testers needed

Discussion in 'other security issues & news' started by stormbyte, Dec 7, 2004.

Thread Status:
Not open for further replies.
  1. stormbyte

    stormbyte AV Expert

    Joined:
    Jul 9, 2004
    Posts:
    97
    Hey guys,
    I think I found something that could be called a very tiny security issue in IE :)
    I need people with AV software installed to test it for me
    Go to: http://www.stormbyte.com/vtest/test.php
    and report :
    a. If your antivirus warned you about a new virus on your system
    b. Your operating system, browser, and antivirus

    Don't worry, there will be no viruses or spyware installed. I just found a way to trick some antiviruses into thinking that the computer is being infected by just visiting a web site.

    Thanks!
    Mariusz
     
  2. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    A - nope
    B - Win2k, Firefox 0.9.1, NOD32

    Just got a blank page there so if it's anything Proxo might have blocked - that might be the case as well.
     
  3. stormbyte

    stormbyte AV Expert

    Joined:
    Jul 9, 2004
    Posts:
    97
    Yeah. Firefox is safe. Try with IE :)
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I've got my own doubts about doing that. I used Firefox, clicked on the link, and got a blank page with absolutely nothing happening at all.
    I used IE, and also I get a blank page with nothing happening at all. I'm very secure here.
     
  5. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Same result - IE 6.0 - also routing through Proxo. I'll try without.
     
  6. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Same in IE without Proxo.
     
  7. stormbyte

    stormbyte AV Expert

    Joined:
    Jul 9, 2004
    Posts:
    97
    Then NOD32 is not looking at it as a virus.
    But when you scan cookies folder you should find "Eicar" virus.
    Unless Nod does not scan txt's or you have cookies disabled.
    Oh well. Thanks anyway.
     
  8. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I get this in Proxo's (+ Opera) log window. Ran it with IE, no proxy, and F-Prot 3.16a and got just a blank window and no alert.

    Nick
     

    Attached Files:

  9. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    I'll run a full scan now to see.
     
  10. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Just ran a full scan with all my security applications, nothing found at all. Clean. ;)
     
  11. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,791
    Location:
    SW. Oklahoma

    Checked all of my cookies and found no eicar of any kind.
     
  12. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    F-Prot found this using a manual scan:

    Nick
     

    Attached Files:

  13. stormbyte

    stormbyte AV Expert

    Joined:
    Jul 9, 2004
    Posts:
    97
    That is why I needed more people to test my idea :)
    Basically, when you go to that page your browser will receive a cookie.
    This cookie has the Eicar test virus string as a value. Some AVs, when they see this file being written to the hard drive, will inform you about that.
    It will not work if you use Firefox, or have cookies disabled, or your AV is not scanning TCP packets, or txt/cookie files.
    Like I said this is not a big issue, (or in your case it's not an issue) but I had to check it.
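
    Added example, not part of the original thread: a small Python triage helper that tells a spec-conforming EICAR test file (the 68-byte string at offset 0, at most 128 bytes, only whitespace after it) apart from the string merely sitting inside another file, as it does in a cookie file. The cookie name `vtest`, the domain `example.invalid` and the line-per-field sample layout are constructed assumptions, not data captured from the test page.

```python
"""Triage an EICAR alert: conforming test file, or just the string inside other data?"""

# Split in two so this script's own source does not contain the contiguous string.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# EICAR's definition: the file starts with the 68-byte string, may be followed
# only by whitespace (space, tab, LF, CR, Ctrl-Z), and is at most 128 bytes long.
TRAILING_OK = b" \t\n\r\x1a"
MAX_LEN = 128


def classify(data: bytes) -> tuple[str, int]:
    """Return (verdict, offset) for one file's contents."""
    offset = data.find(EICAR)
    if offset == -1:
        return ("absent", -1)
    tail = data[offset + len(EICAR):]
    conforming = (
        offset == 0
        and len(data) <= MAX_LEN
        and all(byte in TRAILING_OK for byte in tail)
    )
    return ("conforming" if conforming else "nonconforming", offset)


def build_sample_cookie_file(value: bytes) -> bytes:
    """Constructed sample: one field per line, cookie name first, value second."""
    fields = [b"vtest", value, b"example.invalid/", b"1024", b"0", b"0", b"0", b"0", b"*"]
    return b"\n".join(fields) + b"\n"


if __name__ == "__main__":
    samples = {
        "bare test file": EICAR + b"\r\n",
        "cookie file carrying the string": build_sample_cookie_file(EICAR),
        "ordinary cookie file": build_sample_cookie_file(b"session123"),
    }
    for label, data in samples.items():
        print(f"{label}: {classify(data)}")
```

    A "nonconforming" verdict on a cookie file means the scanner matched the string as a substring of a text file that cannot be executed, which is the situation an alert on this page's cookie would be reporting.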
     
  14. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Not sure exactly why but I got nothing in my scan either.
     
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    53,207
    Location:
    Texas
    How did F-Prot do realtime? Or did you try that?
     
  16. stormbyte

    stormbyte AV Expert

    Joined:
    Jul 9, 2004
    Posts:
    97
    So it works:)
    Now I have a question. Do you guys think that this could be called a "security hole" in IE? I know that it's only a cookie, can't be executed and so on, but still it could cause problems for some people. (OMG! My computer is infected - for example)
     
  17. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Interesting....what does all that mean ?

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*0
     
  18. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Ron,

    RealTime did not catch it.

    Nick
     
  19. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    (A) Yes

    (B) XP IE KAV extendia single engine

    I got a blank page with Firefox, as I did with IE. But with IE, Extendia alerted me instantly of access attempted with an infected file (EICAR test file).
     
  20. Honyak

    Honyak Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    346
    Location:
    Deep South
    Mariusz
    I closed Firefox and opened the page with IE and ArcaVir 2005 immediately reported a virus.
     
  21. stormbyte

    stormbyte AV Expert

    Joined:
    Jul 9, 2004
    Posts:
    97
    Virus test file. I did not want to use a string from a real virus so I had to use Eicar. You can read more about it here:
    http://www.eicar.org/anti_virus_test_file.htm
     
  22. stormbyte

    stormbyte AV Expert

    Joined:
    Jul 9, 2004
    Posts:
    97
    :) I know. I tested it first with mks_vir.
    Question remains: should this be reported somewhere or not? ;)
     
  23. Honyak

    Honyak Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    346
    Location:
    Deep South
    It would seem to me that it warrants attention to try and prevent future exploitation.
     
  24. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    A. No virus reported.
    B. opened in IE...XPSP2 Firewall.....Nav2003.....Cookies set to medium.....Nothing!....
     
  25. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    You won't get any alert if you block stormbyte's cookies. The cookies will cause your antivirus to alert you if you allow them in.
     