DefenseWall Test Part 2 (continued)

Published by nicM and Kareldjag

Part 2 (continued)

b) Worms and viruses

* With Feebs: the .hta file launches IE on a fake “hotmail.com secure mail server” link; mshta.exe runs untrusted too. Apart from the 100 % CPU annoyance, nothing happens once the untrusted processes are killed. Passed.

* With P2P Silly (eMule was installed to perform the test): once run, the executable simulates an execution error, but its action is blocked by DefenseWall. Passed.

* With WormRay: it copies files into the Windows directory, tries to set itself to restart via the Run key, and tries to alter various system settings. All of this is blocked by DefenseWall, and the MSTray.exe file never starts. Passed.

* With Ganda: the files created in the Windows directory are never executed, because the Run key is blocked. Passed.

* With Virus: once launched, its Run key is blocked by DefenseWall, and a global hook is blocked too. The only remaining trace, once the process is killed, is a registry entry, which can be cancelled. Passed.

c) Script protection

* With Finjan VBS: wscript.exe is launched untrusted, but DefenseWall doesn’t prevent it from creating the “you’ve been hacked” folder. However, the script fails to pick up any personal files if the “Secured files” feature is used to protect them (with the whole “My Documents” folder protected). Passed.

* With GesWall script: the script was launched from C: (it doesn’t work from CD), and it was only able to show a popup about deleting some documents, and to close the open Explorer window. All startup registry entries were blocked, as was an attempt to rename a file in “My Documents”, although that file was not in the “Secured files” area. The attempts to change the size of / overwrite notepad were blocked too. Passed.

NB: the following attempts were blocked:

 - To set value gswdemo within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 - To set value Shell within the key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

 - To create new key HKCU\Software\Policies\Microsoft\Windows

 - To create new key HKCU\Software\Policies\Microsoft\Windows\System\Scripts

 - To set value LOAD within the key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows

 - To set value Common Startup within the key HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

 - To set value Startup within the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

 - To create new file C:\Documents and Settings\Nmina\Menu Démarrer\Programmes\Démarrage\gswdemobd.lnk (= startup folder).
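The writes blocked above are the classic Windows autostart locations. As an added example (not code from this review or from DefenseWall), the Python classifier below flags attempted registry and file writes that hit exactly those locations, run over constructed events mirroring the list; the event format, the user name in the startup-folder path and all function names are assumptions.

```python
import re

# Added example (not the report's code): classify attempted registry/file writes against the
# autostart locations the DefenseWall log showed for the GesWall demo script. Entries are
# (subkey, value name or None, label); more specific keys come first since matching is by prefix.
AUTOSTART_LOCATIONS = [
    (r"software\microsoft\windows\currentversion\run", None, "Run key"),
    (r"software\microsoft\windows nt\currentversion\winlogon", "shell", "Winlogon Shell replacement"),
    (r"software\microsoft\windows nt\currentversion\windows", "load", "Load value (win.ini-style autostart)"),
    (r"software\microsoft\windows\currentversion\explorer\shell folders", "startup", "Startup folder redirection"),
    (r"software\microsoft\windows\currentversion\explorer\shell folders", "common startup", "Startup folder redirection"),
    (r"software\policies\microsoft\windows\system\scripts", None, "Group Policy logon script"),
    (r"software\policies\microsoft\windows", None, "Policy key creation (precedes logon script)"),
]
HIVE_ALIASES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm"}
# Startup folder under the Start Menu, English or French ("Menu Démarrer\Programmes\Démarrage").
STARTUP_FOLDER = re.compile(r"(start menu\\programs\\startup|menu démarrer\\programmes\\démarrage)\\", re.I)

def normalize_key(key):
    """Lower-case, drop stray whitespace around path components, and shorten long hive names."""
    parts = [p.strip() for p in key.lower().split("\\") if p.strip()]
    parts[0] = HIVE_ALIASES.get(parts[0], parts[0])
    return "\\".join(parts)

def classify_event(event):
    """Return a technique label for one event, or None if it does not touch an autostart location."""
    if event["type"] == "create_file":
        return "Startup folder shortcut" if STARTUP_FOLDER.search(event["path"]) else None
    hive, _, subkey = normalize_key(event["key"]).partition("\\")
    value = (event.get("value") or "").strip().lower()
    for loc_subkey, loc_value, label in AUTOSTART_LOCATIONS:
        in_key = subkey == loc_subkey or subkey.startswith(loc_subkey + "\\")
        if in_key and (loc_value is None or value == loc_value):
            return f"{label} ({hive.upper()})"
    return None

def audit(events):
    """Return (label, target) pairs for every event that hits an autostart location."""
    return [(lab, ev.get("path") or ev["key"]) for ev in events if (lab := classify_event(ev))]

# Constructed sample: the eight blocked attempts listed above, plus one benign write.
SAMPLE_EVENTS = [
    {"type": "set_value", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "gswdemo"},
    {"type": "set_value", "key": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "value": "Shell"},
    {"type": "create_key", "key": r"HKCU\Software\Policies\Microsoft\Windows"},
    {"type": "create_key", "key": r"HKCU\Software\Policies\Microsoft\Windows\System\Scripts"},
    {"type": "set_value", "key": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows", "value": "LOAD"},
    {"type": "set_value", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "value": "Common Startup"},
    {"type": "set_value", "key": r"HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "value": "Startup"},
    {"type": "create_file", "path": r"C:\Documents and Settings\Nmina\Menu Démarrer\Programmes\Démarrage\gswdemobd.lnk"},
    {"type": "set_value", "key": r"HKCU\Software\GesWallDemo\Settings", "value": "LastRun"},  # benign: not an autostart location
]
```

Calling `audit(SAMPLE_EVENTS)` flags the eight blocked attempts with their technique and leaves the benign settings write alone.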

* With Dhello virus: wscript.exe is launched untrusted, but many infected copies of files are created all over the computer (all files in “My Documents” except the “Secured” area, and all shortcuts on the Desktop); the only unaffected files are system files (C:\WINDOWS and Program Files). The only files DefenseWall protected were those likely to be restarted after a reboot (judged by their location, not by whether they had actually been set to restart). Failed.

e) Spyware/adware and CoolWebSearch

* With Trytofind toolbar: once the Smart Web Inc ActiveX is launched, a payload is downloaded and executed, but all changes are either prevented or tracked by DefenseWall.

Then, when I restart IE after the spyware setup, there’s no TrytoFind toolbar. I can just see a new ActiveX listed among the BHOs that “were used” by IE, but it’s not in use, of course. Test passed.

* With IEPlugin: this one is impressive; it could deserve a page of its own... No fewer than 22 executables are launched during infection. Result: the desktop bar is installed (although running untrusted, of course), and the ZenoSearch spyware is active, causing every search to open floods of popups along with fake search-result IE pages.

Several global hooks are blocked by DefenseWall, but several of the spyware components are listening to what’s happening on the computer.

But once the untrusted processes are closed, the computer is clean, and so is IE: nothing was added to startup, so a HijackThis (HJT) log I made after a reboot was actually clean. All that is left are the files, folders, registry keys and values, which are all in the Rollback panel, ready to be deleted.

So even though some of the spyware components were installed and working during the infection, all was clean once the untrusted processes were closed. Test passed.

* With Voonda toolbar for Firefox: the toolbar is installed, but once Firefox is restarted, it’s gone. Not even listed in the extensions. Test passed.

* With 180 Search Assistant: once launched, the setup file is blocked from adding itself to startup (in several ways), from adding a toolbar, etc. This causes the setup file to hang, using 100 % CPU. But nothing is added to IE once the untrusted processes are closed. Test passed.

* With SaHagent: several hidden instances of IE are launched (with special parameters), and SaHagent is blocked from adding itself to startup, from modifying Winlogon, and from using a global hook (although the hidden IE instances are using WH_MOUSE and WH_KEYBOARD hooks, and saap.exe is using a WH_MSGFILTER hook).

Finally, all files created and launched, and the registry changes that were not blocked, are tracked by DefenseWall, and the computer is clean after closing the untrusted processes. Test passed.

* With 180 Solutions: once executed, the spyware installer detects that it was not successfully installed, and keeps complaining about it (what honest behaviour for a spyware ;):

Test passed.

* With Wintools.A: the spyware copies new files into the Common Files folder and executes several of them, but fails to add itself to startup and to add a toolbar. Searching is not affected in IE, and all files were tracked. Passed.

Part 3

Published in METHODOLOGY
