wallbreaker3, technical details

This should appear to be a not very difficult test, but it is still interesting how different HIPS pass it.

The test can be found here:
http://www.matousec.com/projects/security-software-testing-suite/

What is of the most interest is commandline detection, because it allows to 100% detect suspiciouse activity at the very early stage.

OA 2.1.0.119

 

Hi Alex,

Yes, interesting result.
I've just tried Wallbreaker3 on Comodo with D+ activated and it appears there is no command line analysis carried out.

On starting Wallbreaker3, there is a pop-up stating explorer.exe is trying to execute wallbreaker3.exe

After Allow to start the test, there is another pop-up stating that wallbreaker3.exe is trying to execute cmd.exe

At this stage I guess Comodo is considered to have passed the test because you can block cmd.exe from executing.

If you allow execution of cmd.exe, then a pop-up appears indicating iexplore.exe is trying to connect to internet.

It appears there is no analysis of the command line parameters as in the case of OA.

 

I see you read my post in the other thread before bluezanetti deleted it.
Good .

Although it would be nice if you made the thread for several tests instead of just wallbreaker3.

 

Thanks for the test ! What about EQSecure ?

PS. I saw it in your sign

 

wallbreaker3.exe (from SSTS) does almost the same as wallbreaker test 3 (calling cmd.exe to call explorer.exe to start iexplore.exe) but there are some small differences:

2 differences between the "old" wallbreaker test 3 and wallbreaker3.exe:
* "old" WB3 causes an alert (comodo) about Service Control Manager (like almost every software ) but it doesn't affect the result of the test.
* "old" WB3 creates a .bat file, matousec's WB3 not

 

He also deleted mine

I see no probs with the other tests, but they are too numerous and it can get crowded. Some of them are almost duplicates. But first I'd really want to see info about other HIPS. EQSecure, ProSecurity, OutPost. I have two more tests to ask for, but after cmdline processing will be more clear.

 

EQS and Outpost exceed the test at the same way as OA. First is detected the launch of wallbreaker.exe then attempting to start cmd.exe, then explorer.exe for the opening web page.

 

EQS Pop-up's

http://img150.imageshack.us/img150/4787/pu1xc3.jpg

http://img100.imageshack.us/img100/4056/pu2fj4.jpg

http://img237.imageshack.us/img237/2360/pu3es9.jpg

http://img237.imageshack.us/img237/1796/pu4kb5.jpg

 

I must confess, I'm not exactly sure about what this test's intention is. From what I saw in the source code, it atempts to download something from a site (matousec), and checks the downloaded data for a pattern. But if the data was sent, without any response, it also means that the firewall leaked.

As for the command line parameters detection of OA, it seems that it finds that '?' to be suspicious. If I use an address like http://www.somesite.com/StolenPasswordIsHere instead of http://www.somesite.com/get.php?StolenPasswordIsHere OA will find nothing suspicious. Of course, in the first case I will get a 404 from www.somesite.com, but the data was sent.

 

There is a way for improvement, of course. But my interest was of a different kind. Commandline in kernel is not available when ntcreateprocessex is invoked. So it was interesting to know either anobody care of it at all.

Great. almost everybody care in that or other way. Then another interesting test: dnstest from the same pack. almost every pack passes it, due to execution control. But then the test infects a lanched process entry point in very interesting way. So the same question about it. What do I mean:

 

Alex,

I cannot seem to reproduce your final red pop-up message with the command line parameters.

Is there any difference between AV+ version and non-AV+ version?

 

As far as I know there should not be any difference in HIPS. AV only checks a file at startup against virusbase. To get it clear remove exe from the programlist before to run.

 

Wallbreaker3 is definitely not in the program list. When I run wallbreaker3, I get 3 pop-ups but the third one is exactly the same as the second one and it is not red and there are no command line parameters.

 

Then this is to Mike, I think. Looks like a bug.

 

do you have the ssts.conf in the same folder as wallbreaker3.exe?

 

Yes it is.
The program doesn't run correctly if it isn't.

 

If you not object, could you tell about EQSecure and dnstest ? It's really very interesting.

 

Alex,

Pop-up's by EQS/OA in response to dnstest.exe
Program Guard in OA disabled.

 

Please, guys. Can somebody test it with Outpost, Comodo, KIS, ProSecurity ?

 

Which test? Wallbreaker3?

These are the popups from prosecurity after running Breakout3, I allowed all until IE attempted network access (not pictured)

 

"Cmd.exe start with new command " by PS is something I see first time by a HIPS- seems a nice filter.

Any other HIPS has such an option?

 

First post on thread, shows OA actually showing the command line parameter.

 

Thanks for wallbreaker3, but another interesting example is dnstest (not old dnstester, but new dnstest). The interesting point of dnstest is it is two layered. After simple first level with execution control alert, entry point infection happens.

 

Results of dnstest against PS:-

 

Thanks, super. Prosecurity passed 100%