
Tech Un-penetrable

Discussion in 'Off Topic' started by dragonitti, Jun 15, 2005.

  1. dragonitti Guest

    I wasn't kidding when I said no one visits our website. It's all through word of mouth, no joke. Yes, the name of the company is BBX, and if you go back to the website and look at the logo again, you will notice that the BXB is actually BX(backwards B). Don't ask me, I didn't design the site. We don't have a web designer, so no glorious graphics here. I'm in IT, and not sales, so I'm not the person to talk to when it comes to pricing. You can get in on the demo as well; what is your e-mail address and I will be sure to add you to my list. The Live Meeting session can hold up to 15 people including me. So me as a presenter and 14 attendants. The number of employees here is undisclosed, but I can say that we are a small company.
  2. AlaricD Guest
    Yeah, McAfee VirusScan Enterprise 8.0i does that, too-- except after blocking the harmful content it still allows you to view the rest of the page-- so it can selectively block the harmful parts and allow the harmless stuff to show up. *MUCH* more usable.

    And it doesn't constrain you to using some hack of a cmd.exe to do command-line work.

    Come back when your software does something unique.
  3. AlaricD Guest
    Why would a program be disguised as an .EXE? That's scarcely a disguise at all-- as an .EXE (along with .BAT, .DLL, .SCR, and .COM) is *already* a program.
  4. AlaricD Guest
    All programs that run in an OS rely on the OS to some extent-- especially given the way current Microsoft OSes separate processes from direct control of the hardware (through the Hardware Abstraction Layer). The program *requires* the OS to run, therefore it cannot be independent of the OS.
  5. AlaricD Guest
    A great way to crash a system-- just force it to run as many immuneEngines as it takes to use all the available CPU time or cause the system to run out of memory.
  6. dragonitti Guest
    1) If the site was containing a virus that was a new unknown virus, McAfee would not have been able to stop the virus, because of the whole virus signature design. The site in question was nothing but a malicious site, so there was nothing to view to begin with. Let's take another site for instance... VictoriaSecret.com, VS.com. If you sit long enough on the site to establish a session with it, it will download a .exe to your machine. What the .exe does, I don't know; all I know is that we detect it, and eradicate it. However, I am still able to browse VS.com and purchase items if I wish. So, no, it doesn't block the site from you viewing it, just the crap it tries to put onto your machine.

    2) Constrain is not what we do. The Admin is allowed to do his daily routine. He just is no longer able to screw with the computer. He is forced to use the GUI to execute code, which we have control over as well.

    3) I think a binary search engine, no virus signatures required, the fact that it still works in safe mode, the fact that it doesn't bog down the system = Unique. If you would like to see it work in action I would have no problem giving you a demo as well. All I need is your e-mail address.
  7. dragonitti Guest

    A common hacking ploy is to take an executable and deposit it into the system as something like Tom.txt. You can try it on your computer. All you have to do is copy, say for instance, your calculator program. Copy Calc.exe to another place on your hard drive. Now rename Calc.exe to, say, Tom.txt. Windows will recognize it as a text file, and even display the icon for a text file. However, if you double click it, it will run and the program will launch the calculator. This is what happens when people receive e-mails: they think they are reading a document sent by their favorite friend, only to find out it was a program disguised as a document. By that time, it's too late. If you don't have the AV signature for that trojan, virus, worm, etc... you have been had. Because of our binary search engine, our policy dispatch, this will not happen.

    A common hacking ploy is for the hackers to break into the system, take your current executables and copy them to different parts of the system and rename them. We stop this by the general nature of just two aspects of our software...binary search engine, and policy dispatch.
  8. dragonitti Guest

    When I say independent of the OS, this translates into: we have our own event handling system. We do not have to sit and wait till something happens (execution of the program) in order for us to find it, eradicate it, and report it. It has been done, I'm not a liar. The software is available on pretty much all flavors of Windows, from NT4 to Advanced 2003 Server. If the computer isn't running, then you can't deposit a payload... duh! So, don't state the obvious like "The program requires the OS to run".
  9. laz Member, NYC
    This is pretty interesting, but what happens when an admin needs to install new software, or Windows Update? Hum, I guess the engine knows to let those happen? Or do you have to specify some type of rules to let the engine know what to allow, and what not to allow, or maybe only what to allow?

    This sounds like a great end-user/admin tool, but I guess it is only for Windows based machines. Are you thinking of doing anything for other OS machines? I am thinking here webservers running Linux/Apache/MySQL/PHP, which is a lot of them. Many times I had to deal with hack attempts in terms of SQL injections, or PHP code execution. I wonder, if you have a Windows webserver running Apache/MySQL/PHP (the horror), would it still be able to detect an intruder attack from defacing a website?

    Just throwing some random questions here from things that I had to deal with.

    X
  10. dragonitti Guest

    I've seen it and tested it. It runs very lean on the system. And let's just say hypothetically you were trying to do that.

    1) I would know the computer was under attack because of all the alerts that you would be generating. And act accordingly to stop you from doing that.

    2) All I would have to do is just reboot, and the machine will boot back up normally with ImmuneEngine still running.

    3) You wouldn't have access to try and shut the main executable down to begin with.

    This defense mechanism was put into place from the simple fact that Admins are using Admin-purpose tools for hacking. I'm speaking of PsTools in particular. If you do a search on PsTools, all you will find is how "GOOD" it is for admins to do administrative things for the computer network using these tools. What you WON'T find is articles of admins using them as a means to wreak havoc on the networks of companies and organizations. That's what they don't tell you. So, we had to put this in to stop tools that were designed to allow access to the machine remotely and give you admin rights... remotely. However, this defense thread is really no longer of great importance to us, because we stop PsTools before you can even use them.
  11. dragonitti Guest

    When installing software: the "trusted" admin has the ability from his desk to send down a signal to all the clients (probes, as we call them), either globally or to one individual machine, to bring down the defense shield around it. When the shield is down, you will be allowed to install programs.

    When Windows needs to update (although I have spoken to people who no longer care about critical OS updates because they have ImmuneEngine installed), we have in the main host station a feature to filter the OS updates into the machine. This folder is monitored, and whenever an update is received into the specified folder, you will receive an alert for that. You can have the machine run a script that you program yourself, to bring down the shield... install the update... and bring the shield back up. The new update will then become a part of the matrix of the computer.

    Right now, because of the market hold that Microsoft has, we are focusing on patching up all Microsoft OSes. There might be plans later for other OS systems. But they do not have the biggest section of the market, nor nearly as many problems as Microsoft has.

    When it comes to defacing websites... there is a built-in feature in our software called Extend Shield. What this does is provide a layer of protection over your static data, where no one can remove, delete, or change in any way the content of what it is you want to protect. It backs up the data, and the minute you try to remove it, it puts it back and sends an alert to the Admin. The minute you try to edit it, it puts back the original and sends an alert to the Admin. It restores it so fast that in some cases, I have tried to delete the protected data, and never saw it actually disappear from the screen. In cases where I actually saw it delete from the screen, Extend Shield returned the original file in about a sec. or less.
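The "back it up, watch it, put it back, alert" behaviour described for static content above is a file-integrity monitor with automatic restore. The following is an added example of that pattern, written for this page and not the product's code: it snapshots a directory into a separate vault, then each sweep compares every protected file against its baseline hash, restores anything edited or deleted from the vault, and returns the alerts. The class name, the sample site files and the polling loop are assumptions for illustration; a shipping product would hook file-system events (a minifilter driver on Windows) rather than poll.

```python
"""Baseline-and-restore protection for static content (added example, not ImmuneEngine code)."""
import hashlib
import os
import shutil
import tempfile


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class StaticShield:
    """Keeps a pristine copy of each protected file and restores it when it changes.

    Hypothetical class name. Baseline keys are forward-slash relative paths so
    results look the same on every platform.
    """

    def __init__(self, protected_root: str, backup_root: str):
        self.protected_root = protected_root
        self.backup_root = backup_root      # must NOT be writable by the accounts you defend against
        self.baseline = {}                  # rel path -> sha256 of the pristine content

    def _paths(self, rel: str):
        parts = rel.split("/")
        return os.path.join(self.protected_root, *parts), os.path.join(self.backup_root, *parts)

    def protect(self) -> None:
        """Snapshot every file under protected_root into backup_root and record its hash."""
        for dirpath, _dirs, files in os.walk(self.protected_root):
            for name in files:
                src = os.path.join(dirpath, name)
                rel = os.path.relpath(src, self.protected_root).replace(os.sep, "/")
                _live, backup = self._paths(rel)
                os.makedirs(os.path.dirname(backup), exist_ok=True)
                shutil.copy2(src, backup)
                with open(src, "rb") as fh:
                    self.baseline[rel] = _digest(fh.read())

    def sweep(self) -> list:
        """One pass: detect deleted or modified files, restore them, return (kind, path) alerts."""
        alerts = []
        for rel, expected in self.baseline.items():
            live, backup = self._paths(rel)
            if not os.path.exists(live):
                alerts.append(("deleted", rel))
            else:
                with open(live, "rb") as fh:
                    if _digest(fh.read()) == expected:
                        continue                       # untouched, nothing to do
                alerts.append(("modified", rel))
            os.makedirs(os.path.dirname(live), exist_ok=True)
            shutil.copy2(backup, live)                 # put the original back
        return alerts


def demo():
    """Constructed scenario: protect a tiny web root, deface it, sweep, check the restore."""
    site = tempfile.mkdtemp(prefix="site_")
    vault = tempfile.mkdtemp(prefix="vault_")
    index = os.path.join(site, "index.html")
    logo = os.path.join(site, "img", "logo.png")
    os.makedirs(os.path.dirname(logo))
    with open(index, "w") as fh:
        fh.write("<h1>Welcome</h1>\n")
    with open(logo, "wb") as fh:
        fh.write(b"\x89PNG fake image bytes\n")        # constructed, not a real PNG

    shield = StaticShield(site, vault)
    shield.protect()

    # Simulated defacement: overwrite one file, delete another.
    with open(index, "w") as fh:
        fh.write("<h1>Hacked</h1>\n")
    os.remove(logo)

    alerts = shield.sweep()
    with open(index) as fh:
        restored = fh.read()
    return alerts, restored, os.path.exists(logo), shield.sweep()


if __name__ == "__main__":
    alerts, restored, logo_back, second_pass = demo()
    print("alerts:", alerts)
    print("index.html now:", restored.strip(), "| logo restored:", logo_back)
    print("second sweep:", second_pass)
```

Two caveats a practitioner would check before trusting this kind of shield: the vault has to sit outside the reach of whoever can write to the protected tree (otherwise the attacker simply defaces the backup too), and a poll-based loop leaves a window between the edit and the restore during which the defaced page is served; the post's "never saw it disappear" behaviour needs an event-driven hook, not a timer.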
  12. laz Member, NYC
    Thanks, that clears up some questions in trying to understand the software. So you say it protects static data; what happens to dynamic data? SQL databases? etc.

    I definitely understand that protecting the Windows operating system is the utmost concern at the moment since so many threats are out there, but I am still a little confused on how it will work at the server end where, let's say, there are thousands of files written in and out by hundreds of users at any given moment. Does it have to keep track of that, or only the executables?

    Unfortunately I can't be part of the net meeting because I can't connect to outside networks from work, but when the other guys have gotten their demos hopefully they can share their findings with us.

    X
  13. AlaricD Guest
    Ok-- so with the "Hide extensions for known file types" turned back on, what was "calc.exe" now shows up as "calc" and retains the icon we are familiar with. However, when I right-click it and rename it, although it displays as "calc.txt" it retains the executable's icon. Furthermore, because suddenly THIS file shows an extension (but other .EXE and .TXT do not), I can tell immediately that something is amiss-- after all, known file types are supposed to NOT have a visible extension. Obviously, if this file DOES have a visible extension, it must really mean that the .EXE is still hidden from view and the .TXT is just part of the filename itself. So, with the "Hide extensions" option turned on, there is still no threat to my system's security because that file sticks out like a sore thumb.
  14. dragonitti Guest
    Like I said, we are talking about two independencies. You are talking about, say for instance, "in order for a car to roll, it has to have wheels and tires, therefore the car is dependent on the wheels and tires to operate". Well, that's not what I'm talking about when I say that it's independent of the OS. When it is fired up, it does not have to wait for the OS to tell it something has happened, like other software. We have our own EVENT HANDLING system. If you have ever programmed before, you would know what that means. Here, I'll make it easier for you to understand.

    Something gets written to the drive.

    OS: New file!
    OS: Hey, it's being executed, you better do something.
    traditional AV: Ok, I'm on it, I will try and stop it.
    traditional AV: Oh crap, I don't have an update for it, we are screwed!

    OK, now ImmuneEngine in the same conversation.

    Imm: We have a new file!
    Imm: Doesn't belong, goodbye!

    Now if you were to try and execute it real fast before we deleted it, it would go something like this.

    Imm: We have a new file!
    ...being executed.
    Policy: hmmmmmm...... nope, not going to happen.
    Imm: I'm sweeping through, and you don't belong. Goodbye!
  15. dragonitti Guest

    You totally missed the point. If I was to take a program and call it bob.bob, and deposit it into your system32 folder:

    1) You will never know it was there.

    2) It's still a program even though it has .bob as the extension.

    3) You have just been hacked.

    Dude, you are not doing something right. Here, follow my steps, cause I just did it myself and it worked like I said it would.

    1) Make sure "Hide extensions for known file types" is NOT checked.

    2) Do a right click and copy the calc.exe program.

    3) Paste it to a floppy.

    4) Now rename the entire name to, say, "james.txt".

    5) Say "YES" to the dialog box that pops up that says would you like to change the file type.

    6) If you get a dialog box that says something about it being read only, just hit "YES".

    Now, double click and you should see the calc program launch.
  16. AlaricD Guest
    Now, if THAT'S not talking down to someone, I don't know what is.

    And as for preventing the execution of the file, McAfee Enterprise has long done on-access scanning which scans files as they are written to or read from the drive.

    Apparently, McAfee VirusScan Enterprise *also* does not need to be continuously updated to detect malicious code. Does that mean I would go to my ePolicy Orchestrator Console and disable automatic .DAT updates? No, that would be silly. Nor would I depend on any other software to protect my systems just based on their marketing claims, either.
  17. AlaricD Guest
    But something would have to execute that program. The existence of bob.bob in my \windows\system32 folder is not enough for it to execute-- it would have to be called from another program, by the registry, or wininit.ini, etc.

    And how would you deposit it there? You would need permissions to modify the contents of the \windows\system32 folder through a share, and under a properly set up system you would not have those rights if you were not locally logged in.

    I suppose if it were emailed to me and I saved it to that folder it would be there-- but again, it would have to be executed. The presence alone of the file is just not enough.
  18. dragonitti Guest

    They claim to do that. But they don't intercept it before it gets to the kernel. I was not trying to belittle you. I just wanted to clarify for you.
  19. burbod01 New Member
    It still seems like you guys are just doing what everyone else is doing...

    And if you aren't, I would think (from my non computer science background) that the only way to do what you are claiming to do would restrict everyday activity to a point that isn't reasonable.
  20. Turbo4afe Guest
    dragonitti,
    We don't doubt that it is good software... but honestly I don't think you re-invented the wheel..
    And we can't just say that McAfee "claims to do that but doesn't".

    How many people work in that company? How long have you been there?
  21. dragonitti Guest

    Everything that can either execute, or execute a program, we will authenticate. Say for instance, you double click on a text file. We don't authenticate the text file, but we authenticate the Notepad.exe that opens the text file. See how that works? Also, if you have access to the internet at work, you can join the meeting. All you need is a computer that can get on the net. It doesn't require you to establish a connection to another network.
  22. dragonitti Guest
    Simply put, you would have to be a fool to try anything malicious.
  23. dragonitti Guest
    Here is the thing: I will be going to my apartment later today to get the demo laptop. Now, like I said earlier, I can have up to 14 people in my session of Live Meeting. However, because I don't have a conference phone, or the ability to set up a conference call, I will have to use my cell phone for 3-way calling. Therefore, I can only explain what you see on the screen to two people in verbal communication. So, everyone else who would like to see the demo will just have to wait till I post again on the message board to explain what it is you were seeing.
  24. kickarse Guest
    I would just like to watch; it's not a big deal for me to hear.. unless you get on AIM and do it over that?
  25. dragonitti Guest

    The only thing is, you will not be able to comprehend what is going on, unless I tell you. Otherwise it would look like I'm just opening a bunch of stuff.
  26. TheOne Guest
    let's get to the skinny of it, how much is it?????????
  27. dragonitti Guest

    Wouldn't be able to tell you, I'm not in sales, I'm in IT. Depending on the organization, and the number of machines needing protecting, we work out deals and pricing.

    Oh, just to show you no hard feelings are felt, and that I'm not BSing you, here is a screen shot.

    [IMG]

    Ignore the Cardomain logo, I just used it as a fast means of getting the pic. up.
  28. AlaricD Guest
    That doesn't explain why an executable would be disguised *AS* an .EXE. The executable would probably already have the extension .EXE.

    On my system, when I rename calc.exe to calc.txt, after double-clicking it, it opens that file in notepad:
    Code:
    	
    MZ       ÿÿ  ¸       @                                   ð   º ´	Í!¸LÍ!This program cannot be run in DOS mode.
    
    $       ‡EdÃ$x7Ã$x7Ã$x7987Æ$x7d7È$x7Ã$x7Â$x7Ã$y7D$x79  a7Î$x7T=7Â$x7e7ß$x79E7Â$x7RichÃ$x7                        
    PE  L „};        à   (  œ      u$     @                      ð    ü×   €        
                       €+ Œ    ` `‰    
                       @                                     `  €      (                          .text   °&     (       
                `.data      @  
       ,          
    
    So, no, renaming calc.exe to calc.txt forces the system to treat the file like a text file. It does not open the calculator; rather it opens Notepad with the contents of the file as if you were trying to edit it like a text document.

    And, again, you talked about an executable being 'disguised as an .exe'.... so suppose I disguise the executable "calc.exe" as an executable-- it's still an executable and there was no disguise done. You're talking about disguising Ronald McDonald by putting a red nose and greasepaint on him-- but that's the way he is already.

    There is a method of appending an extension on an .EXE so that it looks like a .TXT-- but the file is then named "calc.txt.exe". This would work on those people who have the option "Hide extensions for known file types" turned on-- the .EXE would not be displayed and it would look like "calc.txt". In that case, yes, it would run-- but again, because the actual extension IS .EXE.

    Come back when you understand the technology better.
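The two scenarios argued over in posts 7, 13, 15 and 28 (calc.exe renamed to tom.txt, and calc.txt.exe shown as "calc.txt" when known extensions are hidden) share one lesson for anyone writing a scanner: Explorer and ShellExecute choose the handler from the file name, so a check that trusts the extension is fooled in both directions. The following is an added example written for this page, not code from either poster or from the product discussed. It classifies files by content instead: it reads the DOS "MZ" stub, follows e_lfanew to the "PE\0\0" signature (the same bytes AlaricD's Notepad dump shows), and flags a PE image sitting under a document extension, as well as a double extension whose inner part is a document type. The extension sets, the function names and the sample files are assumptions; the "executables" are constructed headers, not real Windows binaries.

```python
"""Find executables hiding behind non-executable names (added example, not the product's code)."""
import os
import struct
import tempfile

# Assumed sets for illustration. Windows dispatches execution by extension, not by content.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".cpl", ".sys", ".ocx"}
DOCUMENT_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".jpeg", ".gif", ".png"}


def is_pe_image(data: bytes) -> bool:
    """True if data starts with an 'MZ' DOS header whose e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature inside the bytes we were given."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(path: str) -> str:
    """Compare what the name promises with what the bytes are.

    'ok'               name and content agree
    'disguised-pe'     PE image under a non-executable extension (calc.exe -> tom.txt)
    'double-extension' executable whose inner extension is a document type (calc.txt.exe)
    """
    name = os.path.basename(path).lower()
    root, ext = os.path.splitext(name)
    with open(path, "rb") as fh:
        head = fh.read(4096)           # e_lfanew is small in real images; 4 KiB covers the PE signature
    if ext in EXECUTABLE_EXTS:
        inner_ext = os.path.splitext(root)[1]
        return "double-extension" if inner_ext in DOCUMENT_EXTS else "ok"
    return "disguised-pe" if is_pe_image(head) else "ok"


def scan_dir(root: str) -> dict:
    """Classify every file directly under root; returns {file name: verdict}."""
    return {name: classify(os.path.join(root, name)) for name in sorted(os.listdir(root))}


def build_fake_pe() -> bytes:
    """Constructed minimal PE-looking header: DOS stub, e_lfanew=0x80, then 'PE\\0\\0'.
    Enough to exercise the check; it is not a loadable program."""
    image = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", image, 0x3C, 0x80)       # e_lfanew
    image += b"\x00" * (0x80 - len(image))
    image += b"PE\x00\x00" + b"\x00" * 20           # signature + (empty) COFF header
    return bytes(image)


def make_sample_dir() -> str:
    """Constructed test set in a temp directory: the same fake PE under three names plus a real text file."""
    root = tempfile.mkdtemp(prefix="disguise_")
    pe = build_fake_pe()
    samples = {
        "calc.exe": pe,                     # honest executable
        "tom.txt": pe,                      # calc.exe renamed, the post's scenario
        "calc.txt.exe": pe,                 # shows as "calc.txt" when extensions are hidden
        "notes.txt": b"meeting at 3pm\n",   # genuine text file
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for name, verdict in scan_dir(make_sample_dir()).items():
        print(f"{name:14} {verdict}")
```

Two notes on using this for real: a content check only answers "is this a PE image", not "is it malicious", so it belongs alongside, not instead of, an allowlist or signature engine; and a file that is a PE image under a .txt name is only a problem once something launches it with its bytes rather than its association (a dropper calling CreateProcess, a scheduled task, a shortcut), which is exactly the distinction post 17 raises.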
  29. AlaricD Guest
    Yet the software is written to run within Windows-- does it run on OS/2? Does it run on CP/M, Concurrent DOS, Minix, V2, BeOS, MenuetOS, etc? If it ONLY runs on Windows NT variants, then it is very dependent on the OS.

    So, the computer CAN be running, and in such a state that you CAN deposit a payload. Duh!
  30. dragonitti Guest

    1) I already knew that.

    2) Windows XP by default has "Hide extensions for known file types" already selected. Not everyone knows to fix that.

    3) That does not apply to, say, Outlook Express, when you get an email you think is a document. Double click on it, and it's an executable.

    4) You said to disguise the "calc.exe as an executable"... that is not what I said to do. I said, here, follow my steps...

    1. Copy calc to another part of the system (Program Files, for instance).

    2. Rename it to calc.txt.

    3. Now launch it. This should work in XP.

    Also, what OS are you running, cause that trick does not happen on all the flavors of Windows. Besides, whether you disguise or don't disguise the executable, we still are going to find it due to the binary search engine. I would not say you couldn't disguise them if I had not seen it done with my own eyes during a RED team government test. And would you like another example...

    Do you not remember the scare people were having, because code was being embedded into .jpg images on the web? So, if you were to view the pic, it would run a program on your machine. If you don't remember that, then you don't keep up to date with the news. It seems that you are the only one that is very hostile and insists on trying to insult my intelligence. Are you upset that you don't have the best security software running on your computer or something? I mean, please explain to me why you are so hostile, because I have not once come across as a jackass that is saying all of your computers are worthless because you don't have ImmuneEngine running on them. Don't insult me; I give you respect, I would like to get some back in return. We can go back and forth till we are blue in the face.

    BOTTOM LINE IS THIS! I am willing to allow you in on the LIVE demo. I am putting my foot where my mouth is. I allow you to call my bluff. But if you are not going to take me up on the offer to join the meeting and get proven wrong, then don't waste mine and everyone else's time by trying to insult me and coming back to post stuff about how I'm full of it.
