Excel exploit testing


Post by ssj100 on 1/10/2010, 17:05

Finally got my hands on another interesting exploit. Not sure how new this one is, but the file was only detected by 3/41 on VirusTotal (I uploaded it a few hours ago. As you can see below, other black-listing scanners are picking it up now too). As usual, I'll test it on Windows XP, SP3 with various anti-malware mechanisms.

Some details of the file:
"Trojan.Mdropper.xls"
MD5: f1ed085a994e63024c4f866bc5d9e8c2
SHA1: aa7fea3469eb6a94dd89c70b891d6ef157d7b4a1
SHA256: 83a59aea6521e4be5de0ee716527b4796eaa9d59c3e1379a5988083446433091

Note that this file is not a primary executable file - it's a harmless-looking Excel file. All the user needs to do to get infected is to double-click the file (and have Microsoft Excel installed). As far as I can tell, the exploit spontaneously drops a file called "svchost.exe" into the user's temp directory and then spontaneously executes it. This results in a file called "uxtheme.dll" being spontaneously created in the C:\Windows directory. Here are the VirusTotal results for the respective malicious files involved:





_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Excel exploit testing

Post by ssj100 on 1/10/2010, 17:05

Malicious exploit on Administrator account, Windows XP, SP3, 32-bit:

1. Prevx 3.0.5.206: BLOCKED
It's hard to know if Prevx will effectively block this malware (since I only tested it with the free version), but it did detect "svchost.exe". This probably means that if you have the paid version of Prevx, it would have removed/blocked "svchost.exe", thereby rendering the exploit useless. Note that unlike previous testing, I've tested Prevx first, since I wanted to know how well it did against fairly new malware. For this particular malware, it did very well.

2. SRP (setup as described here: http://www.mechbgon.com/srp/ ): BLOCKED
"svchost.exe" is spontaneously created but fails to execute. "uxtheme.dll" fails to be created.

3. Faronics Anti-Executable 2: BLOCKED
Same as with SRP.

4. COMODO Internet Security 5.0.162636.1135 (default configuration): BLOCKED


5. Online Armor Premium Personal Firewall v4.5.0.234 (default configuration): BLOCKED


6. Malware Defender 2.7.2.0001 (default configuration): BLOCKED


7. Sandboxie 3.48: CONTAINED
Of course, Sandboxie can be configured to block all unknown executables too. If so configured, this is what happens:

So for example, if you were to come across this Excel exploit while browsing a website, and you have start/run restrictions enabled, Sandboxie would block this dead, as well as contain it even if you allowed it to run. Such is the power of Sandboxie. "bellgamin" once said that anti-execution was useless. Not so "bellgamin"! As you can see, even for the experienced/advanced user, anti-execution is probably the most powerful form of defence in computer security. Just ask "Rmus".

8. DefenseWall 3.07: CONTAINED
I think it's contained anyway. The system freezes for a short period and Microsoft Excel appears to crash with an error.

9. GeSWall 2.9 Professional: CONTAINED
Similar situation to DefenseWall except the system didn't freeze.

10. Returnil System Safe 2011 v3.2.10303: BLOCKED
Default-deny wins again:


11. AppGuard 1.4.7: BLOCKED

12. PE GUARD 2.2: BLOCKED

I personally feel that PE GUARD has good potential. It's simple and very light on the system. One big weakness is that it is still unable to block (foreign) DLL loading. However, it appears that the developer is working on several extra modules including an anti-keylogging and a port monitoring function. I'm sure it shouldn't be long before DLL blocking is also integrated into this anti-executable.

13. Mamutu 3.0.0.16: BLOCKED
Good to finally see a Behaviour Blocker in action:


14. BluePoint Security 1.0.44.99: BLOCKED


15. ProcessGuard 3.500: BLOCKED

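As an added example (not code from the thread or from any of the tools tested), the dropper behaviour ssj100 describes in the opening post and the SRP result in the second can be written as simple triage rules for process-creation and file-write events: a process named svchost.exe running from anywhere but a system directory, execution from a user-writable path (which a default-deny SRP policy blocks), a process spawned by Excel, and uxtheme.dll being written to C:\Windows instead of System32. The sample events, paths and parent-process names are constructed; the only hash used is the SHA256 the post gives for the .xls.

```python
import ntpath
from dataclasses import dataclass

# The only hash on the page is the SHA256 of the .xls dropper; the payload hashes are not given.
KNOWN_BAD_SHA256 = {
    "83a59aea6521e4be5de0ee716527b4796eaa9d59c3e1379a5988083446433091": "Trojan.Mdropper.xls",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE_HINTS = ("\\temp\\", "\\local settings\\", "\\documents and settings\\")


@dataclass
class Event:
    kind: str          # "process" (image started) or "file" (file written)
    path: str          # full path of the image or of the written file
    parent: str = ""   # parent process image, process events only
    sha256: str = ""   # hash of the file, where available


def triage(ev: Event) -> list:
    # Return the reasons an event looks like the dropper behaviour described in the thread.
    findings = []
    p = ev.path.lower()
    name = ntpath.basename(p)
    if ev.sha256.lower() in KNOWN_BAD_SHA256:
        findings.append("known sample: " + KNOWN_BAD_SHA256[ev.sha256.lower()])
    if ev.kind == "process":
        # The payload is named svchost.exe but runs from %TEMP%; the real one lives in System32.
        if name == "svchost.exe" and not p.startswith(SYSTEM_DIRS):
            findings.append("svchost.exe masquerade: not running from a system directory")
        if any(h in p for h in USER_WRITABLE_HINTS):
            findings.append("execution from a user-writable path (SRP default-deny blocks this)")
        if ntpath.basename(ev.parent.lower()) == "excel.exe":
            findings.append("spawned by Excel: document-borne dropper behaviour")
    elif ev.kind == "file":
        # uxtheme.dll belongs in System32; a copy dropped directly into C:\Windows is suspicious.
        if name == "uxtheme.dll" and ntpath.dirname(p) == r"c:\windows":
            findings.append("uxtheme.dll written to C:\\Windows instead of System32")
    return findings


# Constructed events modelled on the post's description; not real telemetry.
SAMPLE_EVENTS = [
    Event("process", r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
          parent=r"C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE"),
    Event("file", r"C:\WINDOWS\uxtheme.dll"),
    Event("process", r"C:\WINDOWS\system32\svchost.exe", parent=r"C:\WINDOWS\system32\services.exe"),
]


def triage_all(events):
    # Map each event path to its findings; an empty list means the event looks benign.
    return {ev.path: triage(ev) for ev in events}
```

The third sample event is the legitimate svchost.exe started by services.exe and produces no findings, which is the check that the rules do not fire on the real service host.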

Re: Excel exploit testing

Post by noorismail on 2/10/2010, 18:21

Nice test ssj100.
Of course I don't really have a horse in the race, as I do not have Excel on my system.

Still, the anti-executable program results were interesting.

Sandboxie with start/run access limited is great.

ProcessGuard can still do its job, but so many processes!!

PE GUARD does look nice and is as close as anything I have found to the old anti-executable in Returnil 2008.

I kept looking for a GUI, and at last tried the "last resort" of reading the help file, and found it is all done from the tray icon, even though on my system a non-working shortcut is placed on my desktop.

A little more "hands on" showed me the shortcuts do work to enable the program if you have exited.
I just wish it did not have the kind of red cast to the icon in PowerMode, as it looks like a malfunction indicator.
I have it installed now in ShadowDefender ShadowMode, and as you said, am kind of impressed.


noor

_________________
ShadowDefender 1.1.0.323 Sandboxie 3.49, NAT router.
Open DNS with "Malware/Botnet Protection",
MalwareDefender,Malwarebytes on demand.

Re: Excel exploit testing

Post by ssj100 on 4/10/2010, 09:46

Thanks noor. You know, this test really got me thinking - Sandboxie 32-bit is certainly the application that I "rely" on most to provide "100%" clean security. I highlight "clean" because each time I empty each sandboxed threat-gate, EVERYTHING associated with it is deleted. I don't think any other application can do this so easily and simply.

And with my security approach, LUA + SRP becomes merely a secondary line of defence. As you can see, the malicious payload file "svchost.exe" was spontaneously dropped into the user's directory, but SRP blocked it from executing. With Sandboxie configured appropriately, I've effectively over-lapped my defences. And not only can Sandboxie block the execution of the payload file, but it forces the file to be dropped into a virtual folder. Simply deleting the sandbox (literally just 2 or 3 clicks away) would completely erase any traces of malware.

What an incredible application Sandboxie is. Honestly, I would be very comfortable running in full blown administrator mode without anything else but Sandboxie and on-demand scans for newly introduced files. It's just that I've got so used to running as a limited user with a tightly configured SRP. If I want to install or update files/programs, I simply log into my Administrator account (literally takes a few seconds) and carry out these admin tasks. Been happily running like this for a year now.


Re: Excel exploit testing

Post by noorismail on 11/10/2010, 00:31

I agree with all that has been said.
Still, I intend to implement LUA/SRP on my next reformat, just for the added security.

I hold off because of the problems with implementing on a "mature" install.

Having encountered some really "cute" malware in the shape of a fake Firefox Update, that prompted the download of an exe that was in effect a Trojan downloader, that when executed loaded a fake anti-virus and started numerous processes. This ran in my basically default WinExe box, so I am even more confident of Sandboxie's ability to protect my real system.

(The link for this malware is now dead, but it was detected by only two of the scanners on VirusTotal!!)

The only problem is I wonder if a "novice" user would think twice about executing this "update" on their real system.
It looked exactly like a Mozilla page.
Only the short redirect URL was a giveaway.

noor


Re: Excel exploit testing

Post by noorismail on 11/10/2010, 00:56

PS:

Another side note on the above malware is that, like the scans of rogue anti-virus programs within the browser, this seems JavaScript dependent.

With JavaScript enabled, simply doing a "mouse over" of the download links prompted a download box for the fake "update".

With JavaScript disabled, the links became "unclickable".

This seems even more justification for either the NoScript add-on, or at least default disable of JavaScript within the browser.

While rogues are like the Australian Death Adder, a great threat in potential but no problem if you are careful, they still cause grief to untold numbers of users.

I wish conventional Anti-Virus programs were able to detect them better.

regards,
noor


Re: Excel exploit testing

Post by ssj100 on 11/10/2010, 08:58

Yes, I've become so used to running NoScript that I don't feel right without it. However, probably the only reason I use it is to prevent scripting key-loggers (if they even exist) from monitoring my keystrokes while I'm using a sandboxed web browser that hasn't been deleted yet. As we know, even software like Prevx SafeOnline is powerless against this type of logging malware.


Re: Excel exploit testing

Post by aigle on 2/11/2010, 19:12

Hi, I tried it with MS Office 2003. Sadly it doesn't work for me. MS Excel just crashes and nothing else.
Just wonder if it will work with MS Office 2007 or later.


Re: Excel exploit testing

Post by ssj100 on 2/11/2010, 22:16

I tested it on MS Office 2003. What version of Windows did you test it on?


Re: Excel exploit testing

Post by aigle on 2/11/2010, 23:01

XP SP2, unpatched

Re: Excel exploit testing

Post by ssj100 on 3/11/2010, 06:59

Mine was XP, SP3, patched up to around middle 2009. Anyway, pity you couldn't reproduce it.


Re: Excel exploit testing

Post by aigle on 3/11/2010, 10:47

Hi! Can you check the exact version, build no. etc. of your Office?

Thanks

Re: Excel exploit testing

Post by ssj100 on 3/11/2010, 10:53

Microsoft Excel 2003 version 11.6560.6568 SP2
Part of Microsoft Office Professional Edition 2003.

Come to think about it, my VM Windows is updated to SP3, but the Office version still isn't (hence why it's SP2). Not sure how much help that is.


Re: Excel exploit testing

Post by Stephen2 on 3/11/2010, 13:42

The exploit as presented relies on advapi32.dll that comes with XP SP2, but has no restriction on the Office version...

Any version should work.


Re: Excel exploit testing

Post by aigle on 4/11/2010, 22:18

Ok, I am happy as I just found a variant of it that works with my XP.

Thanks for help.
