#1
This test is what a user could expect from a HIPS when it encounters execution of an unwanted executable. The site I am testing is a real threat that contains trojans, rogue AVs and anyone's guess what else. It requires an ActiveX download that appears to execute without the user's intervention from the ActiveX pop-up. I will try to post all screens for example. This is also when the trojans and rogue would normally be dropped on a user's machine, providing they had no blocking such as a HIPS or it went undetected by an antivirus or a behavior blocker. Also, perhaps no ActiveX would be a big plus here on this site anyway.
__________________
OS X 10.8.4 - 2.9 GHz Intel core i7 - 8 GB 1600 MHz DDR3 - 750 SATA HD - Intel HD 4000 Graphics 512 MB. http://www.flickr.com/photos/darkshadow1911/ Last edited by Dark Shadow: December 8th, 2008 at 03:33 AM.
#2
Screen shot 2
#3
Screen shot 3
#4
Screen shot 4
#5
OK, apparently there are about 10 different pop-up warnings here to deal with and some freezing between snipping images, making it difficult for screen shots. Some findings: Malware Defender effectively blocks, providing users make the correct choice. The user should come out clean; no files were dropped on my machine, so it is very good at blocking. However, Malware Defender struggles with Deny and Terminate: the pop-ups to run the exe kept popping up, making it difficult to close the common pop-ups that come with adult sites. It did terminate, but there seemed to be a minute or so delay. I am no expert here, but these are my findings. All in all a great program, light, stable, didn't crash even while waiting for longer periods for the user's reply of Allow, Deny, or Deny and Terminate processes. IMO Deny and Terminate would be the obvious choice unless the user would like to answer nearly a dozen pop-ups in this case.
Last edited by Dark Shadow: December 8th, 2008 at 03:28 AM.
#6
Interesting, Dave. Thanks!
__________________
Primo freebeez: TinyWatcher POP Peeper Kalender
#7
You're welcome, it was fun fun fun.
#8
Dave, could you pm me a link to that site? I'd like to do some testing of my own.
#9
After the initial Learning Mode period I've got used to placing MD in Silent Mode when surfing, particularly unknown sites. I'm assuming if you did that then these threats would be blocked/denied without the need for multiple pop-ups/decisions.
Is that correct? Cheers
__________________
Chris
#10
Quote:
Check your PM
#11
Quote:
#12
I know this post relates to malware defender's ability to handle drive-by malware, but I couldn't help but want to try a small test against the site using my own protections, so forgive the brief impertinence, here were my findings:
Dave, I checked out the site you sent me. I find this odd, because after visiting it, I looked in Agnitum firewall's content filtering log, expecting to see blocked ActiveX scripting, blocked embedded spyware, blocked referers, pop-ups etc. etc., but I saw nothing, not one blocked element. Then again I use Ad-Muncher to complement Outpost firewall's ad-blocking and content filtering modules, so I then took a look at Ad-Muncher's log, again expecting to see something wild. All I got was this, which is nothing major:

Default filter match - No filtering on URL: /jquery.js [http:**/jquery.js]
Removed suspected web bug [htt:**]
Default filter match - No filtering on URL: /jquery.js [http:**/]
Prevented site from changing the browser status bar [[url]http://**]

I just don't get it, all I got was a clean web page. Of course I use Sandboxie, which removed any element of fear in testing the site no matter how badly infected it may have been, but Sandboxie wouldn't have affected the elements in the web pages themselves. Thoughts?
#13
Did you get the second link with the porn tube that requires a new ActiveX for video? The first link was wrong. I tested this with NOD32 4 beta in another post. My testing files were also sent to VT, which only a few scanners detected at first and more later; the link is not clean. I will recheck it again.
#14
Ahhhh, I see now, the web page itself was clean, but when you click to watch a video,you're prompted to install a "video activex object". I downloaded and ran the executable, at which point it tried to access the internet and evoke a command prompt -I allowed the calling of the command prompt through outpost's h.i.p.s. module, but sandboxie denied any access to the internet, and that's as far as anything went, nothing else tried to happen and I could test no further.
But back on topic, this kind of thing is easily handled by h.i.p.s. apps like Malware Defender, I imagine it could knock it out blindfolded. Excuse me now while I go empty the sandbox.
#15
Here ya go
#16
and here.
#17
Yep, I see it there in the flesh. I am thinking that whatever that ActiveX setup object wants to do, it has to download from the internet in order to do it, because I allowed it to evoke a command prompt, and I'd think that at that point it would install its malicious code if it was gonna, but when it couldn't access the internet it gave up, so it relies on downloading the rogue code from the net, it's not included in the setup itself (unless you count it wanting to download crapware to begin with). Then again, as your screenshot points out, they're all trojan downloaders, so it's fairly obvious.
Any rate, I grabbed a handful of the buggers and dumped the sandbox on top of 'em, whereupon they scurried away crying and squealing.
#18
Quote:
__________________
Anti-Executable Standard 5.20.1112.562/K9 Web Protection 4.4.268
#19
Quote:
Perhaps not for some folks that explore these areas not knowing what lurks behind the scenes. Somebody's worst nightmare waiting to happen.
#20
Quote:
#21
Quote:
#22
I decided to have some fun with the malicious code that the ActiveX video object downloads and installs on the system.
It starts out like so, when you click on a video to watch:
Once you run the setup, it connects to this site to download the malware, I assume:
Upon being allowed to do so, it downloads and runs these exes:
continued...
#23
One of the exes launches a command prompt, evokes rundll32.exe, br41.exe? Oh my. All of which culminates in the lovely Virus Response Lab 2009, a definite security addition for any antimalware aficionado. Seems clicking "watch video" can be a dangerous affair these days of late.
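As an added illustration (not code from this thread, from Malware Defender or from any other product named here), the following Python check shows how a defender could spot the chain the last two posts describe in process-creation records: a browser-spawned setup executable living in a temp folder launches cmd.exe, which runs rundll32.exe against a dropped file. The event records, user name and setup file name are constructed; only the rundll32.exe and br41.exe names come from the posts.

```python
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed process-creation records (not real logs) modelling the chain the
# thread describes: browser -> fake "video ActiveX" setup dropped in Temp ->
# cmd.exe -> rundll32.exe br41.exe. Paths and the setup name are made up;
# rundll32.exe and br41.exe are the names the posts mention.
EVENTS = [
    Event(1, 0, r"C:\Program Files\Internet Explorer\iexplore.exe", ""),
    Event(2, 1, r"C:\Users\dave\AppData\Local\Temp\videoactivexobject.exe", ""),
    Event(3, 2, r"C:\Windows\System32\cmd.exe", "/c rundll32.exe br41.exe"),
    Event(4, 3, r"C:\Windows\System32\rundll32.exe",
          r"C:\Users\dave\AppData\Local\Temp\br41.exe"),
    Event(5, 0, r"C:\Windows\explorer.exe", ""),
    # benign: rundll32 started by explorer with a system DLL, must not alert
    Event(6, 5, r"C:\Windows\System32\rundll32.exe",
          r"C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\temp\\")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def in_user_writable(path):
    return any(d in path.lower() for d in USER_WRITABLE)

def ancestry(by_pid, pid):
    """Walk from pid up to the root, yielding each Event on the way."""
    while pid in by_pid:
        ev = by_pid[pid]
        yield ev
        pid = ev.ppid

def find_dropper_chains(events):
    """Return [(pid, [image names, root-ward])] for every rundll32.exe whose
    argument sits in a user-writable folder and whose ancestors include an
    executable from a user-writable folder descended from a browser."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        if basename(ev.image) != "rundll32.exe" or not in_user_writable(ev.cmdline):
            continue
        chain = list(ancestry(by_pid, ev.pid))
        dropped = [a for a in chain[1:] if in_user_writable(a.image)]
        from_browser = any(basename(a.image) in BROWSERS for a in chain)
        if dropped and from_browser:
            hits.append((ev.pid, [basename(a.image) for a in chain]))
    return hits
```

On the constructed records only the rundll32.exe launched under cmd.exe below the temp-folder setup is reported; the explorer-spawned rundll32.exe with a system DLL is left alone.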
#24
Nice, rather more informative details of the variants.
#25
enjoyed it, we should do it again sometime (you buy the beer?)