A wakeup call ?

Discussion in 'other security issues & news' started by egghead, Apr 26, 2006.

Thread Status:
Not open for further replies.
  1. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    Last edited: Apr 26, 2006
  2. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    I don't understand. Is this just a test of ones security? Or is this a program? And if so, is this program supposed to replace all security programs: AV, PF, AS etc.? And it's free. Any answers? Thanks.
     
  3. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    ZAPJB,

    GESWall is a progam.The demo is a test. I did not install GESWall but ran the demo to see how my apps handled the attacks.

    The demo is a simulation of intrusion attacks, virus and mal-ware activity, including:

    * Information Disclosure attacks, copying confidential files
    * Infecting executables
    * Deleting documents
    * Code injection
    * Sending control keystrokes to windows (shatter attacks)
    * Process termination through implicit context of WMI service
    * Installing a backdoor attacks
     
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    ZAP zapped it straight away.:)
     
  5. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Script Defender intercepted it and i then allowed it, but as i have disabled VBScript of course it wouldn't run anyway. I might try later after Rebooting with VBS enabled and see what happens.


    StevieO
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    I tried it on a XP SP2 station running only DefenseWall 1.4 and Jetico firewall, in Shadow mode.

    I put cmd into DefenseWall untrusted alongside the usual default set.
    I did first execute the script, which is 99.99% of malware.
    Then,
    Jetico prompted about the ftp attempt, I disallowed.
    Prevented some of the payload downloading and executing.
    Consequently, the only exploit that worked was to delete some files from My Documents - which is empty anyway and no place to keep files anyhow.
    The replacement of notepad with calc did not work, the backdoor thingie did not work etc. And the rest did not work, I don't remember by heart now.
    On the fly, I did not go into details what stopped what and where. I assume that DefenseWall did the trick, and most likely more of the propagation was prevented by using the firewall.

    The crucial question everyone should ask themselves is: how come they got a malware exe on their computer and how come they execute it? Furthermore, it is also possible to use anti-virus and anti-trojan tools to check the payload.

    Without wasting too much money:
    It's possible to use drweb link checker before even downloading the file.
    Once downloaded, ewido and clam, both on demand, taking no resources. If you really wanna get fancy, avg / avast / bitdefender offer a nice helpful arsenal.

    Mrk


    --------------

    P.S.

    Dr.Web discovers VBS.Psyme.204 exploit in the link even before the dl ...
     
    Last edited: Apr 26, 2006
  7. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi Mrk,

    Any particular reason not to keep files in My Documents?
    Is it just that it is the default folder name and so more of a target?
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    First, yes default folder and better target.
    Second, if your OS gets screwed and you must reinstall, everything inside it gets screwed too.
    Third, do you know the path to My Documents? For instance can you access it from another computer easily?
    You can safely live without it.
    And if you really need My Documents, make a folder eg F:\My Documents or F:\My Docs or something.
    Mrk
     
  9. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Yes, it safely resides on separate drives (RAID 1 array) from the OS and is regularly backed up to offsite drives. It's one of the first things I do after installing OS.
    Well that's a problem because with RAID you pretty much need to use the same RAID controller to access the data. RAID 1 might be a little more forgiving than RAID 0 (you could possibly break the array into individual drives on the other RAID controller) but I haven't actually tried that out yet.

    Thanks
     
  10. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    What happens if you add My docs to DW "secured files"? Does that protection work?

    Edit:

    Tried to open it - Antivir protested.

    Saved and ran in DW untrusted:

    - Antivir protested all the time.

    Result;
    "Intrusion simulation ... attackers remote shell has been started.
    Macinename COMPAQ
    Running on behalf of COMPAQ\AT account
    Administrative rights
    Current directory: C:\documents and settings\AT

    Download tool files from ftp server ..gswtest.dll is not downloaded, probably ftp server is too busy, pls try again later part of demo function are disabled.

    Information disclosure attacks
    -Copy "My documents\confidential" .. Failed

    Modify/Delete Attacks
    -Administrative rights, infect notepad.exe virus (replace by calc.exe)
    o Disable Window file protection .. Success
    o Replace Motepad.exe .. Failed
    -Delete (rename) files in ¤My Documents"
    No files in C:\Documents and Settings\AT\My documents
    - Sending windows keystrokes messages to delete documents .. Success
    -Terminating Windows Explorer process .. Failed

    Install a Backdoors Attacks
    -Installing a command shell backdoor
    o Setting autorun link to backdoor in registry .. Failed
    o Creating Startup menu shortcut to backdoor .. Failed

    C:\Documents and settings\AT"


    I cant analyze this so if anyone feels up to it... I will post at DW forum also to see what Ilya says.

    cmd.exe showed in DW untrusted - as it should.

    The files and tracks entry (1) - I Rolled it back. DW hangs - has happened before but I thought it was fixed - still a bug somewhere. Have a feeling it has to do with trying to rollback the latest(top) entry.

    Some startup icons dissapeared also after forced reboot but the programs are in the taskmanager so I suppose they work.


    Best Regards
     
    Last edited: Apr 26, 2006
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    Why is topic in this section? "Other Security issues" seems like a more appropriate place, don´t you all agree? o_O

    But anyway, I don´t understand a couple of things about this test, even when it seems to fail to perform certain things, it still claims that it succeeded. But so far ZA Pro and Neoava Guard seem to stop most of the actions, strangely KIS and Prevx1 didn´t perform too well, they were only able to block the startup entry. :rolleyes:

    And btw, on my machine CMD.EXE and Windows Scripting Host are both disabled (don´t need them) so they can (hopefully) not be used in attacks.
     
  12. EASTER.2010

    EASTER.2010 Guest

    Rather useless test seeing as Script Sentry prevents it in the first place.

    I selected allowed and still was told INVALID PARAMETERS.

    We need some real tests not old hat vbs scripts IMO
     
Loading...
Thread Status:
Not open for further replies.