A wakeup call ?

Discussion in 'other security issues & news' started by egghead, Apr 26, 2006.

Thread Status:
Not open for further replies.
  1. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    Last edited: Apr 26, 2006
  2. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    I don't understand. Is this just a test of one's security? Or is this a program? And if so, is this program supposed to replace all security programs: AV, PF, AS etc.? And it's free. Any answers? Thanks.
     
  3. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    ZAPJB,

    GESWall is a program. The demo is a test. I did not install GESWall but ran the demo to see how my apps handled the attacks.

    The demo is a simulation of intrusion attacks, virus and malware activity, including:

    * Information Disclosure attacks, copying confidential files
    * Infecting executables
    * Deleting documents
    * Code injection
    * Sending control keystrokes to windows (shatter attacks)
    * Process termination through implicit context of WMI service
    * Installing a backdoor attacks
     
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    ZAP zapped it straight away. :)
     
  5. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Script Defender intercepted it and I then allowed it, but as I have disabled VBScript of course it wouldn't run anyway. I might try later after rebooting with VBS enabled and see what happens.


    StevieO
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,
    I tried it on an XP SP2 station running only DefenseWall 1.4 and Jetico firewall, in Shadow mode.

    I put cmd into DefenseWall untrusted alongside the usual default set.
    I did first execute the script, which is 99.99% of malware.
    Then,
    Jetico prompted about the FTP attempt; I disallowed it.
    Prevented some of the payload downloading and executing.
    Consequently, the only exploit that worked was to delete some files from My Documents - which is empty anyway and no place to keep files anyhow.
    The replacement of notepad with calc did not work, the backdoor thingie did not work etc. And the rest did not work, I don't remember by heart now.
    On the fly, I did not go into the details of what stopped what and where. I assume that DefenseWall did the trick, and most likely more of the propagation was prevented by using the firewall.

    The crucial question everyone should ask themselves is: how come they got a malware exe on their computer and how come they execute it? Furthermore, it is also possible to use anti-virus and anti-trojan tools to check the payload.

    Without wasting too much money:
    It's possible to use drweb link checker before even downloading the file.
    Once downloaded, ewido and clam, both on demand, taking no resources. If you really wanna get fancy, avg / avast / bitdefender offer a nice helpful arsenal.

    Mrk


    --------------

    P.S.

    Dr.Web discovers VBS.Psyme.204 exploit in the link even before the dl ...
     
    Last edited: Apr 26, 2006
  7. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Mrk,

    Any particular reason not to keep files in My Documents?
    Is it just that it is the default folder name and so more of a target?
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    Hello,
    First, yes default folder and better target.
    Second, if your OS gets screwed and you must reinstall, everything inside it gets screwed too.
    Third, do you know the path to My Documents? For instance can you access it from another computer easily?
    You can safely live without it.
    And if you really need My Documents, make a folder, e.g. F:\My Documents or F:\My Docs or something.
    Mrk
     
  9. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Yes, it safely resides on separate drives (RAID 1 array) from the OS and is regularly backed up to offsite drives. It's one of the first things I do after installing the OS.

    Well, that's a problem because with RAID you pretty much need to use the same RAID controller to access the data. RAID 1 might be a little more forgiving than RAID 0 (you could possibly break the array into individual drives on the other RAID controller) but I haven't actually tried that out yet.

    Thanks
     
  10. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    What happens if you add My docs to DW "secured files"? Does that protection work?

    Edit:

    Tried to open it - Antivir protested.

    Saved and ran in DW untrusted:

    - Antivir protested all the time.

    Result:
    "Intrusion simulation ... attackers remote shell has been started.
    Macinename COMPAQ
    Running on behalf of COMPAQ\AT account
    Administrative rights
    Current directory: C:\documents and settings\AT

    Download tool files from ftp server ..gswtest.dll is not downloaded, probably ftp server is too busy, pls try again later part of demo function are disabled.

    Information disclosure attacks
    -Copy "My documents\confidential" .. Failed

    Modify/Delete Attacks
    -Administrative rights, infect notepad.exe virus (replace by calc.exe)
    o Disable Window file protection .. Success
    o Replace Motepad.exe .. Failed
    -Delete (rename) files in "My Documents"
    No files in C:\Documents and Settings\AT\My documents
    - Sending windows keystrokes messages to delete documents .. Success
    -Terminating Windows Explorer process .. Failed

    Install a Backdoors Attacks
    -Installing a command shell backdoor
    o Setting autorun link to backdoor in registry .. Failed
    o Creating Startup menu shortcut to backdoor .. Failed

    C:\Documents and settings\AT"


    I can't analyze this so if anyone feels up to it... I will post at the DW forum also to see what Ilya says.

    cmd.exe showed in DW untrusted - as it should.

    The files and tracks entry (1) - I rolled it back. DW hangs - has happened before but I thought it was fixed - still a bug somewhere. I have a feeling it has to do with trying to roll back the latest (top) entry.

    Some startup icons disappeared also after the forced reboot but the programs are in the Task Manager so I suppose they work.


    Best Regards
     
    Last edited: Apr 26, 2006
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Why is this topic in this section? "Other Security issues" seems like a more appropriate place, don't you all agree? o_O

    But anyway, I don't understand a couple of things about this test: even when it seems to fail to perform certain things, it still claims that it succeeded. But so far ZA Pro and Neoava Guard seem to stop most of the actions; strangely, KIS and Prevx1 didn't perform too well, they were only able to block the startup entry. :rolleyes:

    And btw, on my machine CMD.EXE and Windows Scripting Host are both disabled (don't need them) so they can (hopefully) not be used in attacks.
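    As an added example (not part of the thread and not GESWall's own code), here is a read-only PowerShell audit of the persistence and policy points the demo report in post 10 exercises (Run-key autorun, Startup-folder shortcut, Windows File Protection) and the Windows Script Host setting post 11 mentions. It assumes a Windows host with PowerShell and the standard registry paths; it changes nothing, it only reports.

```powershell
# Added audit script (not from the thread or from GESWall): read-only check of the
# persistence and policy points the demo report exercises.
# Assumption: standard Windows registry layout; XP-era SFCDisable value may be absent.

# 1. Autorun entries in the Run keys (demo: "Setting autorun link to backdoor in registry")
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # PS* properties are PowerShell metadata, not registry values
            if ($p.Name -notlike 'PS*') {
                "{0}\{1} = {2}" -f $key, $p.Name, $p.Value
            }
        }
    }
}

# 2. Shortcuts in the per-user and all-users Startup folders (demo: "Creating Startup menu shortcut")
$shell = New-Object -ComObject WScript.Shell
$startupFolders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($folder in $startupFolders) {
    Get-ChildItem -Path $folder -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)   # resolves the .lnk target without launching it
        "{0} -> {1} {2}" -f $_.FullName, $lnk.TargetPath, $lnk.Arguments
    }
}

# 3. Windows Script Host policy (post 11 disables WSH; Enabled=0 under this key turns it off machine-wide)
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$wsh = Get-ItemProperty -Path $wshKey -Name Enabled -ErrorAction SilentlyContinue
if ($wsh -and $wsh.Enabled -eq 0) { 'WSH: disabled' } else { 'WSH: enabled (default)' }

# 4. Windows File Protection switch (demo: "Disable Window file protection"); XP-era Winlogon value
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sfc = Get-ItemProperty -Path $winlogon -Name SFCDisable -ErrorAction SilentlyContinue
if ($sfc) { "SFCDisable = {0} (0 = WFP enabled)" -f $sfc.SFCDisable } else { 'SFCDisable not set (WFP default)' }
```

    Run it before and after a demo like the one in post 10 and diff the two outputs; any new Run value or Startup shortcut is exactly what the "backdoor" steps try to leave behind.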
     
  12. EASTER.2010

    EASTER.2010 Guest

    Rather useless test seeing as Script Sentry prevents it in the first place.

    I selected allowed and still was told INVALID PARAMETERS.

    We need some real tests not old hat vbs scripts IMO
     