荣先祥藏头诗《赞东方微点》
东风欣传好消息
方策独步世所稀
微妙玄机嵌主动
点睛灭毒堪神笔
 |
|
|
2007-7-3 21:05 |
|
反黑先锋
版主
RUNWAY
积分 2901
发帖 2857
注册 2006-6-17
|
|
|
2007-7-3 21:20 |
|
408983504
银牌会员
此用户已被禁言
积分 1271
发帖 1238
注册 2007-1-6
来自 广东
|
#3
WOW~
要注意下先得
| |
※ ※ ※ 本文纯属【408983504】个人意见,与【 微点交流论坛 】立场无关※ ※ ※
|
三用户版续费真TM的便宜啊! |
|
|
|
2007-7-3 22:36 |
|
Legend
超级版主
超级版主
积分 77171
发帖 70170
注册 2005-10-29
|
|
|
2007-7-3 22:40 |
|
Legend
超级版主
超级版主
积分 77171
发帖 70170
注册 2005-10-29
|
|
|
2007-7-4 09:26 |
|
反黑先锋
版主
RUNWAY
积分 2901
发帖 2857
注册 2006-6-17
|
|
|
2007-7-4 12:24 |
|
反黑先锋
版主
RUNWAY
积分 2901
发帖 2857
注册 2006-6-17
|
|
|
2007-7-4 20:54 |
|
Legend
超级版主
超级版主
积分 77171
发帖 70170
注册 2005-10-29
|
|
|
2007-7-4 21:00 |
|
100000
版主
灌水区华南水务使
积分 3285
发帖 3250
注册 2007-2-26
来自 深圳
|
|
|
2007-7-6 09:37 |
|
反黑先锋
版主
RUNWAY
积分 2901
发帖 2857
注册 2006-6-17
|
#10 利用新技术的prueba trojan
| Quote: | Originally posted by Legend at 2007-7-4 21:00:
反黑先锋版主,谢谢您的详细反馈,该问题已经解决,请等待升级。 |
|
好的 该程序会过很多hips软件 其他人的微点都报! 我这边微点没反应 期待更新
prueba病毒的来龙去脉
这帖稍微介绍一下这个 prueba trojan demo,因为这个测试是很有意义的,它不是一般的木马,代表了一种为很多 HIPS /Firewall 开发人员所未见过新的技术。已经上报各大hips,让他们关注解决 prueba 类型的注入提升权限攻击。
先跑个题,楼上有朋友想拿这个做 EQ 的文章,真的不必。
1. prueba 已经发布有段时间了,号称能 100% 拦截的就有 DefenseWall V2 RC2/RC3,不是什么新闻。国外,已经讨论许久咯。
2. 个人觉得EQ 社区很活跃,修正bug或漏洞也很快,比如这个hotfix,这些都很优秀,会员的测试、教程、规则做的都很棒,但是,在宣传上似乎有些偏差,我个人也看到 EQ社区,有很少的人有一点点过于浮躁了,实际上,这种热情可以放到更有利于EQ发展和传播的事情上,而不要让很多喜欢或不了解EQ的人产生反感和逆反心理。
为什么要和AV 产品对立呢? 对于高手的您或许可以不要杀软,但是对于一般用户 (以杀软为主,甚至就认识国内三家,国外卡巴、诺顿),有必要这样宣传吗?难道,不可以告诉他们,HIPS 是他们的AV 软件的最好搭档,可以防御很多AV 漏掉的病毒,是整个防御体系不可缺少的一部分,这比让他们抛弃杀软更容易接受吧。
对于,以 HIPS 为主,杀软为辅的高级用户,让他们转投EQ是很有难度的,人都是有感情的,比如像我的话,对于用了一年多的 Comodo 是不可能轻易放弃的。一个很主观的EQ和其他HIPS的对比,最后争论下来导致不欢而散,致使一批对EQ有好感、准备使用的人,做出相反的选择,得不偿失啊。
pruebla 的前世今生
prueba 据我所知,来源于 Defense Wall 的官方论坛
http://gladiator-antivirus.com/forum/index.php?showtopic=56725
看到了,是6月18号,liam 说他的朋友写了一个测试防火墙的“安全”木马,发布了 一个下载地址 : tp://www.zshare.net/download/prueba-exe.html
透露了一些测试细节是:复制自身到 C:\Program Files\config,并且会有一个隐藏的联网行为。测试的结果是DW V2 RC1 漏了,Rollback无效。他传了三张图:
注:DW的开发者 Ilya 先前并不知道这种方法可以过DW,在27号的时候找到了应对的办法,做了下面的解释:
QUOTE:
OK, the bypass algorithm is absolutely clear now. It is very interesting, I didn't know about this escalation method. Defense against it will be published within DefenseWall HIPS v2.0 RC2 coming really soon.
