Author Topic: Can ExploitShield browser version be used next to avast resident av?  (Read 16341 times)

polonus

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 20117
  • Gender: Male
  • malware fighter
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #60 on: October 30, 2012, 08:59:23 PM »
Hi bob3160,

And the thorough analysis of the tool also means its downfall before beta testing ended.
Circumvention could consist of an exploit DLL payload loaded via LoadLibraryA/W to circumvent even the APIs ExploitShield blocks...

Dr Fu reports on ROP methods here in his tutorial:
http://fumalwareanalysis.blogspot.nl/2012/02/malware-analysis-tutorial-16-return.html

And by insanitybit: http://insanitybit.wordpress.com/tag/rop/

See also: http://a-twisted-world.blogspot.nl/2008/03/createprocessinternal-function.html

And this from Sebastian Kübeck on when malware started to use ROP in 2010: http://www.jroller.com/sebastianKuebeck/entry/first_exploit_using_return_oriented

Now that the obscured functioning of the ExploitShield is out in the open,
it has lost its usefulness as a protection tool against zero days.

Reading the above, everyone in the know will understand
what an incredibly powerful tool ApiSpy can be in the hands of the savvy malcreant...

There is only one way out. Only patching vulnerabilities in buggy software code will create solutions against zero days.
Security through obscurity only pays as long as obscurity lasts.

Finally, again proof of the fact that when a piece of software is presented as "too good to be true", it actually is too good to be true...
ExploitShield browser has scorched feet and seems to have given away its secret... or??

polonus
« Last Edit: October 30, 2012, 10:54:54 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
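The "blocked APIs" referred to in the post above are implemented by user-mode inline hooks: the protection tool overwrites the first bytes of an exported function with a jump into its own code. Because that patch sits in the same address space as the exploit, an attacker's DLL can look for it just as easily as a defender can, which is the point about ApiSpy made above. The following is an added example, not ExploitShield's code and not from anyone in this thread: it classifies the common x86/x64 detour shapes from a function's first bytes and computes the jump destination where the bytes alone allow it. The sample prologues, the API names used as labels and the base addresses are all constructed for the example, not dumped from any real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: classify the first bytes of a function to see whether a
 * user-mode inline hook has been written over its prologue.  The patterns are
 * the usual x86/x64 detour shapes; all samples below are constructed. */

enum hook_kind {
    HOOK_NONE = 0,     /* ordinary, unpatched prologue                     */
    HOOK_JMP_REL32,    /* E9 rel32           : 5-byte relative jump        */
    HOOK_JMP_SHORT,    /* EB rel8            : hot-patch style short jump  */
    HOOK_JMP_IND,      /* FF 25 disp32       : jump through a pointer      */
    HOOK_PUSH_RET,     /* 68 imm32 ; C3      : push address / ret          */
    HOOK_MOV_RAX_JMP   /* 48 B8 imm64 ; FF E0: x64 absolute jump           */
};

/* Inspect the first `len` bytes of a function that lives at `base`.
 * Returns the detour shape found; *target receives the destination when it
 * can be computed from the bytes alone, otherwise 0. */
enum hook_kind classify_prologue(const uint8_t *code, size_t len,
                                 uint64_t base, uint64_t *target)
{
    int32_t rel32; uint32_t imm32; uint64_t imm64;

    *target = 0;
    if (len >= 5 && code[0] == 0xE9) {
        memcpy(&rel32, code + 1, 4);                 /* little-endian rel32 */
        *target = base + 5 + (uint64_t)(int64_t)rel32;
        return HOOK_JMP_REL32;
    }
    if (len >= 2 && code[0] == 0xEB) {               /* rel8, sign-extended */
        *target = base + 2 + (uint64_t)(int64_t)(int8_t)code[1];
        return HOOK_JMP_SHORT;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)
        return HOOK_JMP_IND;                         /* destination is in memory */
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        memcpy(&imm32, code + 1, 4);
        *target = imm32;
        return HOOK_PUSH_RET;
    }
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0) {
        memcpy(&imm64, code + 2, 8);
        *target = imm64;
        return HOOK_MOV_RAX_JMP;
    }
    return HOOK_NONE;
}

enum hook_kind kind_of(const uint8_t *code, size_t len)
{
    uint64_t unused;
    return classify_prologue(code, len, 0, &unused);
}

uint64_t target_of(const uint8_t *code, size_t len, uint64_t base)
{
    uint64_t t;
    (void)classify_prologue(code, len, base, &t);
    return t;
}

/* Constructed sample prologues (not taken from any real module). */
static const uint8_t UNHOOKED_X86[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };       /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t UNHOOKED_X64[]  = { 0x4C, 0x8B, 0xD1, 0xB8, 0x18, 0, 0, 0 }; /* mov r10,rcx; mov eax,18h (syscall stub) */
static const uint8_t HOOKED_REL32[]  = { 0xE9, 0xFB, 0x0F, 0x00, 0x00, 0xCC, 0xCC }; /* jmp +0xFFB -> base+0x1000 */
static const uint8_t HOOKED_SHORT[]  = { 0xEB, 0xF9, 0x55, 0x8B, 0xEC };       /* jmp short -7 into the hot-patch padding */
static const uint8_t HOOKED_X64ABS[] = { 0x48, 0xB8, 0x00, 0x10, 0, 0, 0, 0x7F, 0, 0, 0xFF, 0xE0 }; /* mov rax,imm64; jmp rax */

struct api_sample { const char *name; const uint8_t *code; size_t len; uint64_t base; };

static const struct api_sample SAMPLES[] = {   /* names are labels only */
    { "LoadLibraryA",       UNHOOKED_X86,  sizeof UNHOOKED_X86,  0x77D00000u },
    { "NtCreateFile",       UNHOOKED_X64,  sizeof UNHOOKED_X64,  0x77D10000u },
    { "CreateProcessW",     HOOKED_REL32,  sizeof HOOKED_REL32,  0x77D00000u },
    { "VirtualProtect",     HOOKED_SHORT,  sizeof HOOKED_SHORT,  0x77D00000u },
    { "NtMapViewOfSection", HOOKED_X64ABS, sizeof HOOKED_X64ABS, 0x77D20000u },
};

/* Walk a table of (name, bytes, base), print each verdict, return how many look detoured. */
int count_hooked(const struct api_sample *t, size_t n)
{
    int hooked = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t dst;
        enum hook_kind k = classify_prologue(t[i].code, t[i].len, t[i].base, &dst);
        if (k != HOOK_NONE) hooked++;
        printf("%-20s kind=%d target=0x%llx\n", t[i].name, (int)k, (unsigned long long)dst);
    }
    return hooked;
}

int main(void)
{
    int n = count_hooked(SAMPLES, sizeof SAMPLES / sizeof SAMPLES[0]);
    printf("%d of %zu sampled prologues look hooked\n", n, sizeof SAMPLES / sizeof SAMPLES[0]);
    return 0;
}
```

A verdict of HOOK_NONE does not prove an API is clean: the detour may sit deeper than the first bytes, the interception may be an IAT/EAT entry rather than an inline patch, or the check itself may have been answered from a second, unhooked copy of the module. Comparing the in-memory prologue with the bytes of the module on disk is the more reliable defender-side check, and it is exactly the data an attacker's DLL uses to restore the original bytes and call past the hook, which is why a hook-based blocker cannot be trusted against code already running in the same process.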

polonus
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #61 on: October 31, 2012, 01:27:11 PM »
It is early days yet before we can come to a final verdict on this tool; see ExploitShield's reply here:
http://www.zerovulnerabilitylabs.com/home/the-objective-of-exploitshield-beta/
But with the Vista PatchGuard hack in mind, we just have to wait and see; as always, the proof is in the pudding.
I'd like you to read FireEye's article: http://blog.fireeye.com/research/2012/06/bypassing-process-monitoring-.html
Article authors: Michael Vincent and Abhishek Singh (reverse engineering of the implementation of PsSetCreateProcessNotifyRoutine in the Windows ntoskrnl.exe). Conclusion:
Quote
Bottom line: Any enterprise or consumer security suite that uses this technique for monitoring process activity can be easily circumvented—a big win for the malware authors
quote taken from above article...
So, question 1: is the ExploitShield browser tool not vulnerable to such an attack?
Something of an answer can be found here: http://www.kernelmode.info/forum/viewtopic.php?f=10&t=1197#p9160 (link from poster EP_X0FF*, Global Moderator), leading to the conclusion that all protection on this level is based on anti-malware hacks and security-through-obscurity measures.
So if protection methods are out in the open and known to malcreants, nothing can protect us at kernel level.

Without IDS and file and DLL whitelisting through hash and certification/identification, any protection fails IMHO.
So any anti-malware tool should reject all that cannot be verified against a whitelist as benign beyond any doubt, and that is the way to go.
The other procedure is blocking; see the great success of avast shields recently in additionally protecting our users...

pol

P.S. * EP_X0FF & others were banned later from various forums for being active in controversial activities (website attacks and malicious reverse engineering)
(-> http://greatis.com/security/Warning_Rootkit_Unhooker.htm )
« Last Edit: October 31, 2012, 02:18:42 PM by polonus »
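As an added illustration of the default-deny whitelisting argued for in the post above (example code, not from this thread and not ExploitShield's), the block below hashes a set of approved files into a manifest, protects the manifest itself with an HMAC so that it cannot be edited on disk without detection, and then refuses anything that is unlisted or whose hash no longer matches. The manifest key, the file names and the file contents are constructed for the example; the "certification" half (Authenticode signature checks) is not shown.

```python
"""Added example: default-deny hash allowlisting with an integrity-protected
manifest.  Not ExploitShield code.  Key, file names and contents below are
constructed for the illustration."""
import hashlib
import hmac
import json
import os
import tempfile

# Assumption: this key lives somewhere the allowlisted files cannot modify
# (e.g. inside the enforcing service), otherwise the HMAC proves nothing.
MANIFEST_KEY = b"example-manifest-key-rotate-me"


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, key=MANIFEST_KEY):
    """Hash every approved file and sign the list so the allowlist itself is tamper-evident."""
    entries = {os.path.basename(p): sha256_file(p) for p in paths}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def load_manifest(manifest, key=MANIFEST_KEY):
    """Refuse to use a manifest whose HMAC no longer matches its entries."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        raise ValueError("manifest integrity check failed")
    return manifest["entries"]


def decide(path, entries):
    """Default deny: allow only if the name is listed AND the on-disk hash matches."""
    name = os.path.basename(path)
    if name not in entries:
        return "deny: not on allowlist"
    if not hmac.compare_digest(entries[name], sha256_file(path)):
        return "deny: hash mismatch"
    return "allow"


def demo():
    """Approve two files, then evaluate an untouched file, a patched file,
    an unknown file, and a manifest someone edited to add the unknown file."""
    with tempfile.TemporaryDirectory() as d:
        approved = []
        for name, data in (("good.dll", b"MZ..good"), ("tool.exe", b"MZ..tool")):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            approved.append(p)
        manifest = build_manifest(approved)
        entries = load_manifest(manifest)

        results = {"good.dll": decide(approved[0], entries)}

        with open(approved[1], "ab") as f:       # simulate an in-place patch
            f.write(b"\x90")
        results["tool.exe"] = decide(approved[1], entries)

        unknown = os.path.join(d, "dropper.exe")  # never approved
        with open(unknown, "wb") as f:
            f.write(b"MZ..unknown")
        results["dropper.exe"] = decide(unknown, entries)

        # Attacker appends their file to the manifest but cannot recompute the HMAC.
        tampered = {"entries": dict(manifest["entries"], **{"dropper.exe": sha256_file(unknown)}),
                    "hmac": manifest["hmac"]}
        try:
            load_manifest(tampered)
            results["tampered_manifest"] = "accepted"
        except ValueError:
            results["tampered_manifest"] = "rejected"
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} {v}")
```

The point of the HMAC step is that a whitelist stored as a plain file is only as strong as the file's own protection: the first thing malware with write access does is add itself to the list. Hash matching also says nothing about whether a listed file was benign to begin with, which is why the post above pairs it with certification.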

bob3160

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 23939
  • Gender: Male
  • 53 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #62 on: October 31, 2012, 01:42:02 PM »
So now we have an excellent analysis and a just-as-well-written explanation as to the flaw in the initial analysis.
I'd like to hear what Vlk has to say. :)

 
Free avast! Security Seminar: http://www.authorstream.com/Presentation/bob3160-1425909-protecting-yourself/    -  Important: http://www.organdonor.gov/
My Blog: http://bob3160.blogspot.com/ - Win 8.1 Pro 64bit, 4 Gig Ram, avast!2014.9.0.2015 Free, MBAM, WinPatrol -- How to Successfully Install avast! http://goo.gl/VLXde
                     - It's nice to be Important. - It's more important to be Nice. -

mchain

  • avast! Evangelist
  • Super Poster
  • Posts: 2163
  • Gender: Male
  • Spartan Warriors
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #63 on: November 01, 2012, 03:52:28 AM »
I was running ExploitShield, but now, no more.  The reality is, mitigations built into Windows 7 and 8 natively provide some of the protection offered by ES, but sadly, XP's time has passed, and it never can, or will, be brought up to the level of security provided by the newer OSes.

I did have a spot of trouble uninstalling ES.  There was a hang in the TMP folders used at the end of the uninstall process that could not be terminated any other way than by Task Manager.

(See attached .jpg below)

Two separate processes stopped running, _ui14D2N.tmp and unins000.exe.  This happened even though I granted permission for both to run through Online Armor.  Killing _ui14D2N.tmp did close the other process normally.  I also used CCleaner to remove registry keys obviously related to ES, but no other keys were deleted. 

So, no system damage was done as far as I can tell atm.

Disappointed a little bit here, but, thanks to Polonus, it may be that ES is not all that, and never will be.  Only the passage of time will tell, but I am sure this type of thing has happened many times before, as many start-up vendors will have to fail before one actually succeeds.

An additional note:  It was very easy to kill the ExploitShield.exe process just by exiting the Z icon in the system tray.  Whether this was by design or not, it would seem that some hardening of the running process would need to be made to ensure that it would continue to run in case a system was attacked by malware designed to stop this process.

XP Pro SP3 P4 3.2 HT 2GB RAM AIS v 2014.9.0.2011 Secunia PSI version 2.0.0.3003 TREND Micro RUBotted Beta Javacool SpywareBlaster version 5.0 Sandboxie v. 4.09 32-bit WOT (Web Of Trust) Browser reputation-based add-on http://www.mywot.com/   New: avast! listing of vendor uninstall tools:  http://www.avast.com/faq.php?article=AVKB11#artTitle
W7 Home Premium 64-bit SP1, 2.8 Pentium D, 3 GB RAM AIS v 2014.9.0.2016 (running same programs as above) Sandboxie 4.09 64-bit

polonus
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #64 on: November 01, 2012, 04:50:01 PM »
Discovering more in the executable of ExploitShield: the fp_opendev kernel service can be called from the process environment only.
Return value: 0 indicates a successful operation.
Specifies the major and minor device number of the device driver to open...
More to come on kernel extensions there.
It is too early, as I said, to give a final verdict; we have to wait for what comes after its beta.

First I will go on with the "infosquitoing" on this tool.
Mchain, "_ui14d2N.tmp has encountered a problem" is an error one also gets from Gen:Variant.Tdss.14 malcode..

Errors also with __CxxFrameHandler3 in a dynamic link library & _crt_debugger_hook throwing an exception.....

I have reason to believe the developers used some form of kernel-level trap handler performing kernel-level diagnostics....

polonus
« Last Edit: November 01, 2012, 09:47:29 PM by polonus »

schmidthouse

  • VIRUS FREE A Long Time
  • avast! Evangelist
  • Massive Poster
  • Posts: 2573
  • Gender: Male
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #65 on: November 01, 2012, 09:04:29 PM »
Thanks for the PM Polonus.
I'm not sure yet what to think about these analyses, but I am interested in testing the next beta version before I conclude anything. ;) :)
W8.1.1PRO 64Bit
xpSP3 PRO 32 Bit
Do not confuse kindness for weakness

bob3160
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #66 on: November 01, 2012, 10:40:18 PM »
Quote from: schmidthouse
Thanks for the PM Polonus.
I'm not sure yet what to think about these analyses, but I am interested in testing the next beta version before I conclude anything. ;) :)

I'd appreciate a link to the download of the next beta when it's released. :)

polonus
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #67 on: November 02, 2012, 01:39:45 PM »
Hi bob3160 and schmidthouse, mchain and others,

I did some further inspection of the ExploitShield executable and exploitshield.dll, and my findings I have attached to this posting.
There indeed seem to be some new examples of secure bypass code and particularly safer registry settings implemented by this tool and DLL.
They come from recent coding practices.
From the code I analyzed it can be deduced that the developers had a background in coding Minecraft and borrowed from that experience.
They also could have studied the so-called BundesPolizei trojan intensively, as we find identical code snippets.
Those interested in my evaluation should look at the attached file...

polonus

DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69198
  • Gender: Male
  • No support PMs thanks
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #68 on: November 02, 2012, 01:45:10 PM »
I have to admit I'm always very wary of products like this that purport to effectively end all exploits.

It's easy to be wise after the fact, too; I have been following this with interest, but I didn't download or install it.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Asyn

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 24887
    • >>>  avast! Forum - Deutschsprachiger Bereich  <<<
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #69 on: November 02, 2012, 07:44:56 PM »
Quote from: polonus
Those interested in my evaluation should look at the attached file...

polonus

Thanks pol. :)
XP SP3 - avast! 9.0.2017 - CIS 3.14 [FW/D+] - MBAM 1.75 [On Demand] - Firefox ESR 24.4 [NS/ABP/EHH/BP] - Thunderbird 24.4 [EM/CH]
Deutschsprachiger Bereich -> avast! Wissenswertes (Downloads, Anleitungen und Infos): http://forum.avast.com/index.php?topic=60523.0

polonus
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #70 on: November 02, 2012, 09:02:26 PM »
Hi DavidR,

This convinced me at least to keep it on for the duration of the beta testing period and to be able to analyze it thoroughly: http://www.backgroundtask.eu/Systeemtaken/Taakinfo/166992/ExploitShield.exe/B220FA4722A44827BD4FFBB6756AC074/

I also have to discuss this analysis: http://www.threatexpert.com/report.aspx?md5=3b60d306de299716f17eeb748b5c9886
The tool has CRYPTO/RSA files. These files contain data for the MS Crypto Service Provider, mostly public/private key information.
The part of the path after RSA is the user SID the keys were generated for. Only that user (or an Admin) has access to the files.
This has recently been moved out of the registry to the file system: private key data presented as a crypto blob, etc.
LEGACY_PROTECTORDRIVER (the Plug and Play ID for this device is ROOT\LEGACY_PROTECTORDRIVER\0000) has not been made available due to issues.

A mutex hack like mchMixCache$1001eed8$114: such mutexes are used to mark the presence thereof in the program,
and some of the mutexes the tool shares with trojanfakealert mutexes (compare with http://www.threatexpert.com/report.aspx?md5=e756229b82ac683d1e9e5bc05b217910 and the mutexes given there).

polonus

schmidthouse
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #71 on: November 02, 2012, 09:10:49 PM »
Quote from: bob3160
Thanks for the PM Polonus.
I'm not sure yet what to think about these analyses, but I am interested in testing the next beta version before I conclude anything. ;) :)
I'd appreciate a link to the download of the next beta when it's released. :)

Absolutely Bob. I know as Polonus has mentioned he also is continuing to use this software as I am and will certainly provide the relevant link when it appears (or someone else who has been testing it may also post it).  ;) :)

schmidthouse
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #72 on: November 02, 2012, 09:15:13 PM »
@ Polonus
Do you have any direction for the safe/effective uninstalling of ES for when one wishes to do so, given some problems mentioned earlier in this thread?
Thank you 8)

polonus
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #73 on: November 02, 2012, 10:02:17 PM »
Hi schmidthouse,

I would stop the process in Task Manager and then uninstall it via the Windows Control Panel entry for removing programs.
In my opinion that seems the best option. Then you could run FreeFixer to see whether there are remnants left.
Download freefixer from here: http://www.freefixer.com/static/freefixersetup.exe

polonus

schmidthouse
Re: Can ExploitShield browser version be used next to avast resident av?
« Reply #74 on: November 02, 2012, 10:12:21 PM »
Thanks Polonus.  :)

 
