App Review Full Bypass DDE Exploit COMODO AV-10.2.0.6526 DB-28788 (UNDETECTED!) - AV and HIPS ON Paranoid Mode

[Emmanuellws]

Not in a position to take your word for it, and I don't know the specifics of Comodo's bounty policy. I know one thing, if it is real as you indicate, they should listen to you and pay you well for the information. You have certainly I am sure gotten the attention here of some individuals who are interested in Comodo products. I don't mean me, but there are some individuals who have invested a large amount of energy explaining the program and why it is "unbreachable". Lots have listened too.

I use Comodo, and in spite of the video, I will continue to do so. However, please find a way to at least attempt to reach Comodo with your findings. I'm sure a number of us here would be ready to support your effort any way possible. For sure, if there was ever a reason to step up with a big bug bounty at Comodo, this seems like the one to me, assuming everything is as you say.

Seriously, you seem like the kind of person they SHOULD be hiring...again all things as you say. Curious if you have a very short description of what could be done following the success shown in the video. You say full control->so this is absolute control of the system?

Yes, thanks for understanding. Yes, that was my intention. My videos are no meant to use for marketing purposes as I also demo my own favorite AV that it has its own weaknesses. So to show to any user from the same product category of users to be aware, take precautions..or lets go to our vendor that we demand improvement. We paid thousands of dollars and we demand improvement and capable of protecting from modern and advanced malware. Stick with COMODO AV, those are at least better than Windows Defender. Just at this moment, to mitigate this, disable macro and ActiveX content in MS Documents while waiting for COMODO to do something about the detections on MS Word with DDE. This is also generally applies to all other AV that is not capable of detecting this payload. Those who do not believe that this is real, it is up to you. Like me i prefer to test my own AV myself, but people saw my videos and asked me to try theirs...honestly I do not know the best settings for their AV bcoz my time is limited and I do not like to spend my time configuring and testing other AVs. Some suggested me to configure this and that, but that is after I posted my videos. It was time consuming to find loopholes with trial and errors, once found I will record and upload it to youtube. So i do not have the intention to redo my videos. Whatever special and custom settings, was supposed to notify me before i start my video demo.

 

[L0ckJaw]

If the AV is password protected you can never disable it.

 

[Emmanuellws]

If the AV is password protected you can never disable it.

COMODO AV sevices/processes is hard to disable even from command line using "taskkill" as "system" as illustrated in the video. So that should be a great news for all COMODO users. The agent UI password is a different thing from what is demonstrated in the video. Again... at this moment will not be able to disarm COMODO AV related processes easily. Also shown my frustration by shutting down the machine because unable to kill COMODO related process at the end of the video LOL.

 

[cruelsister]

Umbra- I am really surprised at you. I understand that you don't like Comodo, which is fine and I respect that. However I KNOW you know enough to dismiss this video drivel from so many standpoints that I will not lower myself to discuss it any further.

Those that have some experience in the field have a MORAL and ETHICAL obligation NOT to pile on to things like this video, the content of which may be confusing to Newbies.

 

[Sunshine-boy]

Comodo will never accept it since they Believe you should blindly sanbox everything. but how can Comodo sandbox tell me that this is a malware and gonna steal my data?ofc it cant

 

[Emmanuellws]

one thing to note about the HIPS = Paranoid mode.... those first few popups are blocking the MS Word to launch...in real world you have to allow it..I have no time to "TRAIN" as this is a bypass video and not how to use video HIPS video. If a user wants to install a software...you gotta hit ALLOW bcoz you want to install unlesss it suddenly pops up. So this video it looks like HAPPY CLICKING USER but its not. I hope you can zoom on the screen and see whats been blocked...its MS Word related processes. In real world..if you want to open a MS Word document, but in hips mode it blocks...then you click unblock...then? Might as well you dont need MS Word installed in the computer at the first place LOL...the pickerhost.exe, browser_broker.exe are all ms edge processes....unless we have to uninstall MS Edge as well. I think viewers need to pay attention to the details of processes blocked in the videos...which not related to the malware attack at all. Its all...open word...unblock..download using edge...unblock....unblock...thats all..of course...right before the BYPASSUAC....there are no popups...keylogger, screenshot all works fine...only when the BYPASSUAC executes...only requires the user to click ALLOW. that is all...other than that..it is all breached.