在往后 prueba 被转到了 SandboxIE 的官方论坛,6月28号:
http://sandboxie.com/phpbb/viewt ... der=asc&start=0
这里就很奇怪,有两个用户说SandboxIE 被过了,有一个用户说没过。SandboxIE 的开发人员 tzuk 测试是没有漏,不过我估计他也很晕。
后来,很好玩,DW 的 Ilya 跑到 同行和竞争对手 (SandBoxIE) 的论坛了 OOXX ORZ,Ilya 比较搞笑了,他“提示”说一个叫 Onedir(一个目录) 的家伙拼错了他的名字 (Illya),实际上那个家伙的名字叫 Oneder,这叫 以彼之道,还之彼身。Ilya 和 tzuk 互相恶搞了一下,然后 tzuk继续发呆中。。。
QUOTE:
And until anyone can tell me how to get it to work, there is absolutely nothing I can do about it, and all the eyes-rolling (by some people) in the world can't change that.
最后 prueba 辗转到了 Wilders,是7月1号
http://www.wilderssecurity.com/showthread.php?t=179003
这里讨论了一下 SSM、EQ、SandboxIE、DefenseWall、PS等等是通过了、被过了,还是被部分过了。我不大关心这个。
比较有感觉的是 LinkScanner 的表现,看样子,即使突破 HIPS 和 防火墙,LinkScanner也会拦截 prueba的对外连接,确实是防 0day的极品啊。
Ilya 的回帖:
QUOTE:
Yes, this piece of code is using very interesting technique I didn't know. DefenseWall is already hardened against it. Will be published with v2.0 RC2 build.
It is using interesting provileges escalation technique.
DefenseWall v2.0 RC2 (last one before release) is out. 100% defense against prueba-based injection technique.
最棒的当然是 herbalist 的回复,像他这种使用 SSM的方式,才是一个 SSM 支持者,或者说用户该有的态度。这种有技术、有分量的回复,不经意间,就吸引很多人,愿意去尝试 SSM,效果远远胜过某些口水帖子。随便 帖一段:
QUOTE:
While SSM doesn't detect this demo's method of using explorer.exe, a properly designed layered package still defeats it. The fact that the user allows this demo to run has to figure into this test. The HIPS did their initial job, intercepting an unknown process. By your choosing to allow it, you changed the role of the HIPS from blocking malicious processes to one of damage control. From this point forward, your ruleset, system configuration, and the rest of your security package come into play.
This demo shows the weakness in rulesets that allow explorer.exe to parent any process, which ends up including the trojans executable and the browser. Take the time to specify the child processes and get rid of that "allow any" setting for all processes. This is an example of how a well designed security package can defend a system by preventing collateral damage, even when an initial exploit succeeds. Any security app can and will be defeated. It's how well your package does as a whole that matters.
In this instance, the demo's author made some basic mistakes, probably because it is a demo. Even with the real thing, if the writer doesn't think the process all the way thru, he can make similar basic mistakes and often does. It's often such mistakes that lead to the discovery of his trojan and his new method.
1, He assumed the browser has a direct connection out. In my case, I connected thru Proxomitron. Caught by the firewall.
2, He assumed that the browser is an allowed child process of explorer.exe. Usually it is, but not always. I use batch files to lauch the browsers, Proxomitron, and other items I won't name here all at once. Break that direct connection between common system executables like explorer and the web applications like your browser and mail handler.
nicM :It is the most important, because, how to say, these HIPS do not work "as good" after the test than they did before.
大概是指如果不能拦截调试内核的话,比如 SSM的防御能力比 prueba 运行之前会下降。
hwwgo : 我只想说prueba那个毒,只有pros能真正拦截到(eq,sns挂),无驱动恢复ssdt,够很的...
prueba.exe创建文件
C:\Documents and Settings\nie\Application Data\addon.dat
[ Last edited by 反黑先锋 on 2007-7-6 at 17:20 ]
| |
※ ※ ※ 本文纯属【反黑先锋】个人意见,与【 微点交流论坛 】立场无关※ ※ ※
|
荣先祥藏头诗《赞东方微点》
东风欣传好消息
方策独步世所稀
微妙玄机嵌主动
点睛灭毒堪神笔
|
|
|
|
2007-7-6 17:00 |
|
|
