Beta browser test - Too harsh? Too mild?

Discussion in 'other security issues & news' started by Bill Stout, Oct 17, 2006.

Thread Status:
Not open for further replies.
  1. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
  2. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    I couldn't get your logic.
    You failed the test, but you say your current security system is fine (not undermined).
    You may think that since it is a *.hta, you won't execute such a suspicious file in reality. If that's the case, then rethink.
    A malware writer will not deliver malware in such a stupid and obvious way either. A malware writer can reuse the code to make another real malware. And it is not limited to *.hta.
    It can be *.exe, *.com, or even *.jpg or *.doc.

    Common sense and safe browsing habits don't help you against vulnerabilities found in your system. Connecting to the Internet is the only pre-requisite to get infected. You don't need to do anything else. Depending on the vulnerabilities and how they are exploited, they don't always need to ask for your permission before they can execute anything.
     
  3. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    I don't know why it has been detected by many anti-virus companies. There are several possibilities:
    - When the test was first released, no AV vendors could detect it. But as it spread, some users reported it or their AV experts spotted this test. They considered that the code may pose a potential threat if it is used in a malicious way, so they added the test into their signature bases.
    - Or since they would like to get a pass in the test too, they added it into their signature base anyway.
    - Or similar to what you say, Greenborder simply reused (a part of) the malicious code found in the wild to create this test. That's why it could be detected even before the release of the test.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,132
    Location:
    Saudi Arabia/ Pakistan
    The second test uses software that can potentially be used to hack passwords, so this is the reason it is detected by many scanners. I don't think that AV companies would have added it now. It's common practice for an AV to detect such software if u use its highest settings (that many Wilders members do).
     
  5. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    I agree, the Nirsoft software is great in the right hands. Like airplanes. But I was uncomfortable in that it reveals the entire password.

    I'm no longer testing using the Nirsoft software. Since I could not find a password revealer which obfuscates part of the password, I asked one of our developers last night to write one which does not reveal either the entire password or the entire username, so it's safe to use on other computers. http://www.greenborder.com/scan/wilderspass.hta
     
  6. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
  7. steely

    steely Registered Member

    Joined:
    Aug 24, 2006
    Posts:
    12
    Hi Longboard,

    Sorry for the delay; you can set that in WinXP Pro SP2 Group Policy:
    Enable Consistent mime handling and Mime sniffing safety in Computer / User configurations,
    Disable Open file based on content.
     
  8. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I get your point. Well, like I said earlier on, if I need to handle any suspicious files, I can always switch to non-admin mode at any time I want to reduce the chances of damage to my system. So, how does the hacker send the files to me, could be through e-mail most probably or IM. And, most important of all is how do I open the file? My web browser of course. I am fully aware of all avenues of attack and I do take serious action without hesitation, but I will not go into detail about my daily security procedures.

    Based on my system configuration, there are very few avenues of attack into my system. I can go to the extent of blocking a particular program from executing completely the moment I know it is a potential avenue for attacks to occur. Harden Windows? Yes, I already did that a long time ago.

    I use GeSWall, and anyway even if I open a suspicious file, does it have full rights to execute and drop its code into my system? No. If that ain't enough I can simply switch my account to non-admin mode. I don't see what's so difficult and complex about this issue.

    Based on your argument that connecting to the internet is the only pre-requisite for infection, here's what I do:
    I set up my firewall and configure it correctly BEFORE connecting to the internet. I install all of Microsoft's bloody patches and updates.
    Secondly, I DO NOT use IE at all. Thirdly, my browsers are all protected.
    Connecting to the internet is the only pre-requisite for infection. All right, this is for those users who have unpatched versions of Windows, use IE with low security settings (MOST LIKELY), to keep it simple and short,

    Connecting to the internet is the only pre-requisite for infection IF:
    1) You never updated your OS and security programs.
    2) You don't bother to check your security settings.
    3) You open files without a proper protection system in place.
    4) You use some stupid P2P or some other malicious program without thinking.
    5) Downloading and opening all attachments freely without a proper protection system in place.
    6) You don't run a firewall or your firewall's security settings are not configured for optimum protection. Hardware firewalls are NOT enough.
    7) You don't bother to keep up-to-date at all.
    8) Unpatched and unprotected, meaning, drive-by downloads, simply put, don't update and don't protect means instant infection.
    9) Physical access to the machine. DON'T always rely on your security programs to do the job for you.
    10) If you have patched, updated, and secured your computer, then automated malware CANNOT execute without your permission or its chances of damaging your system are significantly reduced.

    Who says common sense and safe browsing habits don't help? If you have already secured and updated your system, then that's more than enough.
    I really can't understand why you think it does not help.
    Sure, malware writers can make all sorts of files, but they have to trick the user into opening the file first. And they have to send the file to the user first, right? Or another case is where the user clicks on an unknown link and opens an attachment.
    Simple, if you don't know about the file, DO NOT RUN IT. Automated drop-bys and installations should already be covered by most normal security procedures.
     
  9. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    I've updated the test to clean up after itself. It left a space or dot in the registry, and I quickly added a clean-up statement for that. I also had two log files, one in the startup folder, and one in the C:\ directory. The one thing I'm leaving is the 'STOLEN FILES' folder on the desktop which can be manually deleted.

    I shot myself in the foot previously by using a Nirsoft tool to read protected storage in a separate wilderspass.hta. I pointed out that the wilderspass.hta downloads and executes a hacktool before AV detects it. The AV response was to update their signatures at various points during the week, to detect the method used to download and execute a binary. So, now that I'm using our homegrown (partial password) protected storage reader in the main test with the same method, the password portion of the test will be flagged by many AV vendors. 'Hosed myself' I believe is the proper technical term.

    The code is visible, no tricks up my sleeve. I'm not resorting to shellcode or complex hops through multiple entry points. The .hta is a document, just as is .doc, or .xls, or .mov, etc. Since sandboxes or virtualization/sandboxes or other containment technologies should protect whatever the browser launches, I believe this is a pretty simple and solid test.

    I believe with the proper protection in place, you should be able to browse any website, and download any document without fear. Products like GreenBorder are like latex, signature-based products are like flu shots. If I'm going to get into something messy, I'd rather be wearing latex.
     
  10. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,219
    Location:
    Sydney, Australia
    eeewww
    Tasteless?
    If you want to use that analogy, I would suggest re-evaluating your web "experience"
    :gack:
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,630
    Hello,
    I think the best practice is to avoid the sources of contamination altogether, cutting on the preservatives.
    I understand that you aim at advancing your product, but the most important issue is education. There will always be some malware that will someday somehow get past this or that security program, no matter how comprehensive or advanced. The execution of the file is the key.
    Mrk
     
  12. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    I have boxes of disposable latex gloves for preparing the dog food, and we use gloves prepping supplements for the horses. I suppose latex could mean many things though... :eek: :D :ninja: :blink:
     
    Last edited: Oct 31, 2006
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,132
    Location:
    Saudi Arabia/ Pakistan
    Ha, ha... but u should know what is the first thing that comes to mind from the way u used latex in ur post.
     
  14. Rodehard

    Rodehard Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    90
    I have GB installed. Why do I get the empty stolen doc folder on my desktop? I also note that the folder does not have GB protection. Should this be happening?
    By the way, I have to download the hta file and run it from my desktop if that tells you anything.
     
  15. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    Latex - the word always brings a smile. :D

    I agree with Mrkvonic, we need to educate every computer user on computer security. The security of a computer is as strong as the least knowledgeable person who's used the computer. After all, the purpose of a user is 'to click'.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,165
    Location:
    The Netherlands
    Bill, I'm not using the GreenBorder app at the moment. Like I said before, I pass all the tests but I still get the "Stolen Files" folder on my desktop. How exactly do you do this? The only thing that I allow to run is the HTA file. After that everything gets blocked by my HIPS. And btw, the new test does not seem to work correctly, I get a script error and I do not get to see my results.

    https://www.wilderssecurity.com/showpost.php?p=865251&postcount=87
     
  17. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    It is definitely important to keep your software or operating system up-to-date, but that doesn't mean you are definitely (or 99%) safe.
    Even if you update and patch your software or operating system on time, there are always unpatched vulnerabilities or holes left behind. That's the nature of software. Unless you think hackers can only find out the unpatched vulnerabilities or holes when Windows issues a fix, you will be vulnerable between the time when the hacker finds out the vulnerability and when Windows finally realises it and fixes that vulnerability. It takes time for Microsoft to realise the problem. Even if it realises, it may not be able to fix it immediately; it may sometimes take months or longer to fix a bug / vulnerability.

    That's why connecting to the Internet is the only pre-requisite, no more no less. I'm not scaring you, but I just want to tell you it is possible that you are just online and do nothing, have the latest updated security software & OS, and still get the infection.

    If you are infected by malware which is intended to be sneaky, it can be very hard to detect. Here's one case where the victim is not a n00b. They practice safe browsing and have good common sense. Still the computer was infected. The victim didn't have any clue how it got the infection in the first place. It took a lot of security experts to come and help to find that malware. The computer was scanned by many anti-virus & anti-trojan programs. They even tried to reveal the malware with many anti-rootkit programs, in vain.

    This malware has done a very good job of hiding itself. The only trace left which made the victim aware was the unusual phone-home behaviour & spoofed IP addresses in its firewall logs. But most average users will probably never notice that. From what the victim reports, the malware could even survive a low-level reformat (which surprised the security expert too). To find out the answer yourself, try to read:
    (It takes a whole 16 pages and lots of private communications to resolve this problem :blink: )

    This is a case where such a very sneaky software is identified and removed. What if it has never been discovered? Not possible? I don't think so.

    To clarify, I'm not saying it doesn't help in any aspect. It helps to prevent some but not all sorts of attacks.
    Some attacks don't require user intervention (that's why ProcessGuard takes a step further to protect against them by offering Secure Message Handling. Again, it is not fool-proof either).

    Yes, but not necessarily.
    It is possible they send AND execute the malware without your intervention. As to the possibility, we just can't be certain. No hacker will report this to the authorities. But if you ask me, I would say it is not easy, but still not too hard to do.
     
  18. Rita

    Rita Infrequent Poster

    Joined:
    Jun 28, 2004
    Posts:
    6,863
    Location:
    wilds of wv
    Well I guess I did the test wrong or something--it didn't tell me anything except healthy system--that's all the report I got.
     
  19. pilotart

    pilotart Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    377
    Well, I ran it within a BufferZoned (1.9 SA free) and twice had to click a ZoneAlarm "Allow" box.

    The report just told the size and 'free-space' of the primary drive and "Healthy System" on partitions.

    (The "Your Scan Test Results" screenshot in {this post} was never seen at all.)

    However, there was a "STOLEN FILES" Folder created on my desktop that contained (AFAIK) all my MS Word and Excel Documents.

    They would not contain any 'harmful' information if anyone were to steal them, but should this be considered a "Fail" since the folder opens without a BZ 'Red Border' and if I had GreenBorder, would that Folder have been created within a Green Border?
    _________________________________________________________________________________

    Would you want such a Folder to be within your 'sandbox' and would that make it more vulnerable?
     
    Last edited: Nov 10, 2006
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,165
    Location:
    The Netherlands
    Bill@GreenBorder, you still around? The test still does not seem to work correctly and I would like to have some feedback. ;)
     
  21. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,581
    OK. Can someone please tell me in plain English how to stop the system32 folder from opening on boot? Wish I never tried this test. Very annoying.
     
  22. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,219
    Location:
    Sydney, Australia
    @ travellinman
    LOL annoying isn't it
    running the script file caused the prob.
    I thought that Bill had added a clean-up ??
    PM him if you have had a problem

    Anyhow for what worked before:go to post: #39 and look back and forth a bit.
    Go back to the OP and read from there, ignore all the tooing and froing about what the test is, look for peeps complaining about the sys32 folder opening.
    Read the post from Kevin McAleavey

    Get a script blocker.
    Regards.
     
  23. Bill Stout

    Bill Stout Registered Member

    Joined:
    Oct 14, 2004
    Posts:
    100
    Location:
    Mountain View, CA
    Ooh, sorry about that. The cause of this was adding an entry to the registry startup which I thought was the least invasive possible, by adding a new entry only containing a period or a space.

    If you ran an early version of the beta test which left an entry in place, use regedit (Start -> Run, regedit). Then browse to the location HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. The first run key would have a single character or would be 'empty' (space). Right-click that entry and select delete.

    After creating the test, I've handed the maintenance of the test to a developer. There's lots of work involved in maintaining something which initially wasn't flagged by AV, but has since been added to a few signature databases.
     
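A defender-side check for the leftover startup entry Bill describes, written as an added PowerShell example (it is not the thread's code nor GreenBorder's): it lists values under the HKCU Run key whose name is empty, a space, or any single character, and deletes them only on an explicit call that honours -WhatIf/-Confirm. The key path is the one given in the post above; the function names and the assumption that the test wrote to HKCU are mine.

```powershell
# Added example, not code from the thread or from GreenBorder. It looks for the
# kind of entry the early beta test left behind: a Run value whose name is
# empty, a single space, or a single period.
# Assumption: the test wrote to HKCU, the path given in the post above.
$RunKeyPath = 'Software\Microsoft\Windows\CurrentVersion\Run'

function Get-BlankNamedRunEntry {
    param([string]$SubKey = $RunKeyPath)
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $false)
    if ($null -eq $key) { return @() }
    try {
        foreach ($name in $key.GetValueNames()) {
            # GetValueNames() reports the key's (Default) value as ''.
            # A name that is blank after trimming, or one character long,
            # matches the artifact described in the thread; regedit shows
            # it as an entry with an apparently empty name.
            if ($name.Trim().Length -le 1) {
                [pscustomobject]@{
                    RawName = $name
                    Display = if ($name -eq '') { '(empty)' } else { "'$name'" }
                    Data    = $key.GetValue($name)
                }
            }
        }
    } finally {
        $key.Close()
    }
}

function Remove-BlankNamedRunEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$SubKey = $RunKeyPath)
    # The .NET API is used so that the (Default) value (name '') and
    # single-character names are handled the same way.
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $true)
    if ($null -eq $key) { return }
    try {
        foreach ($entry in (Get-BlankNamedRunEntry -SubKey $SubKey)) {
            if ($PSCmdlet.ShouldProcess("HKCU\$SubKey\$($entry.Display)", 'Delete Run value')) {
                # Second argument: do not throw if the value vanished meanwhile.
                $key.DeleteValue($entry.RawName, $false)
            }
        }
    } finally {
        $key.Close()
    }
}

$found = @(Get-BlankNamedRunEntry)
if ($found.Count -eq 0) {
    Write-Host "No blank-named entries under HKCU\$RunKeyPath"
} else {
    $found | Format-Table -AutoSize
    # Dry run first; drop -WhatIf to delete after reviewing the list above.
    Remove-BlankNamedRunEntry -WhatIf
}
```

Review the Data column before removing anything: a legitimate program can in principle register under an odd name, so the script reports first and deletes only when you re-run the removal without -WhatIf. The same two functions can be pointed at the HKLM Run key by opening `[Microsoft.Win32.Registry]::LocalMachine` instead, which needs an elevated prompt.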
  24. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,581
    Longboard,Bill thank you. Problem solved.
     
  25. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    I just saw this thread so sorry for such a late reply.

    How do I get this test to work? I tried it on IE6 and Fx 1.5.0.11, and on Fx nothing happens after downloading the file and trying to open it. On IE, ProcessGuard pops up with a warning about mshta.exe which I allowed. Then the test starts on the first check and it hung and finally closed. I did, just now, try it again and this time it got a tiny bit further into the first check and then I got a warning popup that the publisher cannot be trusted. I'm happy to take a test but not from a publisher that cannot be trusted so I canceled.
     