New security test: DFK Threat Simulator (DFKTS)

Discussion in 'other security issues & news' started by nick s, Oct 24, 2005.

  1. nick s, Registered Member
    Wilders Team note from SunBlog:
    Note this is only for highly experienced users. Don’t play with this thing unless you really know what you are doing.

    Courtesy of Sunbelt BLOGS, I found an interesting new security test: DFK Threat Simulator (DFKTS). Quoting from the overview:

    "Although the security community has relied on the "Eicar Antivirus Test File" for years, the complex advances in malware requires a more modern and thorough threat simulation. To this end the "DFK Threat Simulator" was created. Bundling a declawed collection of dropper, rootkit, virus, trojan, spyware, keylogger, leaktest, and alternate data stream technology, the DFK Threat Simulator is a serious representation of the modern dangers facing computer users today."

    It is for advanced users. Before you decide to try it, keep in mind the warnings at the bottom of the page, including:

    "DO NOT run this simulator if...
    4. You do not mind reformatting the machine you are installing it on (in case it crashes).
    5. You think "ReadMe" files are pointless and never read them."


    Nick
  2. AvianFlux, Registered Member
    Very cool.

    Wish I had a junk PC to run it on. Not in the reformatting mood right now.
  3. dog, Guest

    I look forward to testing this out. :D Which I will do either later tonight or tomorrow ... I'm looking forward to the experience. :cool:

    Thanks Nick ;)

    Steve
     
  4. bigc73542, Retired Moderator, SW. Oklahoma

    I'll just take their word that it works. My comp is working too well at this time. ;)
     
  5. Rico, Registered Member, Texas

    Hi Guys,

    Looks interesting/tempting, but I think I'll side with Bigc, this time.

    rico
     
  6. Rmus, Exploit Analyst, California
    I ran the test this evening.

    Here are my results

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  7. dog, Guest

    Nice little run through, Rich ;)

    I ran it myself just now ... as a precursor to any kind of documentation of the fun. Here's a preliminary log of its actions ...
    I'll have to look at it a little more yet. ;) I'll try to document it with both PG's protection on and off. ;) As well as log the keys/values in the registry that are modified.
     
  8. Rmus, Exploit Analyst, California
    Quite a bit of action going on behind the scenes!

    Is that log from PG?

    -rich
     
  9. dog, Guest

    Yes that's PG ;)

    I'll have to set RD to monitor each registry hive completely to get a better picture of those modifications - With my current setup there are lots of changes/modifications, but I'd like to see them all. :ninja:

    I'll also have to let it run -free- (aka: no PG protection) to see the unprotected results. Which should be very interesting. :cool:

    Steve
     
  10. Nice, they combined all the individual threats into one packaged payload for people to test.

    I don't intend to test this, because based on what I have already seen, it isn't really going to do anything unexpected that I haven't tried individually.

    Basically it runs Optix, which tries to shut down a boatload of security programs plus phone home.

    At the same time, it runs a shitload of other stuff that is hidden by Vanquish the rootkit. Included are Thermite, EICAR, crippled versions of a keylogger, "spyware" and NTFS hidden popups.
     
  11. dog, Guest

    Hmmm ... well I've run it several more times with both PG on/off as well as disabling other protections. -Fun Stuff- :D

    I thought I'd post a few more screen shots. This SS is of the vanquish folder; which under normal circumstances would be hidden by the rootkit, also included in the shot is notepad showing part of the keylogger text file.

    *puppy*
     
  12. dog, Guest

    It drops 3 other files besides the initial drop in the temp folder and those shown above.

    Within C:\Windows it drops vanquish.exe & vanquish.dll, as well as vanquish.log in C:\

    Interestingly enough, the BlackLight Beta finds all the hidden files
    Code:
    10/26/05 01:43:50 [Info]: BlackLight Engine 1.0.24 initialized
    10/26/05 01:43:50 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    10/26/05 01:43:50 [Note]: 4019 4
    10/26/05 01:43:50 [Note]: 4005 0
    10/26/05 01:43:50 [Error]: 3027 5
    10/26/05 01:43:50 [Error]: 3002 0
    10/26/05 01:43:52 [Note]: 4006 0
    10/26/05 01:43:52 [Note]: 4011 572
    10/26/05 01:43:52 [Note]: 4009 0
    10/26/05 01:43:52 [Note]: FSRAW library version 1.7.1013
    10/26/05 01:43:58 [Info]: Hidden file: C:\WINDOWS\vanquish.dll
    10/26/05 01:43:58 [Note]: 10002 1
    10/26/05 01:43:58 [Info]: Hidden file: C:\WINDOWS\vanquish.exe
    10/26/05 01:43:58 [Note]: 10002 1
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\0wn3d.exe
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\ads.cmd
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\delnext.exe
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\elsave.exe
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\keylog.txt
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\runtime.exe
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\Win32a.cmd
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\Win32k.exe
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\Win32l.exe
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\Win32r_vanquish\bin\bind.exe
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\Win32r_vanquish\bin\vanquish.dll
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\Win32r_vanquish\bin\vanquish.exe
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\Win32r_vanquish\installer.cmd
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\Win32r_vanquish\setup.cmd
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\Win32s.exe
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\XYNTService.exe
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\XYNTService.ini
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\XYNTService.log
    10/26/05 01:44:01 [Note]: 10002 3
    10/26/05 01:44:02 [Info]: Hidden file: C:\vanquish.log
    10/26/05 01:44:02 [Note]: 10002 1
    10/26/05 01:44:35 [Note]: 4007 0
    
    And TDS does flag the Optix trojan running in Memory (Screen Shot Below)

    *puppy*
     

    Attached: DFK4.jpg
  13. Rmus, Exploit Analyst, California
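The BlackLight log posted above is the kind of output a responder has to triage by hand. The following is an added example (not code from the thread, and not part of BlackLight or the DFK simulator) that parses lines of that log format, pulls out the "Hidden file:" entries, groups them by directory and flags hidden executables and anything hidden under the Windows directory. The sample lines are a subset copied from the log above; the numeric argument on the "[Note]: 10002 n" line that follows each hidden-file entry is undocumented on the page, so it is carried along unchanged rather than interpreted. The system-directory list is an assumption based on the XP layout in the log.

```python
"""
Added example (not from the thread): triage "Hidden file:" entries in an
F-Secure BlackLight log of the format posted above.
"""
import re
import ntpath
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\]: (?P<msg>.*)$")
HIDDEN_RE = re.compile(r"^Hidden file: (?P<path>.+)$")
NOTE_RE = re.compile(r"^(?P<code>\d+) (?P<arg>-?\d+)$")

# Assumption: XP-style layout; a hidden binary here is a strong rootkit indicator.
SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32")

# Subset of the log posted in this thread, used as sample input.
SAMPLE_LOG = r"""
10/26/05 01:43:50 [Info]: BlackLight Engine 1.0.24 initialized
10/26/05 01:43:50 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/26/05 01:43:50 [Error]: 3027 5
10/26/05 01:43:58 [Info]: Hidden file: C:\WINDOWS\vanquish.dll
10/26/05 01:43:58 [Note]: 10002 1
10/26/05 01:43:58 [Info]: Hidden file: C:\WINDOWS\vanquish.exe
10/26/05 01:43:58 [Note]: 10002 1
10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\ads.cmd
10/26/05 01:44:01 [Note]: 10002 3
10/26/05 01:44:01 [Info]: Hidden file: C:\Program Files\Vanquish Media Group\keylog.txt
10/26/05 01:44:01 [Note]: 10002 3
10/26/05 01:44:02 [Info]: Hidden file: C:\vanquish.log
10/26/05 01:44:02 [Note]: 10002 1
10/26/05 01:44:35 [Note]: 4007 0
""".strip()


def parse_blacklight(text):
    """Return hidden-file records: {ts, path, dir, name, note_arg, in_system_dir}."""
    records = []
    pending = None   # last hidden-file record, waiting for its "[Note]: 10002 n" line
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        h = HIDDEN_RE.match(msg)
        if level == "Info" and h:
            path = h.group("path")
            d, name = ntpath.split(path)
            pending = {
                "ts": m.group("ts"), "path": path, "dir": d, "name": name,
                "note_arg": None,
                "in_system_dir": d.lower().rstrip("\\") in SYSTEM_DIRS,
            }
            records.append(pending)
        elif level == "Note" and pending is not None:
            n = NOTE_RE.match(msg)
            if n and n.group("code") == "10002":
                pending["note_arg"] = int(n.group("arg"))   # undocumented; kept as-is
            pending = None
        else:
            pending = None
    return records


def summarize(records):
    """Group hidden file names by directory, most-populated directory first."""
    by_dir = defaultdict(list)
    for r in records:
        by_dir[r["dir"]].append(r["name"])
    return dict(sorted(by_dir.items(), key=lambda kv: -len(kv[1])))


def suspicious_extensions(records, exts=(".exe", ".dll", ".sys", ".cmd")):
    """Hidden executables and scripts: the files to pull for analysis first."""
    return [r["path"] for r in records
            if ntpath.splitext(r["name"])[1].lower() in exts]


if __name__ == "__main__":
    recs = parse_blacklight(SAMPLE_LOG)
    for d, names in summarize(recs).items():
        print(f"{d}: {len(names)} hidden file(s)")
    print("hidden in system dir:", [r["path"] for r in recs if r["in_system_dir"]])
    print("executables/scripts:", suspicious_extensions(recs))
```

On a real run, feed the full log file to parse_blacklight and compare the flagged paths against what Explorer and dir show; a file BlackLight reports that the normal API view cannot see is exactly the discrepancy a rootkit produces.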
    Nice screen shots - what did you use to display the hidden Vanquish folder?

    What else was in the keylogger file? Did it pick up any keystrokes, or just capture your logs?

    In your post #7 the log shows projector.exe (the launcher) and swfactive.exe (the Optix trojan) as being allowed to run.

    Shouldn't PG have blocked those as unauthorized executables?

    -rich
     
  14. dog, Guest

    Regarding post # 7 -> I allowed them ;) (I have to say, Rich, PG is quite amazing ... something I'd never run without it ... the next comment really demonstrates its usefulness.)

    To show the Folder - I used PG to block the installation of the vanquish service so the rootkit wasn't active. :ninja: :p

    Rootkit revealer also finds Vanquish (Screen shot Below)
     

    Attached: DFK5.jpg
  15. dog, Guest

    One last screen shot for tonight ... once I let it run completely without #ANY# protection ... upon a reboot they let you know you're Own3d. :cool:
  16. Rmus, Exploit Analyst, California
    I thought that might be the case, from what I've read about PG's execution protection. Yes, it is an amazing product.

    Thanks, Steve, for the time taken to do all of that scanning!

    I hope from our results, people realize what today's types of malware can do. Granted, according to their site this is a bundling of known exploits, but most people probably haven't actually seen a rootkit in action. (I hadn't until now)

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  17. I think the value of PG doesn't lie in execution protection; most users would not know or care about blocking swfactive.exe, for example. Personally I wouldn't either: when I run an installer, I routinely get a lot of different processes running as they hand off to one another.

    More critical is that it blocks driver installs, and modification/termination of processes. That knocks out vanquish, makes optix termination killer useless and as a side effect also blocks thermite. Of course, if the user is determined to run the package, he would allow driver installs.....
     
  18. Notok, Registered Member, Portland, OR (USA)
    Not necessarily for a little joke "funny" program. I think anyone smart enough to find PG would be smart enough to know that a simple humor program shouldn't be installing a driver. There will always be some, though.. and I agree with your other points, for sure.
     
  19. Rmus, Exploit Analyst, California
    Agreed - I was commenting on seeing their execution allowed in Dog's log, not sure if he had PG on or off.

    When running an installer, don't drivers get installed? .dll, .sys files also? - How would you know if they are legit or not?


    -rich
    ________________
    ~~Be ALERT!!! ~~
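Rich's question above (how do you tell whether the .sys or .dll an installer drops is legitimate?) has a first-pass technical answer: check whether the file carries an embedded Authenticode signature, and then verify who signed it. The following is an added example, not code from the thread, from Process Guard or from the DFK simulator. It reads the Security data directory (index 4) of a PE file's optional header, which for this directory holds a raw file offset to a WIN_CERTIFICATE structure, and reports whether a signature blob is present. Presence only means the file claims to be signed; the chain still has to be verified with a real tool (signtool verify /pa, or PowerShell's Get-AuthenticodeSignature) before trusting the binary. The PE images built by build_pe32 are constructed in memory purely as fixtures and are not loadable binaries.

```python
"""
Added example (not from the thread): detect an embedded Authenticode
signature in a PE file (.exe/.dll/.sys) by parsing the Security directory.
"""
import struct
import sys

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode: PKCS#7 SignedData


def authenticode_info(data):
    """Return {'pe', 'signed', 'cert_type', 'cert_len'} for a PE image held in memory."""
    out = {"pe": False, "signed": False, "cert_type": None, "cert_len": None}
    try:
        if data[:2] != b"MZ":
            return out
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return out
        coff = e_lfanew + 4
        (size_opt,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
        opt = coff + 20
        (magic,) = struct.unpack_from("<H", data, opt)
        # Data directories follow the standard + Windows-specific fields.
        if magic == PE32_MAGIC:
            dirs = opt + 96
        elif magic == PE32PLUS_MAGIC:
            dirs = opt + 112
        else:
            return out
        out["pe"] = True
        entry = dirs + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
        if entry + 8 > opt + size_opt:       # header declares fewer than 5 directories
            return out
        # For the Security directory the first field is a file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from("<II", data, entry)
        if cert_off == 0 or cert_size < 8 or cert_off + cert_size > len(data):
            return out
        # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate[]
        length, revision, ctype = struct.unpack_from("<IHH", data, cert_off)
        if length > cert_size or revision not in (0x0100, 0x0200):
            return out
        out.update(signed=True, cert_type=ctype, cert_len=length)
    except struct.error:
        pass   # truncated header: treat as not a sane PE / unsigned
    return out


def build_pe32(cert=None):
    """Construct a minimal PE32 header, optionally with an appended certificate table (fixture only)."""
    opt_size = 96 + 16 * 8                                    # fields + 16 data directories
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 94
    dirs = bytearray(16 * 8)
    blob = b""
    if cert is not None:
        blob = struct.pack("<IHH", 8 + len(cert), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert
        headers_len = len(dos) + 4 + len(coff) + opt_size     # blob is appended right after headers
        struct.pack_into("<II", dirs, IMAGE_DIRECTORY_ENTRY_SECURITY * 8, headers_len, len(blob))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + blob


if __name__ == "__main__":
    for name in sys.argv[1:]:
        with open(name, "rb") as f:
            print(name, authenticode_info(f.read()))
```

Run it as `python check_sig.py C:\WINDOWS\vanquish.dll C:\WINDOWS\system32\drivers\*.sys` on the box after an install: unsigned kernel drivers and DLLs dropped into the Windows directory are the ones to question, and a file that does claim a signature still needs the chain checked against a trusted root before it counts as legitimate.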
     