 

[AlanOstaszewski]

Umbra- I am really surprised at you. I understand that you don't like Comodo, which is fine and I respect that. However I KNOW you know enough to dismiss this video drivel from so many standpoints that I will not lower myself to discuss it any further.

Those that have some experience in the field have a MORAL and ETHICAL obligation NOT to pile on to things like this video, the content of which may be confusing to Newbies.

Instead of writing three posts without justification, I would like to see one now. Please tell us what's wrong with this video. Thank you very much!
But please, without attacking me.

 

[Deleted member 178]

Umbra- I am really surprised at you. I understand that you don't like Comodo, which is fine and I respect that. However I KNOW you know enough to dismiss this video drivel from so many standpoints that I will not lower myself to discuss it any further.

Those that have some experience in the field have a MORAL and ETHICAL obligation NOT to pile on to things like this video, the content of which may be confusing to Newbies.

My post was made with humor, more to tease you than anything else, but i can understand you missed this hehe

 

[MeltdownEnemy]

Instead of writing three posts without justification, I would like to see one now. Please tell us what's wrong with this video. Thank you very much!
But please, without attacking me.

there is no written a clear description of the failed attack, and the video takes 15 minutes to see the results. it is normal to found anger feelings if it's the product with which she work daily creating harden config tips it being beaten by unknown person who could lie., besides she feels disappointed and offended because the title of the video is very confusing, Full Bypass DDE Exploit COMODO AV-10.2.0.6526 DB-28788 (UNDETECTED!) - AV and HIPS ON Paranoid Mode
instead of, for example: Full Bypass DDE Exploit COMODO (UNDETECTED!) - AV and HIPS ON Paranoid Mode BUT ATTACK DIDN'T WORK INTO GAINING FULL ACCESS.
Nevertheless, Bravo! apparently the young from videotest, he was doing very well until he collided with the last barrier of comodo that is his self-protection at the end of video.
It also the youngman was based himself on a victim who accepts and opens any suspicious file as a victim of the common standard, "people without security experience", so that the attack to be successful.. I do not think that an attack would have an opportunity against someone who is a well trained person, who checks what things are trying to launch on the screen without request, as you can see the hips and office it's allowing everything.. It is obvious that the exploit would not have gone very far. although screencapture did achieve its purpose, the keylogger didn't //Shift\//Shift\\//Shift\. No user&password have been revealed, only the pages visited, the payload injected it was suscessfull revealing and elevating rights without comodo noticing, only remote shutdown and some weak services not protected from windows were neutralized but without collateral damage, but i've noticed that comodo doesn't have a behavior alert against charge lines for exploit.

 

[Deleted member 65228]

Comodo will never accept it since they Believe you should blindly sanbox everything. but how can Comodo sandbox tell me that this is a malware and gonna steal my data?ofc it cant

They will never accept it because it will not be in scope.

The video is not demonstrating exploitation of a vulnerability caused by COMODO.

 

[illumination]

Those that have some experience in the field have a MORAL and ETHICAL obligation NOT to pile on to things like this video, the content of which may be confusing to Newbies.

As if i did not respect you tons already, this post ^ directly confronts what i have been trying to say and confront in these forums for some years.

 

[cruelsister]

Thank you for that comment, Pathfinder. You have no idea how much it means to me.

 

[Emmanuellws]

Actually this video is an exploit caused by Microsoft DDE feature. Which most Antivirus had to cover (but most did not) when Microsoft Windows Defender fail to cover...well, I heard about Windows Defender ATP can protect from such exploit..but yeay...its Microsoft Fault...not the AV.

