Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw

Original link:http://bbs.kafan.cn/thread-695301-1-1.html

This test program can bypass Malware Defender 2.7.0/EQSysSecure 4.1 's control of process privilege to kill any process(except HIPS themseflves' )

Malware Defender 2.7.0 may have few more flaws to discover in the future and EQSysSecure 4.1 has more ,even itself could be killed ...


This test program runs successfully on XP sp3 with Admin privilege

This is GUI i commented some so you guys could use it


this is the text program
http://dl.dropbox.com/u/5748985/test.zip

Thanks mature!

EDIT: Note all tests are performed with default configurations unless otherwise specified.

Tested with Malware Defender 2.6.0 and there is indeed a bypass if you allow initial execution of the test file. For example, I can terminate an opened notepad.exe or explorer.exe without Malware Defender giving a pop-up (once test.exe is opened). Can't seem to terminate Malware Defender's processes though.

Simple solution is don't allow initial execution of the test file in the first place haha.

But yes, seems like a very clever bypass! I'll test it with Comodo and Online Armor some time soon.

Also, it seems I'll have to test it in an LUA environment, and hopefully I can keep promoting LUA haha (if there is no bypass of Malware Defender in an LUA).

EDIT: just tested with Sandboxie - no bypass! Well done to Sandboxie!

EDIT2: just tested with CIS version 4, Defense+ in Paranoid Mode - same as Malware Defender - bypassed if allow initial execution! But can't seem to terminate CIS's own processes.

EDIT3: tested with Online Armor Premium 4.0.0.44 and it is blocked! Well done OA! Here's the pop-up it gives (meaning it is able to control the POC even after initial execution) when test.exe tries to terminate notepad.exe:

ssj100 wrote:Tested with Malware Defender 2.6.0 and there is indeed a bypass if you allow initial execution of the test file. For example, I can terminate an opened notepad.exe or explorer.exe without Malware Defender giving a pop-up (once test.exe is opened).

Simple solution is don't allow initial execution of the test file in the first place haha.

But yes, seems like a very clever bypass! I'll test it with Comodo and Online Armor some time soon.

Also, it seems I'll have to test it in an LUA environment, and hopefully I can keep promoting LUA haha (if there is no bypass of Malware Defender in an LUA).

EDIT: just tested with Sandboxie - no bypass! Well done to Sandboxie!

haha~good luck to your LUA

Once again, this proves that anti-execution (and containment) is the key to staying "100%" protected. Blocking initial execution is the most important thing for sure, as well as intelligent handling of newly introduced files.

2 out of the 3 classical HIPS so far (in default configurations) are unable to control the behaviour of the above POC! I guess Xiaolin was right after all - if you allow initial execution, there are numerous ways to bypass a classical HIPS.

Singlemature wrote:haha~good luck to your LUA

Just tried running test.exe in an LUA (with no security software installed) - it opens the command prompt window, but you can't seem to do anything with it.

Conclusion: LUA is NOT bypassed haha. Well done LUA!

I thought this test would be better to post on Wilders,but i was banned from posting thread, i don't get it why i got this treat...and same thing happen to ssj100,i don't think they could benefit from this ,on the contrary it's theire loss.

Anyway...congratulations to LUA XD

Sorry to hear that mature.

Anyway, I'll probably do some testing with DefenseWall and GeSWall, but I'm sure they will pass.

So here are the results so far, based on my testings on Windows XP, 32-bit:
1. LUA: PASS
2. Sandboxie 3.45.09: PASS
3. Online Armor Premium 4.0.0.44: PASS
4. DefenseWall 3.00: PASS
5. GeSWall Pro 2.9: PASS
6. Malware Defender 2.7.1: FAIL
7. Comodo Internet Security 4.0.141842.828: FAIL
8. System Safety Monitor 2.4.0.622: FAIL

Nice testing job guys!!
The only horse I have in the race is Sandboxie,and he/she ran well,I am glad to see!!

noor

Updated above list with System Safety Monitor. Any other classical HIPS I can test that you guys can think of?

By the way, just browsing other forums, and they all seem blissfully unaware about this (rather simple) bypass.

There was an attempt on Wilders to post about this, but the thread was closed without anyone figuring out exactly what was going on - they didn't understand the chinese in the test window. Thanks mature for translating it for us!

I don't think the Comodo forums know about this either - I may post there soon, since I tend to support Comodo, and they'll probably be interested in patching up this bypass.

I think I've seen a similar POC in the past...possibly when I was using ProSecurity. I believe the method used is one of the methods discussed here: 12 ways to terminate a process.

