New Leaktest / Security Tool Released - System Shutdown Simulator

Discussion in 'other anti-malware software' started by dmenace, Nov 20, 2007.

Thread Status:
Not open for further replies.
  1. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    Dear Wilders Community,

    As mentioned before, I have discovered a simple design issue in Windows that can circumvent the protection of some security software today.

    This security tool / leaktest is called System Shutdown Simulator (self-explanatory). It is available for download here:

    http://www.geocities.com/zeroday_software/

    This leaktest highlights a new vulnerability that exists when a user shuts down their computer and a program cancels the shutdown. For example, when installing new software, the installation program often asks the user to restart their computer to complete the installation. When the user allows the computer to be restarted, the installation program could potentially compromise the user's computer completely undetected by security software, as these have already shut down.

    A selection of Security Vendors were notified on the 12/11/07 (list kindly supplied by gkweb of firewallleaktester.com). SySafety was contacted earlier however, on the 10/11/07.

    A response has been received from SoftSphere Technologies (DefenseWall HIPS), SySafety (SSM) and Tall Emu (Online Armor).

    If you have any issues please contact me at: zeroday_software@yahoo.com
    The latest release is 1.0.20
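    The shutdown-cancel ordering described above, as a simplified added simulation (not code from the System Shutdown Simulator or from any vendor): Windows asks each process with WM_QUERYENDSESSION, which any process may veto, and sends the final WM_ENDSESSION only if nobody vetoed; a monitor that drops its hooks at the query sees nothing after a veto, while one that waits for WM_ENDSESSION still intercepts. The Monitor and Installer classes and the sample event strings are constructed for this illustration.

    ```python
    """Simulate the Windows shutdown message order the leaktest relies on.

    Simplification: real delivery order between processes is not guaranteed;
    the model only shows why tearing down on the cancellable query is unsafe.
    """
    from dataclasses import dataclass, field

    WM_QUERYENDSESSION = "WM_QUERYENDSESSION"  # cancellable: a window may return FALSE
    WM_ENDSESSION = "WM_ENDSESSION"            # final: sent only if nobody vetoed

    # Constructed sample actions, mirroring the leaktest's step 3 checks.
    SAMPLE_EVENTS = [
        "write HKCU\\...\\Run autostart entry",
        "create EICAR test file",
        "outbound ICMP ping",
    ]


    @dataclass
    class Monitor:
        """Hypothetical HIPS-style monitor; teardown_on picks when hooks are dropped."""
        teardown_on: str
        active: bool = True
        blocked: list = field(default_factory=list)

        def on_message(self, msg):
            if msg == self.teardown_on:
                self.active = False  # hooks removed, GUI gone: nothing is watched

        def on_event(self, event):
            """Return True if the event is intercepted, False if it slips through."""
            if self.active:
                self.blocked.append(event)
                return True
            return False


    @dataclass
    class Installer:
        """Program that vetoes the shutdown (the leaktest's step 2) and then acts."""
        cancels_shutdown: bool = True

        def on_message(self, msg):
            return not (msg == WM_QUERYENDSESSION and self.cancels_shutdown)


    def run_shutdown(monitor, installer, post_cancel_events):
        """Drive the sequence; return the events that were NOT intercepted."""
        monitor.on_message(WM_QUERYENDSESSION)
        if installer.on_message(WM_QUERYENDSESSION):
            monitor.on_message(WM_ENDSESSION)
            return []  # real shutdown proceeds: nothing more runs
        # shutdown vetoed: the desktop stays up and the installer keeps executing
        return [ev for ev in post_cancel_events if not monitor.on_event(ev)]
    ```

    Only a monitor that keeps its hooks until WM_ENDSESSION blocks all three sample actions; the early-teardown design lets every one of them through.
    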
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    I don't suppose your tool has been submitted to EQSecurity yet. It sure would do them some good to review their HIPS vulnerability to it so that they might make the necessary adjustments to protect against it.

    Thanks for your interest and research in this.
     
  3. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    No, haven't notified EQSecurity. :doubt:

    Does anyone know their email address?
     
  4. alfa1

    alfa1 Registered Member

    Joined:
    May 3, 2006
    Posts:
    61
    my mistake....
    i misunderstood the leaktest!
     
    Last edited: Nov 21, 2007
  5. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    alfa1, I think you are supposed to shut down manually from the start menu, not click the shutdown button in the leaktest.
     
  6. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK

    I had it as an either/or :doubt:

    For those interested, SafeSpace passes the Auto Start Registry Key test when the SSS is run in SafeSpace. Well, that's how I'm reading it :)
     
    Last edited: Nov 21, 2007
  7. alfa1

    alfa1 Registered Member

    Joined:
    May 3, 2006
    Posts:
    61
    you are wrong...

    EDIT:
    sorry again...
     
    Last edited: Nov 21, 2007
  8. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    The window says "or". However, I think that checking whether your security software can intercept a shutdown is not the idea. The idea is to check whether your security software doesn't close too early in a shutdown, leaving the computer unprotected against any application that can cancel the shutdown and deliver a malicious payload.

    From SSS:

     
    Last edited: Nov 21, 2007
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  10. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    he/she isn't wrong exactly ....it is either/or :)
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It can be either way, but you need to allow the shutdown prompt by your HIPS to use the actual leaktest (Step 3).
     
  12. alfa1

    alfa1 Registered Member

    Joined:
    May 3, 2006
    Posts:
    61
    ok, i'm very sorry for my mistake...

    I'll try again...:thumbd:
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Very smart leaktest indeed.:thumb: :thumb: :thumb:

    I tested my system:

    1- GesWall - Passed - Eicar test file was isolated and autostart reg entry was virtualized. :thumb:

    2- NeovaGuard - Intercepted autostart reg entry creation (I got a skinless prompt as the GUI was already terminated). Passed :thumb:

    NG however did not intercept the outbound ping, as I think its network monitoring component has no such filter. Also NG has no file protection so it's not supposed to intercept Eicar test file creation.

    3- EQSecure - totally failed. It intercepted creation of neither the Eicar test file nor the autostart reg entry. :thumbd:

    I did not check Antivir as I am not using it in real time, may try later.
     


    Last edited: Nov 21, 2007
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    No problems. Test is really confusing and tricky:) but very nice indeed.
     
  15. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    @aigle

    You are using GesWall 2.7 beta, right? Did you try it vs. the shutdown attempt? Because I still use 2.6 and it failed the shutdown part of the test.

    edit: GesWall stops the machine from being restarted BUT all the program icons near the system clock disappear. Even with them gone, GesWall still stopped the program from creating a registry entry and the Eicar file was indeed created isolated. I just don't get where my icons went ;)
     
  16. alfa1

    alfa1 Registered Member

    Joined:
    May 3, 2006
    Posts:
    61
    ok....

    now i can show you the last pic (sorry again....):

    c.jpg
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    zopzop! I am using 2.7 beta. The test is not about shutdown indeed. The test doesn't even shut down your system completely. It just shuts down the system to the extent that all security software is turned off (Steps 1 and 2). It's at that time that the leaktest simulates some malicious actions (Step 3).

    The Step 2 shutdown is not the real test. It's my understanding of the test.

    Indeed if some HIPS somehow will not allow Step 2 (partial system shutdown), there is no way to test that HIPS against this leaktest. Correct me if I am wrong.
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    What about file creation and outbound ping? PS has file protection and network access modules as I know.
     
  19. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi zopzop

    The tray icons disappearing are part of the test as I understand it.

    Like a fake shutdown but in reality it should close the GUI and you should see the service running in Task Manager.

    This I can confirm with Online Armor and SafeSpace. You will find Returnil shut down completely but no major issue as it will reboot with no changes assuming you were in Session Lock.

    Need to check again now I can find Eicar file whether it is in fact running in SafeSpace.
     
  20. alfa1

    alfa1 Registered Member

    Joined:
    May 3, 2006
    Posts:
    61
    1.JPG

    2.JPG
     
  21. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Ah, I get it now :) Then I can confirm GesWall 2.6 passes this test, since the registry entry was virtualized and the Eicar file was isolated.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Anyone tried:

    DefenceWall
    ThreatFire
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  24. Old Monk

    Old Monk Registered Member

    Joined:
    Feb 8, 2005
    Posts:
    633
    Location:
    Sheffield, UK
    Hi

    Like GesWall, SafeSpace isolates the Eicar file when SSS is run in SafeSpace, so I guess that's a pass as well :thumb:
     
  25. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)