Why some tests are done with the HIPS disabled

Published by kareldjag



For some tests, we treat the HIPS as disabled.
These tests cover the scenario in which an ill-intentioned person with physical access to a computer wants to install malware on it directly (a backdoor, spy tools such as keyloggers, etc.).
We assume that this person:

- has no access to an administrator account (is logged on as a standard user),

- and we exclude the well-known method of booting from a CD-ROM or floppy disk to reach the SAM and reset the administrator password.

That could be:

- a person who wants to install spy tools on public computers (internet cafés, public libraries, universities, hotels, etc.) in order to steal confidential and financial information (online banking credentials, credit card numbers, PayPal/eBay accounts, etc.);

- a person who wants to spy on another person's computer activity: a jealous husband who wishes to read his wife's Yahoo/MSN conversations;

- a person who wants to install a rootkit, a RAT (remote administration tool) or a backdoor on a computer in order to access it remotely from another machine: a student at a university, for instance.
(......)

These scenarios are not pure fiction; they happen every day around the world.

For that purpose, these people usually need an administrator account.
If they are logged on as a standard user and cannot boot from an external drive to reach the SAM, they can choose between:

- privilege escalation, for example a shatter attack (sending window messages to a higher-privileged process that shares the interactive desktop),

- tools such as an msgina capture (a replacement GINA DLL that records credentials at logon: msgina, or the Winlogonhijack variant used in our test),

- installing the spy tools from DOS or Safe Mode: there they may be able to log on to the built-in administrator account (named "Administrator"; on Windows XP it appears on the Safe Mode logon screen even when it is hidden from the normal Welcome screen), and then install their software.
This software can be configured to run at start-up in hidden mode (no icon in the system tray).
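The defender's counterpart to the three methods above is a quick audit of the places they leave traces. The script below is an added example, not part of the original article or of any of the products it mentions: it looks for a non-default GINA DLL (the msgina capture), for tampered Winlogon launch points, for Run/RunOnce autostart entries that a hidden spy tool would use, and, since Safe Mode is the case these tests model, for whether the HIPS is registered to start in Safe Mode at all. It assumes a Windows XP-era system (GINA no longer exists on Vista and later) and an administrator prompt; `$HipsServiceName` is a hypothetical placeholder for the real service or driver name of the installed HIPS.

```powershell
# Added example, not from the original article. Audits a Windows XP-era
# machine for the footholds described above and checks whether the HIPS
# would still be active in Safe Mode. Run from an administrator prompt.
# $HipsServiceName is a hypothetical placeholder: replace it with the real
# service or driver name of the installed HIPS.
param(
    [string]$HipsServiceName = 'ExampleHipsService'
)

$findings = @()
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue

# 1. GINA hijack (the "msgina capture" technique): the DLL named in GinaDLL
#    is loaded by winlogon.exe and sees every password typed at logon.
#    The default is msgina.dll, or no GinaDLL value at all.
if ($wl.GinaDLL -and ($wl.GinaDLL -notmatch '^(.*\\)?msgina\.dll$')) {
    $findings += "Non-default GinaDLL: $($wl.GinaDLL)"
}

# 2. Other Winlogon launch points commonly abused for persistence.
if ($wl.Userinit -and ($wl.Userinit -notmatch '^(.*\\)?userinit\.exe,?$')) {
    $findings += "Non-default Userinit: $($wl.Userinit)"
}
if ($wl.Shell -and ($wl.Shell -ne 'Explorer.exe')) {
    $findings += "Non-default Shell: $($wl.Shell)"
}

# 3. Run/RunOnce autostarts: a spy tool "configured to run at start-up" with
#    no tray icon usually lives here. Every entry is listed so the reviewer
#    can compare it against what is expected on this machine.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a registry value
        $findings += "Autostart [$key] $($p.Name) = $($p.Value)"
    }
}

# 4. Safe Mode coverage: Windows only starts the services and drivers listed
#    under SafeBoot\Minimal (Safe Mode) and SafeBoot\Network (Safe Mode with
#    Networking). A HIPS missing from both is exactly the "HIPS disabled"
#    situation these tests model.
foreach ($mode in 'Minimal', 'Network') {
    $entry = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$HipsServiceName"
    if (-not (Test-Path $entry)) {
        $findings += "HIPS service '$HipsServiceName' is not listed under SafeBoot\$mode and will not run in that Safe Mode"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Two caveats when reading the output. HKCU is the hive of the account running the script, so autostarts planted under another user's profile only show up if that hive is loaded and checked under HKU\<SID>. The SafeBoot check matches by service name only; a driver that Windows admits to Safe Mode through a device-class GUID entry rather than its service name would be reported as missing, so confirm such a case by hand before concluding the HIPS is absent in Safe Mode.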

At the reboot, the result depends on the kind of HIPS:

- the new process is killed automatically (pure whitelist HIPS such as Anti-Executable, Abtrusion Protector or Zorro pc Protector),

- the user is warned that a new process is running, but the malicious spying behaviour (keyboard message hooks installed with SetWindowsHookEx, the usual keylogger technique) is blocked: this is the case of whitelist HIPS based on virtualization/sandboxing and policy restriction, such as DefenseWall, BufferZone or GesWall;

- some HIPS detect the malicious behaviour and warn the user (most HIPS based on anomaly detection and behavioural analysis, such as ProcessGuard, AppDefend, NeovaGuard, System Safety Monitor, etc.);

- some products detect nothing (neither the new process nor the malicious behaviour): in this case, the ill-intentioned person has reached their aim.

Some HIPS are therefore better suited to computers shared by several users (family, public computers), while others are intended for a computer used by one and only one person.



Posted in METHODOLOGY
