Archive for October, 2014


Metasploit port scanning target for Cerberus

Metasploit test setups from the early development stages of Cerberus (the best part is the last one, by the way).

Metasploit is a tool used for network penetration testing. Penetration testing is done to discover a network’s vulnerabilities. For the basics of penetration testing, take a look at this Wikipedia article. For a bit more including a short mention of Metasploit, take a look at this InfoWorld article, “Penetration testing on the cheap and not so cheap”.

Within the Metasploit framework, Nmap was used as the port scanning solution. Nmap stands for network mapping. It has multiple capabilities but at the core, it probes to discover what other hosts and resources are available on a network.

We’ll show the results of tests using three of the Nmap scan modes: the insane, polite and sneaky scan speeds.

In each test, you’ll also see that the process “Ruby Interpreter” is contained at the end. In Metasploit, Ruby can be used to write the commands issued to manage the target object. In each case, the Nmap scenario runs its course of port scanning, as a worm infection would. Afterwards, Cerberus detects the Ruby Interpreter trying to send some illegitimate messages. We added this to the command sequence out of curiosity, and it supports the conclusion that Cerberus is doing its job as intended. In each case, it detected both the worm-type scans and the illegitimate messages. These were suspicious but not malicious, so none were quarantined. However, all were contained, as they should have been with Cerberus on the job.

Insane Speed

This is a very fast scanning rate. You can see in the figure below that Nmap was contained and then relaxed. Nmap actually tried several intermittent scans before starting at insane speed; if this had continued, it would have been contained. However, Nmap started to increase the scan rate and was contained only 63 milliseconds (0.063 seconds) after the start of the test. This figure does not show all the Ruby Interpreter activity, which continued to send messages at long intervals and was contained and relaxed, followed by a strong burst 30 minutes after the start of the test. They were all contained but never quarantined, as none were malicious.

[Figure: metasploit, insane speed test]

Polite Speed

This mimics a very slow worm, which is usually difficult to detect. You can see in the figure below that Nmap was contained and then relaxed two times, the second time at the end of the Nmap part of the test. Cerberus still contained Nmap only 109 milliseconds (0.109 seconds) after the start of the test. Again, neither Nmap nor Ruby was ever quarantined, as they were not malicious despite the scans and messages being illegitimate.

[Figure: metasploit, polite speed test]

Sneaky Speed – This is a great example of why Cerberus is a great addition to your computer’s security measures!

This setting does just as the name implies: it is designed to evade intrusion detection. The setting is adaptive; it adjusts to the reaction it receives from any protection present. The reason it does this highlights the value of Cerberus. Sneaky speed is designed to defeat common rate-limiting methods of detection and detection methods that use thresholds. In the latter case, being adaptive, Nmap tests its boundaries to determine the threshold and then scans below it to avoid being detected. However, Cerberus detected and contained Nmap at sneaky speed only 125 milliseconds (0.125 seconds) after the start of the test. Nothing sneaky speed could do would convince Cerberus to let it go. This demonstrates the validity and usefulness of Cerberus’ signature-free approach!

[Figure: metasploit, sneaky speed test]
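The threshold-evasion problem described above, as an added example that is not Cerberus’ or Nmap’s code: two defender-side detectors are run over constructed connection logs at three scan rates, showing that a fixed per-second threshold misses the slow scans while a per-process count of distinct destination ports does not. All process ids, ports and rates are constructed, and the rates only loosely mimic Nmap’s timing templates.

```python
"""Added example: why a fixed rate threshold misses a slow port scan.

Events are constructed outbound connection attempts: (timestamp_seconds, pid, dst_port).
Two detectors are compared: a sliding-window rate limiter and a rate-independent
count of distinct destination ports per process.
"""
from collections import defaultdict, deque


def make_scan(pid, n_ports, interval, start=0.0):
    """Constructed log: n_ports connection attempts from one pid, one every `interval` s."""
    return [(start + i * interval, pid, 1 + i) for i in range(n_ports)]


def rate_threshold_alerts(events, window=1.0, max_per_window=20):
    """Classic rate limiter: flag a pid that opens more than max_per_window
    new connections inside any sliding window of `window` seconds."""
    recent = defaultdict(deque)   # pid -> timestamps inside the current window
    alerted = set()
    for ts, pid, _port in sorted(events):
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) > max_per_window:
            alerted.add(pid)
    return alerted


def distinct_port_alerts(events, max_distinct=20):
    """Rate-independent: flag a pid once it has touched more than max_distinct
    distinct destination ports, however slowly it got there."""
    seen = defaultdict(set)       # pid -> distinct destination ports so far
    alerted = set()
    for _ts, pid, port in sorted(events):
        seen[pid].add(port)
        if len(seen[pid]) > max_distinct:
            alerted.add(pid)
    return alerted


# Three constructed scan profiles (illustrative rates, not Nmap's real defaults).
INSANE = make_scan(pid=101, n_ports=200, interval=0.005)  # ~200 ports per second
POLITE = make_scan(pid=102, n_ports=200, interval=0.4)    # 2.5 ports per second
SNEAKY = make_scan(pid=103, n_ports=200, interval=15.0)   # one port every 15 seconds

if __name__ == "__main__":
    all_events = INSANE + POLITE + SNEAKY
    print("rate threshold flags:", rate_threshold_alerts(all_events))   # {101}
    print("distinct-port flags:", distinct_port_alerts(all_events))     # {101, 102, 103}
```

The polite and sneaky scans never exceed 20 attempts in any one-second window, so the rate limiter stays silent on them; the distinct-port count flags all three once the 21st port is probed, regardless of pacing.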

Rongvhin.C – Development stage test results

The Rongvhin family of malware is a trojan, sometimes referred to as a virus. It is not one that we were designing Cerberus to catch as, while a pest and difficult to remove, it is not that dangerous. At least in relative terms, we would call it less dangerous than others. It is also not a worm and not known as self-propagating.

The version tested, Rongvhin.C, was discovered in October 2013. We performed this testing on March 18, 2014. We knew mostly what to expect, and this was not a test to determine how Cerberus performed with zero day malware. Rongvhin.C is most correctly described as a trojan but is also often discussed as a virus.

Rongvhin’s main purpose seems to be to generate reputation and Google rankings for certain ads, websites or software downloads for its authors or their customers. Rongvhin.C may also change the blocked and allowed sites set on your computer. This can be rectified by returning to the default values. You can read more about the Rongvhin family and Microsoft’s suggested manual removal method at http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanClicker%3aWin32%2fRongvhin.C#tab=1.

We installed TrojanClicker:Win32/Rongvhin.C from the file H_LOADER.exe. This installed the files miniads.exe, miniads2.exe, miniads3.exe and adsminirun.exe. This is where the name confusion enters: while Rongvhin.C is a trojan, the executables it installs behave as viruses.

During our testing, miniads.exe and miniads3.exe were the only ones to become active. Miniads.exe did not display malicious activity but tried to send several messages. Miniads3.exe would try to send out messages about every 8 minutes, and SigFree Cerberus would contain it. If it is not contained, it sends messages for about 2 minutes, goes dormant for 8 more minutes, and then repeats the cycle. However, Cerberus contained it, meaning that Cerberus stopped its messages from being launched onto the web.

[Figure: Rongvhin.C test]

Cerberus did not quarantine it. Cerberus can control the Rongvhin.C programs by simply containing them when they attempt to send messages. Through Cerberus’ actions, you may determine that you want to remove the infection from your computer. But even if you choose not to do so, Cerberus will still be protecting you. Cerberus will continue protecting you even if Rongvhin.C mutates or is changed into a new variant that other programs cannot protect against. Cerberus does not need known signatures!

As with Sirefef discussed in a prior blog entry, this was a test at an early stage of development before all features were installed and the program optimized. We consider this test a success! SigFree Cerberus protected the computer from the effects of the Rongvhin.C trojan and rendered its objects useless to complete their tasks!

Sirefef – Early development stage test results

The Sirefef family of malware is a virus. It is not one that we were designing Cerberus to catch as, while a pest and difficult to remove, it is not that dangerous. At least in relative terms, we would call it less dangerous than others. It is also not a worm and not known as self-propagating.

The version of Sirefef tested was discovered in November 2013. We performed this testing on March 12, 2014. We knew what to expect and this was not a test to determine how Cerberus performed with zero day malware.

Sirefef’s main purpose seems to be to generate ad revenue for its authors by altering search results. It may download updates to add to its capability or to alter its signature. It seems capable of carrying a payload. You can read more about the Sirefef family and Microsoft’s suggested manual removal method at http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Virus:Win32/Sirefef.gen!B.

We ran this on Windows XP SP3, as it was most likely the most vulnerable platform.

We installed TrojanDropper:Win32/Sirefef.gen!B. Scanning, we found files TrojanDropper:Win32/Sirefef.gen!B, Trojan:Win32/Sirefef, and Trojan:Win32/Sirefef.AB. The virus is capable of turning off Windows firewall and Microsoft Security Essentials. Added protection in this case is definitely a benefit.

The virus infected two host processes, services.exe and svchost.exe. Services.exe was the most active; it was contained five times by SigFree Cerberus and then quarantined. This process would go dormant when contained but was finally deemed malicious. The process was quarantined almost five seconds after installation, but for most of this time it had returned to its dormant state.

As we mentioned, this is often the case with the operation of Cerberus. The suspect responds to being contained by moving to a dormant state. With some malware, repeating this action is enough to exhaust the malware. This repeated containment is not dangerous. Containment is simply the first stage of quarantine. We developed this method to prevent containment of good objects. Remember, we are signature-free. We are not only trying to find malware that has already been found. Our objective is to find our targets quickly and to be able to find our zero day targets just as quickly.

The second instance of the virus infected svchost.exe but was almost inactive. SigFree Cerberus contained it six times during the test but it fell dormant each time. It presented no danger.

Again, this was a test at an early stage of development before all features were installed and the program optimized. We consider this test a success!

Cerberus Takes a Bite Out of Zero Day Malware

Cerberus v1.0, the revolutionary added malware protection for Windows, is being released today by DayZero Systems. When serious problems strike, SigFree Cerberus may be the only solution that offers protection from malware.

Harrisburg, PA – 16 October 2014: The time has come for new thinking in internet security software and DayZero Systems is stepping up to the challenge. The first zero day, signature-free detection application for protection from worms is being introduced today by DayZero Systems, Inc. The new DayZero SigFree(TM) Cerberus(TM) Version 1.0 brings a new level of added protection to any Windows computer user.

SigFree Cerberus provides zero day protection against worms and other similar self-propagating and self-mutating malware, including many viruses. Cerberus does not require known signatures so detection can occur before malware spreads and causes costly damage. And, before the malware steals personal information or uses system resources as part of a bot network.

The constant onslaught of new threats and breaches is proof enough that a new approach to internet security is necessary. Microsoft issues regular patches and in a recent announcement stated, “Attackers often spread malicious code through self-propagating malware, like worms.” With regard to the prevalent use and sharing of USB drives, Karsten Nohl, chief scientist with Berlin’s SR Labs, discovered the ease of planting malware in USB microcontrollers, “Now all of your USB devices are infected. It becomes self-propagating and extremely persistent. You can never remove it.”

SigFree Cerberus v1.0 strikes at these types of threats and is the first in an arsenal of future signature-free applications to be released by DayZero Systems, the new leader in zero day threat protection. Cerberus does not protect systems from every type of malware. DayZero still recommends continued regular scans using Windows(TM) Security Essentials or, in the case of Windows 8, Windows Defender.

SigFree Cerberus v1.0 comes with a free two week trial, just click: http://cerberus.dayzerosystems.com/download/. DayZero promotes safe computer use. After downloading, right click on the file name in its folder, click properties, and click the digital signature tab. This ensures that the software comes from a trusted, certified source.

The version 1.0 license is US$14.00 per computer on which it is installed, comes with all v1.0 upgrades, and is not time-limited. The license may be purchased through Digital River by clicking http://cerberus.dayzerosystems.com/buynow-v1/.

DayZero Systems Inc. has been active in the internet security community since 2006 and is affiliated with the Pennsylvania State University and the Pennsylvania State Research Foundation. Follow us on Twitter (https://twitter.com/DayZeroSys) and look for news at http://blog.dayzerosystems.com/.
