Drive-by testing

Discussion in 'other anti-malware software' started by moontan, Apr 24, 2011.

Thread Status:
Not open for further replies.
  1. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    I am just wondering if there is a site where we could test drive-by attacks and the like.

    I am not looking for real malware, just a simulation.

    If it does not exist, maybe it would be nice for someone to build one. :)
     
  2. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Interesting idea.

    Though I don't know of a testing site and can't build one, I would like to test :thumb:

    So someone needs to post a link... if it exists, that is :)
     
  3. Martijn2

    Martijn2 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    321
    Location:
    The Netherlands
    There are several ones, but they are outdated (http://bcheck.scanit.be/bcheck/ for example). You could always try to contact them to give their tests a much needed update ;)
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You don't specify what type of testing.

    If you are thinking of drive-by tests where your security alerts to downloading/running of executables, which is the payload of most of today's exploits, it's a daunting task for several reasons.

    1) What type of products are you testing? If black listing products, then unless it is real malware, the product isn't going to alert to something benign.

    2) What types of exploits? If PDF, not all PDFs with exploit code are triggered by all versions of the Reader. I've looked at dozens of PDFs over the years and have found only two that trigger. Same thing with Flash.

    Now, if you have White Listing security, that's pretty easy to test. I've set up my own drive-by tests in the past and have posted them here before, but they require IE6 which most people no longer have. However, if anyone wants to test, I'll post one.

    Beginning with IE8 I cannot make any drive-by exploit work except those using Java! And none of the current malware exploits work against Opera or Firefox.

    However, you can test by just attempting to download a non-white listed executable.
    It's similar to a drive-by exploit: an executable tries to write to disk. In this case, you trigger it yourself, and your security should not allow it. The security doesn't care how the executable tries to get in -- it just prevents it in any case. Here, I use winpad32.exe to test:

    wind32pad.gif

    Also, USB is a good test, since it is a remote code execution exploit, as is a drive-by.
    Just set up an autorun.inf file with these two lines with the filename of the executable you use:

    autorun.gif

    put it on a USB drive with a non-whitelisted executable and enable autorun for the test:

    kwjk.gif

    Also, a CD installation disk usually has an autorun.inf to automatically run a setup.exe.
    Being non-white listed, your protection should alert:

    autorun_inf-setup.gif

    autorun_exe.gif

    A drive-by exploit is just one type of remote code execution attack which can be simulated in other ways.

    regards,

    -rich
     
    Last edited: Apr 24, 2011
  5. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    I am looking for something that would execute automatically without user input.

    Basically, just to check if Chrome by itself (maybe with LUA + UAC + SRP) would allow writing to the drive.

    I am just curious.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Is there a drive-by exploit in the wild that targets Chrome (or Opera or Firefox)? Looking in the exploit kits, the drive-by exploits use plugins (PDF, Flash) that use the browser as an entry point.

    If an exploit uses an enabled plugin and you have LUA + SRP, then you are protected against drive-by exploits that download malware executables because

    1) In a LUA, executables can write only to %User% directories. Here, I attempt to copy a program to %Windows%:

    srp-copy.gif

    2) With SRP, nothing can execute except from %Program Files% and %Windows%.
    Here, I attempt to execute a program, a .bat file, and a .vbs file from a %User% directory.
    I chose this directory because recently I saw a drive-by infection (IE8) that wrote files to this directory and executed them.
    With SRP, that could not have happened:

    srp-exe-exe.gif

    srp-exe-bat.gif

    srp-exe-vbs.gif



    So, while you might not find a drive-by exploit to test, you can simulate the results and see how you are protected with LUA and SRP.

    regards,

    -rich
     
    Last edited: Apr 24, 2011
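The two checks Rmus walks through above (a copy into %Windows%, then an .exe, a .bat and a .vbs launched from a %User% folder) as an added PowerShell script that is not from the thread. It assumes you run it from the standard-user (LUA) account, that SRP's default level is Disallowed, and that the test folder under %USERPROFILE% is not covered by an Unrestricted path rule; the test files themselves are benign (a copy of notepad.exe and two scripts that only print a line).

```powershell
# Added example, not from the thread: reproduce the LUA + SRP checks from a
# standard-user account. With LUA + SRP (default level Disallowed) every
# attempt below should be reported as BLOCKED.
$ErrorActionPreference = 'Stop'

# Assumption: this %User% folder is not covered by any SRP "Unrestricted" path rule.
$testDir = Join-Path $env:USERPROFILE 'srp-test'
New-Item -ItemType Directory -Force -Path $testDir | Out-Null

# Benign test files: a copy of notepad.exe plus a .bat and a .vbs that only print a line.
$exe = Join-Path $testDir 'test-notepad.exe'
Copy-Item (Join-Path $env:windir 'System32\notepad.exe') $exe -Force
$bat = Join-Path $testDir 'test.bat'
$vbs = Join-Path $testDir 'test.vbs'
Set-Content -Path $bat -Value '@echo SRP did NOT block this .bat & pause'
Set-Content -Path $vbs -Value 'WScript.Echo "SRP did NOT block this .vbs"'

function Test-Action {
    param([string]$Name, [scriptblock]$Action)
    try {
        & $Action
        "$Name : ALLOWED  <-- protection gap"
    } catch {
        # Access denied (LUA) or "blocked by group policy" (SRP) both land here.
        "$Name : BLOCKED  ($($_.Exception.Message.Trim()))"
    }
}

# 1) LUA check: a standard user must not be able to write into %Windows%.
Test-Action 'copy .exe into %Windows%' {
    Copy-Item $exe (Join-Path $env:windir 'srp-test-copy.exe')
}

# 2) SRP checks: nothing outside %Program Files% and %Windows% should run.
#    If one of these is allowed, Notepad opens or the "did NOT block" text appears.
Test-Action 'run .exe from %User%' { Start-Process -FilePath $exe }
Test-Action 'run .bat from %User%' { Start-Process -FilePath $bat -Wait }
Test-Action 'run .vbs from %User%' { Start-Process -FilePath $vbs -Wait }
```

If the script is run from an administrator account while enforcement is set to "all users except local administrators", the SRP checks will report ALLOWED by design, which is exactly the scope question discussed later in the thread.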
  7. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Thanks a lot Rmus for taking the time!
    That is very useful info. :)

    I am at the office right now but I will play with this when I get home!
     
  8. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Excuse my ignorance, but what's SRP? How do I use it?
    I'm using EMET on 7 64-bit, with UAC on.

    Thanks.
     
  9. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    SRP is a whitelist, anti-executable 'app'.
    It denies any executable from launching if it's not on the 'whitelist'.

    For Windows 7 Professional, Ultimate, and Enterprise editions, SRP can be launched from the Local Group Policy Editor (run gpedit.msc):
    http://www.sevenforums.com/tutorials/3652-local-group-policy-editor-open.html

    For Windows 7 Starter, Home Basic, and Home Premium editions you have to use SRP via Parental Control:
    https://www.wilderssecurity.com/showthread.php?t=297834
     
    Last edited: Apr 25, 2011
  11. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Thanks for the answer, I'm going to read that.
    Is it a problem if I'm using an admin account with UAC at max? Because I would need to create a LUA and I don't want to.
     
    Last edited: Apr 25, 2011
  12. Martijn2

    Martijn2 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    321
    Location:
    The Netherlands
    You can use SRP with your admin account yes. Be sure to exclude the administrator account (under "enforcement" click "all users except local administrator").
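To confirm which enforcement scope (and default level) is actually in effect after setting it in gpedit.msc, here is an added PowerShell function that is not from the thread. It reads the Safer policy key that the Local Group Policy Editor writes; the value meanings (DefaultLevel 0 = Disallowed, 262144 = Unrestricted; PolicyScope 1 = all users except local administrators) are the ones Windows uses under that key.

```powershell
# Added example, not from the thread: report the SRP policy that gpedit.msc
# writes under the Safer key, in plain words.
function Get-SrpSummary {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $key)) { return 'SRP is not configured (no Safer policy key).' }
    $p = Get-ItemProperty -Path $key

    $levelNames = @{ 0      = 'Disallowed (whitelist: only rule-listed paths run)'
                     131072 = 'Basic User'
                     262144 = 'Unrestricted (blacklist: everything runs unless listed)' }
    $scopeNames = @{ 0 = 'all users, local administrators included'
                     1 = 'all users except local administrators' }
    $fileNames  = @{ 1 = 'all software files except libraries (DLLs)'
                     2 = 'all software files, DLLs included' }

    # A missing value means the policy has never set it; do not guess a meaning.
    $level = if ($null -ne $p.DefaultLevel) { $levelNames[[int]$p.DefaultLevel] } else { '(not set)' }
    $scope = if ($null -ne $p.PolicyScope)  { $scopeNames[[int]$p.PolicyScope] }  else { '(not set)' }
    $files = if ($null -ne $p.TransparentEnabled) { $fileNames[[int]$p.TransparentEnabled] } else { '(not set)' }

    # Path rules are stored under a subkey named after the level they grant.
    $readPaths = {
        param([string]$LevelKey)
        @(Get-ChildItem -Path "$key\$LevelKey\Paths" -ErrorAction SilentlyContinue |
            ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData })
    }

    [pscustomobject]@{
        DefaultLevel      = $level
        Enforcement       = $scope
        AppliesTo         = $files
        UnrestrictedPaths = & $readPaths '262144'
        DisallowedPaths   = & $readPaths '0'
    }
}

Get-SrpSummary | Format-List
```

With the setting Martijn2 describes, Enforcement reads "all users except local administrators", which is why the admin account itself stays unrestricted while programs under a standard token are blocked.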
     
  13. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Ok, I'm going to try it. Thanks.
     
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Here's a selection of www's that "might" be useful ;)

     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    You don't need to create a LUA, because you have UAC. The programs that run with limited rights under UAC are blocked by SRP if they aren't excluded.
     
  16. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    I've seen that, thanks for the precisions.
     