GreenBorder Test II - Beta

Hi guys,

Well, I created a bit of controversy with beta testing the first GreenBorder test; it bypassed a few favorite AV and HIPS products, and uses an HTA document which some people said was an executable (it isn't, mshta.exe is). I also at first didn't include cleanup code (which was quickly added), sorry about that. However I do like HTA files because they're peer-reviewable, and I objected to internal efforts to make it an binary file. I do wish there was a vendor forum to give vendors heads up, because some vendors were defensive about the test results. This next test bypasses the AV signatures simply by compressing javascript.

The first go-around I worked with Dror Shalev who one of the worlds' best browser exploit experts. Turns out exploits weren't needed, the test highlights entry points into your system without specific exploits. Plus the exploits were high-maintenance zero-day efforts, and I wasn't too enthused about maintaining zero-days. It's a simple test, not an exploit site.

I quickly discovered I was not a programmer, and neither was Dror. So, I sought professional help from a new enthusiastic programmer in our company - Marc-Antoine Ruel. Please provide feedback in this thread for the beta Online Security Test. I do appreciate all feedback, even if it's 'harsh and direct'. Anyway, without further ado, I present to you the beta of the new Online Security Test.

Beta Online Security Test
--> http://www.greenborder.com/newtest/ <--

________
​

Separately, we're also launching a beta of GreenBorder Corporate v3.0, please fill out five fields in the form at the link below and an (non-automated) email with instructions will eventually be sent to you on beta testing. The beta form asks for a phone number, use ours if you don't want to provide yours, but we'd like a support person to check up on how beta testing is going.

Beta GreenBorder Corporate 3.0
(Adds IM support, doesn't support FireFox!)
--> http://www.greenborder.com/registration/betasignup/wilders <--​

Please post feedback to the GreenBorder Corporate 3.0 beta to beta@greenborder.com. Also the thread for the Corporate Beta is here: https://www.wilderssecurity.com/showthread.php?t=161458

Thanks,
Bill Stout

 

Whoa I smell a soldified and canned pork product

 

Nope, no spam here.

 

has anyone tried the new test yet? i'm waiting to hear if anyone experinces problems like with the first one from greenborder.

 

I'm curious also. If there are any problems with it I'd like to know immediately. We did put it through a QA cycle also.

Seems all of the forums are very quiet, is this normal for mid-January?

 

Hi Bill

Gave it a quick run just now on my desktop which I suspected would fail and duly did on all but password stealing which Cyberhawk intercepted. Laptop is another matter and I'll run it there later.

As well as the Stolen Files folder this little something has appeared on my desktop - File 16_united_256ram

PS I still have notepad crapola on start up from your last test. LOL . Easy to get rid of ?

 

The test doesn't have a function with a name like '16_united_256ram', and should not write a file outside the 'Stolen Files' folder. Is the date/time on that file the same as for the 'Stolen Files' folder?

Sorry about the residue from the first beta test. At first I wasn't too keen on any cleanup or delete functions in the test, but I learned from Wilders feedback that residue was worse than not cleaning up.

The notepad starting up was from the old test section which checked to see if your startup folder was protected. Go to Start - All Programs - Startup, right-click on gb*.txt file, and select delete.

If an explorer window opens after login, this was caused by the old test section which tests if your registry startup section was protected. I first added a space, then later a period which was the most benign entry I could think of. It can be found in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. In regedit the first value should be (Default) REG_SZ (value not set)'. If the first value contains a . or space, it should be deleted. I believe the dot behaviour is similar to starting an explorer window from the command line, 'explorer .' opens the current directory, and 'explorer' opens 'My Documents'.

Thank you for checking it out.

 

Hmm

Not remotely similar Let me do some checking. Thanks for the Notepad advice.

I'll try the laptop and come back.

 

Hi

Laptop runs test but wont show results - script error in both Firefox and IE.

Guess my settings are blocking something. Stolen files folder showing so I aasume I at least failed that one .........again !!

