a test

Discussion in 'other anti-malware software' started by a256886572008, Jun 25, 2008.

Thread Status:
Not open for further replies.
  1. a256886572008

    a256886572008 Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    103
    Test your HIPS or AV

    According to your analysis, decide whether it does harm to PC?

    :D

    Removed links Peter2150
     
    Last edited by a moderator: Jun 25, 2008
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Why do I not want to click on either of those links? :eek:
     
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yup, I'm also scared... but I'll do it anyways
     
  4. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Downloaded kd.exe
    Ran it sandboxed.
    It crashed.
    Done.

    sudo reboot, so Returnil can take care if anything else happened.

    EDIT: let's see what VirusTotal has to say first ----> 0/33
    What does this thing do?
     
  5. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Any more info on this here test?
    What does it try to do?
     
    Last edited by a moderator: Jun 25, 2008
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Please do not post live links of this nature.

    Pete
     
  7. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    The first one was stopped by my download manager, so if that was the test it was not much of one.

    VT says it's clean, so I guess it's some kind of test app.

    The second link did nothing. No exploit, no download, no nothing, just a regular page for me.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    First link: It wasn't remote code execution - he wanted you to dl and run it to see what your HIPS would do.

    The second link had the executable in a zip file.

    Neither suitable in a forum where the general public is probably not set up to test.

    About VT showing clean: I won't post since it's against TOS, but in the first 20 hours of the .wmf exploit from 2005, no one picked it up.
     
  9. HyperFlow

    HyperFlow Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    115
    I just had to try it out. Comodo D+ stopped it ;)
     

  10. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Exploits yes, but 0/33 exes don't happen much at all.

    Even clean files get a heu or two usually.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Where was kd.exe when comodo D+ stopped it?
     
  12. HyperFlow

    HyperFlow Registered Member

    Joined:
    Mar 21, 2008
    Posts:
    115
    Comodo D+ stopped it as soon as it tried to run.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    What does the message "kd.exe could not be recognized" mean? Does Comodo use a White List of executables already on the computer?
     
  14. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    It is the same crash popup I got when I ran it sandboxed.
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I see what you mean. With the unionseek.com exploit, the .wmf file was not flagged,
    but the payload executable was a trojan recognized by 4/14 at Jotti.

    Here is another one from about that time, where one of the executables downloaded by the dropper
    was not caught by any at Jotti but flagged as suspicious (I didn't use VT at the time):

    http://www.urs2.net/rsj/computing/tests/wallpapers4u

    Back to this kd.exe -- Since this is a file from a non-trusted source, in normal situations, I wouldn't even bother scanning it!
    I just wouldn't run it period.

    ----
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    No. It means it's not on the whitelist supplied by Comodo.
     
  17. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

    I have personally tested kd.exe against DefenseWall (DW) and can happily report that DW successfully blocks and contains it. I have posted my DW event log below in quotes.

    "Attempt to read directly from the disk \Device\Harddisk0\DR0"


    Peace & Gratitude,

    CogitoErgoSum
     
  18. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Anyone playing with the kd.exe sample, be advised it is an MBR killer if it goes live :eek:

    RC and fix mbr command for anyone who gets into trouble :thumb:
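
A read-only sanity check for a saved copy of sector 0, added here as an example (it is not part of the thread or any poster's code): it inspects the classic MBR layout to tell whether the boot signature and partition table survived. It assumes the first 512 bytes of the disk have already been captured to a buffer; the sample sectors and all function names are constructed for the demonstration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446        # four 16-byte partition entries start here
SIGNATURE = b"\x55\xaa"   # boot signature at offsets 510-511
ENTRY = "<B3xB3xII"       # status, (CHS), type, (CHS), start LBA, sector count


def parse_entries(sector):
    """Decode the four table entries as (index, status, type, lba, count)."""
    return [(i,) + struct.unpack_from(ENTRY, sector, TABLE_OFFSET + 16 * i)
            for i in range(4)]


def check_mbr(sector):
    """Return a list of findings; an empty list means the layout looks sane."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    if len(set(sector)) == 1:
        return ["sector filled with byte 0x%02x (overwritten)" % sector[0]]
    findings = []
    if sector[510:512] != SIGNATURE:
        findings.append("boot signature 55 AA missing")
    if not any(sector[:TABLE_OFFSET]):
        findings.append("boot code area is empty")
    used = [e for e in parse_entries(sector) if e[2] != 0]
    if not used:
        findings.append("partition table has no entries")
    for index, status, _ptype, _lba, count in used:
        if status not in (0x00, 0x80):
            findings.append("entry %d: invalid status 0x%02x" % (index, status))
        if count == 0:
            findings.append("entry %d: zero-length partition" % index)
    return findings


def build_sample(entry=None, signature=SIGNATURE):
    """Constructed 512-byte sector for the demonstration, not a real disk."""
    sector = bytearray(SECTOR_SIZE)
    sector[:5] = b"\xfa\x33\xc0\x8e\xd0"  # placeholder standing in for boot code
    if entry:
        sector[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(ENTRY, *entry)
    sector[510:512] = signature
    return bytes(sector)


HEALTHY = build_sample(entry=(0x80, 0x07, 63, 1000000))
WIPED = bytes(SECTOR_SIZE)       # a zeroed sector 0
TABLE_GONE = build_sample()      # signature kept, partition table zeroed

if __name__ == "__main__":
    for name, s in (("healthy", HEALTHY), ("wiped", WIPED), ("table gone", TABLE_GONE)):
        print(name, "->", check_mbr(s) or "looks sane")
```

On a GPT disk the protective MBR can legitimately have an empty boot code area, so that finding matters mainly for classic MBR boot disks.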
     
  19. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    :eek: :eek: :eek:
    I'm glad the combination of SBIE and Returnil stopped any harm.

    Is this actual malware or just a PoC?

    Where did you get this info?
    Where can we know more about this exe?
     
  20. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    I have seen it reported at a closed research forum by one of the resident experts there. Threat sample was gained c/o the following topic @ Kaspersky forums >>>
    http://forum.kaspersky.com/index.php?s=&showtopic=74536&view=findpost&p=682280

    Kaspersky are flagging the file as Trojan.Win32.Small.bgo
    Rising = Harm.Win32.KillMBR.a

    Just to make sure whether same sample>>>
    Additional information
    File size: 40960 bytes
    MD5...: cf583f75125d50dd0cab5a7f09fa5a2c

    I would flag it as malware not PoC since it doesn't self heal after doing its function.
     
    Last edited: Jun 27, 2008
  21. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Sadly I deleted the file as soon as I tested it, so I can't check the MD5
     