App Review Comodo Firewall and the E-File Data Stealer

[cruelsister]

Content source

https://youtu.be/hrzVL-jOQpQ

Note that the website was subsequently un-hacked and the malicious C&C servers (initially in Tokyo, then in Singapore) were taken down.

 

[RmG152]

The problem is that it depends on the user's decision, which reduces the real effectiveness.

 

[franz]

I love your videos, but could you show us where Comodo firewall stands in relation to e.g. Norton 360 deluxe when it comes to E-File Data Stealer? This will give a broader picture of how good CF really is.

By comparing CF with Norton/f-secure or other good programs, perhaps more people will realize that CF is what you say it is. I don't have your knowledge and skills to do this myself, (but I wish I did ) and I expect there are more like me in here

 

[cruelsister]

Norton 360 deluxe when it comes to E-File Data Stealer? This will give a broader picture of how good CF really is

The malware was totally undetected by any vendor for the first week, then Crowdstrike picked it up. From there, as publicity about it hit the wires, everyone and their cat started to detect the malware.

Unlike other data stealers where one would be suspicious of it with just an Outbound alerting firewall in place, this one had a valid digital signature so in many cases those that received the firewall alert may have just blown it off as a false positive.

The combination of the Comodo Containment with the additional FW prompt provided protection others did not.

 

[cartaphilus]

The problem is that it depends on the user's decision, which reduces the real effectiveness.

Yeap my parents would keep chosing yes in order to make it work. Without knowing that making it work causes an infection

 

[russ0408]

I love Cruel Sister and her videos, I follow her on YouTube, but it's easy when you know what you are blocking is malware. The average user would see the warning and just click yes. The scammers make the websites so legit now, that the average person would think that Comodo is just blowing smoke and click yes to continue and get infected.

 

[cruelsister]

Thank you! An you make an excellent point. But note that when the malware was initially run the Default action was to contain it. Not doing so is essentially equivalent to disregarding the typical AV alert.

Also, for those that you feel will disregard alerts (know-it-all IT folk, oblivious Grandpa's and nasty disgusting children), a simple setting will allow one to suppress alerts, so all unknown would be Contained and any Outbound transmission from it blocked. Therefore in this case Ignorance really can be Bliss.

 

[ErzCrz]

Great video as always! @cruelsister

Adding question to a new thread

 

[ebocious]

Thank you! An you make an excellent point. But note that when the malware was initially run the Default action was to contain it. Not doing so is essentially equivalent to disregarding the typical AV alert.

Also, for those that you feel will disregard alerts (know-it-all IT folk, oblivious Grandpa's and nasty disgusting children), a simple setting will allow one to suppress alerts, so all unknown would be Contained and any Outbound transmission from it blocked. Therefore in this case Ignorance really can be Bliss.

That’s awesome. I personally keep CF on silent mode, with WV being just a hair more talkative. I also have AppCheck Free for the vault feature, in case anything ever manages to break through all defenses.

Edit: I’ve been away awhile, and see that WV is no longer maintained. I see the suggestion to use Kaspersky, though I’m wondering what other options there are. I’m currently using CIS with CS settings (and silent mode), and AppCheck Free in case of a breakthrough ransomware infection. Don’t need another dumb AV engine, trying to think what else there is in terms of AI-type sentinel apps that are lightweight.

 

[franz]

ChatGPTs answer to keep your computer clean:

Yes, it is possible to take steps to prevent your computer from being infected by malware. Here are some tips:

• Keep security software updated: Make sure you have up-to-date antivirus software and a firewall installed on your computer, and be sure to keep them updated with the latest definitions and security updates.
• Avoid downloading suspicious files: Avoid downloading files or software from suspicious or unknown sources. If you download software, be sure to download it from a trusted source.
• Be careful with email attachments: Do not open email attachments from unknown senders or that look suspicious. If you receive an attachment from a known sender, be sure to verify that the attachment is legitimate before opening it.
• Be careful with links: Do not click on links from suspicious emails or websites. Be sure to verify that the link is legitimate before clicking on it.
• Keep your operating system and other software up to date: Be sure to keep your operating system and other software up to date with the latest security updates.
• Use a backup solution: Regularly back up important data and store it on another device or in the cloud so you can recover the data if your computer becomes infected.
• Use multiple security technologies: Use multiple security technologies such as antivirus software, firewalls, and security software to provide multiple layers of protection against threats.
• Be aware of your computer's behavior: Keep an eye on your computer's behavior and be sure to investigate any unusual activities or messages. If you suspect your computer is infected, run a scan with your antivirus software and take necessary steps to remove the threat.

 

[oldschool]

@cruelsister - my dear cruel one, I'm curious how Hard_Configurator or VS would compare to CF against this. I suppose H_C wouldn't protect the initial browser popper, and VS wouldn't hinder the download but block the final payload.

 

[cruelsister]

@cruelsister - my dear cruel one, I'm curious how Hard_Configurator or VS would compare to CF against this. I suppose H_C wouldn't protect the initial browser popper, and VS wouldn't hinder the download but block the final payload.

Sadly those tools would have been inadequate as this was a truly zero-day file and had a legitimate certificate as well (the latter is what could really cause detection issues for some).

This particular attack is troubling as it mimics in many ways how Nation State malicious attacks are created. Those responsible had to code the malware, acquire a certificate, code the popper, setup a Server, and somehow gain Admin control of the website to insert the popper. These things are not done either cheaply or without great organization.

Any person (or cat) can code a stealer, but not many can do this.

 

[danb]

Sadly those tools would have been inadequate as this was a truly zero-day file and had a legitimate certificate as well (the latter is what could really cause detection issues for some).

This particular attack is troubling as it mimics in many ways how Nation State malicious attacks are created. Those responsible had to code the malware, acquire a certificate, code the popper, setup a Server, and somehow gain Admin control of the website to insert the popper. These things are not done either cheaply or without great organization.

Any person (or cat) can code a stealer, but not many can do this.

Hey CS! VS should have absolutely no problem blocking this file, whether it is ON or OFF (like in Smart Mode). I could not find the sample or the signer in the database, so it looks like it has not been tested against VS. If you get a chance, please test the file with VS. VS will block the file, although I would be curious what the WhitelistCloud and VoodooAi results are (just out of pure curiosity... it is still going to be blocked). Please remember, VS does not auto allow on signature alone, whether it is verified or not. If VS does not block this file for some odd reason, please let me know because that would mean there is a bug I need to fix. Thank you!

Edit: I forgot the mention, the VS prompt will be very similar to the CF, in that it will say "There is an issue with the digital signature that is signed by Sichuan Niurui Science and Technology Co., Ltd. The digital signature cannot be verified by CyberLock."

BTW, when VS is ON, it is going to block this file either way.

When VS is OFF, it is a little different story, but VS should block this file as well.

The only way this file is going to be auto allowed when VS is OFF is if...

1) The digital signature is verified
2) The digital signature is verified by VoodooShield
3) The file has a Safe WhitelistCloud verdict
4) The file has a Safe VoodooAi verdict
5) I think there are a couple of other checks, I can look them up if interested.

 

[trujax]

I assume Kaspersky application control, properly tweaked for default deny, would also prevent this. That feature of Kaspersky is most similar to Comodo containment of any solution (imo), in that it will auto place unknowns in Untrusted, denying them to even run.

Am I wrong in that assessment?

 

[cruelsister]

If you get a chance, please test the file with VS

Unfortunately there was (emphasis on "was") a secondary payload in the infection routine. Previously hosted in Japan and Singapore it was wiped by the actors involved, so no meaningful test can now be done. However if VS would whitelist a legitimately signed app (even in the absence of dumb detections by AV vendors) prior to allowing it then all would be good,

An obvious (to me, at least) issue with this malware was the absence of a countersignature. On the other hand, The lady doth protest too much, methinks as a recent IceID file seems to be honky-dory:

 

[oldschool]

This particular attack is troubling as it mimics in many ways how Nation State malicious attacks are created. Those responsible had to code the malware, acquire a certificate, code the popper, setup a Server, and somehow gain Admin control of the website to insert the popper. These things are not done either cheaply or without great organization.

It would have been nice to put this bit in the video.

 

[danb]

Unfortunately there was (emphasis on "was") a secondary payload in the infection routine. Previously hosted in Japan and Singapore it was wiped by the actors involved, so no meaningful test can now be done. However if VS would whitelist a legitimately signed app (even in the absence of dumb detections by AV vendors) prior to allowing it then all would be good,

An obvious (to me, at least) issue with this malware was the absence of a countersignature. On the other hand, The lady doth protest too much, methinks as a recent IceID file seems to be honky-dory:

View attachment 274614

Hey CS, I found both samples and VS blocked both as expected, both while ON and OFF. The files are on MalwareBazaar if anyone wants to play with them.

You mentioned in the video that that these samples went completely undetected for 7 days until it was discovered by CrowdStrike. So obviously this files was missed by ALL ML/Ai / NextGen AV's initially, so I cannot be too hard on myself for WhitelistCloud or VoodooAi not detecting the file . We have security mechanisms, checks and layer for a reason. BTW, it is extremely uncommon to see a false negative for both WhitelistCloud and VoodooAi.

But you bring up a great point, which I can sum up in a few words. Any cybersecurity product that auto allows by digital signatures alone is doomed to fail. This is a huge reason there are SO many breaches these days. In an effort to reduce false positives, most cybersecurity vendors take this shortcut and auto allow by digital signature. I have said for over a decade this is extremely dangerous, which is why VS will never take this shortcut.

VirusTotal

VirusTotal

www.virustotal.com

VirusTotal

VirusTotal

www.virustotal.com

 

[cruelsister]

It would have been nice to put this bit in the video.

That was initially my intention, but pretty much right after I finished up the analysis and verification process the nasty buggers took the Singapore server down and I couldn't access the secondary payload (something.php.vbs). Also that original compromised website had been returned to the un-malicious original by the bad guys before the site owners wee aware (can't confirm this myself, but a friend assures me that this is so). To fill the resultant void in the video I tacked on at the beginning the signed malware drivel (originally from a video that I trashed as uninteresting). So if things seemed a tad disjointed, this is the reason why.

(ps- Forgot to mention that the signed malware that I noted in Post 15 above was detected by VoodooSield and murdered without mercy. Apologies for the omission!)

 

[oldschool]

(ps- Forgot to mention that the signed malware that I noted in Post 15 above was detected by VoodooSield and murdered without mercy.

As I suspected.

Apologies for the omission!

None needed. We are human. We are not Devo. At least not yet!

 

[ForgottenSeer 100397]

@cruelsister "How can Comodo cope with things like this?"
Comodo can, but users can't.

Comodo or cruel or any configuration:
Comodo is not for users who don't want to know how it works.
Comodo is not for "default-allow" security software users.
Comodo is not for the majority.