New Leaktest / Security Tool Released - System Shutdown Simulator

Dear Wilders Community,

As mentioned before I have discovered a simple design issue in Windows that can circumvent the protection of some security software today.

This security tool / leaktest is called System Shutdown Simulator (self-explanatory). It is available for download here:

http://www.geocities.com/zeroday_software/

This leaktest highlights a new vulnerability that exists when a user shuts down their computer and a program cancels the shutdown. For example, when installing new software, the installation program often asks the user to restart their computer to complete the installation. When the user allows the computer to be restarted, the installation program could potentially compromise the user's computer completely undetected by security software as these have already shutdown.

A selection of Security Vendors were notified on the 12/11/07 (list kindly supplied by gkweb of firewallleaktester.com). SySafety was contacted earlier however, on the 10/11/07.

A response has been received from SoftSphere Technologies (DefenseWall HIPS), SySafety (SSM) and Tall Emu (Online Armor).

If you have any issues please contact me at: zeroday_software@yahoo.com
The latest release is 1.0.20

 

I don't suppose your tool is been submitted to EQSecurity yet. It sure would do them some good to review their HIPS vulnerability to it so that they might make the neccessary adjustments to protect against it.

Thanks for your interest and research in this.

 

No, haven't notified EQSecurity.

Does anyone know their email address?

 

my mistake....
i misunderstood the leaktest!

 

alfa1, I think you are suposed to shutdown manually from the start menu, not click the shutdown button in the leaktest.

 

I had it as an either/or

For those interested, SafeSpace passes the Auto Start Registry Key test when the SSS is run in SafeSpace. Well, thats how I'm reading it

 

you are wrong...

EDIT:
sorry again...

 

The windows says "or". However I think that check if your security can intercept a shutdown is not the idea. The idea is check if your security doesn't close too early in a shutdown, leaving the computer unprotected against any application that can cancel the shutdown and deliver a malicious payload.

From SSS:

 

alfa1, u did not understand the test. U need to allow shutdown and then use step 3 to test ur HIPS( PS).

 

he/she isn't wrong exactly ....it is either/or

 

It can be either way but u need to allow shutdown prompt by ur HIPS to use the actual leaktest( Step3).

 

ok, i'm very sorry for my mistake...

I'will try again...

 

Vert smart Leaktest indeed.

I tested my system:

1- GesWall- Passed - Eicar test file was isolated and autostart reg enetry was virtualized.

2- NeovaGuard - Intercepted autostart reg entery creation( I got a skinless prompt as GUI was already terminated). Passed

NG however did not intercepted oubound ping as I think its network monitoring componenet has no such filter. Also NG has no file protection so it,s not supposed to intercept Eicar test file creation.

3- EQSecure- totally failed. It intercepted creation of neither Eicar test file nor autostart reg entery.

I did not check Antivir as I am not using it in real time, may try later.

 

No problems. Test is really confusing and tricky but very nice indeed.

 

@aigle

you are using geswall 2.7 beta right? did you try it vs the shutdown attempt. because i still use 2.6 and it failed the shutdown part of the test.

edit : geswall stops the machine from being restarted BUT all the program icons near the system clock disappear. even with them gone, geswall still stopped the program from creating a registry entry and the eicar file was indeed created isolated. i just don't get where my icons went

 

ok....

now i can show you the last pic (sorry again....):

 

zopzop! i am using 2.7 beta. Test is not about shutdown indeed. Test even doesn,t shutdown ur system completely. It just shutdown the system to the extent that all security software are turned off( Step 1 and 2). It,s at that time that the leaktest simlates some malicious actions( Step3).

Step 2 shutdown is not the real test. It,s my understanding of the test.

Indeed if some HIPS somehow will not allow step 2( partial system shutdown), there is no way to test that HIPS against this leaktest. Correct me if I am wrong.

 

What about file creation and outbound ping? PS has file protection and network access modules as I know.

 

Hi zopzop

The tray icons disappearing are part of the test as I understand it.

Like a fake shutdown but in reality it should close the GUI and you should see the service running in Task Manager.

This I can confirm with Online Armor and SafeSpace. You will find Returnil shut down completely but no major issue as it will reboot with no changes assuming you were in Session Lock.

Need to check again now I can find Eicar file whether it is in fact running in SafeSpace.

 

ah i get it now then i can confirm geswall 2.6 passes this test, since the registry entry was virtualized and eicar file was isolated.

 

Anyone tried:

DefenceWall
ThreatFire

 

Thanks

 

Hi

Like Geswall, SafeSpace isolates Eicar file when SSS run in SafeSpace so I guess thats a pass as well

 

Hello,

I'm mirroring the file, with dmenace's agreement :
http://www.firewallleaktester.com/mirror/zeroday_software/sss.htm

Regards,
gkweb.