02-08-2010, 14:18   #2713
nV 25
OK, in a spare moment I had the chance to try out 2 rogues and 1 sample of the infamous TDL3 rootkit family.

One of the rogues, incidentally, is the one that "breaks through" CIS 4, see link:
RST Antivirus 2010

DefenseWall, of course, when the rogue is run "untrusted", contains any interference from it...



Code:
08.02.2010  14:38:37, module C:\Windows\System32\msiexec.exe, Attempt to post message 44B into the window of the process C:\Windows\explorer.exe. (Shatter)
08.02.2010  14:38:01, module C:\Windows\System32\msiexec.exe, Attempt to open handle in process C:\Windows\System32\msiexec.exe, source=, handle name=(null) (Process)
08.02.2010  14:37:58, module C:\Windows\System32\msiexec.exe, Attempt to set value C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\RST Antivirus 2010\ within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\ (Registry)
08.02.2010  14:37:58, module C:\Windows\System32\msiexec.exe, Attempt to set value C:\Users\test\AppData\Roaming\Microsoft\Installer\{0933F968-51E5-4780-B485-CE2DCE47E8F6}\ within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\ (Registry)
08.02.2010  14:37:58, module C:\Windows\System32\msiexec.exe, Attempt to set value C:\Users\test\AppData\Roaming\Microsoft\Installer\ within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\ (Registry)
08.02.2010  14:37:57, module C:\Windows\System32\msiexec.exe, Attempt to set value C:\Users\test\AppData\Roaming\RST Antivirus 2010\ within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\ (Registry)
08.02.2010  14:37:57, module C:\Windows\System32\msiexec.exe, Attempt to set value C:\Users\test\AppData\Roaming\RST Antivirus 2010\db\ within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\ (Registry)
08.02.2010  14:37:57, module C:\Windows\System32\msiexec.exe, Attempt to set value C:\Program Files\RST Antivirus 2010\ within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\ (Registry)
08.02.2010  14:37:56, module C:\Windows\System32\msiexec.exe, Attempt to set value C:\Config.Msi\ within the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\ (Registry)
08.02.2010  14:37:34, module C:\Windows\System32\msiexec.exe, Attempt to post message 44B into the window of the process C:\Windows\explorer.exe. (Shatter)


Manual intervention in the rollback tab also lets you get the better of everything, restoring the system to the state it was in before the rogue itself was run...

The reasoning is identical for the 2nd rogue and for the rootkit,
Security Tool...




Code:
08.02.2010  14:08:49, module C:\Users\test\AppData\Local\0931435743.exe, Attempt to open process C:\Windows\System32\dllhost.exe (Process)
08.02.2010  14:08:48, module C:\Users\test\AppData\Local\0931435743.exe, Attempt to open process C:\Windows\System32\SearchProtocolHost.exe (Process)
08.02.2010  14:08:48, module C:\Users\test\AppData\Local\0931435743.exe, Attempt to open process C:\Windows\System32\SearchFilterHost.exe (Process)
08.02.2010  14:08:31, module C:\Users\test\AppData\Local\0931435743.exe, Attempt to open process C:\Windows\System32\dllhost.exe (Process)
08.02.2010  14:05:44, module C:\Users\test\AppData\Local\0931435743.exe, Internet connections are blocked (Network)
08.02.2010  14:05:43, module C:\Users\test\AppData\Local\0931435743.exe, Attempt to set value ProxyEnable within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ (Registry)
08.02.2010  14:05:41, module C:\Users\test\AppData\Local\0931435743.exe, 8:Attempt to open protected file C:\Users\test\AppData\Roaming\Microsoft\Windows\Cookies\ (Resource isolation)
08.02.2010  14:05:29, module C:\Users\test\AppData\Local\0931435743.exe, Attempt to open handle in process C:\Users\test\AppData\Local\0931435743.exe, source=, handle name=(null) (Process)
08.02.2010  14:05:26, module C:\Users\test\AppData\Local\0931435743.exe, Attempt to set value 0931435743 within the key HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ (Registry)
08.02.2010  14:05:25, module C:\Windows\System32\cmd.exe, 2:Close handle TOCTTOU (TOCTTOU)
08.02.2010  14:05:24, module C:\Users\test\Desktop\Security Tool\pzeclawski_gsdhrthigw.exe, Attempt to set value pzeclawski_gsdhrthigw within the key HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ (Registry)
08.02.2010  14:05:22, module C:\Users\test\Desktop\Security Tool\pzeclawski_gsdhrthigw.exe, Attempt to set value pzeclawski_gsdhrthigw within the key HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ (Registry)



...and TDL3


Code:
08.02.2010  14:12:11, module C:\Users\test\Desktop\setup\setup.exe, Attempt to add new printer provider (Spooler)
08.02.2010  14:12:10, module C:\Users\test\Desktop\setup\setup.exe, Attempt to create new file C:\Windows\Tasks\MSWD-f6ab9a8a.job (File )
08.02.2010  14:12:09, module C:\Users\test\Desktop\setup\setup.exe, Attempt to create new file C:\Windows\Tasks\MSWD-f6ab9a8a.job (File )
08.02.2010  14:12:09, module C:\Users\test\Desktop\setup\setup.exe, Attempt to create new file C:\Windows\Tasks\MSWD-f6ab9a8a.job (File )
08.02.2010  14:12:08, module C:\Users\test\Desktop\setup\setup.exe, 1:Attempt to open system service (Service)

or, looking at the log in graphical form,


Regarding the TDL3 examined above, it is interesting to note that, unlike the sample tried in this link, it partially changes its "implantation technique":
the "Attempt to add new printer processor" "disappears", replaced this time by an "Attempt to add new printer provider"...
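As an added example (not part of the post above and not DefenseWall's own code): a small Python triage script that parses lines in the DefenseWall log format shown in the post and tags the behaviours the three logs exhibit (RunOnce autostart, .job task-file drops, spooler provider/processor loading, window-message posting into another process, proxy changes). The rule table and tag names are my own assumptions; the sample lines are copied from the logs above.

```python
import re
from pathlib import PureWindowsPath

# One DefenseWall line, as in the post: "dd.mm.yyyy  HH:MM:SS, module <path>, [n:]<action> (<category>)"
LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2}),\s*module (?P<module>[^,]+),"
    r"\s*(?:\d+:)?(?P<action>.+?)\s*\((?P<category>[^)]*)\)\s*$"
)

# Assumed defender-side tags for behaviours visible in the logs: (category, action substring, tag).
RULES = [
    ("Registry", "\\RunOnce\\", "persistence: RunOnce autostart"),
    ("Registry", "ProxyEnable", "traffic interception: proxy setting change"),
    ("File", "\\Windows\\Tasks\\", "persistence: scheduled-task .job drop"),
    ("Spooler", "printer pro", "persistence: spooler provider/processor load"),
    ("Shatter", "post message", "injection: window message into another process"),
]

def parse_line(line):
    """Split one log line into date/time/module/action/category; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["category"] = rec["category"].strip()  # "(File )" carries a trailing space in the log
    return rec

def classify(rec):
    """Return the first matching behaviour tag, or None for uninteresting events."""
    for category, needle, tag in RULES:
        if rec["category"] == category and needle in rec["action"]:
            return tag
    return None

def triage(lines):
    """Return (time, module basename, tag) for every line that hits a rule, in log order."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        tag = classify(rec)
        if tag:
            hits.append((rec["time"], PureWindowsPath(rec["module"]).name, tag))
    return hits

# Sample lines copied from the logs in the post (a constructed subset, not a full capture).
SAMPLE_LOG = [
    r"08.02.2010  14:05:26, module C:\Users\test\AppData\Local\0931435743.exe, Attempt to set value 0931435743 within the key HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ (Registry)",
    r"08.02.2010  14:12:10, module C:\Users\test\Desktop\setup\setup.exe, Attempt to create new file C:\Windows\Tasks\MSWD-f6ab9a8a.job (File )",
    r"08.02.2010  14:12:11, module C:\Users\test\Desktop\setup\setup.exe, Attempt to add new printer provider (Spooler)",
    r"08.02.2010  14:38:37, module C:\Windows\System32\msiexec.exe, Attempt to post message 44B into the window of the process C:\Windows\explorer.exe. (Shatter)",
    r"08.02.2010  14:05:41, module C:\Users\test\AppData\Local\0931435743.exe, 8:Attempt to open protected file C:\Users\test\AppData\Roaming\Microsoft\Windows\Cookies\ (Resource isolation)",
]
```

Running `triage(SAMPLE_LOG)` yields four tagged events; the "Resource isolation" line parses (its numeric "8:" prefix is stripped) but matches no rule and is left out.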