Malware Defender Hips-Testing with trojans and Rogue AV

Discussion in 'other anti-malware software' started by Dark Shadow, Dec 8, 2008.

Thread Status:
Not open for further replies.
  1. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    This test is what a user could expect from a Hips when it encounters execution of a unwanted.The site I am tesing is a real threat that contains trojans,Rogues AV and anyones guess what else.It requires a Active X download that appears to execute with out the users intervention from the active x pop.I will try to post all screens for example.This is also when the trojans and rogue would normally be dropped on a users machine providing they had no blocking as hips or un detected by a Antivirus or a behavior blocker.Also perhaps No Active X would be a big plus here on this site anyways.
     

    Attached Files:

    Last edited: Dec 8, 2008
  2. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Screen shot 2
     

    Attached Files:

  3. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    screen shot 3
     

    Attached Files:

  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Screen shot 4
     

    Attached Files:

  5. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Ok appreantly there is about 10 different pop warnings here to deal with and some freezing between snipping images making it difficult for screen shots.Some findings, Malware Defender effectively Blocks providing users make the correct choice.The user should come out clean,No files where dropped on my machine, So it is very good at blocking, However Malware Defender struggles with Deny and termination, the pop ups to run the exe kept poping up makeing it difficult to close the common pops that come with adult sites.It did terminate but seem to be a few minute or so delay.I am No expert here but these are my finding.All and All great program light stable didn't crash even while waiting for longer periods while waiting user reply of deny or allow or Deny and terminate processes.IMO deny and terminate would be the obvious choice unless the user would like to answer nearly a dozen pop ups in this case.
     
    Last edited: Dec 8, 2008
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Interesting, Dave. Thanks! :thumb:
     
  7. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Your welcome it was fun fun fun.:thumb:
     
  8. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Dave, could you pm me a link to that site? I'd like to do some testing of my own.
     
  9. chris1341

    chris1341 Guest

    After the initial Learnimg Mode period I've got used to placing MD in Silent Mode when surfing, particularly unknown sites. I'm assuming if you did that then these threats would be blocked/denied without the need for multiple pop-ups/decisions.

    Is that correct?

    Cheers
     
  10. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA

    Check you PM
     
  11. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Hi chris1341,That would be the best choice IMO,However my test is with Normal mode and this little buger is persistent you will still get popups even in silent mode minus not decision making one from the soft but from the site it self.Keep in mind this is IE7 X active enable,java script.
     
  12. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    I know this post relates to malware defender's ability to handle drive-by malware, but I couldn't help but want to try a small test against the site using my own protections, so forgive the brief impertinence, here were my findings:

    Dave, I checked out the site you sent me, I find this odd, because after visiting it, I looked in agnitum firewall's content filtering log, expecting to see blocked activex scripting, blocked embedded spyware, blocked referers, pop-ups ect ect - but I saw nothing, not one blocked element. Then again I use ad-muncher to complement outpost firewall's ad-blocking and content filtering modules, so I then took a look at ad-muncher's log, again expecting to see something wild- all I got was this, which is nothing major:

    Default filter match - No filtering on URL: /jquery.js [http:**/jquery.js]
    Removed suspected web bug [htt:**]
    Default filter match - No filtering on URL: /jquery.js [http:**/]
    Prevented site from changing the browser status bar [http://**] I just don't get it,a...in the web pages themselves. thoughts? ???
     
  13. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Did you get the second link with porn tube that require new active X for Video.the first link was wrong.I tested this with NOD32 4 beta another post.My testing files was also sent to VT which only a few scanners detected at first and more at a latter the link is not clean.I will recheck it again.
     
  14. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Ahhhh, I see now, the web page itself was clean, but when you click to watch a video,you're prompted to install a "video activex object". I downloaded and ran the executable, at which point it tried to access the internet and evoke a command prompt -I allowed the calling of the command prompt through outpost's h.i.p.s. module, but sandboxie denied any access to the internet, and that's as far as anything went, nothing else tried to happen and I could test no further.

    But back on topic, this kind of thing is easily handled by h.i.p.s. apps like malware defender, I imagine it could knock it out blindfolded:thumb:

    Excuse me now while I go empty the sandbox:D
     
  15. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Here ya go
     

    Attached Files:

  16. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    and here.
     

    Attached Files:

  17. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Yep, I see it there in the flesh. I am thinking that whatever that activex setup object wants to do, it has to download from the internet in order to do it, because I allowed it to evoke a command prompt, and i'd think that at that point it would install it's malicious code if it was gonna, but when it couldn't access the internet it gave up, so it relys on downloading the rogue code from the net, it's not included in the setup itself (unless you count it wanting to download crapware to begin with). Then again, as your screenshot points out, they're all trojan downloaders, so it's fairly obvious :D Any rate, I grabbed a handful of the buggers and dumped the sandbox on top of 'em, whereupon they scurried away crying and squealing :D
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    very impresive john:thumb: good test
     
  19. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    thanks Chrome Sturmen for testing,lots of fun:D perhaps not for some folks that explore these areas not knowing what lurks behind the seens.Somebody worst nightmare waiting to happen.
     
  20. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Thank you jmonge I am know expert here just a amateur but thank you for the compliment.
     
  21. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    you did very good man and you have a big wepon in your hands:thumb:
     
  22. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    I decided to have some fun with the malicious code that the activex video object downloads and installs on the system :D

    it starts out like so, when you click on a video to watch:


    Snap1.jpg

    once you run the setup, it connects to this site to download the malware, i assume:

    Snap2.jpg

    upon being allowed to do so,it downloads and runs these exes:

    Snap3.jpg
    Snap4.jpg
    Snap5.jpg

    continued...
     
  23. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    Snap6.jpg

    one of the exes launches a command prompt
    Snap7.jpg

    evokes rundll32.exe
    Snap9.jpg

    br41.exe? oh my
    Snap10.jpg

    all of which culminates in the lovely virus response lab 2009, a definite security addition for any antimalware aficinadio :thumbd: :thumbd:
    Snap11.jpg

    seems clicking "watch video" can be a dangerous affair these days of late :D
     
  24. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Nice,rather more informative details of the variants:thumb:
     
  25. chrome_sturmen

    chrome_sturmen Registered Member

    Joined:
    Apr 29, 2006
    Posts:
    785
    Location:
    Sverige
    enjoyed it, we should do it again sometime (you buy the beer?)
     
Loading...
Thread Status:
Not open for further replies.