Try this test.

BOClean stopped it, but failed to stop it from creating the folder on my desktop containing various random copies of files from my pc.

Stopping it is not the test really. It's stopping it 'doing it's thing' once you allow it to run. Remember that you are testing the scenario that you have allowed to run something you have downloaded i.e a desktop game. Allow the demo file to run and see if anything stops it's background activity.
http://www.finjan.com/SecurityLab/SecurityTestingCenter/exploitFinjanPublicEXE.asp

muf

 

I don't get this 'test'; you have to download an .exe and run it (by the way, Process Guard blocks it right away), so what do you expect, that it shouldn't be able to manipulate files? Why? To me it looks like a trojan demo, not a test. I don't see why AV or anti-trojan softwares like Ewido should block this file, since it actually doesn't do anything malicious (as in, it does not open your system to attack).

 

Vba32 blocks and deletes it also.
The monitor caught it after the download was finished.

 

Well, it tests your security. That's why i called it a test. And as to looking like a trojan demo. Well, i posted it in the 'other anti-trojan' forum. Maybe there's your answer? And as to the test itself. Well many people download executables assuming they are safe to run. What the test demonstrates is that once you download and run an exe file then things could be going on in the background you are not aware of. What this test does is shows Tetris running and then collects some data off your pc and puts it on your desktop. It could have tried to send that same data over the internet to a hacker. We know plenty of people on this forum have security like firewalls and process monitors. But it's always nice to test that you are covered. I'm not trying to catch anyone out with this. If it means nothing, then fine. And if you download any exe files in the future and run them knowing they are safe(crystal ball and all that), then good for you. But what if it wasn't what you thought it was? That's what this test demonstrates. Gosh, some people...

muf

 

Well, I don't think an application that copies or creates files in the background automatically should be flagged as 'dangerous' or suspicious. It should only be flagged as dangerous if it wants to weaken existing system settings, terminate or read from other applications, connect in the background to the Internet, etc.

But that's a whole different matter. Copying files or creating a folder on my desktop doesn't make my system any more exposed to external attack, sending data over the Internet might.

 

TNT,

I think thats the whole point. They only put the folder on your desktop to show what info can be gathered. What the hacker chooses to do with the data is up to them. but sending it over the net to themselves is obvious. The test only puts it on your desktop to show you what has been gathered in a few seconds. Imagine having that on your pc for weeks. It would be nice to know we have security that can detect those naughty things happening 'in the background'. Thus the reason for the test/demo.

muf

 

Ok, fine; I don't think it's just the job of an anti-virus or anti-trojan application to flag applications that do filesystem changes, unless they are suspicious. An application you execute on purpose that tires to copy files to a location like the desktop could not possibly be dangerous, even if works in the background (unless the target directory is shared, or unless it's trying to overload the disk with file copies, or unless it's making files with "private" permissions word-readable, etc.). It does not worry me if my system doesn't pop up a security warning for it (by the way, I did not run the test, just saw that Process Guard blocked the execution and left it at that).

Gathering disk data and trying to send it to a remote site, on the contrary, is suspicious, and it's VERY suspicious if it's done in the background, and you bet I would be worried if my system did not pop up a warning for that.

Many legitimate tasks get run in the background; to monitor what happens to the filesystem is the job of a filesystem integrity checker like Tripwire, not of an anti-trojan application. If one were to see what goes on in the background at all times, he would be overwhelmed by pop-ups.

And if there are users who think applications can't do anything in the background and they keep downloading stuff thinking all they see is all they get, I don't think it's possible to save them with an anti-trojan application. They shouldn't use the Internet, period.

 

This looks like a recap of the discussion here https://www.wilderssecurity.com/showthread.php?t=98511&page=3

 

I really think it's missing the whole point to talk about scanners or execution prevention stopping this kind of thing. As for firewalls, all they'd have to do is make mention on the webpage that it's supposed to connect to the internet to download new levels or something.. so you intentionally download and run it, then let it pass through your firewall. Why would you download a game from the internet just to stop it from running? Yes, your AV or AT should pick it up, but we all know that there's a window of time between when malware is released and when these companies can release a signature.. that, again, is the whole point of the test/demo.

What's controversial, however, is the data that this demo does collect. Safe'n'Sec, for instance, will block some of this behavior, but because this data is so benign it's not going to break SnS' rules, and so there won't be any alert. It does alert to the test in the other thread, however, and it might set off alerts if this demo went through the full motions that a real trojan would carry out.

 

One of the things I like about Online Armor is its ability to keep track of files created by an executable. So in this case Online Armor warned that a new executable was about to run – which I allowed. I then view the items created by the executable file from within OA (in this case a .wav file and a few documents) and decide it’s up to no good. So a couple of mouse clicks latter all the files created including registry entries are removed and Online Armor prevents the original executable from re-running.

 

Your results seem to be the most effective. Being able to see what it's doing within Online Armor before it allowed it is very impressive indeed. I did try Online Armor but it weighed heavily on my resources. Maybe when i get my next pc i will give it another shot. Thanks.

muf

 

Hi Muf

OA uses virtually no resources, you should contact Mike Nash, either here or at their forum http://www.tallemu.com/forum/, you most likely have a conflict, OA is a very young product and they are very interested in solving issue's.

 

Unfortunately it’s not quite that clever. It tracks files created once the executable has been allowed to run. So if you imagine in the case of this demo, the created files had been hidden in some obscure places, so you didn’t know of their creation, plus maybe an auto start entry added to the registry. Well looking at the list of files created from within OA (including registry entries) you can see exactly what went on after running the executable, and later, should you decide the application is suspect, remove everything including registry changes automatically, from within OA.
It’s like having an uninstaller provided along with the Trojan. But OA does the uninstalling. HTH

http://myweb.tiscali.co.uk/hesten/OA.gif

 

Ran the exe through sandboxie.Stated a file was created on desktop but wasn't there.Seems it couldn't reach out of the sandbox.

 

NOD32 2.50.25 and Kaspersky AV Pro 5.0.388 did not detect it.

But, McAfee Virusscan Enterprise v8.0i detect it as a joke.

http://img114.imageshack.us/img114/6016/finjan2kn.gif

is this result succesfull and trustworthy for McAfee?
your comments please?

 

One of the main ways that trojans gain access to a system is by hiding in apparently legimate downloads like games from websites and P2P.

it's absolutely vital that you have something on your system to guard against this.

here's an example....

**** In 2004, Nguyen Van Phi Hung, a computer engineering student at the National University of Singapore, was sentenced to 20 months in prison for using a Trojan horse program to steal passwords and user IDs from other students. He ran a program called Perfect Keylogger on a web page where he posted an online game. Hung then sent a hyperlink to the game to his fellow students so whenever one of them played, Perfect Keylogger would be installed on their computer and Hung could capture their information. He used a fellow student's online bank account to purchase $947 worth of prepaid phone cards and a $138 magazine subscription. ****

here we see an example of a trusted program being downloaded and executed - those that got scammed either had no detection software to check the file on download or execution or the software they did have was simply not up to snuff.