ssj100 Security Forums

Excel exploit testing

4 posters


Excel exploit testing

Post by ssj100 1/10/2010, 17:05

Finally got my hands on another interesting exploit. Not sure how new this one is, but the file was only detected by 3/41 on VirusTotal (I uploaded it a few hours ago. As you can see below, other black-listing scanners are picking it up now too). As usual, I'll test it on Windows XP, SP3 with various anti-malware mechanisms.

Some details of the file:
"Trojan.Mdropper.xls"
MD5: f1ed085a994e63024c4f866bc5d9e8c2
SHA1: aa7fea3469eb6a94dd89c70b891d6ef157d7b4a1
SHA256: 83a59aea6521e4be5de0ee716527b4796eaa9d59c3e1379a5988083446433091

Note that this file is not a primary executable file - it's a harmless-looking Excel file. All the user needs to do to get infected is to double click the file (and have Microsoft Excel installed). As far as I can tell, the exploit spontaneously drops a file called "svchost.exe" into the user's temp directory and then spontaneously executes it. This results in a file called "uxtheme.dll" being spontaneously created in the C:\Windows directory. Here are the VirusTotal results for the respective malicious files involved:
[three VirusTotal result screenshots]


Last edited by ssj100 on 1/10/2010, 17:17; edited 3 times in total
ssj100 (Administrator; Posts: 1390; Join date: 2010-04-14; https://ssj100.forumotion.com)
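The behaviour ssj100 describes (Excel launching an "svchost.exe" from the user's temp directory, which then writes "uxtheme.dll" into the Windows directory) is exactly the kind of chain an endpoint monitor can flag without any signature. The Python below is an added example, not code from the post or from any of the products tested: it runs three behavioural rules over a few constructed telemetry lines modelled on that chain, and carries the post's file hashes as a lookup for confirming a sample. The log format, the paths, the rule names and the "C:\WINDOWS" system root are assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass

# Indicators copied from the post (MD5, SHA1, SHA256 of the Excel dropper).
IOC_HASHES = {
    "md5": "f1ed085a994e63024c4f866bc5d9e8c2",
    "sha1": "aa7fea3469eb6a94dd89c70b891d6ef157d7b4a1",
    "sha256": "83a59aea6521e4be5de0ee716527b4796eaa9d59c3e1379a5988083446433091",
}

SYSTEM_ROOT = r"C:\WINDOWS"  # XP default; an assumption for this example
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed telemetry in an assumed format: <date> <time> <EVENT> key="value" ...
# Lines 3 and 4 model the chain described in the post; lines 2 and 5 are benign.
SAMPLE_EVENTS = r"""
2010-10-01 17:04:00 PROCESS_CREATE parent="C:\WINDOWS\system32\services.exe" image="C:\WINDOWS\system32\svchost.exe"
2010-10-01 17:05:01 PROCESS_CREATE parent="C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE" image="C:\Documents and Settings\user\Local Settings\Temp\svchost.exe"
2010-10-01 17:05:02 FILE_CREATE process="C:\Documents and Settings\user\Local Settings\Temp\svchost.exe" path="C:\WINDOWS\uxtheme.dll"
2010-10-01 17:06:10 FILE_CREATE process="C:\WINDOWS\system32\msiexec.exe" path="C:\WINDOWS\system32\somelib.dll"
"""


@dataclass
class Alert:
    line_no: int
    rule: str
    detail: str


def ioc_hash_hits(data: bytes) -> set:
    """Return the names of the post's hashes that match the given file content."""
    digests = {name: getattr(hashlib, name)(data).hexdigest() for name in IOC_HASHES}
    return {name for name, value in digests.items() if value == IOC_HASHES[name]}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def under(path: str, directory: str) -> bool:
    """Case-insensitive 'path lies inside directory' check for Windows paths."""
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")


def analyse(events: str) -> list:
    """Run three behavioural rules over the event text and return the alerts raised."""
    alerts = []
    for n, line in enumerate(events.splitlines(), 1):
        if not line.strip():
            continue
        _date, _time, kind, rest = line.split(" ", 3)
        fields = dict(KV_RE.findall(rest))
        if kind == "PROCESS_CREATE":
            image, parent = fields["image"], fields["parent"]
            # Rule 1: the genuine svchost.exe lives only in %SystemRoot%\system32.
            if basename(image) == "svchost.exe" and not under(image, SYSTEM_ROOT + r"\system32"):
                alerts.append(Alert(n, "svchost_masquerade", image))
            # Rule 2: Office applications have no business spawning child processes.
            if basename(parent) in OFFICE_APPS:
                alerts.append(Alert(n, "office_child_process", f"{basename(parent)} -> {image}"))
        elif kind == "FILE_CREATE":
            path, proc = fields["path"], fields["process"]
            # Rule 3: a DLL written into the Windows directory by a process that
            # itself runs from outside it (here: from a temp folder).
            if basename(path).endswith(".dll") and under(path, SYSTEM_ROOT) and not under(proc, SYSTEM_ROOT):
                alerts.append(Alert(n, "dll_drop_in_windows_dir", f"{proc} wrote {path}"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS):
        print(f"line {alert.line_no}: {alert.rule}: {alert.detail}")
    print("constructed bytes match the post's IoCs:", ioc_hash_hits(b"not the sample"))
```

Rule 1 is the cheap one and catches this sample outright; rules 2 and 3 are the ones that keep working when the dropper picks a less obvious file name, which is why a behaviour blocker or default-deny tool fared well here where most of the blacklisting scanners did not.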

Re: Excel exploit testing

Post by ssj100 1/10/2010, 17:05

Malicious exploit on Administrator account, Windows XP, SP3, 32-bit:

1. Prevx 3.0.5.206: BLOCKED
It's hard to know if Prevx will effectively block this malware (since I only tested it with the free version), but it did detect "svchost.exe". This probably means that if you have the paid version of Prevx, it would have removed/blocked "svchost.exe", thereby rendering the exploit useless. Note that unlike previous testing, I've tested Prevx first, since I wanted to know how well it did against fairly new malware. For this particular malware, it did very well.

2. SRP (setup as described here: http://www.mechbgon.com/srp/ ): BLOCKED
"svchost.exe" is spontaneously created but fails to execute. "uxtheme.dll" fails to be created.

3. Faronics Anti-Executable 2: BLOCKED
Same as with SRP.

4. COMODO Internet Security 5.0.162636.1135 (default configuration): BLOCKED
[screenshot]

5. Online Armor Premium Personal Firewall v4.5.0.234 (default configuration): BLOCKED
[screenshot]

6. Malware Defender 2.7.2.0001 (default configuration): BLOCKED
[screenshot]

7. Sandboxie 3.48: CONTAINED
Of course, Sandboxie can be configured to block all unknown executables too. If so configured, this is what happens:
[screenshot]
So for example, if you were to come across this Excel exploit while browsing a website, and you have start/run restrictions enabled, Sandboxie would block this dead, as well as contain it even if you allowed it to run. Such is the power of Sandboxie. "bellgamin" once said that anti-execution was useless. Not so, "bellgamin"! As you can see, even for the experienced/advanced user, anti-execution is probably the most powerful form of defence in computer security. Just ask "Rmus".

8. DefenseWall 3.07: CONTAINED
I think it's contained anyway. The system freezes for a short period and Microsoft Excel appears to crash with an error.

9. GeSWall 2.9 Professional: CONTAINED
Similar situation to DefenseWall except the system didn't freeze.

10. Returnil System Safe 2011 v3.2.10303: BLOCKED
Default-deny wins again:
[screenshot]

11. AppGuard 1.4.7: BLOCKED

12. PE GUARD 2.2: BLOCKED
[screenshot]
I personally feel that PE GUARD has good potential. It's simple and very light on the system. One big weakness is that it is still unable to block (foreign) DLL loading. However, it appears that the developer is working on several extra modules including an anti-keylogging and a port monitoring function. I'm sure it shouldn't be long before DLL blocking is also integrated into this anti-executable.

13. Mamutu 3.0.0.16: BLOCKED
Good to finally see a Behaviour Blocker in action:
[screenshot]

14. BluePoint Security 1.0.44.99: BLOCKED
[screenshot]

15. ProcessGuard 3.500: BLOCKED
[screenshot]
ssj100 (Administrator; Posts: 1390; Join date: 2010-04-14; https://ssj100.forumotion.com)

Re: Excel exploit testing

Post by noorismail 2/10/2010, 18:21

Nice test ssj100.
Of course I don't really have a horse in the race, as I do not have Excel on my system.

Still, the anti-executable program results were interesting.

Sandboxie with start/run access limited is great.

ProcessGuard can still do its job, but so many processes!!

PE Guard does look nice and is as close as anything I have found to the old anti-executable in Returnil 2008.

I kept looking for a GUI, and at last tried the "last resort" of reading the help file, and found it is all done from the tray icon, even though on my system a non-working shortcut is placed on my desktop.

A little more "hands on" showed me the shortcuts do work to enable the program if you have exited.
I just wish it did not have the kind of red cast to the icon in PowerMode, as it looks like a malfunction indicator.
I have it installed now in ShadowDefender ShadowMode, and as you said, am kind of impressed.


noor
noorismail (Moderator; Posts: 193; Join date: 2010-06-23)

Re: Excel exploit testing

Post by ssj100 4/10/2010, 09:46

Thanks noor. You know, this test really got me thinking - Sandboxie 32-bit is certainly the application that I "rely" on most to provide "100%" clean security. I highlight "clean" because each time I empty each sandboxed threat-gate, EVERYTHING associated with it is deleted. I don't think any other application can do this so easily and simply.

And with my security approach, LUA + SRP becomes merely a secondary line of defence. As you can see, the malicious payload file "svchost.exe" was spontaneously dropped into the user's directory, but SRP blocked it from executing. With Sandboxie configured appropriately, I've effectively overlapped my defences. And not only can Sandboxie block the execution of the payload file, but it forces the file to be dropped into a virtual folder. Simply deleting the sandbox (literally just 2 or 3 clicks away) would completely erase any traces of malware.

What an incredible application Sandboxie is. Honestly, I would be very comfortable running in full blown administrator mode without anything else but Sandboxie and on-demand scans for newly introduced files. It's just that I've got so used to running as a limited user with a tightly configured SRP. If I want to install or update files/programs, I simply log into my Administrator account (literally takes a few seconds) and carry out these admin tasks. Been happily running like this for a year now.
ssj100 (Administrator; Posts: 1390; Join date: 2010-04-14; https://ssj100.forumotion.com)
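The LUA + SRP layer discussed in the post comes down to a handful of registry values under the Safer\CodeIdentifiers key, and whether it really is default-deny depends on three of them: DefaultLevel (0 = Disallowed), TransparentEnabled (2 = DLLs are covered too, which matters here because the second dropped file, "uxtheme.dll", is a DLL) and PolicyScope (0 = local administrators are not exempt). The Python below is an added example, not from the post or from the mechbgon guide it links to: it parses a `reg export` of that key and audits those values, and also flags any "Unrestricted" path rule that points at a user-writable folder, since such a rule would let a dropper in %TEMP% run. The two exports are constructed in the shape regedit produces (dword values, REG_EXPAND_SZ as `hex(2):` UTF-16LE bytes) rather than taken from a real machine; the rule's GUID-style key name is a placeholder, and the list of "user-writable" patterns is an assumption.

```python
import re

SAFER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
LEVEL_NAMES = {0x0: "Disallowed", 0x1000: "Basic User", 0x40000: "Unrestricted"}
# Locations an Unrestricted path rule should never cover (assumed patterns for the example).
USER_WRITABLE = re.compile(r"temp|documents and settings|%userprofile%|%appdata%", re.I)


def reg_expand_sz(text: str) -> str:
    """Encode a string the way regedit exports REG_EXPAND_SZ: 'hex(2):' + UTF-16LE bytes."""
    data = (text + "\0").encode("utf-16-le")
    return "hex(2):" + ",".join(f"{b:02x}" for b in data)


def constructed_export(default_level: int, transparent: int, rule_path: str) -> str:
    """Constructed .reg text in the shape of 'reg export'; not taken from a real machine."""
    return f"""Windows Registry Editor Version 5.00

[{SAFER}]
"DefaultLevel"=dword:{default_level:08x}
"TransparentEnabled"=dword:{transparent:08x}
"PolicyScope"=dword:00000000

[{SAFER}\\262144\\Paths\\{{constructed-guid-0001}}]
"ItemData"={reg_expand_sz(rule_path)}
"SaferFlags"=dword:00000000
"""


def decode_value(value: str):
    """Decode the two value encodings this audit needs, plus plain quoted strings."""
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    if value.startswith("hex(2):"):
        raw = bytes(int(h, 16) for h in value[len("hex(2):"):].split(",") if h.strip())
        return raw.decode("utf-16-le").rstrip("\0")
    return value.strip('"')


def parse_reg(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: decoded_value}}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # rejoin regedit's backslash-wrapped hex lines
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_value(value)
    return keys


def audit_srp(reg_text: str) -> list:
    """Return findings as strings; an empty list means the policy is genuinely default-deny."""
    keys = parse_reg(reg_text)
    ids = keys.get(SAFER, {})
    findings = []
    level = ids.get("DefaultLevel")
    if level != 0:
        findings.append(f"DefaultLevel is {LEVEL_NAMES.get(level, level)}; default-deny needs Disallowed (0)")
    if ids.get("TransparentEnabled") != 2:
        findings.append("TransparentEnabled is not 2, so DLLs are exempt from the policy")
    if ids.get("PolicyScope") != 0:
        findings.append("PolicyScope is not 0, so local administrators are exempt")
    for key, values in keys.items():  # 262144 is the Unrestricted level's rule container
        if key.startswith(SAFER + "\\262144\\Paths\\"):
            path = values.get("ItemData", "")
            if USER_WRITABLE.search(path):
                findings.append(f"Unrestricted path rule covers a user-writable location: {path}")
    return findings


# Weak: everything allowed, DLLs exempt, and the user's temp folder whitelisted.
WEAK = constructed_export(0x40000, 1, r"C:\Documents and Settings\user\Local Settings\Temp")
# Hardened: Disallowed by default, DLLs covered, only %SystemRoot% (the stock registry path rule) allowed.
HARDENED = constructed_export(0, 2, r"%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%")

if __name__ == "__main__":
    for label, export in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_srp(export) or ["OK: default-deny, DLLs covered, administrators included"])
```

Run against a real export (`reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" srp.reg` on the machine, then `audit_srp(open("srp.reg", encoding="utf-16").read())`), the same checks tell you whether the "svchost.exe" drop in this thread would have been blocked by policy rather than by luck: with DefaultLevel at Unrestricted the payload runs, and with TransparentEnabled at 1 a dropped DLL is outside the policy altogether.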

Re: Excel exploit testing

Post by noorismail 11/10/2010, 00:31

I agree with all that has been said.
Still, I intend to implement LUA/SRP on my next reformat, just for the added security.

I hold off because of the problems with implementing on a "mature" install.

Having encountered some really "cute" malware in the shape of a fake Firefox update, that prompted the download of an exe that was in effect a Trojan downloader, that when executed loaded a fake anti-virus and started numerous processes (this ran in my basically default WinExe box), I am even more confident of Sandboxie's ability to protect my real system.

(The link for this malware is now dead, but it was detected by only two of the scanners on VirusTotal!!)

The only problem is I wonder if a "novice" user would think twice about executing this "update" on their real system.
It looked exactly like a Mozilla page.
Only the short, redirect URL was a giveaway.

noor
noorismail (Moderator; Posts: 193; Join date: 2010-06-23)

Re: Excel exploit testing

Post by noorismail 11/10/2010, 00:56

PS

Another side note on the above malware is that, like the scans of rogue anti-virus programs within the browser, this seems JavaScript dependent.

With JavaScript enabled, simply doing a "mouse over" of the download links prompted a download box for the fake "update".

With JavaScript disabled, the links became "unclickable".

This seems even more justification for either the NoScript add-on, or at least disabling JavaScript by default within the browser.

While rogues are like the Australian Death Adder, a great threat in potential but no problem if you are careful, they still cause grief to untold numbers of users.

I wish conventional anti-virus programs were able to detect them better.

regards,
noor
noorismail (Moderator; Posts: 193; Join date: 2010-06-23)

Re: Excel exploit testing

Post by ssj100 11/10/2010, 08:58

Yes, I've become so used to running NoScript that I don't feel right without it. However, probably the only reason I use it is to prevent scripting key-loggers (if they even exist) from monitoring my keystrokes while I'm using a sandboxed web browser that hasn't been deleted yet. As we know, even software like Prevx SafeOnline is powerless against this type of logging malware.
ssj100 (Administrator; Posts: 1390; Join date: 2010-04-14; https://ssj100.forumotion.com)

Re: Excel exploit testing

Post by aigle 2/11/2010, 19:12

Hi, I tried it with MS Office 2003. Sadly it doesn't work for me. MS Excel just crashes and nothing else.
Just wondering if it will work with MS Office 2007 or later.

aigle (Member; Posts: 21; Join date: 2010-07-25)

Re: Excel exploit testing

Post by ssj100 2/11/2010, 22:16

I tested it on MS Office 2003. What version of Windows did you test it on?
ssj100 (Administrator; Posts: 1390; Join date: 2010-04-14; https://ssj100.forumotion.com)

Re: Excel exploit testing

Post by aigle 2/11/2010, 23:01

XP SP2, unpatched
aigle (Member; Posts: 21; Join date: 2010-07-25)

Re: Excel exploit testing

Post by ssj100 3/11/2010, 06:59

Mine was XP, SP3, patched up to around mid-2009. Anyway, pity you couldn't reproduce it.
ssj100 (Administrator; Posts: 1390; Join date: 2010-04-14; https://ssj100.forumotion.com)

Re: Excel exploit testing

Post by aigle 3/11/2010, 10:47

Hi! Can you check the exact version, build number etc. of your Office?

Thanks
aigle (Member; Posts: 21; Join date: 2010-07-25)

Re: Excel exploit testing

Post by ssj100 3/11/2010, 10:53

Microsoft Excel 2003 version 11.6560.6568 SP2
Part of Microsoft Office Professional Edition 2003.

Come to think about it, my VM Windows is updated to SP3, but the Office version still isn't (hence why it's SP2). Not sure how much help that is.
ssj100 (Administrator; Posts: 1390; Join date: 2010-04-14; https://ssj100.forumotion.com)

Re: Excel exploit testing

Post by Stephen2 3/11/2010, 13:42

The exploit as presented relies on advapi32.dll that comes with XP SP2, but has no restriction on the Office version...

Any version should work.

Stephen2 (Member; Posts: 34; Join date: 2010-10-18; Location: Melbourne, Australia)

Re: Excel exploit testing

Post by aigle 4/11/2010, 22:18

Ok, I am happy as I just found a variant of it that works with my XP.

Thanks for help.
aigle (Member; Posts: 21; Join date: 2010-07-25)
