Web based keylogger test

Discussion in 'other anti-malware software' started by CloneRanger, Oct 27, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    See how your defences stack up against this simulated attack :D

    https://ie.microsoft.com/testdrive/browser/mixedcontent

    https://ie.microsoft.com/testdrive/browser/mixedcontent/assets/woodgrove.htm

    FF v3.6.11 - XP/SP2 - Admin

    Using NoScript to toggle scripts on/off

    [screenshots: scr-https.gif, scr.gif]

    If I test by separately ONLY allowing - https://ie.microsoft.com - and then retest by separately ONLY allowing - http://ie.microsoft.com - it didn't work?

    However, if I allowed both at the same time it worked?

    [screenshot: 1.gif]

    I copied/pasted some text into the PW box, which didn't work :)

    [screenshot: c-p.gif]

    So directly entering data with scripting enabled works, but with scripting enabled & copy/pasting I was secure.

    I got NO alerts from Prevx/Zemana or anything else?

    *

    overangry :thumb: has a Prevx thread about it - www.wilderssecurity.com/showthread.php?p=1773983#post1773983 - but as it's not just specific to Prevx I thought it best not to go off topic and to start this thread
     
    Last edited: Oct 27, 2010
  2. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Interesting post!!! I got no alerts either from SpyShelter... Prevx was very silently watching this :mad:
     
  3. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    IE8 with the highest security template from Microsoft Security Compliance Manager failed. ;)
    I don't think Prevx / SpyShelter / Zemana would be capable of protecting from this.

    Hey Kernelwars, does your Avast Free have "Web Shield" ON? Did it block anything from this test?
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Last edited: Oct 27, 2010
  5. adrman

    adrman Registered Member

    Joined:
    Jun 23, 2010
    Posts:
    18
    OA Premium with Emsisoft AM, Win7/64, FF 3.6.11 set "run safer" on my test system was silent as well. I've yet to try the site on my other, NIS2011 setup, but I'm not optimistic.
     
  6. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,744
    Location:
    New York City
    PE Guard 2 fails as does the Firefox add-on Perspectives 4.0.
     
  7. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    I was shocked to see KeyScrambler Pro fail. :mad: Can anyone test it against DefenseWall? Or GeSWall?
     
  8. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    That's bad news buddy :) Let's see if someone tests DefenseWall ;)
     
  9. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    Sorry for the late reply... I have been thoroughly mad... Avast was silent as well... But I don't know how the Pro version will react with Script Shield on :doubt:
     
  10. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    J, how did ESET deal with it?
     
    Last edited: Oct 27, 2010
  11. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Actually Cloneman, IMO, copy/paste fails as well :( After you copy/paste, just hit one key on your keyboard and you'll see it already captured the copy/paste text :ouch:

    And Thanks Cudni for re-opening!
     
  12. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    GeSWall fails, so probably DefenseWall and Sandboxie would fail as well.

    The only things that work are to verify that you actually have a legitimate HTTPS transaction (check the certificate if you feel paranoid) or to disable JavaScript.
     
    Last edited: Oct 27, 2010
  13. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    How is Opera handling this? Can anyone please test?
     
  14. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
  15. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Showed safe in the beginning, then the message changed to say I was in danger.
    And failed to protect. Current setup is in sig (using latest Chrome :cool: :D)
     
  16. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,744
    Location:
    New York City
    ESET is silent -> FAILS.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I think this test is just useless. They added a browser feature that doesn't exist in other browsers, so they will fail the test with defaults. Just wait and see other browsers adding something like this too.

    Also, being something inside the browser, your security applications can't protect against it. I will give an example. Can any security application intercept an XSS attack in the browser? No, definitely not.

    BTW, the browser will tell you that it's a mixed content page (HTTP plus HTTPS).
     
  18. Kyle1420

    Kyle1420 Registered Member

    Joined:
    May 27, 2008
    Posts:
    479
    There's one problem. Even if NoScript does pass, that's because you disabled scripting... If the site was legitimate then you'd need to allow the script to log in, right?
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yes, and NOT only a legitimate www but a phish one too!
     
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I've been re-thinking about this test.

    1 - Can this be described as a "Man in the Browser attack"? If so PSOL, at least, is supposed to protect against such things! If it isn't, what's the official terminology for it?

    2 - Any www HTTP/HTTPS we need to enter a PW/user name etc. on obviously already has our data stored somewhere in its database, otherwise we couldn't log in. So it appears to me that this test is hardly stealing anything, as the www has our data already. Even if a www was a full SSL login, or not, the stored data might not be encrypted, so I'm thinking they can retrieve it locally at their end, if they wanted to?

    *

    Copy/Paste re-test

    [screenshot: un.gif]

    Allowed scripts

    [screenshot: cpt.gif]

    Yes you're right :thumb: I missed doing that :( Thanks
     
  21. Jav

    Jav Guest

    I agree with you.
    As I have been saying in the Prevx forum.

    It is not really that big a threat. It is really easy to spot.
    You will see that it IS mixed content with almost any browser.

    And it is not something new.
    Look at the date of the articles Microsoft links.
    http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html (February 2009)
    http://37signals.com/svn/posts/1431-mixed-content-warning-how-i-loathe-thee (November 2008)

    And this is from an article written almost 2 years ago... :rolleyes:
    As you can see, in 2008 both Firefox and IE already had a warning for mixed content.

    No, it is not in the browser.
    It is a man-in-the-middle attack.

    2 - As I said, it is man-in-the-middle.

    It theoretically can be exploited:
    Simple example, let's say:
    a) you are using public WiFi and
    b) logging in to some sensitive site which for some strange reason uses mixed content on the login page.
    c) someone tampers with data in this mixed page. He doesn't touch the SSL connection, so the certificate is still there. But he puts a malicious script into the HTTP connection.

    But I don't think it is really that big of a threat.
    a) Why are you trying to log in while using public WiFi?
    b) Why the hell does your bank (or other site) use mixed content instead of full SSL? The only benefit of using mixed content is:
    Is your bank stupid? Does it want to use the browser cache to speed up browsing but insanely decrease security? (due to caching of sensitive data + this type of attack)...

    Or to use Google ads inside an SSL page... (I will not even comment on this one. It is just stupid.)

    c) Can't you see that something is wrong with your browser? Red skull? Crossed HTTPS? Crossed lock?

    So, I think it is just an exploit which has been there for years, but now it is making such a noise because of a marketing trick by Microsoft.

    I cannot see the point of testing it against AV products...

    P.S. In my opinion, sending session cookies over a non-SSL connection is a way, way bigger threat which can actually be abused. (And somehow it doesn't get half the spotlight this "exploit" does.)

    P.S.2. Anyway, moving to a fully SSL-encrypted internet seems the way to go.
     
    Last edited by a moderator: Oct 28, 2010
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Set "Display mixed content" for both the Internet Zone and Trusted Sites to
    a) Enable -> Disable

    You won't get the prompt Konata mentions (good old 'unsafe' IE8 passes :D) with this fake https. I can't imagine a bank designing a safe tunnel with mixed content, so you can safely set it to Disable. See the picture with GPEDIT.msc disallowing mixed content.

    Please read Aigle's and Jav's responses; it is, as we say in Holland, a storm in a glass of water.

    NB: look at the system tray: only safe-admin and Windows FW 2-way, no icons of security programs
     
    Last edited: Oct 28, 2010
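    Jav's description above (a script slipped into the HTTP half of a mixed page while the SSL certificate stays intact) and Kees's advice to have the browser refuse mixed content both reduce to one question: does an HTTPS page pull anything in over plain HTTP? The block below is an added example, not code from this thread, from Microsoft's test page or from any product named here. It is a standard-library Python scanner that lists a page's http:// sub-resources, separating those that can run code or submit data inside the page (scripts, frames, stylesheets, forms) from passive ones (images), plus a check for the two Content-Security-Policy directives a site operator can send so that browsers block or upgrade such loads. The host names in the sample page are constructed.

```python
# Added example (not code from the thread or from Microsoft's test page):
# a scanner for the sub-resources an HTTPS page fetches over plain HTTP, and
# a check for the CSP directives that make a browser refuse or upgrade them.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose HTTP-loaded content can execute or submit inside the page
# ("active" mixed content); everything else is reported as "passive".
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "link", "form"}
# Attributes that trigger a fetch or a form submission.
URL_ATTRS = ("src", "href", "data", "action")


class MixedContentScanner(HTMLParser):
    """Collect (kind, tag, absolute_url) for every http:// sub-resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            return  # hyperlinks are navigations, not sub-resource loads
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheet links are fetched along with the page
        for name in URL_ATTRS:
            raw = attrs.get(name)
            if not raw:
                continue
            # Resolve relative and protocol-relative URLs against the page URL;
            # "//cdn.example/x.js" on an https page becomes https and is fine.
            url = urljoin(self.page_url, raw.strip())
            if urlsplit(url).scheme == "http":
                kind = "active" if tag in ACTIVE_TAGS else "passive"
                self.findings.append((kind, tag, url))


def scan_mixed_content(page_url, html):
    """Return the list of mixed-content findings for an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # nothing is "mixed" about a page that is plain HTTP anyway
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def csp_blocks_mixed_content(csp_header):
    """True if a Content-Security-Policy header carries a directive that makes
    the browser refuse (block-all-mixed-content) or rewrite to https
    (upgrade-insecure-requests) HTTP sub-resources on an HTTPS page."""
    directives = {
        part.strip().split()[0].lower()
        for part in csp_header.split(";")
        if part.strip()
    }
    return bool(directives & {"block-all-mixed-content", "upgrade-insecure-requests"})


# Constructed sample login page (hypothetical host names, not the thread's URL).
SAMPLE_PAGE_URL = "https://login.example.test/signin"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/jquery.js"></script>
<script src="http://ads.example.test/tracker.js"></script>
</head><body>
<form action="/login" method="post"><input name="pw" type="password"></form>
<img src="http://static.example.test/logo.png">
<a href="http://www.example.test/help">help</a>
</body></html>"""


if __name__ == "__main__":
    for kind, tag, url in scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7s} <{tag}> {url}")
    print("CSP blocks mixed content:",
          csp_blocks_mixed_content("default-src 'self'; upgrade-insecure-requests"))
```

    Run against the sample page it reports the HTTP stylesheet and the HTTP tracker script as active and the logo image as passive; the protocol-relative jQuery URL and the relative form action resolve to https and are not flagged. The end-user fix discussed in the thread (browser setting or NoScript) and the site-operator fix (the CSP directive) address the same finding from opposite ends.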
  23. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Hi Kees, do you perhaps know of a way to disable mixed content in Firefox and Opera? In Firefox I found a warning you could turn on, but you can't let it load the HTTPS content only; in Opera there isn't even a warning.
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No, sorry.

    I am using IE8 and Chrome. IE8 has it built in. Chrome has an extension which prevents entering unsafe passwords. Download here: https://chrome.google.com/extensions/detail/mjpinemnkjlppmemjfabdaelpfgfjgkj

    See it kicking in in picture 1.

    You have to click Options and manually enter the domain name plus suffix, then refresh the page to suppress warnings; see pic 2.

    Regards
     
    Last edited: Oct 29, 2010
  25. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    Here you go..
     