 

I have checked it out and I still have the same problem, I don´t get any results. What happens is the following:

I run the HTA file, after that I block the MSHTA.exe tool plus the Windows Scripting Host tool (in a real life attack this would have been blocked). I do get to see the "Stolen Files" folder, so I need a tool that can protect me against this. Actually, Neoava Guard can stop it, but this feature is not working smoothly at the moment, so that´s why I´m not using it.

 

Interesting. So part of the HTA runs before it's blocked?

 

Correction, I do let the MSHTA.exe tool run, otherwise the HTA file won´t work, but I block it from "internet access" and the "local zone". I think that in test number one the "Command Prompt" was also involved but not in this test. But do you know why I´m not getting to see any results?

 

The test uses javascript, and it contains functions which use try/catch operations. I think we missed a catch since it's exiting before the script is completed and the results are shown. Marc-Antoine will fix this but there will be a delay before he rolls his update in. It seems the test works on most systems but the exit is triggered on certain systems.

 

With GesWall, I can,t see the results.
Script error, tried multiple times. Script error. I think some of my tweaks are the cause. I do see stolen files folder on desktop.

 

No results even out of GesWall.

 

No results!?

 

Here's a new version which should fix the early exit. The current default hta is still the middle of another QA cycle.
http://www.greenborder.com/newtest/GreenBorder-Security-Test-new.hta

/newtest/GreenBorder-Security-Test-new.hta

Original URL updated with new test.

http://www.greenborder.com/newtest

 

Pretty Hilarious test ! I dont know what script or function you are calling but I can duplicate the stolen files and folders test with a simple right click of my mouse and create files and folders all = 0 bytes totally bogus I dont see any threat about being able to do that. As for the rest nothing got past my set up!
I smell serious PORK of course thats my opinion and I'lll stand by it now that I ran through your tests and past all but 1 but as I said that 1st one is a real JOKE!

 

A click could destroy your computer or share everything you don't want to with the Internet, but that would be you, not an unknown script or function.

The script which copied the files to your desktop searches for filenames of certain extensions, up to a certain count (for the sake of brevity), and copies them to a location specified in the script. Change one variable, and it could have copied or emailed them anywhere. Change another, and instead of searching \My Documents\ it could search \local settings\History\ or \local settings\Temporary Internet Files\. Add one line, and it could limit which files are copied by those that contain the text string '1040', 'medical', 'pass', 'ssn', 'account', 'visa', or 'checking'.

The rest of the script uses the same technique as the stolen files test. The test file is in text format, save to your desktop to view it in notepad.

 

Thanks for the feedback, but still no results over here, I do know that I did get to see the results with one of the first versions of this test, even when I blocked certain things. So yes this must be fixed.

 

Hello,
Seems that such methods are easily bypassed by using custom folders and non-English names.
Mrk

 

Yes, true.

The test uses default directory names appended after %USERPROFILE%. The enumeration techniques used by the file search could also be used to find directory names (such as those hexidecimal names used in temp directories), but that would add a minute or so to the execution time.

I should add a FAQ link on the test. The intent is to show the entry points of your computer to web content. These entry points are; Registry, File System, Local Network Services/Shares, COM Objects, System Calls, etc. These are all exposed on a default Windows installation because we open foreign content in the context of the local user (it executes with all user permissions) rather than with permissions that we would grant to the foreign user. The natural reaction is to restrict permissions of the browser, but that affects usability. That was also the natural reaction with company firewalls, where the first reaction to threats was to restrict allowed ports, but users demanded things which used non-standard ports like IM, real audio, VOIP, etc. Placing a browser in a restricted sandbox also causes usability issues since applications and scripts usually crash or lockup if they can't access local system resources. That's where virtualization comes in; it spoofs local system resources, and allows browser applications to run in a virtual environment which cannot change local system resources. By default resources are protected, and some access (read) is allowed by rule.

You can also protect local resources individually, so by adding security tools you create an environment where access is allowed except where explicitly denied. This forum is a good place to find tools which protect individual resources, and with enough tools, nearly everything can be protected.