原帖地址:http://www.eqsecure.com/bbs/read.php?tid=4448&page=e&#a
这帖稍微介绍一下这个 prueba trojan demo,因为这个测试是很有意义的,它不是一般的木马,代表了一种为很多 HIPS /Firewall 开发人员所未见过新的技术。我前些时候,已经上报 Comodo,让他们关注解决 prueba 类型的注入提升权限攻击。
先跑个题,楼上有朋友想拿这个做 EQ 的文章,真的不必。
1. prueba 已经发布有段时间了,号称能 100% 拦截的就有 DefenseWall V2 RC2/RC3,不是什么新闻。国外,已经讨论许久咯。
2. 个人觉得EQ 社区很活跃,修正bug或漏洞也很快,比如这个hotfix,这些都很优秀,会员的测试、教程、规则做的都很棒,但是,在宣传上似乎有些偏差,我个人也看到 EQ社区,有很少的人有一点点过于浮躁了,实际上,这种热情可以放到更有利于EQ发展和传播的事情上,而不要让很多喜欢或不了解EQ的人产生反感和逆反心理。
为什么要和AV 产品对立呢? 对于高手的您或许可以不要杀软,但是对于一般用户 (以杀软为主,甚至就认识国内三家,国外卡巴、诺顿),有必要这样宣传吗?难道,不可以告诉他们,HIPS 是他们的AV 软件的最好搭档,可以防御很多AV 漏掉的病毒,是整个防御体系不可缺少的一部分,这比让他们抛弃杀软更容易接受吧。
对于,以 HIPS 为主,杀软为辅的高级用户,让他们转投EQ是很有难度的,人都是有感情的,比如像我的话,对于用了一年多的 Comodo 是不可能轻易放弃的。一个很主观的EQ和其他HIPS的对比,最后争论下来导致不欢而散,致使一批对EQ有好感、准备使用的人,做出相反的选择,得不偿失啊。
pruebla 的前世今生
prueba 据我所知,来源于 Defense Wall 的官方论坛
http://gladiator-antivirus.com/forum/index.php?showtopic=56725
看到了,是6月18号,liam 说他的朋友写了一个测试防火墙的“安全”木马,发布了 一个下载地址 : http://www.zshare.net/download/prueba-exe.html
透露了一些测试细节是:复制自身到 C:\Program Files\config,并且会有一个隐藏的联网行为。测试的结果是DW V2 RC1 漏了,Rollback无效。他传了三张图:
注:只要 有 Comodo Firewall 的地方,我都会留意一下,恰好,这三张图里安装的是 Comodo V3 Alpha1.
DW的开发者 Ilya 先前并不知道这种方法可以过DW,在27号的时候找到了应对的办法,做了下面的解释:
QUOTE:
OK, the bypass algorithm is absolutely clear now. It is very interesting, I didn't know about this escalation method. Defense against it will be published within DefenseWall HIPS v2.0 RC2 coming really soon.
在往后 prueba 被转到了 SandboxIE 的官方论坛,6月28号:
http://sandboxie.com/phpbb/viewtopic.php?t=1655&postdays=0&postorder=asc&start=0
这里就很奇怪,有两个用户说SandboxIE 被过了,有一个用户说没过。SandboxIE 的开发人员 tzuk 测试是没有漏,不过我估计他也很晕。
后来,很好玩,DW 的 Ilya 跑到 同行和竞争对手 (SandBoxIE) 的论坛了 OOXX ORZ,Ilya 比较搞笑了,他“提示”说一个叫 Onedir(一个目录) 的家伙拼错了他的名字 (Illya),实际上那个家伙的名字叫 Oneder,这叫 以彼之道,还之彼身。Ilya 和 tzuk 互相恶搞了一下,然后 tzuk继续发呆中。。。
QUOTE:
And until anyone can tell me how to get it to work, there is absolutely nothing I can do about it, and all the eyes-rolling (by some people) in the world can't change that.
最后 prueba 辗转到了 Wilders,是7月1号
http://www.wilderssecurity.com/showthread.php?t=179003
这里讨论了一下 SSM、EQ、SandboxIE、DefenseWall、PS等等是通过了、被过了,还是被部分过了。我不大关心这个。
比较有感觉的是 LinkScanner 的表现,看样子,即使突破 HIPS 和 防火墙,LinkScanner也会拦截 prueba的对外连接,确实是防 0day的极品啊。
Ilya 的回帖:
QUOTE:
Yes, this piece of code is using very interesting technique I didn't know. DefenseWall is already hardened against it. Will be published with v2.0 RC2 build.
It is using interesting provileges escalation technique.
DefenseWall v2.0 RC2 (last one before release) is out. 100% defense against prueba-based injection technique.
最棒的当然是 herbalist 的回复,像他这种使用 SSM的方式,才是一个 SSM 支持者,或者说用户该有的态度。这种有技术、有分量的回复,不经意间,就吸引很多人,愿意去尝试 SSM,效果远远胜过某些口水帖子。随便 帖一段:
QUOTE:
While SSM doesn't detect this demo's method of using explorer.exe, a properly designed layered package still defeats it. The fact that the user allows this demo to run has to figure into this test. The HIPS did their initial job, intercepting an unknown process. By your choosing to allow it, you changed the role of the HIPS from blocking malicious processes to one of damage control. From this point forward, your ruleset, system configuration, and the rest of your security package come into play.
This demo shows the weakness in rulesets that allow explorer.exe to parent any process, which ends up including the trojans executable and the browser. Take the time to specify the child processes and get rid of that "allow any" setting for all processes. This is an example of how a well designed security package can defend a system by preventing collateral damage, even when an initial exploit succeeds. Any security app can and will be defeated. It's how well your package does as a whole that matters.
In this instance, the demo's author made some basic mistakes, probably because it is a demo. Even with the real thing, if the writer doesn't think the process all the way thru, he can make similar basic mistakes and often does. It's often such mistakes that lead to the discovery of his trojan and his new method.
1, He assumed the browser has a direct connection out. In my case, I connected thru Proxomitron. Caught by the firewall.
2, He assumed that the browser is an allowed child process of explorer.exe. Usually it is, but not always. I use batch files to lauch the browsers, Proxomitron, and other items I won't name here all at once. Break that direct connection between common system executables like explorer and the web applications like your browser and mail handler.
nicM :It is the most important, because, how to say, these HIPS do not work "as good" after the test than they did before.
大概是指如果不能拦截调试内核的话,比如 SSM的防御能力比 prueba 运行之前会下降。
aigle : KAV 的主动防御拦住了。
最近,prueba 出现在中国的一些论坛,比如 EQ、kafan、晟地。。。,导致了EQ的一次很有意义的升级 (直接操作系统内核)。
http://www.eqsecure.com/bbs/read.php?tid=4448
QUOTE:
流氓兔:
原来这个病毒要xp才会有直接操作系统内核的动作.
以前的版本有个bug,新版本已经把直接操作系统内核这个动作单独出来.
可以正常拦截.这个病毒会过很多hips软件.呵
http://www.eqsecure.com/download/V3.4.rar
http://www.kpfans.com/bbs/viewthread.php?tid=104373&extra=page%3D1
http://bbs.pcvista.cn/read.php?tid=11671&fpage=0&toread=&page=2
QUOTE:
hwwgo : 我只想说prueba那个毒,只有pros能真正拦截到(eq,sns挂),无驱动恢复ssdt,够很的... |
发表于 2007-7-6 11:04:42
发表于 2007-7-6 11:18:07
