Beta browser test - Too harsh? Too mild?

Bill,

Getting multiple virus check done quickly is easy when you use these two sites to upload your samples to.
http://virusscan.jotti.org/
http://www.virustotal.com/en/indexx.html

muf

 

I couldn't get your logic.
You failed the test, but you say your current security system is fine (not undermined).
You may think since it is a *.hta or you won't execute such a suspicious file in reality. If that's the case, then rethink.
A mlaware writer will not deliver a malware in such a stupid and obvious way either. A malware writer can reuse the codes to make another real malware. And it is not limited to *.hta
It can be *.exe, *.com, or even *.jpg or *.doc

Common sense and safe browsing habits doesn't help you against vulnerabilties found in your system. Connecting to the Internet is the only pre-requisite to get infection. You don't need to do anything else. Depending on the vulnerabilties and how they exploit, they don't need to always ask for your permissions before they can execute anything.

 

I don't know why it has been detected by many anti-virus companies. There are several possibilities:
- When the test is first released, no AV vendors can detect it. But as it spreads, some users report it or their AV experts spot this test. They either consider the code may pose potential threat if it is used in a malicious way, so they add the test into their signature bases.
- Or since they would like to get a pass in the test too, they add it into their signature base anyway.
- Or similar to what you say, Greenborder simply reuse (a part of) the malicious codes found in the wild to create this test. That's why it can detect it even before the release of the test.

 

The second test uses a software that can be potentially used to hack passwords so this is the reason it is detected by many scanners. I don,t think that AV companies would have added it now. It,s common practice to detect such software by an AV if u use its highest settings( that many wilders members do).

 

I agree, the Nirsoft software is great in the right hands. Like airplanes. But I was uncomfortable in that it reveals the entire password.

I'm no longer testing using the Nirsoft software. Since I could not find a password revealer which obfuscates part of the password, I asked one of our developers last night to write one which does not reveal either the entire password or the entire username, so it's safe to use on other computers. http://www.greenborder.com/scan/wilderspass.hta

 

Thanks muf, cool test! Looks like I have some more work to do.

 

Hi Longboard,

Sorry for the delay; you can set that in WinXP Pro SP2 Group Policy:
Enable Consistent mime handling and Mime sniffing safety in Computer / User configurations,
Disable Open file based on content.

 

I get your point. Well, like I said earlier on, if I need to handle any suspicious files, I can always switch to non-admin mode at any time I want to reduce the chances of damage to my system. So, how does the hacker send the files to me, could be through e-mail most probably or IM. And, most important of all is how do I open the file? My web browser of course. I am fully aware of all avenues of attack and I do take serious action without hesitation, but I will not go into detail about my daily security procedures.

Based on my system configuration, there are very few avenues of attack into my system. I can go to the extent of blocking a particular program from executing completely the moment I know it is a potential avenue for attacks to occur. Harden Windows? Yes, I already did that a long time ago.

I use GeSWall, and anyway even if I open a suspicious file, does it have full rights to execute and drop its code into my system? No. If that ain't enough I can simply switch my account to non-admin mode. I don't see what's so difficult and complex about this issue.

Based on your argument that connecting to the internet is the only pre-requisite for infection, here's what I do:
I set up my firewall and configure it correctly BEFORE connecting to the internet. I install all of Microsoft's bloody patches and updates.
Secondly, I DO NOT use IE at all. Thirdly, my browsers are all protected.
Connecting to the internet is the only pre-requisite for infection. All right, this is for those users who have unpatched versions of Windows, use IE with low security settings ( MOST LIKELY), to keep it simple and short,

Connecting to the internet is the only pre-requisite for infection IF:
1) You never updated your OS and security programs.
2) You don't bother to check your security settings.
3) You open files without a proper protection system in place.
4) You use some stupid P2P or some other malicious program without thinking.
5) Downloading and opening all attachments freely without a proper protection system in place.
6) You don't run a firewall or your firewall's security settings are not configured for optimum protection. Hardware firewalls are NOT enough.
7) You don't bother to keep up-to-date at all.
Unpatched and unprotected, meaning, drive-by downloads, simply put, don't update and don't protect means instant infection.
9) Physical access to the machine. DON'T always rely on your security programs to do the job for you.
10) If you have patched, updated, and secured your computer, then automated malware CANNOT execute without your permission or its chances of damaging your system are significantly reduced.

