Wormguard Hiding?

Discussion in 'WormGuard' started by Luthorcrow, Jan 3, 2003.

Thread Status:
Not open for further replies.
  1. Luthorcrow

    Luthorcrow Registered Member

    Joined:
    Nov 30, 2002
    Posts:
    56
    Location:
    California
    Hi,

    I just tried the three test files at the bottom of this page from AV Test.org.
    http://www.av-test.org/sites/tests.php3?lang=de#short (2002-11-04)

What was strange was that Wormguard blocked my attempt to open each of these files. I thought TDS-3 would have been the one. Now here is where it got really odd. I closed Wormguard to see what TDS-3 would do and again WG jumped up and blocked each attempt. I tried reviewing my task manager but did not find an open process that looked like WG, and when I did the whole thing over it appeared that I had successfully closed WG, but again it was there doing the block.

    Not that I am complaining, but is it normal for WG to work this way and, if so, was it intended to be opened, click on install, and then closed as an active app but still be active in the OS (i.e. no window/systray, etc.)?
     
  2. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Luthor:

    Did you try to open the Test Results of the 3 files? [sorry, I can't read German]

    I downloaded the one with my cursor in the pic, unzipped it and tried to open it [I do not have xls, so it opened in Notepad as gobbledygook, but still opened]. WG did not jump up on it.

    Am I misunderstanding your post?

    edit: last sentence of your post. Yes, with WG you just hit "install" then X close, and it's working in the background all the time, unless you "Uninstall" the protection [not the program].
     

    Attached Files:

    • test.gif (2.7 KB)
  3. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Once it's installed, it does NOT have to run [on taskbar or sys tray]

    You can do a test to see if it's working.

    Or, in Notepad, create a file [put anything you like in the Notepad], but using the "Any file [*.*]" option, save it with multiple extensions or with excess spaces and then try to execute it and watch WG work.

    test.jpg.exe
    test.jpg exe
    test.vbs

    as long as you have the likes of VBS, SHA, SHS, VBE, HTA etc. in the "Blocked Editor's List".
     

    Attached Files:

  4. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    1 more pic/test shot.

    I created a file called it "test.jpg.exe" and tried to execute it.

    See pic/file on left
     

    Attached Files:
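As an added illustration of the naming tricks this test exercises (example code written here, not WormGuard's own, whose rules are not published on this page): a small checker that flags the kinds of filenames the posts above describe. The extension lists are constructed for the example, with the script types taken from the Blocked Editor's List named above.

```python
import re

# Lists are constructed for this example. The script extensions mirror the
# ones named in the post above (VBS, SHA, SHS, VBE, HTA); the others are assumed.
BLOCKED_SCRIPT_EXTENSIONS = {"vbs", "vbe", "sha", "shs", "hta"}
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd"}
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "txt", "doc", "xls", "pdf"}


def analyse_filename(name: str) -> list[str]:
    """Return the reasons a filename looks deceptive; an empty list means clean.

    Covers the name patterns the thread shows WormGuard reacting to: double
    extensions, whitespace padding before the real extension, and script
    types on the Blocked Editor's List.
    """
    reasons = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return reasons                      # no extension at all
    stem, final = ".".join(parts[:-1]), parts[-1]

    # "test.jpg      .exe": spaces pushed in front of the real extension so a
    # narrow Explorer column shows only the decoy part.
    if stem != stem.rstrip():
        reasons.append("whitespace padding before final extension")
    # "test.jpg exe": whitespace inside the extension itself.
    if re.search(r"\s", final):
        reasons.append("whitespace inside final extension")
    final = final.strip()

    if final in BLOCKED_SCRIPT_EXTENSIONS:
        reasons.append(f"blocked script extension .{final}")

    # "test.jpg.exe": the part before the real extension imitates a harmless type.
    if final in EXECUTABLE_EXTENSIONS and len(parts) >= 3:
        decoy = parts[-2].strip()
        if decoy in DECOY_EXTENSIONS:
            reasons.append(f"double extension: looks like .{decoy}, runs as .{final}")
    return reasons


if __name__ == "__main__":
    for sample in ["test.jpg.exe", "test.jpg     .exe", "test.vbs", "report.xls"]:
        print(f"{sample!r}: {analyse_filename(sample) or 'ok'}")
```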

  5. Luthorcrow

    Luthorcrow Registered Member

    Joined:
    Nov 30, 2002
    Posts:
    56
    Location:
    California
    First, my bad, here is an English version of the same page; the test files are at the bottom as per the German page.
    http://www.av-test.org/sites/tests.php3?lang=en

    Still, I am not sure why it didn't work for you unless it is because you do not have Excel. I did the following steps:

    1. I downloaded each of the test files
    2. Unzipped one test file to my desktop
    3. Double click on the file and I get this warning from WG (see image)

    I'll try your test as well, but I think I tested this with these files. It's just I was expecting TDS-3 to be the one to do it. And then it was a nice discovery to find that the WG app didn't need to be active on the taskbar/systray.

    - Adjusted image borders to fix webpage width problem - LWM
     

    Attached Files:

  6. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Ahhh, now I see your *problem* Luthor.
    First, it did not "alert" to me because it was gobbledygook in Notepad,
    BUT, because you have Excel and it tried to open, the mere fact that what you were opening probably had the words virus/etc. etc. in it is why WG leapt all over it.

    Now this is what you can do. See your pic. On the right hand side, at bottom, select "Safely View File" and in that same window, it will open up the strings, etc.

    I am willing to bet that somewhere in there a code relating to the test or the words virus, etc. triggered off the alarm.

    Actually, LOL, it already says it in the initial window. See that? About the strings then the wording, that's what's in the file.

    Unfortunately, it's better to err on the cautious side than auto run with no warning. :(

    edit: Re TDS alerting. TDS is virtually strictly TROJAN, not worm/code, hence no reaction.
    It will only alert when trying to execute [open] a file and within that file a known trojan exists; not a worm, nor bad coding, but an actual trojan/server that will "phone home", etc.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That's right, WG-3 runs all hidden in the background.
    You might have seen Jason's posting telling WG-4 will have an icon to click for extra functions.
    For me it has been WG jumping up when I was about to open a suspicious file, while in scanning TDS alerts on the nasties if they have suspicious code, not on test files which are not doing anything wrong, except for the GRC leaktest for instance (suppose that one is added on users' request). But jumping up to alert, no, did not happen yet in all those years I have used them both.
    Trying to run a suspicious thing like an attachment from the mailbox, it can happen that my MailSafe alerts in the first place; if I still insist on running it I get the WG warning again, and I expect if I still want to run it, if it's an executable, TDS will scream if it's not safe, but I took the former warnings seriously already so I don't get that far.
     
  8. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Of course Luthor, those Alert Warning Windows appear if some suspicious code, etc. is inside a file.

    This is the warning [modified naturally] you get if you try to actually run a script like VBS if it's in your Blocked Editor's List.
     

    Attached Files:

  9. Justin Smith

    Justin Smith Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    13
    Location:
    New York
    I'm gonna jump in here. WG is working, and I don't mind the way it runs in the deep background...but, I am somewhat alarmed by the fact that it can do this and I can't find WG listed as running anywhere...what other (malicious) programs can do this? I really thought any running process must be on the process list. Of course, 'system' PID 4 is not on the list of running processes, either. Would I like to know what PID 4 is and why it has listening ports!
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Hi Justin,
    Actually, Wormguard is not really running hidden in the background. It isn't a process at all. It's an "execution hook." Here is a quote from Gavin on this:
    Best Wishes,
    LowWaterMark
     
  11. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    With Wormguard 3, when an executable is run the Wormguard 3 DLL is loaded, which then tests the executable and command line for worms. So the DLL isn't loaded at any other time than when an application is IMMEDIATELY being opened.

    This is quite a nice method for resource usage since it uses no resources until a new program is launched and then quickly gives back all the resources until it happens again.

    To my knowledge there is no way to hide processes from task manager, etc under NT/2K/XP so I wouldn't worry too much Justin :D
    -Jason-
     
  12. Justin Smith

    Justin Smith Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    13
    Location:
    New York
    Aha, excellent, I like that! :cool:

    Now if only XP printer drivers could be designed in some similar resource-conserving way! Lexmark litters my system at all times, even when I'm not connected to a printer! :rolleyes:
     
  13. and

    and Guest

    >To my knowledge there is no way to hide processes from task manager, etc under
    >NT/2K/XP so I wouldn't worry too much Justin :D

    You can go stealth using a code or dll inject. The manager won't enumerate modules. :)
     
  14. xor

    xor Guest

    But you have to know how to do this without crashing the host program :D
     
  15. and

    and Guest

    CreasteRemoteThread? SetWindowsHookEx? CreateProcess / WriteProcessMemory / ResumeProcess? Many ways ...
     
  16. xor

    xor Guest

    CreasteRemoteThread o_O :D

    Gives an Unresolved external linker error; without compiling I know this :D
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Why don't you guys open some developers / debuggers forum here somewhere for discussing among the developers, which can be really constructive, and the products and thus the users all will profit from the usage in the various products.
    I can imagine it's a very lonely task to code many hours on a product, so such discussions could be really constructive.
    I mean, the way this thread is leading goes outside the specific WormGuard subject, and even though probably informative for those who know, I think this could best be kept for future generations in a special area like suggested.
    I hope you see the reason and like the idea and find a place to continue the develop-discussions!
    Looking forward to it!
     
  18. and

    and Guest

    CreateRemoteThread - better Mr. "I never produce a typo late at night" Xor *g* :D :D :D :D Just a typo :).
     
  19. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    It would actually be an undeclared identifier since the function isn't declared anywhere, a linker error would be caused by the compiler not finding the actual function after it has been declared. Just clearing that up ;)

    Also I meant there is no way to hide PROCESSES from Task Manager; of course you can inject code into other processes, but that process would still appear in Task Manager.

    -Jason-
     
  20. Blackman

    Blackman Registered Member

    Joined:
    Feb 28, 2003
    Posts:
    14
    As a note of interest ...

    Check out this source... It's for ShowEQ. It injects code into a memory space via rundll32, and waits for EverQuest to launch. This is pretty harmless code (it reads an encryption key) but the method could be used for much more malicious intent.

    URL deleted; method could be used for malicious intent indeed - Forum Admin

    It's a very clever method of getting data without the target .exe knowing (atm anyway).
     