Unhooking malware tests

Unhooker tests

 

 

This comparative was made to show how different HIPS (Host Intrusion Prevention Systems) behave against a very special, singular kind of malware: trojans and rootkits which literally 'break' the HIPS's sensors, by restoring the kernel-mode hooks it uses to detect changes on the system. When such hooks are restored, the hooked Nt functions are put back into their original, unhooked state.

These hooks, used in greater or smaller numbers by HIPS, are what allow them to detect and intercept the changes they are designed to protect against: creation of new autostart keys in the registry, creation of a new service, execution of a process, modification of a process's memory by another process, etc. Kernel-mode hooking (often called 'ring 0') is generally seen as the most powerful way to monitor system changes, as opposed to user-mode hooks ('ring 3'): user-mode hooks do not benefit from any special privilege on the system, whereas kernel-mode hooks run at the highest privilege level on the system and allow virtually anything to the program using them. The flip side is that any other code which reaches ring 0 has exactly the same power, including over the HIPS's own hooks.

So far, HIPS running at kernel level (those using kernel-mode hooks) were seen as always able to prevent changes requested by applications running with a lower privilege level than their own, as long as these changes were included in the monitored perimeter.

For example, such kernel-level HIPS were able to block kernel-mode rootkits, provided that service/driver installation was part of the protection offered by the program used.

However, the strange rootkits and trojans tested in this comparative are changing the rule: some of these samples try to 'break' the HIPS, or the firewall, in order to bypass it. The reason is that in normal circumstances, the HIPS would detect and prevent the changes the malware needs to install, or to work as designed, thanks to its 'sensors' (kernel-mode hooks). This is probably a workaround the authors of these malwares found: they break the 'sensors' of the programs that are, in theory, able to block them. Once its 'sensors' are broken, the HIPS or firewall is left in a state where it is still running but completely blind: it cannot intercept anything anymore, and thus cannot prevent anything either. Exactly as if it had been uninstalled...

This way, the malware is free to install and to perform any changes it needs on the system. For example, during the tests with one program, a simple process execution led to a rootkit being installed undetected, which then installed 2 other kernel-mode rootkits, without any alert from the HIPS and nothing in the logs either: the program was as good as dead. Once they have anaesthetized or killed the HIPS or the firewall, nothing can stop them, except detection and removal by an antivirus, antispyware or antitrojan, or manual removal with specific tools such as antirootkits.

These malwares are therefore very dangerous, not only because they can bypass programs that are supposed to block them, but because once they are installed, nothing abnormal shows on a system protected by a HIPS that was bypassed: if the HIPS was killed, its interface still shows its status as 'OK', 'running', leaving the user with a false sense of security (thinking he is protected, although he isn't).

This must be a fairly recent kind of threat, since little information can be found about such malware features.

 

Remember that this comparative is only meant to test the programs against these unhookers, a very special, singular and uncommon kind of malware, though all these samples (except the Bifrost server) come from real infections, meaning that such malware is spreading for real. Thus, this comparative is NOT meant to reveal the general efficiency of the various programs tested, in any way.

 

The test files

 

A set of 7 samples was used. This is not a lot, but it was enough to show the various behaviours of the programs tested against them.

Among these samples, 5 try to bypass the HIPS directly, as soon as they are launched, before performing various changes on the system. Four of them perform a FULL restore of the kernel-mode hooks when they are not prevented from doing so: Backdoor Win32.Agent.alm (opens a connection from svchost.exe), Rootkit Win32.agent.EZ (installs a kernel-mode rootkit, hides a spamming bot), Rootkit Win32.Agent.FQ (installs a kernel-mode rootkit, opens connections), Trojan Small.emw (launches other executables, opens connections).

The fifth sample, a server made with the Bifrost backdoor, restores only 15 kernel-mode hooks: just those needed to evade detection (hooks related to registry protection, process detection, port detection, memory protection...).

The last rootkit, Rootkit Win32.Agent.EY, was included as 2 samples (2 tests) to reveal another behaviour of the HIPS tested: one sample is a dropper, and restores all hooks only once its kernel-mode driver is loaded. The other one is a downloader, and needs to alter the memory of svchost.exe in order to restore all kernel-mode hooks. Though both samples are the same malware, they do not proceed the same way to bypass the HIPS and to restore the hooks.

Note: These malwares are unable to perform the unhooking, and to install, when run from a user-mode (limited) account, since restoring kernel hooks requires getting code into the kernel (typically by loading a driver), which a limited user cannot do. They were tested under an administrative account.
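The mechanism described above (kernel-mode sensors being restored by the malware, leaving the HIPS running but blind) and the full-versus-selective restore behaviour of the samples just listed can be modelled in a few lines of C. The following is an added illustration, not code from this page, from any of the products tested or from any of the samples: the system service table, the HIPS hooks and the unhooker are all plain function-pointer tables inside one user-mode process, and every index, name and 'sample action' in it is constructed for the example. It also goes one step beyond the page by adding the check a HIPS would need to notice the attack (re-verifying that its hooks are still in place), which the page only implies is missing.

```c
/*
 * Simulation of kernel-mode hooking and "unhooking" (added example, not from the page).
 * The system service table, the HIPS hooks and the malware's restore logic are plain
 * function-pointer tables inside one user-mode process; nothing here touches a real
 * kernel. All indices, names and "sample actions" are constructed for the example.
 */
#include <stdio.h>
#include <string.h>

enum svc {                     /* simulated service indices, not real SSDT indices */
    SVC_CREATE_KEY = 0,        /* registry write, e.g. an autostart key */
    SVC_CREATE_PROCESS,        /* process execution */
    SVC_WRITE_PROCESS_MEMORY,  /* modifying another process's memory */
    SVC_LOAD_DRIVER,           /* installing a service/driver */
    SVC_COUNT
};
typedef int (*svc_fn)(const char *arg);

/* The kernel's genuine service routines: each simply succeeds. */
static int nt_create_key(const char *a)           { (void)a; return 0; }
static int nt_create_process(const char *a)       { (void)a; return 0; }
static int nt_write_process_memory(const char *a) { (void)a; return 0; }
static int nt_load_driver(const char *a)          { (void)a; return 0; }

static svc_fn ssdt[SVC_COUNT];     /* live table consulted by dispatch() */
static svc_fn pristine[SVC_COUNT]; /* clean copy an unhooker recovers, e.g. from ntoskrnl on disk */

/* ---- HIPS: its "sensors" are the hooks it writes into the table ---- */
static svc_fn hips_saved[SVC_COUNT];  /* originals saved at hook time */
static int    hips_alerts;            /* events the HIPS actually saw */
static int hook_create_key(const char *a)           { hips_alerts++; return hips_saved[SVC_CREATE_KEY](a); }
static int hook_create_process(const char *a)       { hips_alerts++; return hips_saved[SVC_CREATE_PROCESS](a); }
static int hook_write_process_memory(const char *a) { hips_alerts++; return hips_saved[SVC_WRITE_PROCESS_MEMORY](a); }
static int hook_load_driver(const char *a)          { hips_alerts++; return hips_saved[SVC_LOAD_DRIVER](a); }
static const svc_fn hips_hooks[SVC_COUNT] = { hook_create_key, hook_create_process,
                                              hook_write_process_memory, hook_load_driver };

static void kernel_boot(void)
{
    ssdt[SVC_CREATE_KEY]           = nt_create_key;
    ssdt[SVC_CREATE_PROCESS]       = nt_create_process;
    ssdt[SVC_WRITE_PROCESS_MEMORY] = nt_write_process_memory;
    ssdt[SVC_LOAD_DRIVER]          = nt_load_driver;
    memcpy(pristine, ssdt, sizeof ssdt);
    hips_alerts = 0;
}

/* System call dispatch: whatever pointer sits in the table gets called. */
static int dispatch(enum svc s, const char *arg) { return ssdt[s](arg); }

static void hips_install(void)
{
    for (int i = 0; i < SVC_COUNT; i++) { hips_saved[i] = ssdt[i]; ssdt[i] = hips_hooks[i]; }
}

/* The check a HIPS needs: count entries no longer pointing at our hooks and,
 * if rehook is set, put them back. Returns the number of tampered entries. */
static int hips_verify(int rehook)
{
    int tampered = 0;
    for (int i = 0; i < SVC_COUNT; i++)
        if (ssdt[i] != hips_hooks[i]) { tampered++; if (rehook) ssdt[i] = hips_hooks[i]; }
    return tampered;
}

/* ---- Malware side: restore the table from the clean copy ---- */
static int unhook_all(void)                 /* full restore, like the four "FULL restore" samples */
{
    int changed = 0;
    for (int i = 0; i < SVC_COUNT; i++)
        if (ssdt[i] != pristine[i]) { ssdt[i] = pristine[i]; changed++; }
    return changed;
}
static int unhook_selected(const enum svc *idx, int n)  /* selective, like the Bifrost server */
{
    int changed = 0;
    for (int k = 0; k < n; k++)
        if (ssdt[idx[k]] != pristine[idx[k]]) { ssdt[idx[k]] = pristine[idx[k]]; changed++; }
    return changed;
}
static void malware_payload(void)           /* constructed post-unhook activity */
{
    dispatch(SVC_CREATE_KEY, "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\agent");
    dispatch(SVC_LOAD_DRIVER, "rootkit.sys");
    dispatch(SVC_CREATE_PROCESS, "downloader.exe");
    dispatch(SVC_WRITE_PROCESS_MEMORY, "svchost.exe");
}

/* Scenarios: each returns how many of the four operations the HIPS saw. */
static int scenario_blind(void)     /* hooks once, never re-checks: 0 alerts, nothing logged */
{ kernel_boot(); hips_install(); unhook_all(); malware_payload(); return hips_alerts; }
static int scenario_watchdog(void)  /* verifies and re-hooks before the payload: 4 alerts */
{ kernel_boot(); hips_install(); unhook_all(); hips_verify(1); malware_payload(); return hips_alerts; }
static int scenario_partial(void)   /* only registry and memory sensors removed: 2 alerts */
{
    static const enum svc wanted[] = { SVC_CREATE_KEY, SVC_WRITE_PROCESS_MEMORY };
    kernel_boot(); hips_install(); unhook_selected(wanted, 2); malware_payload(); return hips_alerts;
}

int main(void)
{
    int blind = scenario_blind();
    int watchdog = scenario_watchdog();
    int partial = scenario_partial();
    int left = hips_verify(0);
    printf("full unhook, no watchdog: %d alerts\nfull unhook, watchdog: %d alerts\n", blind, watchdog);
    printf("partial unhook: %d alerts, %d sensors still missing\n", partial, left);
    return 0;
}
```

scenario_blind reproduces what the page reports: after a full restore, four protected operations go through without a single alert, and nothing reaches the log, although the HIPS is still 'running'. scenario_partial reproduces the Bifrost behaviour: only the restored sensors go blind, the others still fire. The watchdog in scenario_watchdog is a deliberate simplification; a real product would also have to protect the watchdog itself and the memory where it keeps its hook addresses, since anything running at ring 0 can tamper with both, which is why the note above about administrative rights matters.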

 

The programs tested

 

10 HIPS were included in this test. (Comparative results are available on the last page, see below.)

One of them, Dynamic Security Agent (freeware), was tested in another review, here: http://membres.lycos.fr/nicmtests/Dynamic-Security-agent-tests/DSA_index.htm  The tests against these samples are located at the bottom of that page. The other programs are:

Process Guard Full 3.4  Tests : process_guard_unhook.htm

Online Armor 2.0.1.203  Tests : online_armor_unhook.htm

CyberHawk Pro 2.0.4  Tests : cyberhawk_unhook.htm

ProSecurity 1.30  Tests : prosecurity_unhook.htm

System Safety Monitor 2.4.0.618  Tests : syssafety_unhook.htm

Prevx 2 (v 1.0.2 build 56)  Tests : prevx_unhook.htm

EQSecure 3.3 (freeware)  Tests : eqsecure_unhook.htm

Primary Response SafeConnect 2.1.0.661  Tests : prsafeconnect_unhook.htm

AntiHook 3.0  Tests : antihook_unhook.htm

__________

Update : Tests of new versions (SSM, EQSecure) : update.htm

__________ 

Global results : See below

 

 

___________________________

 

*****   The comparative results : Verdict   *****

 

Comparative result page :

 

unhookers_results.htm

 

 

 

 

The configuration and settings used

 

All programs were installed on a clean XP SP2 system, and the only other security program running was a firewall (Jetico 1). For all programs providing execution prevention, the test sample was allowed to run.

* Process Guard was running with all global protections enabled (after training mode was disabled), and the 'install service/driver' privilege removed for services.exe.

* Primary Response SafeConnect was used with default settings.

* CyberHawk was used with default settings, 'Community protection' enabled.

* ProSecurity was used with default settings (after training mode was disabled), and the 'debugging at system level' protection enabled.

* System Safety Monitor was used with default settings (after training mode was disabled), and all modules enabled.

* Dynamic Security Agent was used with default settings, Process detection enabled.

* AntiHook was used with default settings, running in 'Normal mode' (after training mode was disabled).

* Prevx was used in 'Expert' mode, with the behaviour for unknown programs set to 'query' and 'Event Notification' enabled. Important note: ALL samples used for these tests were known to the Prevx database, and were jailed automatically as soon as the folder containing them was copied to the computer. In order to test the behaviour of Prevx against such unhookers, these files were set 'on probation', so that their initial execution was allowed. (NB: the tests were run a second time, after the jail was cleaned and the samples copied again to the computer, without network connection so that the central database could not be reached, to make sure the results were conclusive.)

* Online Armor was used with default settings, 'Advanced mode', and its own firewall was not installed.

* EQSecure was used with all protections enabled (except 'load library file'). 

 

 

*** DISCLAIMER: These tests focus only on a very special kind of malware, and therefore should not be seen as an assessment of the general efficiency of the programs tested, in any way ***

 

 