Who says common sense and safe browsing habits don't help? If you have already secured and updated your system, then that's more than enough.
I really can't understand why you think it does not help.
Sure, malware writers can make all sorts of files, but they have to trick the user into opening the file first. And they have to send the file to the user first, right? Or another case is where the user clicks on an unknown link and opens an attachment.
Simple, if you don't know about the file, DO NOT RUN IT. Automated drop-bys and installations should already be covered by most normal security procedures.

 

I've updated the test to clean up after itself. It left a space or dot in the registry, and I quickly added a clean-up statement for that. I also had two log files, one in the startup folder, and one in the C:\ directory. The one thing I'm leaving is the 'STOLEN FILES' folder on the desktop which can be manually deleted.

I shot myself in the foot previously by using a Nirsoft tool to read protected storage in a separate wilderspass.hta. I pointed out that the wilderspass.hta downloads and executes a hacktool before AV detects it. The AV response was to update their signatures at various points during the week, to detect the method used to download and execute a binary. So, now that I'm using our homegrown (partial password) protected storage reader in the main test with the same method, the password portion of the test will be flagged by many AV vendors. 'Hosed myself' I believe is the proper technical term.

The code is visible, no tricks up my sleeve. I'm not resorting to shellcode or complex hops through multiple entry points. The .hta is a document, just as is .doc, or .xls, or .mov, etc. Since sandboxes or virtualization/sandboxes or other containment technologies should protect whatever the browser launches, I believe this is a pretty simple and solid test.

I believe with the proper protection in place, you should be able to browse any website, and download any document without fear. Products like GreenBorder are like latex, signature-based products are like flu shots. If I'm going to get into something messy, I'd rather be wearing latex.

 

eeewww

Tasteless?
If you want to use that analogy,I would suggest re-evaluating your web "experience"

 

Hello,
I think the best practice is to avoid the sources of contamination altogether, cutting on the preservatives.
I understand that you aim at advancing your product, but the most important issue is education. There will always be some malware that will someday somehow get past this or that security program, no matter how comprehensive or advanced. The execution of the file is the key.
Mrk

 

I have boxes of disposable latex gloves for preparing the dog food, and we use gloves prepping supplements for the horses. I suppose latex could mean many things though...

 

Ha, ha,.. but u should know what is the first thing that comes in mind from the way u used latex in ur post.

 

I have GB installed. Why do I get the empty stolen doc folder on my desktop? I also note that the folder does not have GB protection. Should this be happening?
By the way, I have to download the hta file and run it from my desktop if that tells you anything.

 

Latex - the word always brings a smile.

I agree with Mrkvonic, we need to educate every computer user on computer security. The security of a computer is as strong as the least knowlegeable person who's used the computer. After all, the purpose of a user is 'to click'.

 

Bill, I´m not using the GreenBorder app at the moment. Like I said before, I pass all the tests but I still get the "Stolen Files" folder on my desktop. How exactly do you do this? The only thing that I allow to run is the HTA file. After that everything gets blocked by my HIPS. And btw, the new test does not seem to work correctly, I get a scripterror and I do not get to see my results.

https://www.wilderssecurity.com/showpost.php?p=865251&postcount=87

 

It is definitely important to keep your software or operating system up-to-date, but that doesn't mean you are definitely (or 99%) safe.
Even if you update and patch your software or operating system on time, there are always unpatched vulnerabilities or holes left behind. That's the nature of software. Unless you think hackers can only find out the unpatched vulnerabilities or holes when Windows issue a fix, you will be vulnerable between the time when the hacker find out the vulnerability and when Windows finally realise it and fix that vulnerability. It takes time for Microsoft to realise the problem. Even if it realises, it may not be able to fix it immediately, it may sometimes take months or longer to fix a bug / vulnerability.

