malware embedded in .jpg, .doc

Discussion in 'other anti-malware software' started by Rabiddog, Aug 25, 2009.

Thread Status:
Not open for further replies.
  1. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    Thanks for the test files Rmus.
    If anyone's interested, here's how KIS 2010 did:
    hmmapiTestKIS 1.png
    hmmapiTestKIS 2.png

    ...and unrelated to this, .vbs and .dll management (amongst others) as another example:
    HIPSBrowserDataAccess.png
    FWdll.png
    etc. etc.
     
  2. ssj100

    ssj100 Guest

    Here's Tzuk's reply:
    "Anything that is a process. I.e. if you can see it as a standalone process in Task Manager or Process Explorer, then it's subject to Start/Run restrictions. If it's a document (text or binary or music or video, doesn't matter) that is opened by some other executable, then it's that other executable that is subject to Start/Run restrictions".
     
  3. dw2108

    dw2108 Registered Member

    Joined:
    Jan 24, 2006
    Posts:
    480
    Try this. Load Win 98 SE. Remove all these file types. Install an AV or AS -- NOT REALLY NECESSARY. Now install SSM Free and winsonar and Opera 10.

    Dave
    Old things never fade away, they just become "old generals."
     
  4. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Thanks for this Rmus! I'm gonna test it with sbie.

    Edit: Will it work with the word processor in Open Office?
     
  5. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Thanks for this SSJ!:thumb:

    Now the question is which binary executables are seen as standalone processes and which are not.
     
  6. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    1) Good point, but are all script executables run by a .exe as in your examples?

    2) Again good point. Although a weak point arises if you're forced to let one of those exes run in order to enable a program to function properly.

    PS: it seems sbie is God's gift to man!:eek: :cool:
     
  7. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    I love Win98 SE! That OS was my favourite! :cool:
     
  8. ssj100

    ssj100 Guest

    Well mate, in terms of whether Sandboxie protects you (which is ultimately what you're wanting to know), maybe you should ask Franklin - he's tested several billion (haha) malware in Sandboxie, and none has ever bypassed it. I think that's pretty good evidence, right?

    Anyway, I'll see what Tzuk says about what executables can run etc, and post back.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I'm not sure what the screen shots are showing, except I see that you are prompted for action. On what would you base your decision?

    The document should open; I don't know if the macro will run. If not, maybe you can convert it, or write an AutoOpen macro yourself.

    ----
    rich
     
  11. BrendanK.

    BrendanK. Guest

    I would also like to point out:

    So beware when executing files, no matter what extension.
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    For sure!

    A simple test shows how an executable will run as a program from the command prompt no matter the file extension.
    I rename notepad.exe to notepad.bdf and it runs anyway:

    cmd-1.gif

    How to protect against malware? This came up last year in a discussion about an exploit where an autorun.inf file used cmd.exe to run the executable.

    If I take a malware executable (not White Listed) and rename to .bdf, any Default-Deny protection will block the executable from running:

    cmd-2.gif

    Someone tested this with SRP but I can't locate the screen shot.

    ----
    rich
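    The renaming test above makes a point worth automating on the defender's side: the extension says nothing about what a file is, so a scanner has to look at the bytes. The following is an added example, not code from the thread or from any of the products discussed; it classifies files by magic bytes (the MZ/PE header for Windows executables, the JPEG and OLE2 signatures for images and legacy .doc files) and flags executable content hiding behind a non-executable extension. The file names, sample byte strings and the `EXTENSION_TYPES` table are constructed for the example.

```python
import os
import struct

# Well-known leading byte sequences (constructed table of public file signatures)
SIGNATURES = {
    b"\xFF\xD8\xFF": "jpeg",
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "ole2",  # legacy .doc / .xls container
    b"PK\x03\x04": "zip",                          # .docx / .odt are zip containers
}

# Which content type an extension is supposed to carry (constructed mapping)
EXTENSION_TYPES = {
    ".jpg": "jpeg", ".jpeg": "jpeg",
    ".doc": "ole2", ".xls": "ole2",
    ".docx": "zip", ".odt": "zip",
    ".txt": "text",
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
}


def is_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew field points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(data: bytes) -> str:
    """Name the content type from the bytes alone, ignoring any file name."""
    if is_pe(data):
        return "pe"
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    try:
        data.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def find_disguised_executables(files: dict) -> list:
    """Return names whose content is a PE image but whose extension claims otherwise."""
    hits = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()
        if classify(data) == "pe" and EXTENSION_TYPES.get(ext) != "pe":
            hits.append(name)
    return sorted(hits)


def scan_directory(root: str, head: int = 65536) -> list:
    """Walk a directory tree and apply the same check to the first bytes of each file."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    found[path] = fh.read(head)
            except OSError:
                continue   # unreadable files are skipped, not treated as clean
    return find_disguised_executables(found)


# Constructed minimal PE image: MZ stub, e_lfanew = 0x40, then the PE signature.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16

# Constructed sample set mirroring the renaming experiment in the post above.
SAMPLES = {
    "notepad.bdf": FAKE_PE,                                  # executable renamed to .bdf
    "holiday.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,       # real JPEG header
    "report.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 16,
    "invoice.jpg": FAKE_PE,                                  # executable behind an image name
    "readme.txt": b"hello world\n",
    "tool.exe": FAKE_PE,                                     # honestly named executable
}

if __name__ == "__main__":
    for name in find_disguised_executables(SAMPLES):
        print(f"executable content behind non-executable extension: {name}")
```

The check is deliberately content-first: a default-deny tool such as the ones discussed in the thread gets its leverage from deciding on the image that would be loaded, not on the name, and this scanner applies the same idea to files at rest. A container that merely embeds a payload (a document with a macro, an archive holding an .exe) is not caught by this header check; that is a separate, deeper inspection.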
     
  13. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    850
    Hi,
    Test.vbs is a custom script that tries to access sensitive browser data, in this case not part of any malware, but it could be... Point is, it shows that KIS doesn't control the (script) host but the file itself... like for .bat files - it doesn't look at cmd.exe but at the .bat itself.
    The latter is malware that uses rundll to download additional payload through its .dll component.
    The popups show that KIS is aware of modules with random extensions run through rundll and is able to control them (like any other "normal" applications). Having said that, it shows you can configure KIS' HIPS to behave like an anti-executable... if some HIPS isn't aware of such methods (amongst others), it wouldn't be a very good anti-executable, would it? :) KIS' main purpose isn't to be an anti-executable, but this further proves that it could be if you want to configure it as such.
    Experience, knowledge, common sense or blind luck... like with any other HIPS-like application. :)
     