Comodo 5.8 VS Black Day Trojan

Status
Not open for further replies.

Hungry Man

New Member
Thread author
Jul 21, 2011
669
I tested Comodo 5.8's HIPS sandbox against the Black-Day trojan. THIS IS PURELY A TEST OF THE SANDBOX. All other features have been disabled; when testing against default settings, the results will go much much much more in favor of Comodo.

This is also a test of the automatic sandbox. The manual sandbox will give better results.

Black-Day bypassed the sandbox, even with Untrusted settings.

Screenies below of the infection.


As you can see, the Black-Day Trojan, when sandboxed as Restricted, was able to infect those files. I ran it as Untrusted in a new clean VM and the results were the same.

It's very VERY important to note that the Defense+ settings are all turned off except for the sandboxing. The behavioral analysis and cloud scanner both revealed it to be a malicious file.
 

Hungry Man

New Member
Thread author
Jul 21, 2011
669
Virtualbox, yes. I don't think it changes anything as this is what happened last time it was tested with black-day.

Automatic.
 

HeffeD

Level 1
Feb 28, 2011
1,690
Since it is known that VirtualBox doesn't allow CIS to function properly, any tests done in this virtual environment are suspect.

If you really want to test it, download VMWare player (It's free...) and try it again. If you still feel there is an issue, please post your results on the Comodo forum with all the specific details. (Configuration, operating environment, etc...) Screenshots aren't enough information to make any sort of definitive assessment.

And out of curiosity, what was the result after a reboot? I would also be curious what the results of running it in the manual sandbox are.
 

Hungry Man

New Member
Thread author
Jul 21, 2011
669
Manual sandbox isn't what I was testing. It's not practical to set every program to run in the manual sandbox.

I can try it in VMWare but I doubt it'll be any different.

Black-Day has been reported to Comodo.

I can't imagine there would be any difference after a reboot, can you? An infection is an infection. Black-Day took hold of my files, rebooting really would not have made any difference.

I also had a screenshot of my system's information. I neglected to post it here, as I was copying/pasting from Wilders.
http://www.wilderssecurity.com/attachment.php?attachmentid=228411&stc=1&d=1312499198
 

HeffeD

Level 1
Feb 28, 2011
1,690
Hungry Man said:
Manual sandbox isn't what I was testing. It's not practical to set every program to run in the manual sandbox.

Like I said, just curious...

Hungry Man said:
I can't imagine there would be any difference after a reboot, can you? An infection is an infection. Black-Day took hold of my files, rebooting really would not have made any difference.

I have no idea what difference it would make, that's why I asked if you had rebooted. That's the thing with the automatic sandbox, yes, processes are allowed to run in memory. However, on reboot, they are gone. It's difficult to tell from your screenshots what is possibly running in memory, and what is not.
 

Hungry Man

New Member
Thread author
Jul 21, 2011
669
With Black-Day it doesn't matter if you kill the process. I killed it myself. The files still remain patched. That's the issue.

I'll rerun the test though, I'm no expert on it. I'll use VMWare this time but it'll have to wait until Monday as I won't have access to Windows.
 

Hungry Man

New Member
Thread author
Jul 21, 2011
669
Same test done with VMPlayer. Same results. Autosandboxing as Restricted and Untrusted leads to an infected system in which all .txt/zip/whatevers become blackday.exe's.

Upon restart they are still infected.
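The check this kind of test comes down to is whether the canary files are still byte-for-byte what they were before the sample ran, and whether any non-executable now carries a PE header (the .txt/.zip-turned-.exe pattern described above). The following baseline-and-compare script is an added example, not from the thread or from Comodo; the file names and the simulated tampering are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed canary set a tester would lay down before running a sample in a sandbox.
SAMPLE_FILES = {
    "test.txt": b"canary text file\n",
    "notes.zip": b"PK\x03\x04" + b"\x00" * 26,
}

PE_MAGIC = b"MZ"  # DOS/PE header signature

def snapshot(root):
    """Map relative path -> SHA-256 of contents for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def compare(before, after, root):
    """Classify differences between two snapshots of the same directory."""
    root = Path(root)
    report = {"modified": [], "added": [], "removed": [], "now_pe": []}
    for rel, digest in after.items():
        if rel not in before:
            report["added"].append(rel)
        elif before[rel] != digest:
            report["modified"].append(rel)
        else:
            continue
        # A changed file with a non-executable extension that now starts with a
        # PE header is the "files became blackday.exe's" symptom from the thread.
        with open(root / rel, "rb") as fh:
            if fh.read(2) == PE_MAGIC and not rel.lower().endswith((".exe", ".dll")):
                report["now_pe"].append(rel)
    report["removed"] = [rel for rel in before if rel not in after]
    return report

def demo():
    """Write canaries, snapshot, simulate tampering of one file, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLE_FILES.items():
            Path(tmp, name).write_bytes(data)
        before = snapshot(tmp)
        # Constructed tampering: test.txt overwritten with PE-like bytes.
        Path(tmp, "test.txt").write_bytes(PE_MAGIC + b"\x90" * 62)
        return compare(before, snapshot(tmp), tmp)

if __name__ == "__main__":
    print(demo())
```

Run the snapshot before and after the sample executes (and again after a reboot, as HeffeD asks about) to separate in-memory activity from persistent on-disk changes.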
 

HeffeD

Level 1
Feb 28, 2011
1,690
Thanks for testing that. :)

I guess we'll just have to wait and see what full virtualization of the auto-sandbox brings us.

You mention that this has already been reported. I must have missed that post. If that is the case though, I strongly suspect the issue still exists due to the fact that the auto-sandbox was never intended to be run as a standalone product as you have tested. It's likely not a bypass in the developers' eyes because it would in fact be caught by D+.
 

Hungry Man

New Member
Thread author
Jul 21, 2011
669
HeffeD said:
auto-sandbox was never intended to be run as a standalone product as you have tested.
Absolutely.

I've run the black-day on my own machine and it was blocked by the behavioral heuristics and the blacklist.

I just don't like relying on heuristics and a blacklist.
 

HeffeD

Level 1
Feb 28, 2011
1,690
Hungry Man said:
I just don't like relying on heuristics and a blacklist.

That's why you have D+. ;)

But I agree, in a perfect world, you should only need one layer of protection. However, the world isn't perfect and no application can guarantee 100% success, so a layered product is your best bet.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
How do other software(s) perform against the Black Day Trojan?
 

Hungry Man

New Member
Thread author
Jul 21, 2011
669
http://www.wilderssecurity.com/showthread.php?t=298118

That's how it used to be.
 

Hungry Man

New Member
Thread author
Jul 21, 2011
669
You'll be happy to know that I've just manually sandboxed black-day as Untrusted and it is no longer able to function. My test.txt remains untouched.

edit: And yes, this is PURELY A TEST OF THE SANDBOX. I'll add this to the first post right at the top. Default settings of Comodo WILL block this. I have severely SEVERELY crippled it.

EDIT2: It seems that manually sandboxing (with full virtualization) breaks it at every level... including partially limited. Thanks for the idea Heffe. Clearly this is the more secure method of sandboxing and we'll be seeing a huge improvement in V6 when automatic sandboxing is virtualized fully.
 