Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
Original link:http://bbs.kafan.cn/thread-695301-1-1.html
This test program can bypass Malware Defender 2.7.0/EQSysSecure 4.1's control of process privilege to kill any process (except the HIPS themselves).
Malware Defender 2.7.0 may have a few more flaws to discover in the future, and EQSysSecure 4.1 has more; even it itself could be killed...
This test program runs successfully on XP SP3 with Admin privilege.
This is the GUI; I commented some of it so you guys could use it.
This is the test program:
http://dl.dropbox.com/u/5748985/test.zip
Singlemature- Valued Member
- Posts : 31
Join date : 2010-04-22
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
Thanks mature!
EDIT: Note all tests are performed with default configurations unless otherwise specified.
Tested with Malware Defender 2.6.0 and there is indeed a bypass if you allow initial execution of the test file. For example, I can terminate an opened notepad.exe or explorer.exe without Malware Defender giving a pop-up (once test.exe is opened). Can't seem to terminate Malware Defender's processes though.
Simple solution is don't allow initial execution of the test file in the first place haha.
But yes, seems like a very clever bypass! I'll test it with Comodo and Online Armor some time soon.
Also, it seems I'll have to test it in an LUA environment, and hopefully I can keep promoting LUA haha (if there is no bypass of Malware Defender in an LUA).
EDIT: just tested with Sandboxie - no bypass! Well done to Sandboxie!
EDIT2: just tested with CIS version 4, Defense+ in Paranoid Mode - same as Malware Defender - bypassed if initial execution is allowed! But can't seem to terminate CIS's own processes.
EDIT3: tested with Online Armor Premium 4.0.0.44 and it is blocked! Well done OA! Here's the pop-up it gives (meaning it is able to control the POC even after initial execution) when test.exe tries to terminate notepad.exe:
Last edited by ssj100 on 4/5/2010, 17:48; edited 4 times in total
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
ssj100 wrote: Tested with Malware Defender 2.6.0 and there is indeed a bypass if you allow initial execution of the test file. For example, I can terminate an opened notepad.exe or explorer.exe without Malware Defender giving a pop-up (once test.exe is opened).
Simple solution is don't allow initial execution of the test file in the first place haha.
But yes, seems like a very clever bypass! I'll test it with Comodo and Online Armor some time soon.
Also, it seems I'll have to test it in an LUA environment, and hopefully I can keep promoting LUA haha (if there is no bypass of Malware Defender in an LUA).
EDIT: just tested with Sandboxie - no bypass! Well done to Sandboxie!
haha~good luck to your LUA
Singlemature- Valued Member
- Posts : 31
Join date : 2010-04-22
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
Once again, this proves that anti-execution (and containment) is the key to staying "100%" protected. Blocking initial execution is the most important thing for sure, as well as intelligent handling of newly introduced files.
2 out of the 3 classical HIPS so far (in default configurations) are unable to control the behaviour of the above POC! I guess Xiaolin was right after all - if you allow initial execution, there are numerous ways to bypass a classical HIPS.
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
Singlemature wrote:haha~good luck to your LUA
Just tried running test.exe in an LUA (with no security software installed) - it opens the command prompt window, but you can't seem to do anything with it.
Conclusion: LUA is NOT bypassed haha. Well done LUA!
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
I thought this test would be better to post on Wilders, but I was banned from posting threads; I don't get why I got this treatment... and the same thing happened to ssj100. I don't think they could benefit from this; on the contrary, it's their loss.
Anyway...congratulations to LUA XD
Singlemature- Valued Member
- Posts : 31
Join date : 2010-04-22
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
Sorry to hear that mature.
Anyway, I'll probably do some testing with DefenseWall and GeSWall, but I'm sure they will pass.
So here are the results so far, based on my testing on Windows XP, 32-bit:
1. LUA: PASS
2. Sandboxie 3.45.09: PASS
3. Online Armor Premium 4.0.0.44: PASS
4. DefenseWall 3.00: PASS
5. GeSWall Pro 2.9: PASS
6. Malware Defender 2.7.1: FAIL
7. Comodo Internet Security 4.0.141842.828: FAIL
8. System Safety Monitor 2.4.0.622: FAIL
Last edited by ssj100 on 5/5/2010, 14:27; edited 1 time in total
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
Nice testing job guys!!
The only horse I have in the race is Sandboxie, and he/she ran well, I am glad to see!!
noor
Guest- Guest
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
Updated above list with System Safety Monitor. Any other classical HIPS I can test that you guys can think of?
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
By the way, just browsing other forums, and they all seem blissfully unaware about this (rather simple) bypass.
There was an attempt on Wilders to post about this, but the thread was closed without anyone figuring out exactly what was going on - they didn't understand the Chinese in the test window. Thanks mature for translating it for us!
I don't think the Comodo forums know about this either - I may post there soon, since I tend to support Comodo, and they'll probably be interested in patching up this bypass.
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
I think I've seen a similar POC in the past...possibly when I was using ProSecurity. I believe the method used is one of the methods discussed here: 12 ways to terminate a process.
"CreateJobObject, AssignProcessToJobObject, TerminateJobObject (and their Native API equivalents)
Create a job object using CreateJobObject, assign the target process to it using AssignProcessToJobObject, and terminate it using TerminateJobObject. This only works if the process is not already associated with a job object. This technique works well if NtAssignProcessToJobObject and NtTerminateJobObject are not hooked because NtTerminateJobObject calls PsTerminateProcess directly."
Last edited by nick s on 6/5/2010, 08:58; edited 1 time in total
nick s- Valued Member
- Posts : 14
Join date : 2010-04-18
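As an added example (not code from the thread, the POC, or any product discussed), a PowerShell audit of the caveat in the quoted text: IsProcessInJob reports which processes are not yet in any job object, and on the XP/Vista/7 kernels tested in this thread a process can close this path by assigning itself to a job first, since those kernels allow only one job per process. It assumes an elevated PowerShell with P/Invoke via Add-Type; on Windows 8 and later, nested jobs let an empty new job still be attached, so the self-assignment alone no longer blocks it.

```powershell
# Added example: audit processes for job membership and opt this shell into a job.
# Assumes XP/Vista/7 semantics (one job per process); see lead-in for Win8+ caveat.
Add-Type -Namespace Win32 -Name Job -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsProcessInJob(IntPtr hProcess, IntPtr hJob, out bool result);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr CreateJobObject(IntPtr attrs, string name);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool AssignProcessToJobObject(IntPtr hJob, IntPtr hProcess);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

$PROCESS_QUERY_INFORMATION = 0x0400   # access right IsProcessInJob needs on XP

# 1. Audit: a null job handle asks "is this process in any job at all?"
$report = foreach ($p in Get-Process) {
    $h = [Win32.Job]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$p.Id)
    if ($h -eq [IntPtr]::Zero) {
        $state = 'n/a (open denied)'
    } else {
        $inJob = $false
        $ok = [Win32.Job]::IsProcessInJob($h, [IntPtr]::Zero, [ref]$inJob)
        [void][Win32.Job]::CloseHandle($h)
        if (-not $ok) { $state = 'n/a (query failed)' }
        elseif ($inJob) { $state = 'in job' }
        else { $state = 'NOT in job (no protection from this path)' }
    }
    [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; JobState = $state }
}
$report | Sort-Object JobState, Name | Format-Table -AutoSize

# 2. Mitigation for this shell: join an unnamed job now, so a later
#    AssignProcessToJobObject from another process fails with ERROR_ACCESS_DENIED
#    on a one-job-per-process kernel. Keep $job open: the job lives as long as it does.
$job = [Win32.Job]::CreateJobObject([IntPtr]::Zero, $null)
if (-not [Win32.Job]::AssignProcessToJobObject($job, [Win32.Job]::GetCurrentProcess())) {
    throw "AssignProcessToJobObject failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
$self = $false
[void][Win32.Job]::IsProcessInJob([Win32.Job]::GetCurrentProcess(), $job, [ref]$self)
"Current process ($PID) now in its own job: $self"
```

Processes the shell cannot open (most system services unless run elevated) show as n/a rather than being misreported as unprotected.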
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
BTW, the POC also works against MD 2.7.1 beta on Windows 7.
nick s- Valued Member
- Posts : 14
Join date : 2010-04-18
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
Thanks nick. I was curious as to whether it would work on Windows 7 - recently clean re-installed VirtualBox, and my Windows 7 VM hasn't been loaded yet haha.
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
Updated list after testing ProcessGuard - poorly done I must say by this well loved program! The POC is able to terminate ProcessGuard's own processes!
1. LUA: PASS
2. Sandboxie 3.45.09: PASS
3. Online Armor Premium 4.0.0.44: PASS
4. DefenseWall 3.00: PASS
5. GeSWall Pro 2.9: PASS
6. Online Solutions Security Suite 1.5: PASS
7. Malware Defender 2.7.1: FAIL
8. Comodo Internet Security 4.0.141842.828: FAIL
9. System Safety Monitor 2.4.0.622: FAIL
10. ProcessGuard 3.500: FAIL
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
Online Solutions Security Suite 1.5 successfully blocks this POC!
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
Ouch! ...ProcessGuard.
Guest- Guest
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
To be fair though, ProcessGuard isn't really a Classical HIPS, and you wouldn't expect it to be able to control the behaviour of a process. ProcessGuard is an Anti-executable...but a rather out-dated one to be honest. And I'd recommend SRP over ProcessGuard any day.
By the way, just described further how to reproduce the bypass at Comodo forums:
http://forums.comodo.com/news-announcements-feedback-cis/cis-bypassed-t56166.0.html;msg395332#msg395332
EDIT: you can see that CIS can be used/configured to block this POC by simply not using "fewer options" mode. Good to see that CIS beats Malware Defender with this particular POC! Remember that Malware Defender must have been vulnerable to this POC for years. And the fact is, I'm not even sure if the Malware Defender developer will fix this, period, as he's working for another company now.
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
"By the way, just described further how to reproduce the bypass at Comodo forums:
http://forums.comodo.com/news-announcements-feedback-cis/cis-bypassed-t56166.0.html;msg395332#msg395332"
Yes I read that. Good to know you can deal with that crew.
There is a limit to my tolerance for arrogance and word play.
Ten seconds with Comodoites, and I am past my limit.
noor
Guest- Guest
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
Hey noor, gosh, I think I'm going to stay out of there (Comodo forums) for at least a while haha. Too much heat came out from nowhere...maybe I'll just keep news like this confined to our forums and Sandboxie's forums (Tzuk is great!).
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
SSJ, I only have XP Home so I don't have LUA and SRP, and I was wondering if you can say whether this Test.exe POC is able to terminate other processes with
LUA, ?
SRP ?
Surun?
arran- Member
- Posts : 41
Join date : 2010-05-09
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
Hi arran:
https://ssj100.forumotion.com/other-f6/malware-defender-270-eqsyssecure-41-process-privilege-control-flaw-t55.htm#295
This POC isn't even able to run in a limited user account! It requires admin privileges to run properly (like a lot of malware out there).
SRP/AppLocker aren't HIPS, and so don't control the behaviour of programs once you let them run. Denying initial execution is the key though, and that's what SRP/AppLocker does extremely well.
SuRun is just a program for convenience and doesn't apply here.
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
When I was trying out NOD32 I decided to see if this test.exe POC could terminate NOD32, and interestingly it couldn't. NOD32: PASS.
More interestingly, MD can't terminate NOD32 either. NOD32 seems to have a powerful self-defense.
arran- Member
- Posts : 41
Join date : 2010-05-09
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
arran wrote: When I was trying out NOD32 I decided to see if this test.exe POC could terminate NOD32, and interestingly it couldn't. NOD32: PASS.
More interestingly, MD can't terminate NOD32 either. NOD32 seems to have a powerful self-defense.
Yes, I have heard from reliable Chinese sources that most AV software has very good self-defense and isn't prone to these types of attacks. Malware Defender itself is also resistant to this POC.
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
ssj100 wrote: Malware Defender itself is also resistant to this POC.
Actually it isn't. MD can only protect apps from being terminated; it cannot protect system apps from being terminated.
arran- Member
- Posts : 41
Join date : 2010-05-09
Re: Malware Defender 2.7.0, EQSysSecure 4.1 process privilege control flaw
arran wrote: ssj100 wrote: Malware Defender itself is also resistant to this POC.
Actually it isn't. MD can only protect apps from being terminated; it cannot protect system apps from being terminated.
Indeed. I was just saying that MD itself is resistant to this POC = the POC can't terminate MD.