Beta browser test - Too harsh? Too mild?

Discussion in 'other security issues & news' started by Bill Stout, Oct 17, 2006.

Thread Status:
Not open for further replies.
  1. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    Hi Chris,

    I had updated the test and had an error in the reporting side of the script. It's fixed now.

    Bill
     
  2. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Thanks Bill! I thought it was strange but wanted to make sure since GB seems to protect me from everything else I throw at it.

    Thanks,

    Chris
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Bill, what passwords will it reveal from my system, and are these passwords conveyed to your site?
    I don't know how I can run this test on my PC, as if I fail that means all of my passwords must be changed then!
     
  4. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    That was a separate module, and a different .hta file.

    Bubba removed the link to that test because the method I used to download the password file triggered a McAfee alert. That separate test was meant to test protected storage exposure to items launched from the browser. It downloads and executes 'password revealer' (a known hack tool) as L.exe, and writes a password file to the startup menu. By default the OS saves the exe to system32, and to prefetch (the script does not do that).

    The test was interesting because the download and the execute get past most AVs, and detection and quarantine of a hack tool exe on disk usually occurs after the file has already executed.
     
    Last edited: Oct 20, 2006
  5. Devil's Advocate

    Devil's Advocate Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    549
    For those of you who pass easily, please tell me how you did it!!!!!

    I failed all of them and I'm panicking.....
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,
    No you're not.
    Mrk
     
  7. steely

    steely Registered Member

    Joined:
    Aug 24, 2006
    Posts:
    12
    Hi Bill,

    IE6 mime sniffing feature just blocks this test outright.
     
  8. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    LOL..
     
  9. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    Thanks, that gave me a clue to why Firefox opens it as mime type text. On the server side I've added a line in the Apache configuration file 'mime.types':

    Code:
    application/hta   hta
    Now Firefox will save to disk instead of display it as text, and leave it up to the user what to do next.
     
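The server-side fix above works because Apache picks the Content-Type from the extension-to-type table in mime.types, and Apache 2.0/2.2 fell back to DefaultType (text/plain unless changed) for any extension not listed, which is why Firefox rendered the .hta as text. The following Python is an added example, not code from the thread: it parses a constructed mime.types-style excerpt (not the real file) and resolves the type for test.hta before and after the `application/hta hta` entry is added (written without quotes in the file), modelling both the 2.2 text/plain fallback and the 2.4 behaviour of sending no Content-Type for an unmapped extension. Note, as steely's post above shows, that IE's MIME sniffing inspects the content itself, so the header alone does not decide how IE handles the file.

```python
"""Resolve the Content-Type Apache 2.x sends for a file from a mime.types-style table (added example)."""
import os
from typing import Dict, Optional

# Constructed excerpt in the format of Apache's conf/mime.types: one media type
# per line followed by its extensions; '#' starts a comment. Not the real file.
MIME_TYPES_BEFORE = """\
# MIME type                     Extensions
text/html                       html htm
text/plain                      txt asc
application/octet-stream        bin exe
"""
# The entry Bill added, as it appears in mime.types (no quotes in the file).
MIME_TYPES_AFTER = MIME_TYPES_BEFORE + "application/hta                 hta\n"

# Apache 2.0/2.2 served unmapped extensions as 'DefaultType', text/plain unless
# changed. Apache 2.4 dropped DefaultType and sends no Content-Type at all for
# an unmapped extension (modelled here as None).
DEFAULT_TYPE_22: Optional[str] = "text/plain"
DEFAULT_TYPE_24: Optional[str] = None


def parse_mime_types(text: str) -> Dict[str, str]:
    """Map lower-cased extension -> media type, ignoring comments and blank lines."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        media_type, *extensions = line.split()
        for ext in extensions:
            table[ext.lower()] = media_type
    return table


def content_type_for(filename: str, table: Dict[str, str],
                     default: Optional[str]) -> Optional[str]:
    """Content-Type for filename: by extension (case-insensitive), else the server default."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return table.get(ext, default)


if __name__ == "__main__":
    for label, text in (("before", MIME_TYPES_BEFORE), ("after", MIME_TYPES_AFTER)):
        table = parse_mime_types(text)
        print(label, "2.2:", content_type_for("test.hta", table, DEFAULT_TYPE_22),
              "2.4:", content_type_for("test.hta", table, DEFAULT_TYPE_24))
```

Once the entry is in place, a HEAD request against the server (for example `curl -I`) should show `Content-Type: application/hta` for the test file; if it still shows text/plain, the server was not restarted or a `AddType`/`ForceType` elsewhere in the configuration is overriding the table.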
  10. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    @steely
    How to do that?
    Thx
     
  11. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    479
    PMSL. You are a comedy genius :D
     
  12. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Heh. BLAST from the past! I can't BELIEVE Mickeysoft reopened this same, tired old hole. :(

    Quite an amusing dog and pony show we have here - as quaint as "we know where you've been" using javascript to display history or cookies followed by the "now BUY our mud or we're telling the FEDS where you been, suckah!" =)

    Since Muf mentioned that BOClean failed, I'm here "hat in hand" to plead stupid. Heh. What we've got here is an HTA script along with the download of a "legitimate admin tool" called "Passview" from a former trojan author known as "Nirsoft." Admins DO use it legitimately to find lost passwords and because the screen for this particular tool refuses to "hide" we didn't cover the downloaded proggie because it has no value to the "skiddies." However, because of customer complaints received in the past several hours based on this thread, we just did an update for BOClean which you might want to collect if you didn't already as a result of some serious new nasties, so we tacked the detect for the "password.exe" dropped by this "test" as well.

    Now ... as to the actual "test" ... there's a problem here which makes it part of the "antivirus realm" as far as detecting and is something that BOClean will not ... the HTA script uses a thing called "MSHTA" which is part of the operating system. The trojan, as is customary these days *IS* Microsoft. Be happy to whack it as some might expect, but "control panel" won't work anymore if we were to biff the actual trojan. MSHTA is what runs (and can't be killed without peasants with torches in my face) and the script is run directly by the IE browser which invokes it directly. Like I said, be happy to biff the ACTUAL trojan but I have this thing about stab wounds. :)

    The problem is that "firewalls" and "antivirus file hooks" already have their mitts in the browser "input stream" and there's a serious risk to "too many cooks" when it comes to hooking IE. If there's too many hands in there, then things WILL slip by and thus, by our design, we don't put our hooks in there. And since people have a tendency to install dozens of conflicting programs which literally fight each other and let the bad guys past, this is POLICY here *not* to step into other software's arguments and just stand our own ground in our own unique way so it don't get past *US* too. If an executable of any sort falls into the file system, that's STILL the domain of file scanners - BOClean's there to stop something when it actually goes to run. So as far as the HTA file, we're not going to see it because it is passed directly between two LEGITIMATE and "trusted" applications. No malware there despite my own opinions of both.

    Back in 2001 when HTA was first exploited, we released a freebie called HTASTOP (google it and be amused) ... in 2003, instead of FIXING the problem, Microsoft (as usual) FORCED people to use it and LIVE with the consequences of this piece of qwap. Forced us to redo the freebie owing to complaints ... But the stoppage of HTA is still in our IEClean product, but not in BOClean.

    https://www.wilderssecurity.com/showthread.php?t=11988

    And by 2004, Microsoft FIXED the "hidden run" of MSHTA ... apparently like so many OTHER of their bandaids, they broke the patch somewhere. This little ditty sure does explain why the sheer volume of nasties we see on a daily basis just keeps multiplying exponentially. :(

    Anyhoo, when Microsoft fixed it, there was no longer a need for HTASTOP so we took it down. But like everything Microsoft security-wise, download a bandaid, watch zombies walk again. SASSER is back too since the last bandaid and we're seeing NETSKIES again as well! :(

    Simtel used to host the file, but that's a 404 as well. I did find this list of mirrors and a few still have HTASTOP for you to download, it was always one of our freebies and it WILL stop this puppy cold if you apply it. Only difference between then and now is that you'll need to hold onto the file rather than deleting it once you've safetied yourself because XPee and Vista and 2000 all need that HTA qwap for control panel and heaven knows what else. But at least it'll keep you safe while browsing and testing, turn HTA back on when you need it, turn it right back off and don't open control panel while you're online. (grin)

    Grab HTASTOP here and try the test:

    http://www.nsclean.com/htastop.html

    And BOClean takes care of the "dropped trojan" without HTASTOP. Boy am *I* even more excited about Blista (and yes, MSHTA works in Blista too and IT fails the test despite its ability to kill Process Guard and all the AV's) ... yep, from all we've seen of Blista, it's back to Win95 in THIS house except for the lab rats. THEY die for YOUR sins. Heh.

    Just threw the remains of the old documentation page up on our site in case anyone comes to visit and read it - be aware that a bunch of graphics are missing (program graphics are OK though) on the page but all the pertinent information is there at least. We scrapped this proggie back in 2004 because Microsoft *had* fixed it ... but then again, how long do holes really remain fixed in Winders with each and every new bandaid? :(

    Old hole, old FIX! GEEZ! Have at it with our compliments ... I'm just saddened that "Vista" is the same bad old code, with bigger holes, and HERE WE GO AGAIN.
     
    Last edited: Oct 21, 2006
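The chain Bill describes in post 4 (browser, then the HTA, then the downloaded L.exe) and the point Kevin makes above, that mshta.exe is a trusted OS binary handed the script directly by the browser so file-scanning hooks never see the HTA, is why the useful telemetry here is the process tree rather than the file. The following Python is an added example, not code from the thread or from any of the products discussed: it walks constructed Sysmon-style process-creation records (pid, parent pid, image path, command line; every value made up for illustration) and flags mshta.exe launched by a browser, any process descended from such an mshta.exe, and an HTA loaded from a user-writable location. The browser name set and the path fragments are assumptions to be tuned to the environment; an mshta.exe started by Explorer on a system path, the kind of legitimate use Kevin mentions, is included to show it is not flagged.

```python
"""Process-tree detection for an HTA launched from a browser (added example)."""
import os
from typing import Dict, List, Tuple

# (pid, parent_pid, image_path, command_line) in the style of a Sysmon
# Event ID 1 record. Constructed values for illustration only.
Event = Tuple[int, int, str, str]

SAMPLE_EVENTS: List[Event] = [
    (700,  4,    r"C:\Windows\explorer.exe", "explorer.exe"),
    (1000, 700,  r"C:\Program Files\Internet Explorer\iexplore.exe",
                 "iexplore.exe http://example.invalid/test.html"),
    (2000, 1000, r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Users\alice\Local Settings\Temp\test.hta"),
    (2100, 2000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c L.exe"),
    (2200, 2000, r"C:\Windows\System32\rundll32.exe", "rundll32.exe"),
    (2300, 2100, r"C:\Windows\System32\L.exe", "L.exe"),
    # Legitimate-looking HTA use: mshta.exe started by Explorer on a system path.
    (3000, 700,  r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Windows\System32\example.hta"),
    (3100, 700,  r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

# Assumed name set and path fragments; extend for the browsers and
# user-writable locations in your own estate.
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
USER_WRITABLE_FRAGMENTS = ("\\temp\\", "\\downloads\\", "\\appdata\\",
                           "\\temporary internet files\\")


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def ancestry(pid: int, parents: Dict[int, int], images: Dict[int, str]) -> List[str]:
    """Image names from pid upwards to the oldest ancestor we hold a record for."""
    chain, seen = [], set()
    while pid in images and pid not in seen:
        seen.add(pid)
        chain.append(images[pid])
        pid = parents[pid]
    return chain


def detect(events: List[Event]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for every process that trips at least one rule."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    images = {pid: image_name(img) for pid, _, img, _ in events}
    cmdlines = {pid: cmd.lower() for pid, _, _, cmd in events}
    findings: Dict[int, List[str]] = {}

    for pid in images:
        chain = ancestry(pid, parents, images)
        reasons: List[str] = []
        # Rule 1: the HTA host itself, started directly by a browser.
        if chain[0] == "mshta.exe" and len(chain) > 1 and chain[1] in BROWSERS:
            reasons.append("mshta-from-browser")
        # Rule 2: anything below a browser-spawned mshta.exe (cmd.exe,
        # rundll32.exe, the dropped L.exe). Allow-list known-good children
        # here if the environment legitimately serves HTAs over the web.
        for i in range(1, len(chain) - 1):
            if chain[i] == "mshta.exe" and chain[i + 1] in BROWSERS:
                reasons.append("descendant-of-web-mshta")
                break
        # Rule 3: HTA loaded from a user-writable location, whoever started it.
        if chain[0] == "mshta.exe" and any(f in cmdlines[pid] for f in USER_WRITABLE_FRAGMENTS):
            reasons.append("hta-from-user-writable-path")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(reasons))
```

Rule 3 is the one that survives a browser the rule set does not know about: the web-delivered HTA always lands in a cache or temp directory before mshta.exe opens it, while the HTAs the OS itself uses live under the Windows directory.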
  13. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    ROFL :D
    Gotta love that guy. Technical wiz, software god and stand-up comedian.
    There are more juicy one-liners in there than a whole book by SJP.
    Thank you NSC.

    So no recent job offers from MS then?
     
    Last edited: Oct 21, 2006
  14. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    [Saturday morning goofy hat on]

    Hopefully Nancy will be along shortly to translate Kevin's wonderful cryptic explanation :blink: :D

    [Saturday morning goofy hat off]
     
  15. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Heh. Guess I was too busy pithing and moaning about Blista ... way I sum that swine up is "Microsoft goes to Tijuana." Tijuana was the home to the fabled "bride of the burro" show ... and it was legendary indeed. Woman, mule, tickets for sale. And its legend preceded it. Everybody KNEW that if you went to see this bogus show, you were going to get stabbed and robbed. And YET, the line went around the block and halfway through San Diego anyway because they just *HAD* to have THIS. Same for Blista. :)

    As to this "test," for anyone who got a tummyache from the results, download the HTASTOP and go back for a test. DIFFERENT results. For those who have BOClean, yawn and a half. But HTASTOP will do if'n yer a cheapskate. Heh.
     
  16. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Hiya,

    :rolleyes:
    {translator's headphone on....test test.... :shifty: }

    Exploit released that allowed malware to execute through HTA script.:mad:

    HTAStop released.:D

    Microsoft patched HTA script.:eek:

    HTAStop then became meaningless, and interest in it withered away like so much other freeware.:doubt:

    Somewhere in all those following patches, for one reason or another, Microsoft UNdid the patch they wrote for the HTA exploit.o_O

    HTAStop is meaningful again. Get it, it's free.:D

    {headphones off, screeching feedback:gack: , mic off....click.....}
     
    Last edited: Oct 21, 2006
  17. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    still lmao
    Along with the technical wizardry and the utility you didn't even know you might need!
    Greatest double act since Gracie and George.
    Long may they reign.
     
  18. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Wow, I took the test with IE7. I got a popup from IE asking whether or not I wanted to run the .hta (I clicked yes for kicks, even though I would never do it except for the test). Then, SSM came up and asked me if I wanted IE to run rundll32.exe; I clicked permit once just for kicks. Then, because I used HTAstop.exe, Windows couldn't run the file. I had to friggin do back flips to even allow the stupid thing to attempt to run. Pretty funny actually. So that is props for SSM and for HTAstop (and yes I am a cheapskate :D). Nice work.

    Alphalutra1
     
  19. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    :)

    I'm glad you guys spend the time to add additional security products. The typical consumer and enterprise is happy to add AntiVirus and AntiSpyware and call it a day. Therefore they're exposed.

    Again this is the simplest, most open (code) and basic set of tests to see if system resources could be modified or changed. I would hope it is easy to block it.
     
    Last edited: Oct 21, 2006
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I failed 2 tests, but it needed the Command Prompt for performing all these tricks right? Of course SSM could block everything. And hta files are also normally not allowed to run on my system. So I guess in a real life "drive by" attack I would not have any trouble.

    About the test, I think it needs to be improved, it should give more feedback during the scan, I had no idea what to do with the HTA file (after running it), and I did not get an indication which test it was currently performing. :rolleyes:
     
    Last edited: Oct 21, 2006
  21. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Anyone want to help on how to get 5/5 ?
     
  22. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,234
    Location:
    Mass., USA
    Following (per previous post) worked for me:
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well you can probably get 5 out of 5 if you do not allow CMD.exe to run, but if you can pass all the tests by running your browser in non-admin mode it would be really nice. I probably failed 2 tests because I was running in admin mode on my virtual machine.

    Edit:

    I was right, I've just done the test on my real machine and I passed all the tests. :)
     
  24. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi

    BobD and Rasheed187 - Thanks for that :)
     
  25. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    Hey Kevin,

    Here's another blast from the past: buffer overflow at the command line, on fully patched XP SP2. (Credit to Gregory Panakkal, Vuln-Dev list, Oct 19, 2006)

    Code:
    c:\> %comspec% /k "dir \\?\<insert 260 characters here>"
    e.g.;
    
    %comspec% /k "dir \\?\AbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyzAbcdefghijklmnopqrstuvwxyz"
    Triple-click on the last line, and paste it into a DOS window. It should bring up a D.E.P. warning. The impact of this buffer overflow is that a user with administrative privileges could write to memory belonging to other applications, since the administrator is a privileged account. A non-administrative user would only be able to write to memory belonging to that process. Just an FYI, since this is an entry point for fairly harsh malcode.
     
    Last edited: Oct 22, 2006