BufferZone trojan test

Discussion in 'other security issues & news' started by aigle, Aug 8, 2006.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  2. ghiser1

    ghiser1 Developer

    Joined:
    Jul 8, 2004
    Posts:
    132
    Location:
    Gloucester, UK
    Hi Aigle,

    I'd just like to give you the Prevx view on this one. If you try BufferZone with Prevx in ABC or Pro mode it will be allowed to run. The reason for this is simple. This is not a Trojan, it is a demo of what a trojan might do. It is therefore a legitimate application - it does exactly what its authors have told you it does. As such it has a Good rating in the Prevx database.

    If you run in Expert mode, you will be queried to allow it to report back home - essentially allowing you to stop the "attack" if you wish.

    We have had a number of Tools like this where part of the user community want it to be treated as Malware as it "acts like malware" but others want it to be treated as Good as it's just a tool. In this case, we opted for the latter as the authors are explicit about its behaviour - it does what it says on the tin. It doesn't use any sneaky techniques, exploits or silent downloaders. It simply isn't Bad.
     
  3. aigle

    U say it is just a tool. What is the function of this tool?
     
  4. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I've tried it and AppDefend stops it, or at least you get an alert at every step the trojdemo takes, then it is up to you to decide.
    Tiny Personal Firewall 6 stops it too, with default settings.
     
  5. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I've tried this Trojan Test. I ran it as untrusted with network connections switched on and off. When the network is switched on, the test reports that the defense has failed; in the other case, the test is passed. As I haven't seen its source code I may assume it is a network defense test, not a HIPS one.
     
  6. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    Although this thread is a bit old, I would like to mention this test may not be reliable. I have tested it with a few firewalls.

    When I pressed on the "attack result", the firewall will warn me. If I press "deny", nothing is displayed. However if I press "allow", my personal files are displayed on the page. Anyway, no matter what I do, the test still says "my system is not secured".

    Any thoughts?
     
  7. aigle

    I tried this test with my documents set as confidential in GesWall.
    GW passes the test.
     

    Attached Files:

    • gw.jpg (37.1 KB)
  8. TerryWood

    TerryWood Registered Member

    Joined:
    Jan 14, 2006
    Posts:
    703
    Yes, I have tried it and it failed. I use the latest Neoava Guard Beta version and I set up My Documents to be protected under "My Protected Files"; I ticked against open, read, write & delete & notify.

    When I ran the test it disclosed the names of all my files in My Documents.

    The only software I had that protected me was Hide Files and Folders.

    I reported it on the Neoava Guard Web Site, but the developer does not seem to respond (from previous post experience).

    Also reported it in the Wilders Other Anti Malware Software

    Terry
     
  9. aigle

    By "It" u mean GW or the so-called Trojan itself? :)
     
    Last edited: Nov 7, 2006
  10. TerryWood

    I mean the trojan itself. As I said, I set up Neoava Guard to protect My Documents because there is a specific feature that allows you to do it. So I thought I would try it. I was disappointed because I did not expect a security application of this calibre to fail. I reported under your thread because the common element is the trojan, which seems quite robust given the damage it is causing (see other threads on the web); also it appears that there is confusion about how to treat it (the trojan) in some software applications.

    The problem is my confidence has been knocked with Neoava Guard given its failure, and I don't know of any other vulnerability testing to throw at NG to see if it's just the BufferZone test that is a bit canny or just that Neoava Guard needs a lot more development.

    Hope this clarifies

    Terry
     
  11. aigle

    I don't know if the HIPS prevents reading files/docs or not.
     
  12. Wai_Wai

    Actually it is just a partial pass since the test claims that your taskmgr.exe has been invaded successfully.

    However I doubt the reliability of this test. See my test results for details.
     
  13. aigle

    It did start my calculator (via task manager? I did not see it running), but as I said this test can't kill anything on my machine via task manager, as Task Manager will run isolated in GesWall.
    I can't see ur results!!!
    The test does seem a bit buggy.
     
  14. TerryWood

    Aigle


    I tried the BufferZone Trojan Test with GesWall and got some odd results:

    a) TaskMgr.exe, TelNet.exe, FTP.exe all passed, i.e. the trojan WAS NOT successful; HOWEVER, the calculator showed.

    b) It highlighted all the files in my confidential folder in My Documents

    I thought GesWall BY Default protected the Confidential folder?

    If so what did you do/add to change it. Could you detail it for me please

    Thanks
    Terry
     
  15. aigle

    GW protects the confidential folder by default. I was having nothing in it, so I made all of My Documents confidential (just change Confidential to My Documents in the resource properties of Confidential). It is just for the test; otherwise I put it back to default, of course changing the name of the Confidential folder to make it unattractive and at the same time changing to the same name in the resource properties as well (I hope I am able to make it clear).
    I used the latest beta version of GW. If u make all of My Documents confidential, u will get many pop-ups that ur browser is trying to access confidential folders; deny all the access (in order to deny, u have to press the Yes button here in the pop-up).
    BTW I will say again that the test is a bit buggy; results are sometimes not reproducible.
     
  16. Wai_Wai

    It is just above - my first post of this thread.

    Anyway, click on https://www.wilderssecurity.com/attachment.php?attachmentid=183152&stc=1&d=1158147509 and see the result.
     
  17. pilotart

    pilotart Registered Member

    Joined:
    Feb 14, 2006
    Posts:
    377
    Opened with a BZ'd IE, it just said I had passed the security test (it did open Calculator with a red border).

    Same test opened in an un-BZ'd Firefox also opened Calculator and then needed "Allow" from ZoneAlarm.

    This was the entire "[Attack Result]"

    "...communication attack: SUCCESS!..."

    Does that refer to the fact that I 'allowed' the connection?
     