That's why connecting to the Internet is the only pre-requisite, no more no less. I'm not scaring you, but I just want to tell you it is possible that you just online and do nothing, have the latest updated security software & OS, and still get the infection.

If what you are infected by a malware which is intended to be sneaky, it can be very hard to detect. Here's one case which the victim is not a n00b. It practices safe browsing and have good common sense. Still the computer is infected. The victim doesn't have any clue on how it gets the infection in the first place. It takes a lot of security experts to come and help to find out that malware. The computer has been scanned by many anti-virus & anti-trojan programs. They even try to reveal the malware by many anti-rootkit programs in vain.

This malware has done a very good job to hide itself. The only trace left which makes the victim aware is the unusual phone home behaviour & spoofed IP addresses in its firewall logs. But for most of the average users, they probably will never notice that. From what the victim reports, the malware could even survive after a low-level reformat (which surprises the security expert too). To find out the answer yourself, try to read:

http://www.castlecops.com/postx165065-0-0.html​

(It takes a whole 16 pages and lots of private communications to resolve this problem )

This is a case where such a very sneaky software is identified and removed. What if it has never been discovered? Not possible? I don't think so.

To clarify, I'm not saying it doesn't help in any aspect. It helps to prevent some but not all sorts of attacks.
Some attacks don't require user intervention (that's why ProcessGuard takes a step further to protect so by offering Secure Message Handling. Again it is not fool-proof either).

Yes, but not necessary.
It is possible they send AND execute the malware without your intervention. As to the possibility, we just can't make certain. No hacker will report this to the authority. But if you ask me, I would say it is not easy, but still not too hard to do.

 

Well I guess I did the test wrong or something--it didnt tell me anything except healthy system--thats all the report I got.

 

Well, I ran it within a BufferZoned (1.9 SA free) and twice had to click a ZoneAlarm "Allow" box.

The report just told the size and 'free-space' of the primary drive and "Healthy System" on partitions.

(The "Your Scan Test Results" screenshot in {this post} was never seen at all.)

However, there was a "STOLEN FILES" Folder created on my desktop that contained (AFAIK) all my MS Word and Excel Documents.

They would not contain any 'harmful' information if anyone were to steal them, but should this be considered a "Fail" since the folder opens without a BZ 'Red Border' and if I had GreenBorder, would that Folder have been created within a Green Border?
_________________________________________________________________________________

Would you want such a Folder to be within your 'sandbox' and would that make it more vulnerable?

 

Bill@GreenBorder, you still around? The test still does not seem to work correctly and I would like to have some feedback.

 

OK Can someone please tell me in plain english how to stop system32 folder from opening on boot.wish i never tried this test.very annoying.

 

@ travellinman
LOL annoying isn't it
running the script file caused the prob.
I thought that Bill had added a clean-up ??
PM him if you have had a problem

Anyhow for what worked before:go to post: #39 and look back and forth a bit.
Go back to the OP and read from there, ignore all the tooing and froing about what the test is, look for peeps complaining about the sys32 folder opening.
Read the post from Kevin McAleavey

Get a script blocker.
Regards.

 

Ooh, sorry about that. The cause of this was adding an entry to the registry startup which I thought was the least invasive possible, by adding a new entry only containing a period or a space.

If you ran an early version of the beta test which left an entry in place, use regedit (Start -> Run, regedit). Then browse to the location HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The first run key would have a single character or would be 'empty' (space). Right-click that entry and select delete.

After creating the test, I've handed the maintenance of the test to a developer. There's lots of work involved in maintaining something which initially wasn't flagged by AV, but has since been added to a few signature databases.

 

Longboard,Bill thank you. Problem solved.

 

I just saw this thread so sorry for such a late reply.

How do I get this test to work? I tried it on IE6 and Fx 1.5.0.11 and on Fx nothing happens after downloading the file and trying to open it. On IE, ProcessGuard pops up with a warning about mshata.exe which I allowed. Then the test starts on the first check and it hung and finally closed. I did, just now, try it again and this time it got a tiny bit further into the first check and then I got a warning popup that the publisher cannot be trusted. I'm happy to take a test but not from a publisher that cannot be trusted so I canceled.