Beta browser test - Too harsh? Too mild?

Discussion in 'other security issues & news' started by Bill Stout, Oct 17, 2006.

Thread Status:
Not open for further replies.
  1. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    Dror Shalev and I have built a browser test page, and I am looking to roll this out as a consumer browser test page. The target audience is non-technical users. This was a challenge because what's technically cool is boring to non-techies. And what's cool to non-techies is lame to techies. But before I roll it out and apply a few updates, I want to get feedback from this knowledgeable group.

    The animation needs updating (waiting on my consultant for that), so the test doesn't do as much as the animation displays.

    There are currently five checks which the test performs:
    1. Attempts to steal confidential files from My Documents (Javascript copy of files to a desktop folder)
    2. Simulates installing a keylogger (writes a blank space to the registry run key)
    3. Searches files for 'pass' (searches inside confidential files for text)
    4. Attempts to reveal passwords from protected storage (currently disabled since I need to hide parts of the password)
    5. Attempts to open disk manager via System Call (Could be any system call with parameters like 'delete volume')
    There's much more I planned to have online by now, but I had to remove a 0day (fixed by MS patch last night) and other tests which were too intrusive, and tests which appear to work in a virtual environment (attacks spoofed resources).

    The scan is located here: http://www.greenborder.com/scan

    The engine of the scan is JavaScript and WScript run in an .hta; any HIDS should protect the system against files launched from a browser.

    Please let me know what you think.

    Thanks,
    Bill
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    I guess this is directed at IE users?
    Mrk
     
  3. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    That's me:
    FF does nothing (get text file with code visible) with scripts allowed or not
    IE tries to dl the same file

    heh: not idiot proof enough for me :blink:
    or is that a "pass" by mistake?
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Running the file is a prerequisite before the test can even start.

    from the link Bill@Greenborder placed above:
    For some IE users the instructions need to say "Run" instead of "Ok"....especially since it is geared toward non-techies\less knowledgeable....some of whom need to have exact instructions.

    Bubba
     
  5. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Test seems fine to me Bill. Of course using GreenBorder I passed :)

    Thanks,

    Chris
     
  6. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    Good feedback guys.

    At one time I had the start button grayed out until the checkmark was selected, but our web gui guys wanted an image there. I'll have to talk to them about that.
     
  7. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Just for info. I ran the test 4 times without making any changes to my browser settings. Each time I failed the Spying on Keystrokes and twice I failed the Stealing Files. Even when it reckoned I had passed the Stealing Files, the Stolen Files folder appeared on my desktop. So I failed but it said I had passed.
     
  8. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    All I do when I run the test is see the source code. This is with Opera 9, nothing disabled. Same thing happens on both Linux and Windows. So it is definitely too mild here (edit: my bad, I didn't notice it was for IE only, sorry)

    Cheers,
    Alphalutra1
     
    Last edited: Oct 18, 2006
  9. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Very interesting.
    IE passed all (running, as always, under DropMyRights).
    Failed ALL except "Steal Passwords" running w/o DMR.
    So it's true what they say about running browsers with Admin privileges!
    Thanx Bill
     
  10. GS2

    GS2 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    42
    Just one little 'bug' Bill. If you do not select the tick box
    and click on the green 'start' button, after the warning appears which reminds one to check the box, this box disappears:
    http://www.greenborder.com/scan/scannerIdle.gif

    To get it back you have to refresh the page. This is on IE6 fully patched.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Tried with GesWall but failed to get any scan results with many tries.
    Maybe GesWall is not allowing the file to run.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I saved the file and ran it after that and got the following results. It failed on stealing and searching files but that is expected as GesWall only protects the confidential file folder it puts in My Documents.
    Failed with keylogger, that was not good; even SnoopFree did not give any warning.
    It showed failed against system corruption, but as you can see the Disk Management tool was launched but failed to open, so that was in fact passed.
    BTW, test looks cool.
     

    Attached Files: GW.JPG
  13. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Ok got it
    NAV picked it up first as malicious script: wanted to block.

    Failed the first two :mad:

    PrevX gave no warnings :mad: :mad:
    ( unless they have some database of benign tests that was bad.)
    E-mail to them.

    Thanks Bill.
    Back to db again for more tools

    PG looking better all the time.
     
  14. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    ~suddenly feeling so old~

    (more or less cross posted elsewhere too)

    Why on earth would anybody in his/her right mind want to run an .HTA file (index.hta in this case) from a site?

    Did we really forget about the warnings from PCHelp long ago (about scrap files in general)?
    http://www.pc-help.org/security/scrap.htm
    Does anybody here remember PCHelp at all (well, I know Paul does ;))?

    Did anybody here read the warnings at the IEClean site:
    http://www.nsclean.com/ieclean.html
    It may be old, but here you go:
    Does anybody here remember WormGuard?
    Did you see this setting in WG:
    http://www.diamondcs.com.au/wormguard/web/bigscreens.php?screen=Block List Editor

    I'm sure that there are more examples to give.
     
  15. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Hey FanJ:
    Maybe, but still sharp as a razor

    I wanted to see what would happen in general with this test and if this got behind AV

    Disturbingly:
    Neither BO Clean nor PrevX caught or warned about this !! :(

    Ran the test in a special FDISR snapshot, i.e. sandbox-type setup
    Not always as stupid as I sound.
    Not really interested in exploiting IE: anyone can do that LOL
    More interested in other "security" utilities

    Heh have to test now with PG: maybe PG is still the topgun.
    Regards.

    OT: PS I am finding it very interesting how many well known exploits/leak tests are bypassing PrevX; not entirely sure how to interpret that: many e-mails being sent.
    Be interesting to see what other "safety nets" will do: SSM, DefenceWall, OA, AntiHook etc, etc.
     
    Last edited: Oct 19, 2006
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Tried DefenceWall and failed all except 4th one.
     
  17. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Ok Bill: it's a set-up? ;)
    Where do I sign up? :cool:
     
  18. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Confirm: hta script runs by trusted svchost, not by browser. Hm, it was really a surprise for me! Already fixed, will be released with the next version. Need to check out other stuff...
     
  19. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi

    Neat test.

    Passed all except the Stealing Files test. What action is required to plug that gap?
     
  20. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
    Having done these tests it appears something has been left behind?
    Each reboot the "system 32" directory is on the desktop
    What is this?
    Not happy?

    A fix?
     
  21. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Same here.
    Found in c:\documents settings\all users\start menu\programs\startup:
    desktop.ini & browserscan.txt
    Made them go away.
     
  22. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Just ran it on my work desktop, and on this it said Test 1 Passed but like SpikeyB, there is a Stolen Files folder on the desktop.

    Any comments on that, and again how do I stop that security vulnerability?
     
  23. Tommy

    Tommy Registered Member

    Joined:
    Dec 24, 2002
    Posts:
    1,169
    Location:
    Buenos Aires - Munic
    Would you please be so kind and tell us which traces this Browser test leaves behind. There are some registry entries which provoke Explorer to show up at startup of the PC with the system32 folder. Also some ugly startup entries are made. Please list them all as they don't eliminate themselves after the test is finished.
     
  24. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    Thanks guys!

    Looks like I have a bit of tuning to do. I decided to use publicly visible code for easy code review and to show I'm not doing anything that detects our product or any other competing products. Plus visible code is less threatening than an executable.
    • I fixed the disappearing start icon
    • I need it to cleanup after itself, though I'm hesitant to have the scripts delete anything for safety reasons
    The script which steals files to the desktop could instead, email them or upload them to a website which has WebDAV enabled. It's important to know this can happen.

    The reason I used an .hta was because I wanted auditable scripts, and any software which protects your system from your browser should also protect what the browser launches. Other files which we all open such as pdf, doc, xls, gif, flash, mov, and other files may contain either accidental infections or intentionally malicious scripts.

    For those who are concerned that AV and AS are not stopping some of these, I have one more example which I think is a bit over the line. It displays passwords from protected storage and writes them to a text file in your startup folder. It's a four line script which will download a known hacktool (password revealer) to your computer, and launch the hacktool before your AV can stop it. Maybe since it's a known hacktool it's not over the line, however I would like to obscure the passwords and reveal just enough to show it really is extracting your saved passwords.

    Hi Ilya, glad I could help. We talked about this some time before, and your requirement was that the scripts of the test could be audited, and there you go.
     
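    As an added, read-only audit (not code from the scan or from anyone in this thread) for the residue reported in the posts above: the blank value the keylogger check writes to the Run key, the browserscan.txt and desktop.ini files Bob D found in the all-users Startup folder, and the "Stolen Files" folder SpikeyB and Old Monk saw on the desktop even when the test reported a pass. The Run-key hive and the per-user Startup folder are assumptions (the thread does not say which were used); the script only reports and deletes nothing, in line with Bill's reluctance to have scripts delete anything.

```powershell
# Added example, not part of the GreenBorder scan. Read-only audit of the
# residue described in this thread; hives/paths not quoted by posters are assumptions.
$findings = @()
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Run keys: the test "writes a blank space to the registry run key". The hive
#    was not stated, so both the per-user and machine-wide Run keys are checked
#    (assumption). A Run value with blank data is a commonly reported cause of
#    the System32 folder window that Longboard and Tommy saw at each logon.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }   # provider bookkeeping, not Run values
        if ([string]::IsNullOrWhiteSpace([string]$p.Value)) {
            $findings += "Run value '$($p.Name)' in $key has blank data"
        }
    }
}

# 2. Startup folders: browserscan.txt is the telling file. desktop.ini is a normal
#    Windows file in many folders, so it is reported only next to browserscan.txt.
#    The per-user Startup folder is checked as well (assumption).
$startupDirs = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)
foreach ($dir in $startupDirs) {
    $scanFile = Join-Path $dir 'browserscan.txt'
    if (Test-Path $scanFile) {
        $findings += "Found $scanFile"
        $ini = Join-Path $dir 'desktop.ini'
        if (Test-Path $ini) { $findings += "Found $ini next to browserscan.txt" }
    }
}

# 3. Desktop: the file-stealing check copies documents into a "Stolen Files" folder.
$stolen = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Stolen Files'
if (Test-Path $stolen) {
    $count = (Get-ChildItem -Path $stolen -Recurse -File | Measure-Object).Count
    $findings += "Found '$stolen' containing $count file(s)"
}

if ($findings.Count -eq 0) { 'No residue from the browser test found.' } else { $findings }
```

    Run it in the same account that ran the test; the HKLM check needs an elevated prompt to read reliably on Vista and later.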
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    So how can we use it?
     