Wilders Security Forums  
#1
October 17th, 2006, 05:17 PM
Bill Stout (Regular Poster; Join Date: Oct 2004; Location: Mountain View, CA; Posts: 100)
Beta browser test - Too harsh? Too mild?

Dror Shalev and I have built a browser test page, and I am looking to roll this out as a consumer browser test page. The target audience is non-technical users. This was a challenge because what's technically cool is boring to non-techies. And what's cool to non-techies is lame to techies. But before I roll it out and apply a few updates, I want to get feedback from this knowledgeable group.

The animation needs updating (waiting on my consultant for that), so the test doesn't do as much as the animation displays.

There are currently five checks which the test performs:
  1. Attempts to steal confidential files from My Documents (Javascript copy of files to a desktop folder)
  2. Simulates installing a keylogger (writes a blank space to the registry run key)
  3. Searches files for 'pass' (searches inside confidential files for text)
  4. Attempts to reveal passwords from protected storage (currently disabled since I need to hide parts of the password)
  5. Attempts to open disk manager via System Call (Could be any system call with parameters like 'delete volume')
There's much more I planned to have online by now, but I had to remove an 0day (fixed by MS patch last night) and other tests which were too intrusive, and tests which appear to work in a virtual environment (attacks spoofed resources).

The scan is located here: http://www.greenborder.com/scan

The engine of the scan is JavaScript and WScript run in an .hta; any HIDS should protect the system against files launched from a browser.

Please let me know what you think.

Thanks,
Bill
#2
October 18th, 2006, 06:29 AM
Mrkvonic (Linux Systems Expert; Join Date: May 2005; Posts: 7,433)
Re: Beta browser test - Too harsh? Too mild?

Hello,
I guess this is directed at IE users?
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
#3
October 18th, 2006, 06:41 AM
Longboard (Massive Poster; Join Date: Oct 2004; Location: Sydney, Australia; Posts: 3,097)
Re: Beta browser test - Too harsh? Too mild?

Quote:
The target audience is non-technical users.
That's me:
FF does nothing (get text file with code visible) with scripts allowed or not
IE tries to dl the same file

heh: not idiot proof enough for me
or is that a "pass" by mistake?
__________________
Don't confuse me with someone who actually knows what they are talking about.
Linux Registered user 469135
Please, support Medecins Sans Frontieres
#4
October 18th, 2006, 07:50 AM
Bubba (Global Moderator; Join Date: Apr 2002; Posts: 11,279)
Re: Beta browser test - Too harsh? Too mild?

Quote:
Originally Posted by Longboard
IE trys to dl the same file
Running the file is a prerequisite before the test can even start.

from the link Bill@Greenborder placed above:
Quote:
Click on the “Start Scan” button below to launch the scan. Once you start the scan you’ll see a dialog box that will ask you whether you want to run “index.hta”. Click the “OK” button.
For some IE users the instructions need to say "Run" instead of "Ok"....especially since it is geared toward non-techies/less knowledgeable....some of whom need to have exact instructions.

Bubba
#5
October 18th, 2006, 10:08 AM
Chris12923 (Very Frequent Poster; Join Date: May 2004; Posts: 1,079)
Re: Beta browser test - Too harsh? Too mild?

Test seems fine to me Bill. Of course using GreenBorder I passed

Thanks,

Chris
#6
October 18th, 2006, 01:04 PM
Bill Stout (Regular Poster; Join Date: Oct 2004; Location: Mountain View, CA; Posts: 100)
Re: Beta browser test - Too harsh? Too mild?

Good feedback guys.

At one time I had the start button grayed out until the checkmark was selected, but our web gui guys wanted an image there. I'll have to talk to them about that.
#7
October 18th, 2006, 01:23 PM
SpikeyB (Frequent Poster; Join Date: Mar 2005; Posts: 464)
Re: Beta browser test - Too harsh? Too mild?

Just for info. I ran the test 4 times without making any changes to my browser settings. Each time I failed the Spying on Keystrokes and twice I failed the Stealing Files. Even when it reckoned I had passed the Stealing Files, the Stolen Files folder appeared on my desktop. So I failed but it said I had passed.
#8
October 18th, 2006, 02:44 PM
Alphalutra1 (Very Frequent Poster; Join Date: Dec 2005; Location: 127.0.0.0/255.0.0.0; Posts: 1,160)
Re: Beta browser test - Too harsh? Too mild?

All I do when I run the test is see the source code. This is with Opera 9, nothing disabled. Same thing happens on both Linux and Windows. So it is definitely too mild here (--edit--- my bad, I didn't notice it was for IE only, sorry)

Cheers,
Alphalutra1
__________________
Proud user of Gentoo, OpenBSD, dwm, (n)vi, heirloom-mailx, and pf

Last edited by Alphalutra1 : October 18th, 2006 at 04:06 PM. Reason: Revealing Revelations
#9
October 18th, 2006, 02:58 PM
Bob D (Frequent Poster; Join Date: Apr 2005; Location: Mass., USA; Posts: 966)
Re: Beta browser test - Too harsh? Too mild?

Very interesting.
IE passed all (running, as always, under DropMyRights).
Failed ALL except "Steal Passwords" running w/o DMR.
So it's true what they say about running browsers with Admin privileges!
Thanx Bill
#10
October 18th, 2006, 05:35 PM
GS2 (Infrequent Poster; Join Date: Jul 2006; Posts: 42)
Re: Beta browser test - Too harsh? Too mild?

Just one little 'bug' Bill. If you do not select the tick box
Quote:
Note: By checking the above box you agree to let us test your system.

and click on the green 'start' button, after the warning appears which reminds one to check the box, this box disappears:
http://www.greenborder.com/scan/scannerIdle.gif

To get it back you have to refresh the page. This is on IE6 fully patched.
#11
October 18th, 2006, 06:05 PM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 10,412)
Re: Beta browser test - Too harsh? Too mild?

Tried with GesWall but failed to get any scan results with many tries.
Maybe GesWall is not allowing the file to run.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#12
October 18th, 2006, 06:23 PM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 10,412)
Re: Beta browser test - Too harsh? Too mild?

I saved the file and ran it after that and got the following results. It failed on stealing and searching files but that is expected as GesWall only protects the confidential file folder it puts in My Documents.
Failed with keylogger, that was not good; even SnoopFree did not give any warning.
It showed failed against system corruption but as you can see the Disk Management tool was launched but failed to open, so that was in fact passed.
BTW, test looks cool.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#13
October 18th, 2006, 08:25 PM
Longboard (Massive Poster; Join Date: Oct 2004; Location: Sydney, Australia; Posts: 3,097)
Re: Beta browser test - Too harsh? Too mild?

Ok got it
NAV picked it up first as malicious script: wanted to block.

Failed the first two

PrevX gave no warnings
( unless they have some database of benign tests that was bad.)
E-mail to them.

Thanks Bill.
Back to db again for more tools

PG looking better all the time.
__________________
Don't confuse me with someone who actually knows what they are talking about.
Linux Registered user 469135
Please, support Medecins Sans Frontieres
#14
October 18th, 2006, 09:13 PM
FanJ (Updates Team; Join Date: Feb 2002; Posts: 1,804)
Re: Beta browser test - Too harsh? Too mild?

~suddenly feeling so old~

(more or less cross posted elsewhere too)

Why on earth would anybody in his/her right mind want to run an .HTA file (index.hta in this case) from a site?

Did we really forget about the warnings from PCHelp long ago (about scrap files in general)?
http://www.pc-help.org/security/scrap.htm
Does anybody here remember PCHelp at all (well, I know Paul does )?

Did anybody here read the warnings at the IEClean site:
http://www.nsclean.com/ieclean.html
It may be old, but here you go:
Quote:
"VBS" or "Windows Scripting Host" (WSH) is far and away the single most dangerous security problem in Windows to date.

Does anybody here remember WormGuard?
Did you see this setting in WG:
http://www.diamondcs.com.au/wormguar...0List%20Editor

I'm sure that there are more examples to give.
#15
October 19th, 2006, 01:21 AM
Longboard (Massive Poster; Join Date: Oct 2004; Location: Sydney, Australia; Posts: 3,097)
Re: Beta browser test - Too harsh? Too mild?

Hey FanJ:
Quote:
~suddenly feeling so old~
Maybe, but still sharp as a razor

I wanted to see what would happen in general with this test and if this got behind AV

Disturbingly:
Neither BO Clean nor PrevX caught or warned about this !!

Ran the test in a special FDISR snapshot ie sandbox type setup
Not always as stupid as I sound.
Not really interested in exploiting IE: anyone can do that LOL
More interested in other "security" utilities

Heh have to test now with PG: maybe PG is still the topgun.
Regards.

OT: Ps I am finding it very interesting how many well known exploits/ leak tests are bypassing PrevX: not entirely sure how to interpret that: many e-mails being sent.
Be interesting to see what other "safety nets" will do: SSM, DefenceWall, OA, AntiHook etc, etc.
__________________
Don't confuse me with someone who actually knows what they are talking about.
Linux Registered user 469135
Please, support Medecins Sans Frontieres

Last edited by Longboard : October 19th, 2006 at 01:30 AM.
#16
October 19th, 2006, 04:36 AM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 10,412)
Re: Beta browser test - Too harsh? Too mild?

Tried DefenceWall and failed all except 4th one.
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
#17
October 19th, 2006, 11:20 AM
Longboard (Massive Poster; Join Date: Oct 2004; Location: Sydney, Australia; Posts: 3,097)
Re: Beta browser test - Too harsh? Too mild?

Ok Bill: it's a set-up?
Quote:
Each time I failed the Spying on Keystrokes and twice I failed the Stealing Files.
Quote:
It failed on stealing and searching files but that is expected as GesWall only protects the confidential file folder
Quote:
Neither BO Clean or PrevX caught or warned about this !!
Quote:
Of course using GreenBorder I passed

Where do I sign up?
__________________
Don't confuse me with someone who actually knows what they are talking about.
Linux Registered user 469135
Please, support Medecins Sans Frontieres
#18
October 19th, 2006, 11:27 AM
Ilya Rabinovich (Developer; Join Date: Sep 2005; Posts: 1,516)
Re: Beta browser test - Too harsh? Too mild?

Quote:
Originally Posted by aigle
Tried DefenceWall and failed all except 4th one.

Confirm - hta script runs by trusted svchost, not by browser. Hm, it was really a surprise for me! Already fixed, will be released with the next version. Need to check out other stuff...
#19
October 19th, 2006, 12:21 PM
Old Monk (Frequent Poster; Join Date: Feb 2005; Location: Sheffield, UK; Posts: 632)
Re: Beta browser test - Too harsh? Too mild?

Hi

Neat test.

Passed all except the Stealing Files test. What action is required to plug that gap?
__________________
Cheers

Jon
#20
October 19th, 2006, 12:31 PM
Longboard (Massive Poster; Join Date: Oct 2004; Location: Sydney, Australia; Posts: 3,097)
Re: Beta browser test - Too harsh? Too mild?

Having done these tests it appears something has been left behind?
Each reboot the "system 32" directory is on the desktop
What is this?
Not happy?

A fix?
__________________
Don't confuse me with someone who actually knows what they are talking about.
Linux Registered user 469135
Please, support Medecins Sans Frontieres
#21
October 19th, 2006, 12:51 PM
Bob D (Frequent Poster; Join Date: Apr 2005; Location: Mass., USA; Posts: 966)
Re: Beta browser test - Too harsh? Too mild?

Quote:
Having done these tests it appears something has been left behind?
Same here.
Found in c:\documents and settings\all users\start menu\programs\startup:
desktop.ini & browserscan.txt
Made them go away.
#22
October 19th, 2006, 01:18 PM
Old Monk (Frequent Poster; Join Date: Feb 2005; Location: Sheffield, UK; Posts: 632)
Re: Beta browser test - Too harsh? Too mild?

Quote:
Originally Posted by SpikeyB
Just for info. I ran the test 4 times without making any changes to my browser settings. Each time I failed the Spying on Keystrokes and twice I failed the Stealing Files. Even when it reckoned I had passed the Stealing Files, the Stolen Files folder appeared on my desktop. So I failed but it said I had passed.

Just ran it on my work desktop, and on this it said Test 1 Passed but like SpikeyB, there is a Stolen Files folder on the desktop.

Any comments on that, and again how do I stop that security vulnerability?
__________________
Cheers

Jon
#23
October 19th, 2006, 01:52 PM
Tommy (Very Frequent Poster; Join Date: Dec 2002; Location: Buenos Aires - Munic; Posts: 1,169)
Re: Beta browser test - Too harsh? Too mild?

Would you please be so kind and tell us which traces this browser test leaves behind. There are some registry entries which provoke Explorer to show up at startup of the PC with the system32 folder. Also some ugly startup entries are made. Please list them all as they don't eliminate themselves after the test is finished.
__________________
Ciao
Tommy
Member of ASAP

System: Windows XP SP2 | Vaio Laptop
Security Setup: Avira Premium | Jetico 2
#24
October 19th, 2006, 02:08 PM
Bill Stout (Regular Poster; Join Date: Oct 2004; Location: Mountain View, CA; Posts: 100)
Re: Beta browser test - Too harsh? Too mild?

Thanks guys!

Looks like I have a bit of tuning to do. I decided to use publicly visible code for easy code review and to show I'm not doing anything that detects our product or any other competing products. Plus visible code is less threatening than an executable.
  • I fixed the disappearing start icon
  • I need it to cleanup after itself, though I'm hesitant to have the scripts delete anything for safety reasons
The script which steals files to the desktop could instead email them or upload them to a website which has WebDAV enabled. It's important to know this can happen.

The reason I used an .hta was because I wanted auditable scripts, and any software which protects your system from your browser should also protect what the browser launches. Other files which we all open such as pdf, doc, xls, gif, flash, mov, and other files may contain either accidental infections or intentionally malicious scripts.

For those who are concerned that AV and AS are not stopping some of these, I have one more example which I think is a bit over the line. It displays passwords from protected storage and writes them to a text file in your startup folder. It's a four line script which will download a known hacktool (password revealer) to your computer, and launch the hacktool before your AV can stop it. Maybe since it's a known hacktool it's not over the line, however I would like to obscure the passwords and reveal just enough to show it really is extracting your saved passwords.

Hi Ilya, glad I could help. We talked about this some time before, and your requirement was that the scripts of the test could be audited, and there you go.
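Several posters above report leftovers after running the test (a "Stolen Files" folder on the desktop, browserscan.txt and desktop.ini in the All Users Startup folder, and a Run-key entry that makes Explorer open system32 at logon), and Bill says the scripts do not clean up after themselves. The following read-only audit script is an added example, not code from the GreenBorder scan or from any poster; the artifact names and the blank Run-key value it looks for are assumptions taken from what this thread reports, and it deletes nothing, it only lists what it finds so the user can decide what to remove.

```powershell
# Added audit script (not part of the GreenBorder scan or any poster's code).
# Assumptions, taken from this thread: the test may leave a "Stolen Files"
# folder on the desktop, browserscan.txt / desktop.ini in the All Users
# Startup folder, and a blank-valued entry under the Run key.
# Read-only: it reports what it finds and deletes nothing.

function Find-BrowserScanArtifacts {
    $findings = @()

    # 1. "Stolen Files" folder on the current user's desktop (reported by SpikeyB and Old Monk)
    $desktop = [Environment]::GetFolderPath('Desktop')
    $stolen  = Join-Path $desktop 'Stolen Files'
    if (Test-Path -LiteralPath $stolen) {
        $count = (Get-ChildItem -LiteralPath $stolen -Recurse -File | Measure-Object).Count
        $findings += [pscustomobject]@{ Check = 'Desktop folder'; Item = $stolen; Detail = "$count file(s)" }
    }

    # 2. Files dropped into the common (All Users) Startup folder (reported by Bob D)
    $startup = [Environment]::GetFolderPath('CommonStartup')
    foreach ($name in 'browserscan.txt', 'desktop.ini') {
        $path = Join-Path $startup $name
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Check = 'Startup folder'; Item = $path; Detail = (Get-Item -LiteralPath $path).LastWriteTime }
        }
    }

    # 3. Run-key values whose command is empty or whitespace (the "blank space" the test
    #    writes to simulate a keylogger install). A Run entry with no usable command is
    #    consistent with the system32 Explorer window several posters saw at logon.
    $metadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider properties, not registry values
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($metadata -contains $prop.Name) { continue }
            if ([string]::IsNullOrWhiteSpace([string]$prop.Value)) {
                $findings += [pscustomobject]@{ Check = 'Run key (blank command)'; Item = "$key\$($prop.Name)"; Detail = 'value is empty or whitespace' }
            }
        }
    }

    return $findings
}

$result = Find-BrowserScanArtifacts
if ($result.Count -eq 0) {
    'No browser-test artifacts found.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it from a normal PowerShell prompt after the test; the HKLM Run key is readable without elevation, so no administrator rights are needed to list findings. Removing a reported item is left to the user on purpose, which is the same caution Bill expresses about having the scripts delete anything.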
#25
October 19th, 2006, 02:55 PM
aigle (Incredibly Massive Poster; Join Date: Dec 2005; Location: Saudi Arabia/ Pakistan; Posts: 10,412)
Re: Beta browser test - Too harsh? Too mild?

Quote:
Originally Posted by Bill@GreenBorder
For those who are concerned that AV and AS are not stopping some of these, I have one more example which I think is a bit over the line. It displays passwords from protected storage and writes them to a text file in your startup folder. It's a four line script which will download a known hacktool (password revealer) to your computer, and launch the hacktool before your AV can stop it. Maybe since it's a known hacktool it's not over the line, however I would like to obscure the passwords and reveal just enough to show it really is extracting your saved passwords.

So how can we use it?
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?