DefenseWall HIPS Defeats MS .WMF Exploit


3 replies to this topic

#1 Ilya Rabinovich

    - DefenseWall -

  • SoftSphere Technologies
  • 4,954 posts

Posted 22 January 2006 - 11:27 AM

When I heard about the .wmf 0-day Internet Explorer exploit, I decided to test the DefenseWall Host-based Intrusion Prevention System under real conditions, with a real malware threat.

Using WinXP SP2 and DefenseWall HIPS, I typed the URL of the .wmf exploit file into my Internet Explorer address bar (IE was running as untrusted) and pressed "Enter". The exploit began: I saw the "Windows Picture and Fax Viewer" window and the DefenseWall icon turned red. Many malware modules were running, and some of them generated errors during their work because of the DefenseWall restrictions. Next I opened the "Trusted and Untrusted Processes Details" window and saw untrusted processes which I did not recognize. I closed all of them with the "big red button" and restarted my computer. After the reboot I found none of the malware processes running on my computer, so I started to search my hard disk for the new malware files. This is the list of malware modules:
C:\winstall.exe
C:\secure32.html
C:\boot.inx
F:\windows\soft.exe
F:\WINDOWS\system32\z12.exe
F:\WINDOWS\system32\paytime.exe
F:\WINDOWS\system32\z11.exe
F:\WINDOWS\system32\z13.exe
F:\WINDOWS\system32\z14.exe
F:\WINDOWS\system32\z15.exe
F:\WINDOWS\system32\z16.exe
F:\WINDOWS\system32\exeha2.exe
F:\WINDOWS\system32\exeha3.exe
F:\WINDOWS\system32\efsdfgxg.exe
F:\WINDOWS\system32\cmd32.exe
F:\WINDOWS\system32\paradise.raw.exe
F:\WINDOWS\system32\dial32.exe
F:\WINDOWS\system32\sywsvcs.exe
F:\WINDOWS\inet20099\services.exe
F:\WINDOWS\inet20099\winlogon.exe
F:\Documents and Settings\Ilya\Local Settings\Temp\a.exe

Naturally, all of them have been erased from my hard disk. According to the log, the malware modules tried to change my wallpaper, IE start and search pages, default URLs, WinXP Firewall settings and BHOs, make themselves autostart, and so on, which is typical of malware. All of these attempts failed. The only thing the exploit was able to do was to put nonsense onto my Desktop, which I simply deleted.

The 'In-The-Wild' intrusion test passed - 100%!


#2 redwolfe_98

    New Member

  • Member
  • 6 posts

Posted 28 January 2006 - 07:04 AM

what program did you use to find the malware files on your harddrive?

#3 Ilya Rabinovich

    - DefenseWall -

  • SoftSphere Technologies
  • 4,954 posts

Posted 28 January 2006 - 08:48 AM

I was finding the new modules by their creation time. Later, I'll add a tool to make it easier. Also, you can use an AV scan engine to do it.
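The creation-time search described in post #3, written out as an added example (my code, not DefenseWall's tool and not something the poster shared). It walks a tree, keeps every file whose creation timestamp is at or after a cutoff, and flags executables sitting in the same kind of locations as the hit list in post #1 (drive root, WINDOWS, system32, a user's Temp). The drop-directory list, the extension list and the constructed sample tree are assumptions for illustration; the sample file names are placeholders copied from the post, not real malware.

```python
"""Triage sweep: list files created after a cutoff, flagging typical drop dirs.

Added example for this thread; it is not DefenseWall's code or the poster's
tool. It mimics the "search by creation time" step from post #3. Directory
names, suffix list and sample files are assumptions for illustration.
"""
import os
import sys
import tempfile
import time
from pathlib import Path

# Assumed drop locations, matching where post #1's list landed: drive root,
# %WINDIR%, %WINDIR%\system32 and per-user Temp (relative, lower-case posix).
DROP_DIRS = ("", "windows", "windows/system32")
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif"}

# Constructed sample tree for a self-contained run; names taken from post #1.
SAMPLE_FILES = (
    "winstall.exe",
    "WINDOWS/system32/z12.exe",
    "Documents and Settings/Ilya/Local Settings/Temp/a.exe",
    "Program Files/Notepad/readme.txt",
)


def created_at(path: Path) -> float:
    """Best-effort creation time in epoch seconds.

    Windows and macOS stat() expose a birth time; Linux only gives ctime
    (last inode change), which is at least as late as creation, so on Linux
    this can over-report but never miss a genuinely new file.
    """
    st = path.stat()
    return getattr(st, "st_birthtime", st.st_ctime)


def is_drop_location(path, root) -> bool:
    """True for an executable sitting in one of the assumed drop directories."""
    path, root = Path(path), Path(root)
    if path.suffix.lower() not in EXEC_SUFFIXES:
        return False
    rel = path.parent.relative_to(root).as_posix().lower()
    rel = "" if rel == "." else rel
    return rel in DROP_DIRS or rel.endswith("/temp")


def find_new_files(root, since, timestamp=created_at):
    """Return [(path, created_epoch)] for files under root created at/after `since`.

    `timestamp` is injectable so the sweep can be tested with a fake clock.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                ts = timestamp(p)
            except OSError:
                continue  # file vanished or is unreadable; skip, don't abort
            if ts >= since:
                hits.append((p, ts))
    hits.sort(key=lambda hit: hit[1])
    return hits


def build_sample_tree():
    """Create a throwaway tree with SAMPLE_FILES (constructed, not real malware).

    Returns (root, fake_timestamp); the fake clock reports readme.txt as
    created at T=100 and everything else at T=200.
    """
    root = Path(tempfile.mkdtemp(prefix="wmf-sweep-"))
    for rel in SAMPLE_FILES:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder")

    def fake_timestamp(p):
        return 100.0 if p.name == "readme.txt" else 200.0

    return root, fake_timestamp


def report(root, since, timestamp=created_at):
    """Print hits, drop-location hits first; returns the number of flagged files."""
    hits = find_new_files(root, since, timestamp)
    flagged = [h for h in hits if is_drop_location(h[0], root)]
    for p, ts in flagged + [h for h in hits if h not in flagged]:
        tag = "!! " if is_drop_location(p, root) else "   "
        print(f"{tag}{time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(ts))}  {p}")
    return len(flagged)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # real sweep: sweep.py <root> "<YYYY-mm-dd HH:MM>"
        cutoff = time.mktime(time.strptime(sys.argv[2], "%Y-%m-%d %H:%M"))
        report(sys.argv[1], cutoff)
    else:                   # demo on the constructed tree
        demo_root, clock = build_sample_tree()
        report(demo_root, since=150.0, timestamp=clock)
```

Run it with no arguments to see the demo on the constructed tree, or with a root and a cutoff (the time you opened the exploit URL) for a real sweep. The flag is only a ranking hint: a dropper can write anywhere, and on Linux the ctime fallback means timestamps can be later than the true creation time, so the cutoff should err on the early side.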

#4 Heco

    Active Member

  • Active Members
  • 50 posts

Posted 28 January 2006 - 04:58 PM

QUOTE (Ilya Rabinovich @ Jan 28 2006, 09:48 AM)
I was finding the new modules by their creation time. Later, I'll add a tool to make it easier. Also, you can use an AV scan engine to do it.

Very good idea Ilya! :cake:

