- Aug 31, 2016
- 578
Who knows! The only person I'd trust to tell me now would be @cruelsister.
Comodo FW bypass malware the sandbox (sandbox hips off + on) and voodooshield (autopilot)
- Thread starter Davidov
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
After @askmark asked his previous question on this thread I decided to return by downloading the sample and reversing it to understand how it works - just as I went to reverse it I was distracted by some information which made my eyes bleed... The sample is based on the .NET framework, I don't know how I am controlling my laughter right now... But without further adieu:
Very short story:
This sample is hardly "damaging" at all compared to some real threats out there, it's made in the .NET framework and there is absolutely no code which will be able to "escape" from the Comodo Sandbox itself (or Sandboxie for that matter) and if it ever did bypass a sandbox then I would be seriously concerned for the safety of anyone using it, simply due to how basic this sample really is. Just basic Win32 calls, basic things being done... Whatever the purpose for it not being blocked (which I didn't even investigate as I have seen people talk about it already on this thread, about Valkyrie and Trusted Lists and so on), it definitely does not escape/bypass the actual Comodo sandbox...
Now that this analysis is done I will recover my eyes from the suffering I had at the start when I saw the sample was just nothing more than a .NET program (since there was such hassle over this thread, over a very basic sample)....
Honestly I cannot believe there was as much hassle as there has been over this sample...
Hope this helped, stay safe.
On-execution:
1. It checks if the program has been executed with arguments
2. Depending on #1 results, the program will create a sub key under HKEY_LOCAL_MACHINE ("Software\Id523\Thingthing") - this is a static identifier for the sample which can be used in dynamic analysis systems. It then performs some more registry operations (e.g. obtaining values, setting values).
3. Depending on #2 results it will display a message box with the main text value as "Just be patient!".
4. If the arguments to the program is "/info" then it will get the location of the UserProfile folder add another string to the end of it, so the path will be: "UserProfile\info.txt". It will then attempt to write data to this file.
5. After #4 it will start-up a new process (which will always be notepad.exe and it will give in a parameter to the info.txt is loaded within it.
The above are main things that happen within the main start-up function of the sample, however depending on other paths from the if statements on the arguments given to the program:
- The sample will have a program called "thingthing.exe" located at your UserProfile folder.
- The sample will execute schtasks.exe with parameters (for the commands) to make a program called thingthing.exe start-up with elevated privileges (bypassing the UAC prompt).
- The sample will modify values at the registry key HKEY_CURRENT_USER\Control Panel\International (values which will be manipulated: "sBkpShortDate", "sBkpLongDate", "sBkpShortTime", "sBkpTimeFormat")
- The sample will at some point shutdown the system by running CMD with the "shutdown /r /t" command.
- The sample actually has a GUI for some sort of "pacman" game, believe it or not.
- The sample
Other programs are exclusively used by this sample (such as the "thingthing.exe") also (e.g. "hog.exe").
If you want further analysis just disassemble it if you know how too... The explanations can go on forever, to put it short here: it utilises the registry a lot and can do things like shut down the system and create new tasks... It has a function responsible for choosing it's "payload". Check the short story note left outside of this spoiler at the bottom of the post for a final verdict.
1. It checks if the program has been executed with arguments
2. Depending on #1 results, the program will create a sub key under HKEY_LOCAL_MACHINE ("Software\Id523\Thingthing") - this is a static identifier for the sample which can be used in dynamic analysis systems. It then performs some more registry operations (e.g. obtaining values, setting values).
3. Depending on #2 results it will display a message box with the main text value as "Just be patient!".
4. If the arguments to the program is "/info" then it will get the location of the UserProfile folder add another string to the end of it, so the path will be: "UserProfile\info.txt". It will then attempt to write data to this file.
5. After #4 it will start-up a new process (which will always be notepad.exe and it will give in a parameter to the info.txt is loaded within it.
The above are main things that happen within the main start-up function of the sample, however depending on other paths from the if statements on the arguments given to the program:
- The sample will have a program called "thingthing.exe" located at your UserProfile folder.
- The sample will execute schtasks.exe with parameters (for the commands) to make a program called thingthing.exe start-up with elevated privileges (bypassing the UAC prompt).
- The sample will modify values at the registry key HKEY_CURRENT_USER\Control Panel\International (values which will be manipulated: "sBkpShortDate", "sBkpLongDate", "sBkpShortTime", "sBkpTimeFormat")
- The sample will at some point shutdown the system by running CMD with the "shutdown /r /t" command.
