Malware Defender HIPS - Testing with trojans and Rogue AV
djohn
December 8th, 2008, 02:37 AM
This test is what a user could expect from a HIPS when it encounters execution of an unwanted program. The site I am testing is a real threat that contains trojans, rogue AVs and anyone's guess what else. It requires an ActiveX download that appears to execute without the user's intervention from the ActiveX pop-up. I will try to post all screens for example. This is also when the trojans and rogue would normally be dropped on a user's machine, providing they had no blocking such as a HIPS or it went undetected by an antivirus or a behavior blocker. Also, perhaps no ActiveX would be a big plus here on this site anyway.
djohn
December 8th, 2008, 02:41 AM
Screen shot 2
djohn
December 8th, 2008, 02:46 AM
screen shot 3
djohn
December 8th, 2008, 02:52 AM
Screen shot 4
djohn
December 8th, 2008, 03:11 AM
Ok, apparently there are about 10 different pop-up warnings here to deal with, and some freezing between snipping images, making it difficult for screen shots. Some findings: Malware Defender effectively blocks, providing users make the correct choice. The user should come out clean; no files were dropped on my machine, so it is very good at blocking. However, Malware Defender struggles with Deny and Terminate; the pop-ups to run the exe kept popping up, making it difficult to close the common pop-ups that come with adult sites. It did terminate, but there seemed to be a minute or so delay. I am no expert here, but these are my findings. All in all, a great program: light, stable, didn't crash even while waiting for longer periods for the user's reply of Allow, Deny, or Deny and Terminate processes. IMO Deny and Terminate would be the obvious choice, unless the user would like to answer nearly a dozen pop-ups, as in this case.
bellgamin
December 8th, 2008, 03:33 AM
Interesting, Dave. Thanks! :thumb:
djohn
December 8th, 2008, 03:39 AM
You're welcome, it was fun fun fun. :thumb:
chrome_sturmen
December 8th, 2008, 04:19 AM
Dave, could you pm me a link to that site? I'd like to do some testing of my own.
chris1341
December 8th, 2008, 07:41 AM
After the initial Learning Mode period I've got used to placing MD in Silent Mode when surfing, particularly unknown sites. I'm assuming if you did that then these threats would be blocked/denied without the need for multiple pop-ups/decisions.
Is that correct?
Cheers
djohn
December 8th, 2008, 09:31 AM
-{ Quote: "Dave, could you pm me a link to that site? I'd like to do some testing of my own." }-
Check your PM.
djohn
December 8th, 2008, 09:40 AM
-{ Quote: "After the initial Learning Mode period I've got used to placing MD in Silent Mode when surfing, particularly unknown sites. I'm assuming if you did that then these threats would be blocked/denied without the need for multiple pop-ups/decisions.
Is that correct?
Cheers" }-
Hi chris1341, that would be the best choice IMO. However, my test is with Normal mode, and this little bugger is persistent: you will still get pop-ups even in Silent Mode, not the decision-making ones from the soft but the ones from the site itself. Keep in mind this is IE7 with ActiveX enabled and JavaScript.
chrome_sturmen
December 8th, 2008, 10:07 AM
I know this post relates to Malware Defender's ability to handle drive-by malware, but I couldn't help but want to try a small test against the site using my own protections, so forgive the brief impertinence; here were my findings:
Dave, I checked out the site you sent me. I find this odd, because after visiting it, I looked in Agnitum firewall's content filtering log, expecting to see blocked ActiveX scripting, blocked embedded spyware, blocked referers, pop-ups etc. etc., but I saw nothing, not one blocked element. Then again, I use Ad Muncher to complement Outpost firewall's ad-blocking and content filtering modules, so I then took a look at Ad Muncher's log, again expecting to see something wild; all I got was this, which is nothing major:
Default filter match - No filtering on URL: /jquery.js [http:**/jquery.js]
Removed suspected web bug [htt:**]
Default filter match - No filtering on URL: /jquery.js [http:**/]
Prevented site from changing the browser status bar [[url]http://**]
I just don't get it; all I got was a clean web page. Of course I use Sandboxie, which removed any element of fear in testing the site no matter how badly infected it may've been, but Sandboxie wouldn't have affected the elements in the web pages themselves.
Thoughts? ???
djohn
December 8th, 2008, 10:17 AM
Did you get the second link, with the porn tube that requires a new ActiveX for video? The first link was wrong. I tested this with NOD32 4 beta in another post. My testing files were also sent to VT, which only a few scanners detected at first and more at a later date; the link is not clean. I will recheck it again.
chrome_sturmen
December 8th, 2008, 10:29 AM
Ahhhh, I see now: the web page itself was clean, but when you click to watch a video, you're prompted to install a "video activex object". I downloaded and ran the executable, at which point it tried to access the internet and invoke a command prompt. I allowed the calling of the command prompt through Outpost's h.i.p.s. module, but Sandboxie denied any access to the internet, and that's as far as anything went; nothing else tried to happen and I could test no further.
But back on topic, this kind of thing is easily handled by h.i.p.s. apps like Malware Defender; I imagine it could knock it out blindfolded :thumb:
Excuse me now while I go empty the sandbox ;D
djohn
December 8th, 2008, 10:31 AM
Here ya go
djohn
December 8th, 2008, 10:32 AM
and here.
chrome_sturmen
December 8th, 2008, 10:51 AM
Yep, I see it there in the flesh. I am thinking that whatever that ActiveX setup object wants to do, it has to download from the internet in order to do it, because I allowed it to invoke a command prompt, and I'd think that at that point it would install its malicious code if it was gonna, but when it couldn't access the internet it gave up. So it relies on downloading the rogue code from the net; it's not included in the setup itself (unless you count it wanting to download crapware to begin with). Then again, as your screenshot points out, they're all trojan downloaders, so it's fairly obvious ;D Any rate, I grabbed a handful of the buggers and dumped the sandbox on top of 'em, whereupon they scurried away crying and squealing ;D
jmonge
December 8th, 2008, 10:56 AM
-{ Quote: "Hi chris1341, that would be the best choice IMO. However, my test is with Normal mode, and this little bugger is persistent: you will still get pop-ups even in Silent Mode, not the decision-making ones from the soft but the ones from the site itself. Keep in mind this is IE7 with ActiveX enabled and JavaScript." }-
Very impressive john :thumb: good test
djohn
December 8th, 2008, 10:57 AM
-{ Quote: "Yep, I see it there in the flesh. I am thinking that whatever that ActiveX setup object wants to do, it has to download from the internet in order to do it, because I allowed it to invoke a command prompt, and I'd think that at that point it would install its malicious code if it was gonna, but when it couldn't access the internet it gave up. So it relies on downloading the rogue code from the net; it's not included in the setup itself (unless you count it wanting to download crapware to begin with). Then again, as your screenshot points out, they're all trojan downloaders, so it's fairly obvious ;D" }-
Thanks Chrome Sturmen for testing, lots of fun ;D Perhaps not for some folks that explore these areas not knowing what lurks behind the scenes. Somebody's worst nightmare waiting to happen.
djohn
December 8th, 2008, 11:01 AM
-{ Quote: "Very impressive john :thumb: good test" }-
Thank you jmonge, I am no expert here, just an amateur, but thank you for the compliment.
jmonge
December 8th, 2008, 11:05 AM
-{ Quote: "Thank you jmonge, I am no expert here, just an amateur, but thank you for the compliment." }-
You did very good man, and you have a big weapon in your hands :thumb:
chrome_sturmen
December 8th, 2008, 12:15 PM
I decided to have some fun with the malicious code that the ActiveX video object downloads and installs on the system ;D
It starts out like so, when you click on a video to watch:
[screenshot attachment 204732]
Once you run the setup, it connects to this site to download the malware, I assume:
[screenshot attachment 204733]
Upon being allowed to do so, it downloads and runs these exes:
[screenshot attachment 204734]
[screenshot attachment 204735]
[screenshot attachment 204736]
continued...
chrome_sturmen
December 8th, 2008, 12:22 PM
[screenshot attachment 204737]
One of the exes launches a command prompt
[screenshot attachment 204738]
invokes rundll32.exe
[screenshot attachment 204739]
br41.exe? oh my
[screenshot attachment 204740]
All of which culminates in the lovely Virus Response Lab 2009, a definite security addition for any antimalware aficionado :thumbd: :thumbd:
[screenshot attachment 204741]
Seems clicking "watch video" can be a dangerous affair these days ;D
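As an added example (not from the thread, and not Malware Defender's own logic), the process chain chrome_sturmen describes above expressed as the kind of parent-chain rule a HIPS or EDR applies: a browser-descended installer connecting out, spawning second-stage executables, or launching cmd.exe/rundll32.exe. The events, PIDs and downloader names are constructed; only setup.exe, cmd.exe, rundll32.exe and br41.exe come from the thread.

```python
# Process-chain rule for the drive-by pattern in this thread (constructed data, hypothetical names):
# browser -> fake "video ActiveX" setup.exe -> dropped downloaders -> cmd.exe / rundll32.exe.
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image action")

SAMPLE_EVENTS = [  # constructed process events, not from a real log
    Event(100, 1, "explorer.exe", "start"),
    Event(200, 100, "iexplore.exe", "start"),
    Event(300, 200, "setup.exe", "start"),         # fake "video activex object" installer
    Event(300, 200, "setup.exe", "net_connect"),   # fetches its payloads from the web
    Event(400, 300, "downloader1.exe", "start"),   # hypothetical dropped exe
    Event(500, 300, "downloader2.exe", "start"),   # hypothetical dropped exe
    Event(600, 400, "cmd.exe", "start"),           # one exe launches a command prompt
    Event(700, 500, "rundll32.exe", "start"),
    Event(800, 500, "br41.exe", "start"),
    Event(900, 100, "notepad.exe", "start"),       # benign, not browser-descended
    Event(950, 900, "cmd.exe", "start"),           # cmd from notepad: must not be flagged
]
BROWSERS = {"iexplore.exe"}
LOLBINS = {"cmd.exe", "rundll32.exe"}  # system tools the dropped exes invoked in the thread

def build_parents(events):
    """Map pid -> (ppid, image) from process start events."""
    return {e.pid: (e.ppid, e.image) for e in events if e.action == "start"}

def descends_from_browser(pid, parents):
    """Walk up the parent chain; True if a browser is an ancestor of pid."""
    seen, ppid = set(), parents.get(pid, (None, None))[0]
    while ppid in parents and ppid not in seen:  # seen guards against pid reuse loops
        seen.add(ppid)
        if parents[ppid][1] in BROWSERS:
            return True
        ppid = parents[ppid][0]
    return False

def detect(events):
    """Return (image, reason) findings a HIPS-style parent-chain rule would raise."""
    parents = build_parents(events)
    findings = []
    for e in events:
        if not descends_from_browser(e.pid, parents):
            continue  # user-launched and unrelated processes are ignored
        if e.action == "start" and e.image in LOLBINS:
            findings.append((e.image, "browser-descended process launched system tool"))
        elif e.action == "net_connect":
            findings.append((e.image, "browser-dropped installer connecting out"))
        elif e.action == "start" and parents[e.ppid][1] not in BROWSERS:
            findings.append((e.image, "second-stage executable spawned by dropped installer"))
    return findings
```

In Silent Mode a HIPS would deny each of these findings without a prompt; in Normal Mode each one corresponds to one of the pop-ups djohn had to answer.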
djohn
December 8th, 2008, 12:25 PM
Nice, rather more informative details of the variants :thumb:
chrome_sturmen
December 8th, 2008, 10:22 PM
enjoyed it, we should do it again sometime (you buy the beer?)
djohn
December 8th, 2008, 10:56 PM
Sure, no problem, cold ones on me.
EASTER
December 8th, 2008, 11:44 PM
Awesome examination, fellas. Some excellent screenshots too. Darn ole ActiveX, eh? For that matter, clicking on some unknown setup.exe ;D They do bite.
GES/POR
December 9th, 2008, 11:11 AM
Thanks John for testing. How come all these rogue programs have neater GUIs than real security programs?
djohn
December 9th, 2008, 12:08 PM
You're welcome Ges/Por, and good question. Most of these rogues have a very attractive GUI; I could only guess that perhaps they figure the appealing eye candy will set the trap. My niece fell for these a couple of times; her words were it looked so nice and real.
Copyright ©2002 - 2012, Wilders Security Forums