Beta browser test - Too harsh? Too mild?

Discussion in 'other security issues & news' started by Bill Stout, Oct 17, 2006.

Thread Status:
Not open for further replies.
  1. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Re: PrevX under scrutiny..

    Well I tried it. Sort of silly test tbh.

    Firstly, I had to allow it to run. If I said no then it just died. If I said yes, it does a few animated graphics and tells me some I passed, some I failed. It copies a few files into a folder and tells me I'm not protected.

    Well, I wasn't impressed. All I had to do to pass this test was say no to the prompt to run. Also, I had to give it permission with my firewall to have access. Again, all I needed to do was 'block' the inbound connection attempts. Also, where's the proof of the other stuff successfully getting through? The keylogger for example. Where was that? Do you think they would tell you that you passed? Of course not. How would they sell their product to you if they said "Well done, you passed every test"?

    I'm simply not convinced with this test.

    muf
     
  2. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    Hmm, I'm taking this down if anyone complains about it, but here's the password revealer: http://www.greenborder.com/scan/
    If it works...
    PLEASE CLEANUP AFTER!!
    Delete:
    • %systemroot%\system32\L.exe
    • %systemroot%\prefetch\L.exe*
    • %userprofile%\program files\startup\passlist.txt
    • Empty recycle bin

    The reason I haven't integrated it into the test is because it reveals the entire password.
     
    Last edited by a moderator: Oct 20, 2006
  3. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    That might be the prudent thing to do, Bill, considering McAfee for one labels it as a VBS/Psyme trojan as soon as I go to that link, which I have removed.

    Bubba
     


    Last edited: Oct 19, 2006
  4. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    Hi Bubba,

    Actually, that detection is not caused by the exe, but by the method I'm using to download the exe: SEt g=cREAtEOBjEct("AdOdB.S"^&Nl^& "tREAm").

    From http://vil.nai.com/vil/content/v_100749.htm:
    "The vulnerability allows for the writing, and overwriting, of local files by exploiting the ADODB.Stream object."

    I'll update the method to bypass McAfee popping up.
     
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Yeah, I realize what was causing it to show the alert, since the script is viewable with script disabled. Altering the code so anti-malware programs don't scream would be the way to go for sure.

    Bubba
     
  6. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    My todo list:
    • Not sure why explorer opens system32 on login, the only time the test calls system32 directory is a shell run of diskmgmt.msc (Longboard, Old Monk)
    • I'll clean up the log file, maybe the startup folder wasn't a good place for it (Bob D)
    • Figure out if writing a space ' ' to the registry run key causes system32 to open. Weird side effect, did not know that blank run key would open system32 in explorer. (Tommy)

    SpikeyB, good feedback on repeated testing. I wonder why it passed you when it was able to copy files...

    Longboard, good posts! I haven't tried the test with other products, I wanted to focus on just a handful of tests to show the difference of exposure between unprotected browsers and protected browsers.
     
  7. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    I chopped up ADOdb.stream a bit more. I should find a McAfee PC, I thought all the methods got past AV.

    btw - I'm finding that this is one of the situations where it's a good idea to delete cached files.
     
  8. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Re: PrevX under scrutiny..

    Hey muf,
    I'm not suggesting that the test could walk through anything.

    Having downloaded a malicious .hta file, and run it from the desktop!!
    I would have thought that PX would block it from executing, or at least a pop-up saying "..what is this, we don't know it.."

    It is not only that test: try a few of the other standard exploits: not impressed.

    Even went to the PX database with one simple one and it was in the safe list.
    I realise this is a bit vague: was using a frozen snapshot, accidentally rebooted before I could get through all the tests and lost where I was.

    I'll try and do a few more tests, but 0800 here and off to work to feed the tin lids :)

    Not really thrilled that BOClean did not stop it either: have emailed them also.

    Regards.
     
  9. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Re: PrevX under scrutiny..

    BOClean doesn't detect them because they are not malware. It's really that simple. They're just tests. What I think you are looking for is something that works off behaviour analysis. Not sure if there is any application that could detect all of these from behaviour. Maybe something could catch a few of them. I'll re-install SurfinGuard Pro over the weekend and throw these tests at it. That's one of the best behaviour analysing apps I've ever used.

    muf
     
  10. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Re: PrevX under scrutiny..

    Ok, took a flyer on it and installed and tested SurfinGuard Pro. It blocks everything. SGP alerts to multiple violations and didn't even let them get past the run. As soon as I tried to run them it simply blocks them and throws up a message stating blocked due to malicious behaviour. I'd have to turn SGP off to get those tests to run, and that pretty much defeats the object.

    muf
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Re: PrevX under scrutiny..

    Thanks for the info, Muf. How much RAM & CPU does SGP use? I might want to give it a try.
     
  12. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Re: PrevX under scrutiny..

    Looked in Task Manager and it was registering 0% CPU. Obviously it's using something, but not a lot. As for memory, it was using 12 MB when I looked, with 4 MB VM.

    You'll have a bit of a job finding it though. It's not been developed for what must be over two years, possibly three. You will need to find version 5.7 if you want to use it on WinXP, otherwise the 5.6 version will suffice. My copy from at least 2 years ago is nearly 10 MB in size.

    muf
     

    Attached file: SGP.jpg (53 KB, 369 views)
  13. GS2

    GS2 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    42
    To find out what is causing the system32 folder to open up, I created a test account, and the following registry key is altered:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    The (default) binary data is changed from
    Code:
    0000  
    to
    Code:
    0000  20 00 00 00                ...
    (the spaces I have put in may not be completely correct).

    In addition, inside the msconfig startup tab, a new startup item is listed under the above key, which has a blank command and a blank startup item name.

    To remedy this, the safest method is to use msconfig and uncheck the blank item; you will have to restart the system twice. This will stop the system32 folder opening.

    As I am more of an avid user than expert, other keys may have been altered too - but I have not had time to check :)
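
    As a defender's check for the leftover described above, here is an added PowerShell example (not code from the thread or from GreenBorder) that audits the Run keys for blank or whitespace-only entries, including the unnamed (default) value that Get-ItemProperty does not list. The HKCU key path is the one from the post; the HKLM path, function names and remediation hint are assumptions.

```powershell
# Added example (not from the thread or GreenBorder): audit the per-user and
# machine Run keys for the leftover GS2 describes, a (default) value holding
# whitespace (REG_BINARY 20 00 00 00), which makes Explorer open system32 at logon.
$RunKeyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',   # from the post
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'    # assumed: machine-wide twin
)

function Test-BlankRunData {
    # True when the data is empty or only spaces/NULs, whether stored as a
    # string (REG_SZ/REG_EXPAND_SZ) or as raw bytes (REG_BINARY).
    param($Data)
    if ($null -eq $Data) { return $false }          # value not set at all: normal
    if ($Data -is [byte[]]) {
        return -not ($Data | Where-Object { $_ -ne 0x20 -and $_ -ne 0x00 })
    }
    return [string]::IsNullOrWhiteSpace([string]$Data)
}

function Get-BlankRunEntries {
    param([string[]]$Paths = $RunKeyPaths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        # Enumerate value names directly: an empty name means (default) is set,
        # which Get-ItemProperty would not show as a property.
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if ([string]::IsNullOrWhiteSpace($name) -or (Test-BlankRunData $data)) {
                $shownName = if ($name -eq '') { '(default)' } else { $name }
                $shownData = if ($data -is [byte[]]) {
                    ($data | ForEach-Object { '{0:X2}' -f $_ }) -join ' '   # e.g. "20 00 00 00"
                } else { $data }
                [pscustomobject]@{ Key = $path; Name = $shownName
                                   Type = $key.GetValueKind($name); Data = $shownData }
            }
        }
    }
}

$found = @(Get-BlankRunEntries)
if ($found.Count -eq 0) {
    'No blank Run entries found.'
} else {
    $found | Format-Table -AutoSize
    # Alternative to the msconfig route in the post: clear the (default) value directly.
    'To clear one: Remove-ItemProperty -LiteralPath <Key> -Name "(default)"'
}
```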
     
  14. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    For the non-techies :) :
    The "leftovers" in the reg with the entry for the "no name" file that looks like a shortcut icon is the residue of the script file: Yes?
    Some start-up config change?

    As noted here as well https://www.wilderssecurity.com/showthread.php?t=151003
    Comodo leak tests

    Can clean with Reg Cleaner
    Spybot "System internals" check finds and can fix
    As per post #38
     
  15. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    I can confirm this, aigle. GeSWall stops the test from doing anything when run within IE. But if you save the file to the disk and then run the test (even isolated), GeSWall doesn't block it.
     
  16. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    If the browser test can be defeated by any security program, then I would say it has failed in itself. It got owned. :eek:

    Just any simple method applied by a smart person or good security program renders the test unusable. If it can't even run, how is it going to test a system? This security test is intended for a non-technical audience.

    Why not construct a test which attempts to bypass a highly-secured security program/set-up? Make something more challenging Bill. I would love it. :D

    This test is too simple for some people.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I will look further into it.
     
  18. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Another HIPS program like PG should be able to block it. What I think here is that yes, GeSWall does not block it from EXECUTING, but it WILL block it from making any changes to the system by means of redirect.
     
  19. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    OK Bill this time I ran the password revealer test. I fail stealing files, spying on keystrokes, and system corruption tests. Seems strange I passed all before the password revealer was added. Again this is inside GreenBorder. Any ideas?

    Thanks,

    Chris
     
  20. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Re: That's not the way to perform a test

    That's not the way to do the test.
    You need to let the malicious script run in order to do the test.
    Then you could see if your computer has any precautions to stop its malicious actions. There are 5 tests within the script.

    Sure, I see your point. You think since it has to ask you for execution, you can simply block it, so you "theoretically" pass this test. That's your first guard. But...

    First, the hacker may trick you into executing that file in a real situation, for example when you visit a page, it pops up a message. You press "cancel", but this actually executes a malicious script.

    Second, he doesn't need to use *.hta, he can use any file type, including ones that may seem harmless.

    Third, a hacker doesn't always need to ask for your permission before he can execute anything. For example, if a hacker can exploit a vulnerability in IE and is able to execute its script without your permission, you will be doomed if you have no other precautions which can stop its evildoing.

    Therefore, I still see the value of this test. Simply assume you are in a situation where the file is mis-executed or silently executed.
     
  21. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Bill@GreenBorder,
    I think your test is mild since I can pass all of them.
    McAfee On-access -- warns that a suspicious script is running. It also stops the script from calling a file. All pass.
    Sandboxie -- the script is trapped into the sandbox. All pass.
    Prevx1 -- total failure. It doesn't do anything - no blockage, no popup. All fail.
    Firefox/Seamonkey/Opera -- passed as expected. Only text script is shown. Nothing can be executed. You can see how bad IE is. :)
     
  22. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    Thanks for the feedback! Now let me judge the feedback, too harsh? too mild? ;) :D Nope, it's a good mix!

    This particular test is geared towards non-technical consumers (my plumber, aunt Lisa, farriers, etc). The intent is to check if things launched from the browser are prevented from modifying local system resources.
     
    Last edited: Oct 20, 2006
  23. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    No, no, no.............
    Please make it as harsh as possible.
    It is too easy with my security setting. ;)

    By the way, what leftovers would reside in my system?
     
  24. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Make it harsher, the better...I'm lovin' it :D Security is fun.
     
  25. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    OK. But I'll need suggestions and contributions.

    What I'll plan out in the next few months will be an ITPro version, and further out, a SecurityAnalyst version. These will be harsher, meaning that only knowledgeable people should access these pages.

    The ITPro version will be more technically meaningful, but less flashy. This will be more esoteric to consumers.

    The SecurityAnalyst version will include direct links to malware. Analysts tend to say the proof is in the pudding.

    Of the scanners out there 95% are just port scanners. The browser test sites I like are:
     
    Last edited: Oct 20, 2006