Drive-by testing

i am just wondering if there is a site where we could test drive-by attacks and the like.

i am not looking for real malwares, just a simulation.

if it does not exist maybe it would be nice for someone to build one.

 

Interesting idea.

Though I don't know a testing site, can't build one, but would like to test

So someone need to post a link...if it exists that is

 

There are several ones, but they are outdated (http://bcheck.scanit.be/bcheck/ for example). You could always try to contact them to give their tests a much needed update

 

You don't specify what type of testing.

If you are thinking of drive-by tests where your security alerts to downloading/running of executables, which is the payload of most of today's exploits, it's a daunting task for several reasons.

1) What type of products are you testing? If black listing products, then unless it is real malware, the product isn't going to alert to something benign.

2) What types of exploits? If PDF, not all PDFs with exploit code are triggered by all versions of the Reader. I've looked at dozens of PDFs over the years and have found only two that trigger. Same thing with Flash.

Now, if you have White Listing security, that's pretty easy to test. I've set up my own drive-by tests in the past and have posted them here before, but they require IE6 which most people no longer have. However, if anyone wants to test, I'll post one.

Beginning with IE8 I cannot make any drive-by exploit work except those using Java! And none of the current malware exploits work against Opera or Firefox.

However, you can test by just attempting to download a non-white listed executable.
It's similar to a drive-by exploit: an executable tries to write to disk. In this case, you trigger it yourself, and your security should not allow it. The security doesn't care how the executable tries to get in -- it just prevents it in any case. Here, I use winpad32.exe to test:



Also, USB is a good test, since it is a remote code execution exploit, as is a drive-by.
Just set up an autorun.inf file with these two lines with the filename of the executable you use:



put it on a USB drive with a non-whitelisted executable and enable autorun for the test:



Also, a CD installation disk usually has an autorun.inf to automatically run a setup.exe.
Being non-white listed, your protection should alert:





A drive-by exploit is just one type of remote code execution attack which can be simulated in other ways.

regards,

-rich

 

i am looking for something that would execute automatically without the user input.

basically, just to check if Chrome by itself (maybe with LUA + UAC + SRP) would allow writing to the drive.

i am just curious.

 

Is there a driveby exploit in the wild that targets Chrome (or Opera or Firefox?) Looking in the exploit kits, the drive-by exploits use plugins (PDF, Flash) that use the browser as an entry point.

If an exploit uses an enabled plugin and you have LUA + SRP, then you are protected against drive-by exploits that download malware executables because

1) In a LUA, executables can write only to %User% directories. Here, I attempt to copy a program to %Windows%:



2) With SRP, nothing can execute except from %Program Files% and %Windows%.
Here, I attempt to execute a program, a .bat file, and a .vbs file from a %User% directory.
I chose this directory because recently I saw an drive-by infection (IE8 ) that wrote files to this directory and executed them.
With SRP, that could not have happened:









So, while you might not find a drive-by exploit to test, you can simulate the results and see how you are protected with LUA and SRP.

regards,

-rich

 

tnx a lot Rmus for taking the time!
that is very useful info.

i am at the office right now but i will play with this when i get home!

 

Excuse my ignorance but what's SRP ? How to use it ?
I'm using Emet on 7 64 bits, with UAC on.

Thanks.

 

This explains - How to Allow Shortcuts When Using SRP on Windows XP Workstations - http://www.windowsitpro.com/article...uts-when-using-srp-on-windows-xp-workstations

P.S. I don't use SRP, I use my computer, solely...in admin mode

 

SRP is a whitelist, anti-executable 'app'.
it denies any executable from launching if it's not on the 'whitelist'.


For Windows 7 Professional, Ultimate, and Enterprise editions SRP can be launched from the Local Group Policy Editor. (run gpedit.msc)
-http://www.sevenforums.com/tutorials/3652-local-group-policy-editor-open.html-

for Windows 7 Starter, Home Basic, and Home Premium editions you have to use SRP via Parental Control:
https://www.wilderssecurity.com/showthread.php?t=297834

 

Thanks for the answer, i'm going to read that.
Is it a problem if i'm using an admin account with uac max ? Because i need to create a LUA and i don't want.

 

You can use SRP with your admin account yes. Be sure to exclude the administrator account (under "enforcement" click "all users except local administrator").

 

Ok, i'm going to try it. Thanks.

 

Here's a selection of www's that "might" be useful

 

You don't need to create LUA, because you have UAC. The programs that run with limited rights under UAC are blocked by SRP if they aren't excluded.

 

I've seen that, thanks for the precisions.