- The sample actually has a GUI for some sort of "pacman" game, believe it or not.
- The sample
Other programs are exclusively used by this sample (such as the "thingthing.exe") also (e.g. "hog.exe").
If you want further analysis just disassemble it if you know how too... The explanations can go on forever, to put it short here: it utilises the registry a lot and can do things like shut down the system and create new tasks... It has a function responsible for choosing it's "payload". Check the short story note left outside of this spoiler at the bottom of the post for a final verdict.
Very short story:
This sample is hardly "damaging" at all compared to some real threats out there, it's made in the .NET framework and there is absolutely no code which will be able to "escape" from the Comodo Sandbox itself (or Sandboxie for that matter) and if it ever did bypass a sandbox then I would be seriously concerned for the safety of anyone using it, simply due to how basic this sample really is. Just basic Win32 calls, basic things being done... Whatever the purpose for it not being blocked (which I didn't even investigate as I have seen people talk about it already on this thread, about Valkyrie and Trusted Lists and so on), it definitely does not escape/bypass the actual Comodo sandbox...
Now that this analysis is done I will recover my eyes from the suffering I had at the start when I saw the sample was just nothing more than a .NET program (since there was such hassle over this thread, over a very basic sample)....
Honestly I cannot believe there was as much hassle as there has been over this sample...
Hope this helped, stay safe.
Thanks @Wave
You know here is MT and everyone love to spread rumors about bypasses
So thread can go on about "Ohhh..Comodo bypassed" even after your valuable post and final verdict. I remembered the cruelsister also showed but it is lying on the first pages and people on the last pages with first comment didn't see it... People saw the title "Bypass Comodo.." and the same things again and again.
I never trust a bypass video from anyone but cruelsister and Tavis
You know here is MT and everyone love to spread rumors about bypasses
So thread can go on about "Ohhh..Comodo bypassed
" even after your valuable post and final verdict. I remembered the cruelsister also showed but it is lying on the first pages and people on the last pages with first comment didn't see it... People saw the title "Bypass Comodo.." and the same things again and again.I never trust a bypass video from anyone but cruelsister and Tavis
- Nov 19, 2014
- 2,350
Whatever happened with trust list and if the malware run outside of sandbox the only sure thing is that this is not a Comodo sandbox bypass. You can call it a Comodo bypass if you wish but not a sandbox bypass. For a sandbox bypass to happen the application needs to start in the sandbox and find a way to escape.
Now about VS bypass that was not a bypass either. You can call it a flaw in default settings because it allows by parent process but still the setting has it's purpose and anyone with the paid option can change it. Also the tester selected protection level(not default) is weak on certain occasion like the one that was shown here.
Now about VS bypass that was not a bypass either. You can call it a flaw in default settings because it allows by parent process but still the setting has it's purpose and anyone with the paid option can change it. Also the tester selected protection level(not default) is weak on certain occasion like the one that was shown here.
Last edited:
Hopefully no one will need to read through another thread where someone hasn't done proper research but is claiming X, A and B products were bypassed. It ruins product credibility/reliability and causes problems if the research wasn't correct, causes stress levels to heighten, people to become worried if they are vulnerable, vendors become overflown with news about their products failing when it's not how people make it seem, etc.Thanks @Wave
You know here is MT and everyone love to spread rumors about bypasses
So thread can go on about "Ohhh..Comodo bypassed
I never trust a bypass video from anyone but cruelsister and Tavis
I'm not having a go at anyone, but people should really do their research properly and check their facts before causing big drama. Comodo is a big company and VoodoShield are very well-known, so what did anyone expect to happen if they claim both products were "bypassed"?
Damn some people need to drop the security researching plans and get a job as a blog writer so they can manipulate peoples quotes and make them look bad or cause up drama for no reason, they'd make a mint off successful promotions!
I wonder how many people would have still believed in it if I hadn't posted the above details to clear things up. This isn't the first time it's happened and I assure you it won't be the last...
In fact, this explains all
- Apr 13, 2013
- 3,224
I unfortunately have been still considering this one and and think the real issue is if the file can actually be considered malware or not and how Comodo will handle stuff like this. The file in question is actually quite cool, making registry changes causing subsequent changes to the environment (the icons in the taskbar clock), using the old vb script to make the computer talk (the Witches Chant from Macbeth as well as Sonnet 18), and throwing off the bat file "shutdown /r /t/ 03". A task scheduler is also called up but this is trite.
