This thread lists all known attacks that are currently virtualized by BufferZone.
We hope to update this thread frequently with your help.
Known endpoint attack categories and methods virtualized by BufferZone technology
--------------------------------------------------------------------------------------------------
1. Registry tampering
The Windows registry contains information crucial to the normal operation of the operating system and installed applications. An attacker may try to corrupt the Registry, which may result in an unbootable system, or write new values to the Registry (for example, making a Trojan start automatically every time the system starts).
BufferZone Solution: Programs running in the BufferZone interact with a Virtual Registry. All registry writes are directed to the virtual registry, hence protecting the real registry.
2. File tampering
A Trojan may try to overwrite existing files, hide itself inside existing files or existing folders, or steal files and send them to a remote site.
BufferZone Solution: Programs running in the BufferZone can't write to files outside the BufferZone. All writes are directed to a Virtual-HD. In addition, a "confidential" property may be set on files or folders outside the BufferZone, making them inaccessible for both read and write (data theft is prevented).
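The redirection described in items 1 and 2 can be modelled as a copy-on-write overlay: sandboxed writes land in a shadow layer, reads fall through to the real store, and "confidential" paths are refused in both directions. The following is an added illustration, not BufferZone's code; the class, key names and sample data are constructed for the example.

```python
class AccessDenied(Exception):
    """Raised when a sandboxed program touches a confidential path."""


class VirtualStore:
    """Copy-on-write overlay (constructed model, not BufferZone's code):
    reads fall through to the real store, writes land in a shadow layer,
    and anything under a confidential prefix is refused for read and write."""

    def __init__(self, real, confidential=()):
        self.real = real                  # the "real" registry / file system
        self.confidential = tuple(confidential)
        self.shadow = {}                  # sandbox-local writes only

    def _check(self, key):
        for prefix in self.confidential:
            if key == prefix or key.startswith(prefix + "\\"):
                raise AccessDenied(key)

    def read(self, key):
        self._check(key)
        return self.shadow[key] if key in self.shadow else self.real[key]

    def write(self, key, value):
        self._check(key)
        self.shadow[key] = value          # the real store is never modified


def demo():
    """A sandboxed 'Trojan' rewrites a Run key, overwrites the hosts file and
    tries to read a confidential document; report what each side sees."""
    run_key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
    hosts = r"C:\Windows\System32\drivers\etc\hosts"
    secret = r"C:\Users\alice\Documents\taxes.xlsx"
    real = {run_key: r"C:\Program Files\Updater\upd.exe",   # constructed data
            hosts: "127.0.0.1 localhost", secret: b"constructed bytes"}
    vs = VirtualStore(real, confidential=[r"C:\Users\alice\Documents"])
    vs.write(run_key, r"C:\Temp\dropper.exe")             # 1. registry tampering
    vs.write(hosts, "0.0.0.0 update.example")             # 2. file tampering
    try:
        vs.read(secret)                                    # 2. data theft
        stolen = True
    except AccessDenied:
        stolen = False
    return {"sandbox_run": vs.read(run_key), "real_run": real[run_key],
            "sandbox_hosts": vs.read(hosts), "real_hosts": real[hosts],
            "stolen": stolen}
```

The sandboxed program believes both writes succeeded, while the real store is unchanged and the confidential read is refused.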
3. DLL injection
This method uses a trusted process to load a malicious DLL file. Once loaded, the DLL code becomes part of the trusted process; hence any malicious activity is attributed to the trusted application. This technique is often used by Trojans.
BufferZone Solution: The "Contamination" mechanism ensures that whenever a trusted application tries to execute untrusted code, it is first moved to the BufferZone before execution is allowed.
4. Process/Thread injection
This method tries to inject malicious code into a running trusted process, or to write faulty data into the memory space of a trusted process.
BufferZone Solution: Programs running in the BufferZone are prevented from accessing programs that run outside the BufferZone.
5. Global hook installation
A global hook is a piece of code that is connected to a specific system event. Every time this system event occurs, the code is executed by the system. An attacker may abuse this mechanism to trigger the execution of malicious code.
BufferZone Solution: Programs running in the BufferZone are prevented from installing global hooks.
6. Physical Memory access attacks (\device\physicalmemory)
Writing to physical memory allows a Trojan to change the behavior of the OS and, under some circumstances, even gain Administrator rights.
BufferZone Solution: Programs running in the BufferZone do not have access to physical memory.
7. Service Manager Operations
The Service Manager controls the system services. A service is a program that runs in the background and is usually part of the OS. Services can be the front-end of device drivers, OS components (the spooler, for example), Antivirus real-time scanners, etc. A Trojan may try to disable the Antivirus or install a malicious device driver by using Service Manager operations.
BufferZone Solution: Programs running in the BufferZone can't access the Service Manager.
8. Starting/Killing processes
This method tries to kill a running process (a real-time Antivirus scanner, for example), or to run a program or system command ("format c:", for example).
BufferZone Solution: Programs running in the BufferZone can't access programs outside the BufferZone. A program running in the BufferZone will "contaminate" any new program it tries to run ("contaminate" means move it to the BufferZone).
9. Key Loggers
Keyloggers are used to record keyboard input typed by the user and either save it to a file or send it to a remote site. This method may be used to steal passwords and other sensitive data.
BufferZone Solution: Keyloggers running in the BufferZone are prevented from using the specific system calls required for capturing keyboard input.
10. Scripting Attacks
Scripts are text files containing commands that are parsed and executed by a host program. Common script file types are .bat, .cmd, .vb, etc. An attacker may write a malicious script that is later executed by a trusted host.
BufferZone Solution: The "Contamination" mechanism ensures that the host program is temporarily moved to the BufferZone prior to execution of an untrusted script.
Known Hacking Tools, Trojans and Viruses that were successfully tested against the BufferZone:
----------------------------
1. Finjan data theft tests.
2. Win 2K/XP SDT Restore – Service Descriptor Table overwriting.
3. DiamondCS Hooktest – installing hooks.
4. Zapass – DLL injection.
5. Ghost Security RegTest – Registry write.
6. DiamondCS APT (Advanced Process Termination).
7. Keyloggers at: http://www.keylogger.org/
