MRG Effitas Online Banking / Browser Security Certification Q2 2019

Discussion in 'other anti-virus software' started by itman, Aug 15, 2019.

  1. itman

    itman Registered Member

    Eset is the only solution to 100% block w/o behavior means.

    https://www.mrg-effitas.com/wp-content/uploads/2019/08/2019Q2-Online-Banking.pdf
     
  2. Minimalist

    Minimalist Registered Member

    Thnx for sharing and congrats to all that got certified.
     
  3. roger_m

    roger_m Registered Member

    ESET is consistently one of the first antiviruses to detect new threats.
     
  4. Gein

    Gein Registered Member

    Weren't hitmanpro and sophos a part of these tests too?
     
  5. Rasheed187

    Rasheed187 Registered Member

    The most interesting thing was the Simulator Test, which uses a rogue extension. I wonder how those 4 managed to stop it, since it's basically part of the browser. But anyway, Zemana and McAfee performed the worst. Makes you wonder just how good the AI from Zemana truly is. Also, I need to get my hands on Wontok, it always performs well.

    https://www.wontok.com/safecentral/
     
  6. itman

    itman Registered Member

    Not really a legit test in my opinion:
    Don't know how this is done in Chrome but in Firefox it is Toolbar -> Tools -> Web Developer.

    Web developer tools can be disabled in Firefox by:
    -EDIT- Appears it's fairly easy for malware to enable developer mode and install malicious extensions in Chrome:
    https://www.bleepingcomputer.com/vi...le-chrome-developer-mode-extensions#installed
     
    Last edited: Aug 18, 2019
  7. Rasheed187

    Rasheed187 Registered Member

  8. itman

    itman Registered Member

    Please be my guest and test it yourself.:rolleyes:
     
  9. Rasheed187

    Rasheed187 Registered Member

    My bad, I thought you were the testing guy. I don't use any virtual machines, so I don't test this type of stuff anymore. But would be interesting to see if Eset could stop it.
     
  10. itman

    itman Registered Member

    o_O The MRG report already shows Eset failed to detect it.

    Eset and a number of other AVs do not check for malicious browser extensions. How would they? Note that Google has a poor record in that regard. And they only check for same in Google Store/Play; not once the extension has been installed in the browser.
     
  11. Baldrick

    Baldrick Registered Member

    Indeed, that is why it is a good idea to have an extension from a reputable source that monitors and looks at other extensions once installed ;)
     
  12. itman

    itman Registered Member

    As far as the simulator ZombieBrowser Pack test, I wouldn't worry about it. As noted by the Github web site page documentation on it, Meterpreter has to be installed on the device to pull off the attack. Most major AVs are pretty good at detecting and preventing Meterpreter from being installed. It appears to me MRG must have disabled the AVs' realtime protection and installed Meterpreter to perform this test.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Forgot about it. Then I wonder how Kaspersky, Bitdefender and Avast managed to block it, I'm guessing it's because their safe browser doesn't allow extensions to be installed?

    Why do you say so, I believe that a malicious extension can simply steal data and send back the data to the hacker, without any additional malware installed.
     
  14. itman

    itman Registered Member

    You miss the point. First, developer mode has to be enabled in Chrome. That is what Meterpreter is used for.

    I know that Eset disables existing extensions on Chrome and FireFox. I assume that is done when the browser is started in banking protection mode. I also assume it wasn't checking to see if developer mode was enabled thereafter, allowing for the malicious extension to be installed.
     
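A defender-side check for the gap discussed in this post and in posts 10 and 11 (AVs not inspecting extensions once installed, and developer mode being switched on behind the browser's back). This is an added example, not code from the thread, MRG or ESET: it parses a Chrome per-profile Preferences JSON and flags developer mode, unpacked extensions and extensions holding page-wide permissions. The key names (extensions.ui.developer_mode, extensions.settings.<id> with location/from_webstore/path/manifest) and the code 4 = UNPACKED are assumptions taken from Chromium's Preferences layout and Manifest::Location enum; the sample Preferences document is constructed.

```python
"""Audit a Chrome per-profile 'Preferences' JSON for rogue-extension indicators.
Added example, not MRG/ESET/forum code. Assumed layout: extensions.ui.developer_mode
and extensions.settings.<id> with "location", "from_webstore", "path", "manifest";
location 4 = UNPACKED, 1 = INTERNAL (Chromium Manifest::Location, assumed)."""
import json

UNPACKED = 4
# Permissions that let an extension read or rewrite every page, banking sessions included.
RISKY_PERMS = {"<all_urls>", "*://*/*", "webRequest", "webRequestBlocking",
               "cookies", "tabs", "webNavigation"}


def audit_prefs(prefs: dict) -> list:
    """Return (kind, extension_id, detail) tuples; an empty list means nothing flagged."""
    ext = prefs.get("extensions", {})
    findings = []
    if ext.get("ui", {}).get("developer_mode"):
        findings.append(("developer_mode", None, "developer mode is enabled"))
    for ext_id, s in ext.get("settings", {}).items():
        manifest = s.get("manifest", {})
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        if s.get("location") == UNPACKED:          # loaded from a folder, needs developer mode
            findings.append(("unpacked", ext_id, f"loaded unpacked from {s.get('path')}"))
        elif not s.get("from_webstore", False):    # installed by some path other than the store
            findings.append(("sideloaded", ext_id, "not installed from the Web Store"))
        risky = sorted(perms & RISKY_PERMS)
        if risky:
            findings.append(("risky_permissions", ext_id, ", ".join(risky)))
    return findings


# Constructed sample: one Web Store extension and one unpacked extension dropped in Temp.
SAMPLE_PREFS = json.loads(r'''{"extensions": {"ui": {"developer_mode": true}, "settings": {
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"location": 1, "from_webstore": true,
      "manifest": {"name": "Store Notes", "permissions": ["storage"]}},
  "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"location": 4, "from_webstore": false,
      "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\zombie_ext",
      "manifest": {"name": "Update Helper", "permissions": ["<all_urls>", "webRequest", "cookies"]}}
}}}''')


def audit_sample() -> list:
    """Run the audit over the constructed sample (three findings expected)."""
    return audit_prefs(SAMPLE_PREFS)


if __name__ == "__main__":
    for kind, ext_id, detail in audit_sample():
        print(f"{kind:18} {ext_id or '-':32} {detail}")
```

To run it against a real profile, replace SAMPLE_PREFS with json.load() of the profile's Preferences (or Secure Preferences) file while the browser is closed.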
  15. mekelek

    mekelek Registered Member

    Kaspersky disables everything as well.
     
  16. itman

    itman Registered Member

    Mozilla has an in depth tech article on Firefox developer mode here: https://developer.mozilla.org/en-US/docs/Archive/B2G_OS/Developer_Mode .

    The main thing to glean from this article is first, it is "God mode" for all practical purposes as to what can be done by the browser. The next thing to note is that it is not easy to activate developer mode except for one deprecated feature - WebIDE. Assumed this feature is what is being exploited by Meterpreter. Thankfully, it appears the WebIDE feature should be removed from Firefox and retired shortly.

    -EDIT- If WebIDE is activated from Firefox, it will create an .exe in the current User Temp folder. Assumed is that everyone is blocking any exec's running from that directory.
     
    Last edited: Sep 11, 2019