App Review: Comodo's killer

Content created by
@Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,679
can you provide me this file? :D i would like to do some testings and some videos

I do not share this one. The video is already available, so Comodo users and staff are informed.
In the attack, the shortcut does not use scripting (Comodo would alert/contain the attack via Script Analysis). This method is not commonly known (can be dangerous).
I don't want to make any more fuss than necessary. :) (y)

Here is the attack flow:
Malicious ISO download (contains a shortcut and some hidden files) -> shortcut to TDSS Killer executed by the user -> shortcut runs TDSS Killer with a CmdLine to kill Comodo -> no UAC alert because LUA is disabled -> TDSS Killer installs the driver and restarts Windows -> the driver kills Comodo

The attack is successful because it uses only Trusted resources.

rashmi

Level 13
Jan 15, 2024
639
I'm considering starting a thread discussing Comodo's containment policies, balancing usability and security.

The impact of the policies is something I have yet to investigate. For tests, can you and @vitao run the POCs against these containment policies?

In Proactive Configuration, remove the last or All Applications - Unrecognized policy from Auto-Containment. Place the three policies in the same order at the bottom in Auto-Containment.

Action - Run Virtually, File Group - All Applications, File Origin - Removable Media, File Rating - Trusted, File Age - Less than 1 hour
Action - Run Virtually, File Group - All Applications, File Origin - Internet, File Rating - Trusted, File Age - Less than 1 hour
Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized, File Age - Less than 1 hour

Andy Ful
In Proactive Configuration, remove the last or All Applications - Unrecognized policy from Auto-Containment. Place the three policies in the same order at the bottom in Auto-Containment.

Action - Run Virtually, File Group - All Applications, File Origin - Removable Media, File Rating - Trusted, File Age - Less than 1 hour
Action - Run Virtually, File Group - All Applications, File Origin - Internet, File Rating - Trusted, File Age - Less than 1 hour
Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized, File Age - Less than 1 hour

My POCs are not blocked.
The reason is that the files contained in the ISO container have the creation time of the original files used when the attacker created the ISO on his computer. For example, TDSSKiller has the original date from the year 2019.
The same applies to all removable media mounted by the Windows handler and to archives unpacked by the Windows built-in unpacker.
So the file age must be unlimited for the first two rules to block the POCs that use removable media or archives.

Edit.
7-Zip unpacks archives while adding the current creation time. So when 7-Zip is configured to open archives and disk images by default, the 1-hour File age rule will work as intended.
However, the 1-hour File age rule will not work for executables stored on flash drives.

rashmi
My POCs are not blocked.
The reason is that the files contained in the ISO container have the creation time of the original files used when the attacker created the ISO on his computer. For example, TDSSKiller has the original date from the year 2019.
The same applies to all removable media mounted by the Windows handler and to archives unpacked by the Windows built-in unpacker.
So the file age must be unlimited for the first two rules to block the POCs that use removable media or archives.

Edit.
7-Zip unpacks archives while adding the current creation time. So when 7-Zip is configured to open archives and disk images by default, the 1-hour File age rule will work as intended.
However, the 1-hour File age rule will not work for executables stored on flash drives.
For my information, what browser and download manager did you use to get the ISO file?

We just need to remove the "file age" criteria for the policies; Comodo should then block your and @vitao's POCs.

Action - Run Virtually, File Group - All Applications, File Origin - Removable Media, File Rating - Trusted
Action - Run Virtually, File Group - All Applications, File Origin - Internet, File Rating - Trusted
Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized (default policy)

These policies target Comodo's trusted vendor list and cloud whitelist; Comodo should block "trusted" files from removable media or downloaded from the internet.

I haven't verified whether these Comodo policies prevent trusted applications' auto-updates; we can create a "whitelist" policy with an essential vendor list and use the "ignore" option.

Experienced users who don't like Comodo's huge trusted vendor list and cloud whitelist may prefer these policies.

Andy Ful
For my information, what browser and download manager did you use to get the ISO file?

It is unimportant because the ISO file is not an executable/application. In my tests I used Edge.

We just need to remove the "file age" criteria for the policies; Comodo should then block your and @vitao's POCs.

Action - Run Virtually, File Group - All Applications, File Origin - Removable Media, File Rating - Trusted
Action - Run Virtually, File Group - All Applications, File Origin - Internet, File Rating - Trusted
Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized (default policy)

These rules should work in the same way as:
Action - Run Virtually, File Group - All Applications, File Origin - Removable Media
Action - Run Virtually, File Group - All Applications, File Origin - Internet
Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized (default policy)

Simply, all applications executed from Removable Media and the Internet are contained. The Unrecognized applications are contained everywhere. The Proactive setup also includes three Block rules for Malicious Applications, Suspicious Locations, and Containment Folders.
These settings will contain most of my POCs and prevent most malware including 0-day ones. It is a very strong setup.
It is possible to bypass such a setup by using shortcuts + abusing the Trusted applications already installed in the system (LOLBins, MS Office, etc.). For example, Comodo's challenge method used in my video is not blocked (shortcut + LOLBin abused) and all my POCs are not blocked when running office macros.
I would also enable Embedded Code Detection for cmd[.]exe (to prevent many attacks via shortcuts), and block macros in office applications.
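The ordered-rule behaviour discussed in the two posts above, as an added example that is not code from the thread, from Comodo or from either poster: a small Python model of an Auto-Containment list that evaluates the three Run Virtually rules (with and without a File Age limit) against constructed sample files. The origins, ratings and timestamps are assumed values; the Trusted TDSSKiller from a Windows-mounted ISO keeps its 2019 creation time, so the 1-hour variant lets it run normally while the age-unlimited variant contains it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class FileInfo:
    origin: str        # "Internet", "Removable Media" or "Local disk"
    rating: str        # "Trusted", "Unrecognized" or "Malicious"
    created: datetime  # NTFS creation time, the value a File Age criterion inspects

@dataclass(frozen=True)
class Rule:
    action: str
    origin: str = None         # None = any File Origin
    rating: str = None         # None = any File Rating
    max_age: timedelta = None  # None = unlimited File Age
    def matches(self, f, now):
        if self.origin is not None and f.origin != self.origin:
            return False
        if self.rating is not None and f.rating != self.rating:
            return False
        # "File Age - Less than X" matches only files created within the last X.
        if self.max_age is not None and now - f.created > self.max_age:
            return False
        return True

def decide(rules, f, now):
    # First matching rule wins, as in an ordered Auto-Containment list.
    for r in rules:
        if r.matches(f, now):
            return r.action
    return "Run Normally"

def policy(max_age):
    # The three Run Virtually rules from the thread, sharing one File Age limit.
    return [Rule("Run Virtually", "Removable Media", "Trusted", max_age),
            Rule("Run Virtually", "Internet", "Trusted", max_age),
            Rule("Run Virtually", None, "Unrecognized", max_age)]

NOW = datetime(2024, 1, 20, 12, 0, tzinfo=timezone.utc)  # constructed clock
# Constructed samples: a Windows-mounted ISO keeps the files' original creation time; a download or 7-Zip extraction gets a fresh one.
SAMPLES = {
    "tdsskiller.exe (mounted ISO)": FileInfo("Removable Media", "Trusted", datetime(2019, 6, 1, tzinfo=timezone.utc)),
    "setup.exe (browser download)": FileInfo("Internet", "Trusted", NOW - timedelta(minutes=5)),
    "tool.exe (7-Zip extracted)": FileInfo("Local disk", "Unrecognized", NOW - timedelta(minutes=2)),
}

def evaluate(max_age_hours):
    # None means unlimited File Age; otherwise "File Age - Less than N hours".
    limit = None if max_age_hours is None else timedelta(hours=max_age_hours)
    return {label: decide(policy(limit), f, NOW) for label, f in SAMPLES.items()}
```

Calling `evaluate(1)` and `evaluate(None)` side by side shows which sample files the File Age criterion lets through.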

Andy Ful
It is possible to use the below setup:
  1. Apply Proactive Configuration.
  2. Add rule: Action - Run Virtually, File Group - All Applications, File Origin - Removable Media
  3. Modify default rule: Action - Run Virtually, File Group - All Applications, File Rating - Unrecognized, File age: 1 day (or 1 hour)
  4. Use 7-Zip as the default application to open archives.
  5. In Script Analysis, enable Embedded Code Detection for cmd[.]exe.
  6. In the office applications, block macros.

The below will be restricted by the File age: 1 day (or 1 hour):
  • When downloading applications from the Internet, they have a fresh "creation time".
  • When setting 7-Zip as a default application for opening archives, the unpacked files have a fresh "creation time".
  • Files copied from the Removable media to the hard disk have a fresh "creation time".
When using Comodo Internet Security (instead of Comodo Firewall + Microsoft Defender), I would propose the file age recommended by Comodo: File age: 3 days.
Comodo's signatures for new malware are rather poor.