The Comodo sandbox at the default level will actually allow the environment changes (I'll be presenting a video on CF and ransomware in 2 weeks that will highlight this), but this sort of thing is why I suggest the sandbox be set at a more appropriate (and restrictive) level- at these levels the process spawning will not occur.
The Comodo sandbox at the default level will actually allow the environment changes (I'll be presenting a video on CF and ransomware in 2 weeks that will highlight this), but this sort of thing is why I suggest the sandbox be set at a more appropriate (and restrictive) level- at these levels the process spawning will not occur.
- Jul 3, 2015
- 8,153
I have seen several people say that if you combo Voodooshield with Comodo, then you need to disable parent/child permissions in VS, because otherwise, anything running in Comodo sandbox will not be blocked by Voodooshield -- since Comodo is seen as the parent process.
Maybe someone could enlighten me, I don't understand this point.
If Comodo has sandboxed a process, then your system is protected. If Comodo lets it out of sandbox, then Voodooshield will block it. So why the need to disable parent/child permissions in VS?
Maybe someone could enlighten me, I don't understand this point.
If Comodo has sandboxed a process, then your system is protected. If Comodo lets it out of sandbox, then Voodooshield will block it. So why the need to disable parent/child permissions in VS?
Using anything else alongside comodo is just nonsense. If you do, it means you don't have the knowledge to use it properly.
- Jul 3, 2015
- 8,153
Well now, @Umbra, most normal human beings will go crazy running Comodo HIPS in paranoid mode, which is your recommendation.
Even just disabling cloud lookup can produce an unacceptable amount of prompts.
So, a paranoid/perfectionist user, who doesn't want to go totally crazy, might consider CFW+VS as an option. I would not rule it out...
I don't sat use my settings, but just with the HIPS enabled in safe mode, you have more control with comodo than adding VS. learn to use comodo, how to tweak the settings,etc...
CS settings are good for beginners, but it doesn't mean the beginner just have to copy-paste it and stop learning Comodo and discard the fact they can tighten it a bit more.
what does VS :
1- anti-exe: comodo have an hips , so more monitoring and you can customize it to reduce alerts.
2- File rating : comodo has too and you can tweak it also.
So what the point of installing something than Comodo does already.
I amazed that people just install redundant softs instaed of learning the main one.
Last edited by a moderator:
- Jul 3, 2015
- 8,153
How can a CFW user protect himself from malware that Comodo mistakenly whitelisted, without running HIPS in paranoid mode, or disabling cloud lookup?
Is the user is condemned to stay ignorant about the software he uses? what about learning?
i used Comodo FW, since v3 , around maybe 10 years , it mans lot of time spent on training and testing, it is why i can use paranoid mode so easily without much hassle. It is why i can pinpoint the flaw in AV guru test in less than a minute.
Select one soft, learn it to the core, then , if you are not satisfied enough, leave it or add something else that will fill the hole.
Also, what about safe habits? do you execute every unknown softwares without researching a bit about it? if yes, you are the flaw , not the product.
Last edited by a moderator:
- Aug 19, 2016
- 200
tweak CFW with Cruelsister's setting is enough. I think if you need additional protection then it's just scanner. adding VS with CFW is like adding fried chicken with roasted chicken in your plate. in case of hot news (CFW bypass) I add Avira free as a combo. new Avira is light and the cloud is good. I installed Avira with its Firewall module disabled.
- Apr 9, 2017
- 186
- Aug 19, 2016
- 200
me too, I dont understand what I say because I'm hungryi dont understand the analogy but it made me very hungry
Because comodo does (via its HIPS & cloud ) what VS does, so basically you eat chicken twice but in a different cooking style.i dont understand the analogy but it made me very hungry
- Jul 3, 2015
- 8,153
1 There are a lot of very cool Comodo tweaks that can be learned and implemented, for sure.
2 We want our security software to provide a safety net for us, in case there is a user mistake, which will can and will happen, especially if there is more than one user with access to the computer.
3 I agree with @novocaine that CFW at CS settings, combined with a good AV, is really plenty of protection.
But for paranoids/perfectionists, I would not rule out adding Voodooshield, for the following two reasons: protection against Comodo mistakes in whitelisting, and the added anti-exploit protection that VS provides.
if you don't trust your product, don't use it, if VS is your safeguard , just use VS and ditch comodo.
sure.
Paranoids have all they want with Comodo like my settings. There is no need to add more; if you add more , it means you don't have enough knowledge of Comodo.
I can just run CIS alone on a machine, i will have the same level of protection as Appguard.