Excel exploit testing
Finally got my hands on another interesting exploit. Not sure how new this one is, but the file was only detected by 3/41 on VirusTotal (I uploaded it a few hours ago. As you can see below, other black-listing scanners are picking it up now too). As usual, I'll test it on Windows XP, SP3 with various anti-malware mechanisms.
Some details of the file:
"Trojan.Mdropper.xls"
MD5: f1ed085a994e63024c4f866bc5d9e8c2
SHA1: aa7fea3469eb6a94dd89c70b891d6ef157d7b4a1
SHA256: 83a59aea6521e4be5de0ee716527b4796eaa9d59c3e1379a5988083446433091
Note that this file is not a primary executable file - it's a harmless-looking Excel file. All the user needs to do to get infected is to double click the file (and have Microsoft Excel installed). As far as I can tell, the exploit spontaneously drops a file called "svchost.exe" into the user's temp directory and then spontaneously executes it. This results in a file called "uxtheme.dll" being spontaneously created in the C:\Windows directory. Here are the VirusTotal results for the respective malicious files involved:
Last edited by ssj100 on 1/10/2010, 17:17; edited 3 times in total
Re: Excel exploit testing
Malicious exploit on Administrator account, Windows XP, SP3, 32-bit:
1. Prevx 3.0.5.206: BLOCKED
It's hard to know if Prevx will effectively block this malware (since I only tested it with the free version), but it did detect "svchost.exe". This probably means that if you have the paid version of Prevx, it would have removed/blocked "svchost.exe", thereby rendering the exploit useless. Note that unlike previous testing, I've tested Prevx first, since I wanted to know how well it did against fairly new malware. For this particular malware, it did very well.
2. SRP (setup as described here: http://www.mechbgon.com/srp/ ): BLOCKED
"svchost.exe" is spontaneously created but fails to execute. "uxtheme.dll" fails to be created.
3. Faronics Anti-Executable 2: BLOCKED
Same as with SRP.
4. COMODO Internet Security 5.0.162636.1135 (default configuration): BLOCKED
5. Online Armor Premium Personal Firewall v4.5.0.234 (default configuration): BLOCKED
6. Malware Defender 2.7.2.0001 (default configuration): BLOCKED
7. Sandboxie 3.48: CONTAINED
Of course, Sandboxie can be configured to block all unknown executables too. If so configured, this is what happens:
So for example, if you were to come across this excel exploit while browsing a web-site, and you have start/run restrictions enabled, Sandboxie would block this dead, as well as contain it even if you allowed it to run. Such is the power of Sandboxie. "bellgamin" once said that anti-execution was useless. Not so "bellgamin"! As you can see, even for the experienced/advanced user, anti-execution is probably the most powerful form of defence in computer security. Just ask "Rmus".
8. DefenseWall 3.07: CONTAINED
I think it's contained anyway. The system freezes for a short period and Microsoft Excel appears to crash with an error.
9. GeSWall 2.9 Professional: CONTAINED
Similar situation to DefenseWall except the system didn't freeze.
10. Returnil System Safe 2011 v3.2.10303: BLOCKED
Default-deny wins again:
11. AppGuard 1.4.7: BLOCKED
12. PE GUARD 2.2: BLOCKED
I personally feel that PE GUARD has good potential. It's simple and very light on the system. One big weakness is that it is still unable to block (foreign) DLL loading. However, it appears that the developer is working on several extra modules including an anti-keylogging and a port monitoring function. I'm sure it shouldn't be long before DLL blocking is also integrated into this anti-executable.
13. Mamutu 3.0.0.16: BLOCKED
Good to finally see a Behaviour Blocker in action:
14. BluePoint Security 1.0.44.99: BLOCKED
15. ProcessGuard 3.500: BLOCKED
Re: Excel exploit testing
Nice test ssj100.
Of course I don't really have a horse in the race, as I do not have Excel on my system.
Still, the anti-executable program results were interesting.
Sandboxie with start/run access limited is great.
ProcessGuard can still do its job, but so many processes!!
PE GUARD does look nice and is as close as anything I have found to the old anti-executable in Returnil 2008.
I kept looking for a GUI, and at last tried the "last resort" of reading the help file, and found it is all done from the tray icon, even though on my system a non-working shortcut is placed on my desktop.
A little more "hands on" showed me the shortcuts do work to enable the program if you have exited.
I just wish it did not have the kind of red cast to the icon in PowerMode, as it looks like a malfunction indicator.
I have it installed now in ShadowDefender ShadowMode, and as you said, am kind of impressed.
noor
noorismail- Moderator
- Posts : 193
Join date : 2010-06-23
Re: Excel exploit testing
Thanks noor. You know, this test really got me thinking - Sandboxie 32-bit is certainly the application that I "rely" on most to provide "100%" clean security. I highlight "clean" because each time I empty each sandboxed threat-gate, EVERYTHING associated with it is deleted. I don't think any other application can do this so easily and simply.
And with my security approach, LUA + SRP becomes merely a secondary line of defence. As you can see, the malicious payload file "svchost.exe" was spontaneously dropped into the user's directory, but SRP blocked it from executing. With Sandboxie configured appropriately, I've effectively over-lapped my defences. And not only can Sandboxie block the execution of the payload file, but it forces the file to be dropped into a virtual folder. Simply deleting the sandbox (literally just 2 or 3 clicks away) would completely erase any traces of malware.
What an incredible application Sandboxie is. Honestly, I would be very comfortable running in full blown administrator mode without anything else but Sandboxie and on-demand scans for newly introduced files. It's just that I've got so used to running as a limited user with a tightly configured SRP. If I want to install or update files/programs, I simply log into my Administrator account (literally takes a few seconds) and carry out these admin tasks. Been happily running like this for a year now.
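As an added illustration of the default-deny behaviour described in the test results above and in this post (this is example code, not anything from the thread or from any of the products tested), here is a small Python model of a path-based SRP-style rule set plus a check for the dropper's payload name running outside its normal home. The allowed roots, the expected home of svchost.exe and the sample process-creation events are assumptions constructed for the example.

```python
"""Path-based default-deny executable policy in the spirit of the SRP
setup the thread describes: execution is allowed only from directories a
limited user cannot write to. Added example, not code from the forum
thread. Roots, expected locations and sample events are constructed."""
from pathlib import PureWindowsPath

# Assumed "Unrestricted" roots; everything else is default-deny.
ALLOWED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
)
# Where the genuine copy of the borrowed system-binary name lives (assumed).
LEGIT_LOCATIONS = {"svchost.exe": PureWindowsPath(r"C:\Windows\System32")}


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True when path sits below root (PureWindowsPath is case-insensitive)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def srp_decision(exe_path: str) -> str:
    """'allow' if the executable lies under an allowed root, else 'deny'."""
    p = PureWindowsPath(exe_path)
    return "allow" if any(_under(p, r) for r in ALLOWED_ROOTS) else "deny"


def masquerade_alert(exe_path: str):
    """Flag a known system-binary name launched from somewhere other than its home."""
    p = PureWindowsPath(exe_path)
    home = LEGIT_LOCATIONS.get(p.name.lower())
    if home is not None and p.parent != home:
        return f"{p.name} launched from {p.parent} instead of {home}"
    return None


# Constructed process-creation events mirroring what the thread observed:
# Excel runs, then a payload named svchost.exe appears in the user's temp dir.
EVENTS = [
    r"C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE",
    r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
    r"C:\Windows\System32\svchost.exe",
]


def evaluate(events=EVENTS):
    """Return (path, srp decision, masquerade alert or None) for each event."""
    return [(e, srp_decision(e), masquerade_alert(e)) for e in events]
```

The second event is denied by the path rule and also raises the masquerade alert, which is the same outcome the thread reports for SRP: the file is dropped but never runs.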
Re: Excel exploit testing
I agree with all that has been said.
Still, I intend to implement LUA/SRP on my next reformat, just for the added security.
I hold off because of the problems with implementing on a "mature" install.
Having encountered some really "cute" malware in the shape of a fake Firefox update, that prompted the download of an exe that was in effect a Trojan downloader, that when executed loaded a fake anti-virus and started numerous processes (this ran in my basically default WinExe box), I am even more confident of Sandboxie's ability to protect my real system.
(The link for this malware is now dead, but it was detected by only two of the scanners on VirusTotal!!)
The only problem is I wonder if a "novice" user would think twice about executing this "update" on their real system.
It looked exactly like a Mozilla page.
Only the short redirect URL was a giveaway.
noor
noorismail- Moderator
- Posts : 193
Join date : 2010-06-23
Re: Excel exploit testing
PS:
Another side note on the above malware is that, like the scans of rogue anti-virus programs within the browser, this seems JavaScript dependent.
With JavaScript enabled, simply doing a "mouse over" of the download links prompted a download box for the fake "update".
With JavaScript disabled, the links became "unclickable".
This seems even more justification for either the NoScript add-on, or at least default disabling of JavaScript within the browser.
While rogues are like the Australian Death Adder, a great threat in potential but no problem if you are careful, they still cause grief to untold numbers of users.
I wish conventional anti-virus programs were able to detect them better.
regards,
noor
noorismail- Moderator
- Posts : 193
Join date : 2010-06-23
Re: Excel exploit testing
Yes, I've become so used to running NoScript that I don't feel right without it. However, probably the only reason I use it is to prevent scripting key-loggers (if they even exist) from monitoring my keystrokes while I'm using a sandboxed web browser that hasn't been deleted yet. As we know, even software like Prevx SafeOnline is powerless against this type of logging malware.
Re: Excel exploit testing
Hi, I tried it with MS Office 2003. Sadly it doesn't work for me. MS Excel just crashes and nothing else.
Just wonder if it will work with MS Office 2007 or later.
aigle- Member
- Posts : 21
Join date : 2010-07-25
Re: Excel exploit testing
Mine was XP, SP3, patched up to around middle 2009. Anyway, pity you couldn't reproduce it.
Re: Excel exploit testing
Hi! Can you check exact version build no etc of your office?
Thanks
aigle- Member
- Posts : 21
Join date : 2010-07-25
Re: Excel exploit testing
Microsoft Excel 2003 version 11.6560.6568 SP2
Part of Microsoft Office Professional Edition 2003.
Come to think about it, my VM Windows is updated to SP3, but the Office version still isn't (hence why it's SP2). Not sure how much help that is.
Re: Excel exploit testing
The exploit as presented relies on advapi32.dll that comes with XP SP2, but has no restriction on the Office version...
Any version should work.
Stephen2- Member
- Posts : 34
Join date : 2010-10-18
Location : Melbourne, Australia
Re: Excel exploit testing
OK, I am happy as I just found a variant of it that works with my XP.
Thanks for help.
aigle- Member
- Posts : 21
Join date : 2010-07-25