Talking about ETHICAL, I did not wish to post videos on this, but when one COMODO user curiously asked me to try bypass, and I did, I did not expect to get bashed. So its my fault ? LOL. I better advice these users, to test it for themselves rather than depending on videos alone. Sometimes it proves nothing to download samples and just double click which means nothing to me. To really test the limit of an antivirus is to penetrate and go against the will of the Antivirus in any WORST situation and configurations. I did that to my own Antivirus and it failed miserably. Notified my AV vendor and they improve the detection. Few months later, tested again, found another loopholes. I need to do this because I must make sure that my AV are up to date and ready to take on the modern and advanced malware. So if you guys need my help to test, I will but if I know you are going to bash me, I'd better tell you to do it yourself. I dont do videos to get bashed. That COMODO user might have already notified COMODO which is good. Else, he will always believe that COMODO AV is the best and will never get breached due to the HIPS and Containment technology (FALSE SENSE OF SECURITY). I myself IMPRESSED with the technology exist in COMODO AV, but again, we must not underestimate how hackers, malware and ransomware authors are updating themselves with state of the art bypassing and maintaining persistence techniques. Just look at the latest ESCAPE TECHNIQUE from sandboxing technology. Now is even worst, escaping VMs and attack the physical host in which I am exploring that right now. I realized I need to make videos to raise the awareness you have the right to demand from your AV vendors especially for the paid services and subscriptions. My videos might not have the best example of "phishing" to trick users to click, because I am not focusing on that. But the tricks that I know might be used by threat actors to send "powerful" and "convincing" email or through websites to trick users to download and click and eventually bypassed your AV. In real world, you might have HIPS and ANTI-EXE configured to PARANOID mode, but you will also still need to allow MS Word to run. Yep, it might catches the executables download from VBA scriptings, powershell, JS...but how does it handles scripts that contains only COPY-PASTE instructions that copies all your saved credentials from Chrome, Opera, MS Edge, Firefox - copied to a pendrive silently? Bet you have never though of this...so I did get a working scripts just to do that...and none of the AV can detect it..bcoz it does not contain malicious codes...just COPY and PASTE. i tried it on my own favorite AV...faile...Kaspersky - FAIL. Whatever paranoid mode, it is invisible. paranoid mode does not prompts a user when someone right click - copy and paste.

 

[Andy Ful]

Emmanuellws, your video will be confusing for most watchers. If you wanted to show DDE based vulnerability, why did not you just open the malicious document in VM to show Comodo AV bypass?
No Metasploit, no remote access etc., and the video would last one minute.

 

[ForgottenSeer 58943]

In real world, you might have HIPS and ANTI-EXE configured to PARANOID mode, but you will also still need to allow MS Word to run. Yep, it might catches the executables download from VBA scriptings, powershell, JS...but how does it handles scripts that contains only COPY-PASTE instructions that copies all your saved credentials from Chrome, Opera, MS Edge, Firefox - copied to a pendrive silently? Bet you have never though of this...so I did get a working scripts just to do that...and none of the AV can detect it..bcoz it does not contain malicious codes...just COPY and PASTE. i tried it on my own favorite AV...faile...Kaspersky - FAIL. Whatever paranoid mode, it is invisible. paranoid mode does not prompts a user when someone right click - copy and paste.

Often, the most simple way to bypass something is the most obvious but the obvious is overlooked when people try to over complicate everything. For example someone may have great locks on their doors, but leave their windows open. It's virtually impossible to fully secure Windows without breaking it. ChromeOS it's much more simple to secure since those scripts, powershells and other commands simply won't work, or won't execute in the first place.

AV products generally focus on malicious activity and files. But what if the exfiltration of data is entirely benign? Therein is the failure of these products, and the backdoor into your system. But what's the answer? You can't 'break' a system, about the closest you can get might be Voodooshield in Always-On mode perhaps since it functions as a computer lock.

I worked 'at a location' (looks around nervously), where we had HARDWARE computer locks. We had to push a button next to the computer every 30 minutes. If the button wasn't pushed it would disable much (if not all) functionality of the system including the internet. Dead Man Switch basically. These machines were never turned off, but every 30 minutes they'd lock themselves up in total isolation.

