Comodo Continues To Demonstrate Its Commitment To Secure All PCs With A New Suite Of Testing Tools

Released on: April 18, 2008, 9:16 am

Press Release Author: Comodo Group

Industry: Software

Press Release Summary: New application can help technical community expose virus
threats such as rootkit installations, commonly overlooked by many other testing
tools

Press Release Body: Jersey City, NJ (April 18, 2008) - Comodo, a leading security
company, announced today the release of a new application which incorporates five
new security and HIPS functionality tests. These tests, especially those that detect
rootkit installations, incorporate techniques commonly used by virus authors and
provide a very good indication of a security product's ability to block real-world
threats. Comodo developed these tests largely so that it can deliver new
preventative intelligence to end users on the performance of their PC security
solutions before damage is done.

Comodo Malware Labs is constantly identifying techniques that malware authors use to
bypass PC security solutions. One particularly damaging threat identified by Comodo
engineers occurs when a rootkit is installed, without permission, on a user's
system. Rootkits are the "ultimate backdoor", giving hackers ongoing and virtually
undetectable access to the systems they exploit. Rootkits are so damaging because
they compromise computer systems by subverting the Windows Kernel, the central
component of most computer operating systems (OSs) which manages the system's
resources and the communication between hardware and software components. In
worst-case situations, a PC can be rendered useless once it has been infected with a
rootkit, as often this type of virus cannot easily be removed or quarantined.
Therefore, it is critical that users have an easy means to test for this type of
vulnerability before damage is done. It is Comodo's hope that end users who discover
they are vulnerable to rootkit installations after running these new tests will take
measures to upgrade or replace their security software.

This set of testing tools was designed to emulate different types of attacks and
include the following tests:

* Rootkit Installation 1 - Loads a driver via the ZwSetSystemInformation API. A
very old, known and effective way to install a rootkit.
* Rootkit Installation 2 - Loads a driver by overwriting a standard driver
(beep.sys) and starting it with the service control manager (e.g.
Trojan.Virantix.B).
* DLL Injection 1 - Injects a DLL into a trusted process (svchost.exe) by injecting
an APC on LoadLibraryExA with "dll.dll" as a param. The string "dll.dll" is not
written into process memory; it comes from the ntdll.dll export table, which has the
same address in all processes. The APC is injected into the second thread of
svchost.exe, which is always in an alertable state.
* DLL Injection 2 - An old but very widespread technique. A DLL is
injected via remote thread creation in the trusted process, without using
WriteProcessMemory.
* BITS Hijack - Downloads a file from the internet using the "Background Intelligent
Transfer Service", which acts from the trusted process (svchost.exe).

"Comodo's Labs identify many different techniques used by malware authors around the
globe," said Melih Abdulhayoglu, CEO and Chief Security Architect of Comodo. "It is
our hope that with this set of tests, users can be better informed about the state
of their PC security and deliver this vital feedback back to their security
providers. This is how we hope these tests will help drive better security solutions
- industry wide."

The new Comodo HIPS and Firewall Leak Test Suite can be downloaded from the Comodo
website at: http://personalfirewall.comodo.com/cltinfo.html

Web Site: http://www.comodo.com

Contact Details: +1 888 266 6361
media-relations@comodo.com
