App Review Those Nasty RATS Part 4


hjlbx

@cruelsister... you are a class act... are you working for Mossad or something like that? Well then, the Anti-exe class has its own weakness with RATs. That really calls for a multi-layered approach (aka an Enterprise-class sandbox). I hope to see a test of VoodooShield vs RAT; at least a brief one would suffice, if you are in the mood.

Anti-Executables are not generally susceptible to RATs.

That isn't what she demonstrated in her video.

She demonstrated in this particular video that AppGuard is susceptible to a specific type of bypass - a Trusted Publisher "certificate" bypass - when run using AppGuard's default Protected mode. That type of vulnerability has been a "known issue" for a long time now - but she is the only one who has demonstrated it via a video.

To overcome this Protected mode vulnerability, BRN included Lock Down mode.

She could have used the same certificate, added the publisher to the Trusted Publisher list of NVT ERP, NVT SOB, VooDooShield, SecureAPlus and I believe Faronics - and demonstrated the same thing with each of them.

EDIT: VoodooShield does not allow files by digital signature alone; there is no Trusted Publisher list in VoodooShield.

Remove that Trusted Publisher from the list, and the security soft behavior changes completely; either the file will be blocked or allowed - but allowed only with limited rights. Which behavior - blocking or allowing - depends upon the anti-executable and settings.

The greater point that she makes is that reliance upon digital certificates as a basis for judging a file as safe or unsafe can get you infected...
 

Tempnexus

Say what you will but a security software that does not provide security unless locked down in a specific expert script voodoo hobo magic way in order to actually work is not a security software for the masses.

The user might as well use Deep Freeze or Linux and feel more secure. Too many excuses are being made by fanboys of the software. Take this result as any other when a software fails to protect. It just fails. The software does not work to protect against this threat. Thus, until that is remedied, the software cannot be recommended to protect a customer against this threat unless specific guidelines are stated when purchasing the software.
 

XhenEd

Say what you will but a security software that does not provide security unless locked down in a specific expert script voodoo hobo magic way in order to actually work is not a security software for the masses.

The user might as well use Deep Freeze or Linux and feel more secure. Too many excuses are being made by fanboys of the software. Take this result as any other when a software fails to protect. It just fails. The software does not work to protect against this threat. Thus, until that is remedied, the software cannot be recommended to protect a customer against this threat unless specific guidelines are stated when purchasing the software.
Even Deep Freeze and Linux OS are vulnerable. No software is immune to attacks, especially targeted ones.
To be fair to AppGuard, when you watch the video, it protected the OS well, except those two exceptional but possible in real life cases.
 

hjlbx

Say what you will but a security software that does not provide security unless locked down in a specific expert script voodoo hobo magic way in order to actually work is not a security software for the masses.

The user might as well use Deep Freeze or Linux and feel more secure. Too many excuses are being made by fanboys of the software. Take this result as any other when a software fails to protect. It just fails. The software does not work to protect against this threat. Thus, until that is remedied, the software cannot be recommended to protect a customer against this threat unless specific guidelines are stated when purchasing the software.

LOL...
 

jamescv7

Well, AppGuard is clearly bypassed at the standard protection level, since the RAT can easily manipulate things through legitimate DLLs, where hardening protection may be lacking, considering the behaviour looks legitimate, like something from Microsoft.

Certificates are another problematic concept for Anti-Exe through automation, since AppGuard wanted to stay user-friendly where it can easily distinguish between legitimate or not; however, the power comes through custom tweaks aside from Lock Down.
 

ueda

It's a quite interesting video.
The signed RAT seems to bypass AppGuard in Protected mode, and the malicious DLL file is loaded by Remote Access Service after reboot.

Is the unsigned DLL able to act perfectly without being stopped by AppGuard?
 

shmu26

As far as I know, only Faronics monitors DLLs in that way, and it slows your system down to the point of being unusable.

EDIT: however, HitmanPro.Alert has a mechanism for giving preference to system dlls. Maybe it would have worked here? I have no idea.
 

509322

It's a quite interesting video.
The signed RAT seems to bypass AppGuard in Protected mode, and the malicious DLL file is loaded by Remote Access Service after reboot.

Is the unsigned DLL able to act perfectly without being stopped by AppGuard?

The product works as designed.

CS' whole point in the video is that digital certificates can be used to bypass security software. This is true of any software that will allow a file to execute if it has a valid certificate.

The fact is that digital certificates - as a trust mechanism in and of themselves - have inherent risks.

* * * * *

If a file is signed using a valid certificate from a publisher on the Trusted Publisher List, then that file will be permitted to execute in Protected mode. Protected mode is designed this way to permit updates that are signed all the way through the run sequence from User Space. Protected mode was implemented as a balance between usability while still providing high security with only a small potential for malicious code to execute.

If a file is fake-signed, it will be blocked in Protected mode.

If a file has a valid certificate, but the publisher is not on the Trusted Publisher List, then the file can execute but it is Guarded. Guarded will prevent creation of an autorun. Technically, if it is allowed to run it can potentially result in a user session infection. However, once the system is rebooted it will not execute and just be dormant on the system - unless the user manually re-executes it.

In short, in Protected mode AppGuard is working as intended.

While it is possible that a valid certificate can be stolen and re-purposed for malicious means, the risk is low.

For those that are paranoid about such things, AppGuard has Locked Down mode.

The dll block alert occurs as a result of the way rundll32 searches for dlls in the file system. It could have been regsvr32 as well.
 
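The three Protected-mode outcomes 509322 lists above (trusted publisher: allowed; fake-signed: blocked; valid but untrusted publisher: Guarded), together with hjlbx's earlier point that removing a publisher from the Trusted Publisher List changes the outcome, can be modelled on a Windows host with the signature status Windows itself reports. The script below is an added example and is not AppGuard's code or from the thread; `Get-TrustDecision`, `Get-PublisherCN` and the allowlist contents are assumptions made for illustration, while `Get-AuthenticodeSignature` and the `X509Certificate2.GetNameInfo` method are the real Windows/.NET APIs.

```powershell
# Added example (not from the thread or from AppGuard/BRN). It models the
# Protected-mode decision described in the post above: the Authenticode
# status decides "fake-signed vs valid", and the Trusted Publisher List
# decides "Allow vs Guarded" for a valid signature. The list is a
# constructed placeholder; the function names are assumptions.

function Get-PublisherCN {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Publisher name (CN) from the signer certificate; null for unsigned files.
    if ($null -eq $Cert) { return $null }
    return $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
}

function Get-TrustDecision {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$TrustedPublishers = @()
    )
    # Windows verifies the signature and chain for us; Status is one of
    # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, Incompatible.
    $sig       = Get-AuthenticodeSignature -FilePath $Path
    $publisher = Get-PublisherCN $sig.SignerCertificate

    if ($sig.Status -ne 'Valid') {
        # Tampered, self-signed or unsigned: "fake-signed" in the post's terms.
        $decision = 'Block'
    } elseif ($TrustedPublishers -contains $publisher) {
        # Valid signature from a listed publisher: runs with full rights.
        $decision = 'Allow'
    } else {
        # Valid signature, publisher not listed: runs as a Guarded App
        # (no System Space writes, no autorun creation).
        $decision = 'Guarded'
    }

    [pscustomobject]@{
        File            = Split-Path -Leaf $Path
        SignatureStatus = $sig.Status
        Publisher       = $publisher
        Decision        = $decision
    }
}

# Usage: the same signed system file, with and without its publisher on the
# constructed allowlist. Only the list changes, yet the decision flips from
# Allow to Guarded, which is hjlbx's point about the Trusted Publisher List.
$file = Join-Path $env:SystemRoot 'System32\rundll32.exe'
$cn   = Get-PublisherCN (Get-AuthenticodeSignature -FilePath $file).SignerCertificate

Get-TrustDecision -Path $file -TrustedPublishers @($cn)
Get-TrustDecision -Path $file -TrustedPublishers @()

# A file with no signature at all falls into the Block branch.
$unsigned = Join-Path $env:TEMP 'constructed-unsigned-sample.txt'
Set-Content -Path $unsigned -Value 'constructed sample, not a real binary'
Get-TrustDecision -Path $unsigned -TrustedPublishers @($cn)
Remove-Item $unsigned
```

The model only reproduces the decision table from the post; it does not enforce anything. What it does make visible is that a valid signature on its own never yields "Block": whether a signed file is allowed outright or merely Guarded is entirely a property of the allowlist, which is why auditing the Trusted Publisher List is the Protected-mode control worth reviewing.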

cruelsister

That's the nightmare scenario, where some organization, either through bribes or Sleepers, can distribute highly signed malware to millions in order to take an economy (society) down. Fortunately I don't have to think about that any more; I just influence which Startups get cash.
 

509322

That's the nightmare scenario, where some organization, either through bribes or Sleepers, can distribute highly signed malware to millions in order to take an economy (society) down.

Even worse can happen - malicious firmware installed during mfr.

Anyhow...

It is just a matter of time before someone or some group pwns part of the global financial system and causes nuclear meltdown-grade fear, panic and crisis.
 

ueda

In short, in Protected mode AppGuard is working as intended.

...

The dll block alert occurs as a result of the way rundll32 searches for dlls in the file system. It could have been regsvr32 as well.

Thanks for your explanation.
I understand the behaviour of AppGuard in Protected mode.
In the video, DLL launching was blocked before the reboot. However, it seems not to be blocked by AppGuard after the reboot.
Is there any difference, for example, in the parent process of the injected DLL?
 

509322

Thanks for your explanation.
I understand the behaviour of AppGuard in Protected mode.
In the video, DLL launching was blocked before the reboot. However, it seems not to be blocked by AppGuard after the reboot.
Is there any difference, for example, in the parent process of the injected DLL?

After the reboot, if the RAT attempted to reload update.dll using rundll32, then it would be blocked.

Just because you do not see an AppGuard block alert after reboot does not mean that the DLL was loaded. If the RAT does not attempt to load update.dll, then there will be no block alert.

If the RAT is early launch, and attempts to load update.dll before the AppGuard GUI is actively running, then there will be no AppGuard block alert. However, the block event can be found in Event Viewer > Applications.

I suspect that AppGuard blocked regsvr32 from registering update.dll on the system during installation of the signed RAT. In the video you see that AppGuard blocks update.dll when the RAT installer is executed.
 

509322

Does anyone understand the point that @cruelsister makes in this video ?

The point is that valid digital certificates as a trust mechanism suck.

The point is that this trust mechanism can be craftily abused to wreak worldwide havoc. (It's not specifically stated in the video, but it is apparent if you extrapolate what is shown to its furthest possibilities.)

The point is that a user should not blindly trust any and all digitally signed files.

The point is that if your security soft "whitelists" digitally signed files - which just about every single one does in one way or another - you really should pay attention.

* * * * *

We are aware that use of the Trusted Publisher List is an inherent risk, but the risk score - in the current environment - is very low. The likelihood that a user would come across malware with a proper, valid digital certificate from one of the default publishers on the Trusted Publisher List is quite small. For those of you that like numbers, it is < 1 % - statistically, less than a fraction of a percent.

Whitelisting of digitally signed files is widely used for increased usability and to prevent performance issues by excluding certain digitally signed files from monitoring. We don't have to worry about performance issues with AppGuard because it doesn't do the typical, system-impacting AV type process checks.

In short, the Trusted Publisher List is there for usability while providing a high level of protection.

The typical AppGuard user has developed an understanding of Win internals and knows what is installed on their system. They also tend to be way more security conscious than the average Joe.

The user can significantly increase Protected mode by customizing the Trusted Publisher List.

The user can run AppGuard in Locked Down mode.

Used properly, there is no problem.

If I can teach my 92-year-old grandmother, who never made it past the 6th grade, to use AppGuard, then anyone can use it.
 

509322

Have added a .bat in the startup folder; the AppGuard GUI hadn't yet actively run upon startup, but AG still blocked it. Had different results:
  • It opened up CMD, but access was denied;
  • If AG took longer than expected, the .bat would run CMD to do its work, but its further attempt at adding a file in TEMP was blocked; this one generated an alert.
I had added that .bat to USER SPACE set to "No"; still AppGuard did its thing.

What does the *.bat file do ?

cmd.exe is a Guarded App. cmd.exe host process executes the *.bat. If the *.bat file attempts to violate AppGuard policy, then its actions will be blocked.

If the *.bat is attempting to write to C:\Windows\Temp - that will be blocked because cmd.exe as a Guarded App is prevented from writing to System Space. C:\Windows\Temp is in System Space.

To allow the *.bat to write to C:\Windows\Temp - if that is what it does - you have to disable Guarded protections for cmd.exe by unticking it in the Guarded Apps list.

The above is most definitely not recommended. Just be aware that if you do this, and a Guarded App is exploited or you run a digitally signed malicious program in Protected mode or use "Allow User Space Launches - Guarded", then those programs can use cmd.exe to modify the system in unwanted\malicious ways.

@Duotone - please move this to PM since it is off-topic for this thread.
 

Duotone

What does the *.bat file do ?

A very old trial reset...

If the RAT is early launch, and attempts to load update.dll before the AppGuard GUI is actively running, then there will be no AppGuard block alert. However, the block event can be found in Event Viewer > Applications.

Sorry, misread this part; I was thinking of the AG (icon) delay upon startup while still having active protection.

@Duotone - please move this to PM since it is off-topic for this thread.

...DELETED
 

AtlBo

In short, the Trusted Publisher List is there for usability while providing a high level of protection.

Combined with a top tier a-v/IS program, the odds go down a significant amount further, right? So I feel it's important to state that getting the most from the security programs on your system that do use resources is very important, even though they may not have to do the bulk of the work. What I mean is...get as much top tier behavior monitoring, HIPS, sandbox, and recognition as possible in a single app for the low resource protection options to do the bulk of the work :). I feel like the 99% from the low resource looks pretty good then.
 

509322

Combined with a top tier a-v/IS program, the odds go down a significant amount further, right?

As long as a user adheres to AppGuard's blocks, then the risk goes way down. AppGuard works in a simple way - what is not allowed is blocked. If the user is constantly lowering AppGuard's protections to "Allow Installs" or "OFF" and executing unknown files, then AppGuard's protections are pointless.

So I feel it's important to state that getting the most from the security programs on your system that do use resources is very important, even though they may not have to do the bulk of the work.

A user that understands can configure their HIPS policies to mimic AppGuard. For a partial, single example, they would have to add all commonly exploited programs to High Restricted in Kaspersky. The same can be done in SpyShelter, COMODO, ESET, Avast, and others to the extent that their features permit it. However, most users don't understand what to do and so they are better off just using AppGuard. Besides, AppGuard offers protections that AV\IS do not provide. Plus, compared to the bugs, configuration hassles, and other issues in some IS, AppGuard is "Easy as cake" to use.

What I mean is...get as much top tier behavior monitoring, HIPS, sandbox, and recognition as possible in a single app for the low resource protection options to do the bulk of the work :). I feel like the 99% from the low resource looks pretty good then.

Yes, I agree. However, if a user simply relies upon "What is not allowed is blocked," and is a disciplined user that does not execute unknown files on their system, then there is no need to add 15 layers of protection. For example, the BRN VP of Engineering placed AppGuard on her father's system with Windows Defender and Windows Firewall. A few years later she checked on that system and it had not been infected. He did download and execute files like videos, movies, documents, but he never modified the base install of the system.

If one is paranoid - and that is what it really amounts to, ultra-paranoia - then one can combo security softs. And I'm not talking about using second-opinion scanners. Their use makes sense to a point. Ultra-paranoia is like a disease on the security forums - where you can find ridiculous security configurations with 6, 7, 8, 9, or more security or related softs installed. Based upon typical use, such configurations are absolutely ludicrous overkill. There is irrational thinking amongst ultra-paranoid users that every single file on the system needs to be under continuous monitoring. That somehow a hidden file infector will take over all Windows processes and turn them into zombies and steal everything from them. That every single program installed on the system is about to be exploited. That the risk of infection is a big number. Well... that just isn't anything near reality nor a sane approach to security.

You have to consider the protection level to system impact ratio for a security soft. Ones with high ratios - like AppGuard and others - give the biggest "bang for the buck." You also have to consider bugs. I simply stay away from security softs with problematic bugs. Just about every single IS or related security soft that I have inspected has serious bugs that affect usability and\or security. It's a huge problem.
 

AtlBo

You have to consider the protection level to system impact ratio for a security soft. Ones with high ratios - like AppGuard and others - give the biggest "bang for the buck." You also have to consider bugs. I simply stay away from security softs with problematic bugs. Just about every single IS or related security soft that I have inspected has serious bugs that affect usability and\or security. It's a huge problem.

Thanks for the comments. Extremely helpful.

I didn't do a very good job of saying it, but I honestly was attempting :rolleyes: to reiterate what you said and just add that the 99+% success from blockers really looks extremely good even to experienced, if not knowledgeable, users like myself. How much more are they great for those with limited experience? Further, if you're in the group of those, like myself, who are more comfortable with two or three or even four applications, I don't see how a blocker can be beaten. All your points make sense even to that type of user imo. Sure, add Comodo or something else 100% hands-off and with high protection value, but definitely add the blocker. Great conversation, so I thought I would try to bring it down a notch for anyone who might be looking into a blocker like AppGuard, etc. but doesn't know much about them or hasn't tried one. Definitely, yes, try one. So light on resources and powerful.

VoodooShield was great for the short time I looked it over. Ended up with NVT ERP due to some script support that isn't in VS (run a script from a script isn't whitelistable in free as far as I can tell). I'm sure AppGuard is amazing.
 