"CreateJobObject, AssignProcessToJobObject, TerminateJobObject (and their Native API equivalents)

Create a job object using CreateJobObject, assign the target process to it using AssignProcessToJobObject, and terminate it using TerminateJobObject. This only works if the process is not already associated with a job object. This technique works well if NtAssignProcessToJobObject and NtTerminateJobObject are not hooked because NtTerminateJobObject calls PsTerminateProcess directly."

BTW, the POC also works against MD 2.7.1 beta on Windows 7.

Thanks nick. I was curious as to whether it would work on Windows 7 - recently clean re-installed VirtualBox, and my Windows 7 VM hasn't been loaded yet haha.

Updated list after testing ProcessGuard - poorly done I must say by this well loved program! The POC is able to terminate ProcessGuard's own processes!

1. LUA: PASS
2. Sandboxie 3.45.09: PASS
3. Online Armor Premium 4.0.0.44: PASS
4. DefenseWall 3.00: PASS
5. GeSWall Pro 2.9: PASS
6. Online Solutions Security Suite 1.5: PASS
7. Malware Defender 2.7.1: FAIL
8. Comodo Internet Security 4.0.141842.828: FAIL
9. System Safety Monitor 2.4.0.622: FAIL
10. ProcessGuard 3.500: FAIL

Online Solutions Security Suite 1.5 successfully blocks this POC!

Ouch! ...ProcessGuard.

To be fair though, ProcessGuard isn't really a Classical HIPS, and you wouldn't expect it to be able to control the behaviour of a process. ProcessGuard is an Anti-executable...but a rather out-dated one to be honest. And I'd recommend SRP over ProcessGuard any day.

By the way, just described further how to reproduce the bypass at Comodo forums:
http://forums.comodo.com/news-announcements-feedback-cis/cis-bypassed-t56166.0.html;msg395332#msg395332

EDIT: you can see that CIS can be used/configured to block this POC by simply not using "fewer options" mode. Good to see that CIS beats Malware Defender with this particular POC! Remember that Malware Defender must have been vulnerable to this POC for years. And the fact is, I'm not even sure if the Malware Defender developer will fix this, period, as he's working for another company now.

"By the way, just described further how to reproduce the bypass at Comodo forums:
http://forums.comodo.com/news-announcements-feedback-cis/cis-bypassed-t56166.0.html;msg395332#msg395332"

Yes I read that that. Good to know you can deal with that crew.
There is a limit to my tolerance for arrogance and word play.
Ten seconds with Comodoites,and I am past my limit.

noor

Hey noor, gosh, I think I'm going to stay out of there (Comodo forums) for at least a while haha. Too much heat came out from no where...maybe I'll just keep news like this confined to our forums and Sandboxie's forums (Tzuk is great!).

SSJ I only have XP home so I not have LUA and SRP and I was wondering if you can say if this Test.exe POC is able to terminate other processors with

LUA, ?

SRP ?

Surun?

Hi arran:
https://ssj100.forumotion.com/other-f6/malware-defender-270-eqsyssecure-41-process-privilege-control-flaw-t55.htm#295

This POC isn't even able to run in a limited user account! It requires admin privileges to run properly (like a lot of malware out there).

SRP/AppLocker aren't HIPS, and so don't control the behaviour of programs once you let them run. Denying initial execution is the key though, and that's what SRP/AppLocker does extremely well.

SuRun is just a program for convenience and doesn't apply here.

when I was trying out NOD32 I decided to see if this test.exe POC can terminate NOD32 and interestingly it couldn't NOD32 PASS

more interestingly MD can't terminate NOD32 either. NOD32 seems to have a powerful self defense.

arran wrote:when I was trying out NOD32 I decided to see if this test.exe POC can terminate NOD32 and interestingly it couldn't NOD32 PASS

more interestingly MD can't terminate NOD32 either. NOD32 seems to have a powerful self defense.

Yes I have heard from reliable Chinese sources that most AV software have very good self defense and aren't prone to these types of attacks. Malware Defender itself is also resistant to this POC.

ssj100 wrote: Malware Defender itself is also resistant to this POC.

Actually it isn't. MD can only protect app's from being terminated it cannot protect system app's from being terminated.

arran wrote:

ssj100 wrote: Malware Defender itself is also resistant to this POC.

Actually it isn't. MD can only protect app's from being terminated it cannot protect system app's from being terminated.

Indeed. I was just saying that MD itself is resistant to this POC = the POC can't terminate MD.