That's probably the only safe way to roll with Windows.

 

[Emmanuellws]

Emmanuellws, your video will be confusing for most watchers. If you wanted to show DDE based vulnerability, why did not you just open the malicious document in VM to show Comodo AV bypass?
No Metasploit, no remote access etc., and the video would last one minute.

COMODO AV is capable of capturing and stop malware from DDE if it include downloads of executable onto the disk. So, not this one...Not File-less. Also COMODO AV did not capture malicious DLL files for use to escalate attacker as SYSTEM. The HIPS paranoid mode and containment settings was deemed helpless.

 

[Emmanuellws]

Often, the most simple way to bypass something is the most obvious but the obvious is overlooked when people try to over complicate everything. For example someone may have great locks on their doors, but leave their windows open. It's virtually impossible to fully secure Windows without breaking it. ChromeOS it's much more simple to secure since those scripts, powershells and other commands simply won't work, or won't execute in the first place.

AV products generally focus on malicious activity and files. But what if the exfiltration of data is entirely benign? Therein is the failure of these products, and the backdoor into your system. But what's the answer? You can't 'break' a system, about the closest you can get might be Voodooshield in Always-On mode perhaps since it functions as a computer lock.

I worked 'at a location' (looks around nervously), where we had HARDWARE computer locks. We had to push a button next to the computer every 30 minutes. If the button wasn't pushed it would disable much (if not all) functionality of the system including the internet. Dead Man Switch basically. These machines were never turned off, but every 30 minutes they'd lock themselves up in total isolation.

That's probably the only safe way to roll with Windows.

Well yes, Voodooshield is the closest...but then again...the Voodooshield developer really appreciate my videos and also I did an easy "taskkill" video on VodooShield video and failed to prevent stolen data from web browsers through a word document. I guessed they watched my videos, and guess what...they added and FOLLOWED me in Youtube hopefully I can show them something to improve their protection level. Oh and, yes I am one of their customer Really love the Voodooshield team's positive attitude.

 

[MeltdownEnemy]

Well yes, Voodooshield is the closest...but then again...the Voodooshield developer really appreciate my videos and also I did an easy "taskkill" video on VodooShield video and failed to prevent stolen data from web browsers through a word document. I guessed they watched my videos, and guess what...they added and FOLLOWED me in Youtube hopefully I can show them something to improve their protection level. Oh and, yes I am one of their customer Really love the Voodooshield team's positive attitude.

Deal with Hmpa or Spyshelter firewall. are my favorites I would like know how much they protect us.

 

[ForgottenSeer 58943]

Well yes, Voodooshield is the closest...but then again...the Voodooshield developer really appreciate my videos and also I did an easy "taskkill" video on VodooShield video and failed to prevent stolen data from web browsers through a word document. I guessed they watched my videos, and guess what...they added and FOLLOWED me in Youtube hopefully I can show them something to improve their protection level. Oh and, yes I am one of their customer Really love the Voodooshield team's positive attitude.

Nice.. I enjoy VS, largely because it reminds me of the days when we 'locked' our computers. Hardware, but still a lock...

I see you use Panda, is this still the case? Interesting story.. Panda Engineers helped me isolate what could have been one of the first harddrive firmware malware back in - if I recall - 2006 (long before Snowden revealed HD firmware was compromised with multiple vendors). Panda Engineers concluded that evidence suggested it originated with the CIA. Some good folks work over there.. I haven't used the product in years though, but wondering how their DOME re-engineering of it is working out. Not to go off on a tangent..

 

[Andy Ful]

COMODO AV is capable of capturing and stop malware from DDE if it include downloads of executable onto the disk. So, not this one...Not File-less. Also COMODO AV did not capture malicious DLL files for use to escalate attacker as SYSTEM. The HIPS paranoid mode and containment settings was deemed helpless.

I understand you well. So in fact, the Windows 10 system (what UAC settings?) had to be first exploited and the payload dropped to the target system and additionally, the user had to open the malicious document with DDE command directed to this payload. Am I right?