Comodo Announces the Release of Its New Application

Comodo has announced the release of a new application which incorporates five new security and HIPS (host intrusion prevention system) functionality tests. These tests, especially those that detect rootkit installations, incorporate techniques commonly used by virus authors and provide a very good indication of a security product's ability to block real-world threats. Comodo developed these tests largely so that it can deliver new preventative intelligence to end users on the performance of their PC security solutions before damage is done.

Comodo Malware Labs is constantly identifying techniques that malware authors use to bypass PC security solutions. One particularly damaging threat identified by Comodo engineers occurs when a rootkit is installed, without permission, on a user's system. Rootkits are the "ultimate backdoor", giving hackers ongoing and virtually undetectable access to the systems they exploit. Rootkits are so damaging because they compromise computer systems by subverting the Windows kernel, the central component of most operating systems, which manages the system's resources and the communication between hardware and software components. In worst-case situations, a PC can be rendered useless once it has been infected with a rootkit, as this type of virus often cannot easily be removed or quarantined. Therefore, it is critical that users have an easy means to test for this type of vulnerability before damage is done. It is Comodo's hope that end users who discover they are vulnerable to rootkit installations after running these new tests will take measures to upgrade or replace their security software.

This set of testing tools was designed to emulate different types of attacks and includes the following tests:
- Rootkit Installation 1 - Loads a driver via the ZwSetSystemInformation API; a very old, well-known and effective way to install a rootkit.
- Rootkit Installation 2 - Loads a driver by overwriting a standard driver (beep.sys) and starting it through the Service Control Manager (as Trojan.Virantix.B does).
- DLL Injection 1 - Injects a DLL into a trusted process (svchost.exe) by queuing an APC that calls LoadLibraryExA with "dll.dll" as its parameter. The string "dll.dll" is not written into the target's memory; it is taken from the ntdll.dll export table, which sits at the same address in every process. The APC is queued to the second thread of svchost.exe, which is always in an alertable state.
- DLL Injection 2 - An old but very widespread technique: a DLL is injected by creating a remote thread in the trusted process, without using WriteProcessMemory.
- BITS Hijack - Downloads a file from the internet using the Background Intelligent Transfer Service, which operates from within a trusted process (svchost.exe).
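Two of the conditions these tests exercise leave artefacts an administrator can audit directly: a replaced beep.sys (Rootkit Installation 2) and an unexpected BITS download job (BITS Hijack). The following PowerShell triage script is an added example, not Comodo's code; it assumes an elevated PowerShell 5.1 session on Windows 8 or later with the built-in BitsTransfer module, and the "Valid" expectation for beep.sys assumes a stock, catalog-signed Windows installation.

```powershell
# Added example (not part of the Comodo test suite): host-side triage for
# artefacts of the beep.sys overwrite and BITS hijack techniques.
# Assumes: run as Administrator, Windows 8+ (catalog signatures are checked
# by Get-AuthenticodeSignature there), BitsTransfer module present.

Import-Module BitsTransfer -ErrorAction Stop

# --- Check 1: beep.sys integrity -------------------------------------------
# The overwrite technique replaces the stock driver file in place. A stock
# beep.sys is catalog-signed by Microsoft; an overwritten copy will typically
# show Status NotSigned/HashMismatch and a non-Microsoft (or absent) signer.
$beepPath = Join-Path $env:SystemRoot 'System32\drivers\beep.sys'
$sig      = Get-AuthenticodeSignature -FilePath $beepPath
$beepInfo = [pscustomobject]@{
    File          = $beepPath
    Status        = $sig.Status          # expected on a clean host: Valid
    SignatureType = $sig.SignatureType   # expected on a clean host: Catalog
    Signer        = $sig.SignerCertificate.Subject
    SHA256        = (Get-FileHash -Path $beepPath -Algorithm SHA256).Hash
}
$beepInfo | Format-List

# --- Check 2: driver services loaded from outside the drivers directory -----
# The SCM-started rootkit appears as a kernel driver service. Listing driver
# services whose binary lives outside System32\drivers gives a review list
# (some legitimate vendor drivers appear here too; treat it as triage input).
# Note: Rootkit Installation 1 bypasses the SCM, so it will NOT show up here.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and ($_.PathName -notlike '*\System32\drivers\*') } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize

# --- Check 3: BITS jobs for all users --------------------------------------
# A BITS hijack shows up as a transfer job owned by some account, with the
# remote URL(s) and local destination recorded on the job itself.
Get-BitsTransfer -AllUsers |
    Select-Object DisplayName, JobState, OwnerAccount, TransferType,
        @{ Name = 'RemoteUrls'; Expression = { ($_.FileList.RemoteName) -join '; ' } },
        @{ Name = 'LocalPaths'; Expression = { ($_.FileList.LocalName)  -join '; ' } } |
    Format-Table -AutoSize
```

Compare the beep.sys SHA256 against a known-good copy from installation media or a reference host of the same build, since a valid signature status alone does not tell you which version of the driver is present.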



© 2008 Computing News