{"id":664,"date":"2010-12-28T15:15:15","date_gmt":"2010-12-28T20:15:15","guid":{"rendered":"http:\/\/it.thelibrarie.com\/weblog\/?p=664"},"modified":"2011-01-03T09:08:38","modified_gmt":"2011-01-03T14:08:38","slug":"exploit-testing","status":"publish","type":"post","link":"https:\/\/it.thelibrarie.com\/weblog\/2010\/12\/exploit-testing\/","title":{"rendered":"Exploit Testing"},"content":{"rendered":"

The last few weeks of the year are usually the best to start testing systems at my current job. We currently have the following security measures in place:<\/p>\n

Cisco Firewalls
\nJuniper Firewalls
\nCisco IPS
\nCisco Switches with ACLs on each VLAN
\nSecured Syslog Server
\nSecured Snort (IDS) Server
\nMcAfee Antivirus
\nWindows Updates*<\/p><\/blockquote>\n

*Windows Updates are not forced on the Dev Team or Server Farms – Those updates are installed manually usually once a quarter (after testing).<\/p>\n

Seeing as it’s Tuesday December 28th, I had some free time to test out the Antivirus installed on each system. Most exploits today are not actually against the OS (Microsoft has done a pretty decent job lately with security issues, even with that huge DLL issue) and are instead targeting 3rd party applications.<\/p>\n

What do you consider a 3rd party application? The biggest two are:<\/p>\n

Adobe (PDF Reader, Flash Player)
\nSun (Java)<\/p><\/blockquote>\n

So I decided to test in my VMWare environment using the latest and greatest updates for Windows XP. Why did I choose XP over 7? Looking over my log files I see that most visitors to my site include XP users. XP has also been around long enough to get all the kinks worked out. And finally, I chose to use PDF\/Java exploits, so the OS doesn’t really matter as much.<\/p>\n

Please don’t visit these websites unless you know what you’re doing. And I used smartscan\/quickscan whenever possible.<\/p>\n

Test 1 (Nod32\/Threatfire):<\/strong><\/p>\n

Windows XP Pro SP3
\nFully Updated 12.28.2010
\nInternet Explorer 8.0.6001.18702
\nNod32 Antivirus 4.2.67.10 5739
\nThreatfire 4.7.0.17
\nSecunia PSI 2.0.0.1002 100%
\nAdobe Flash Player 10 ActiveX 10.1.102.64
\nJava 6 Update 23 6.0.230
\nMalwarebytes Anti-Malware 1.50.1.1100 5408<\/p>\n

cryyahoo.info\/tre\/boba.exe
\nBlocked by Nod – Downloaded Java (c:\\doc and set\\Administratorupdate665744669.exe) **PDF\/Java\/Trojan**<\/em><\/p>\n

expa82.co.cc\/bl2\/
\nBlocked by Nod **Trojan**<\/em><\/p>\n

1.oresmir.co.cc\/1\/load.php?spl=mdac
\nIE labeled download as unsafe, Cleaned by Nod **Trojan**<\/em><\/p>\n

marinada3.com\/77\/throatnut.php
\nBlocked by IE – Java exploit blocked by Nod (Freezes IE) **Java\/Trojan**<\/em><\/p>\n

Malwarebytes:<\/strong>
\nObjects infected: 3 (3 are non-infection related)<\/p>\n

Verdict:<\/strong>
\nClean system, difficult to infect on accident.
\nPerformed scan by Nod32\/Threatfire – nothing found.
\n\"\"<\/a><\/p><\/blockquote>\n

Test 2 (McAfee):<\/strong><\/p>\n

Windows XP Pro SP3
\nFully Updated 12.28.2010
\nInternet Explorer 8.0.6001.18702
\nMcAfee VirusScan Enterprise 8.7i 6210.0000
\nAdobe Flash Player 10 ActiveX 10.1.102.64
\nJava 6 Update 23 6.0.230
\nMalwarebytes Anti-Malware 1.50.1.1100 5408<\/p>\n

cryyahoo.info\/tre\/boba.exe
\nAllowed to download – no extra processes<\/em><\/p>\n

expa82.co.cc\/bl2\/
\nAllowed to load page – no extra processes<\/em><\/p>\n

1.oresmir.co.cc\/1\/load.php?spl=mdac
\nIE labeled download as unsafe, allowed to install (load.exe, csrss in temp folder)<\/em><\/p>\n

marinada3.com\/77\/throatnut.php
\nBlocked by IE – no extra processes<\/em><\/p>\n

Malwarebytes:<\/strong>
\nObjects infected: 14 (3 are non-infection related)<\/p>\n

Verdict:<\/strong>
\nCSRSS.EXE running as SYSTEM and Administrator. Infected system.
\nPerformed scan by McAfee – nothing found.
\n\"\"<\/a><\/p><\/blockquote>\n

Test 3 (McAfee\/Threatfire):<\/strong><\/p>\n

Windows XP Pro SP3
\nFully Updated 12.28.2010
\nInternet Explorer 8.0.6001.18702
\nMcAfee VirusScan Enterprise 8.7i 6210.0000
\nThreatfire 4.7.0.17
\nAdobe Flash Player 10 ActiveX 10.1.102.64
\nJava 6 Update 23 6.0.230
\nMalwarebytes Anti-Malware 1.50.1.1100 5408<\/p>\n

cryyahoo.info\/tre\/boba.exe
\nAllowed to load page – file would not download<\/em><\/p>\n

expa82.co.cc\/bl2\/
\nAllowed to load page – no extra processes<\/em><\/p>\n

1.oresmir.co.cc\/1\/load.php?spl=mdac
\nIE labeled download as unsafe, Threatfire detected and blocked the installation, then found and blocked load.exe<\/em><\/p>\n

marinada3.com\/77\/throatnut.php
\nBlocked by IE – no extra processes<\/em><\/p>\n

Malwarebytes:<\/strong>
\nObjects infected: 4 (3 are non-infection related)<\/p>\n

Verdict:<\/strong>
\nOnly infection file was located as a temporary internet file download and was not referenced in the registry. “Clean” system.
\nPerformed scan by McAfee and Threatfire – nothing found.
\n\"\"<\/a><\/p><\/blockquote>\n

Test 4 (Nod32):<\/strong><\/p>\n

Windows XP Pro SP3
\nFully Updated 12.28.2010
\nInternet Explorer 8.0.6001.18702
\nNod32 Antivirus 4.2.67.10 5739
\nAdobe Flash Player 10 ActiveX 10.1.102.64
\nJava 6 Update 23 6.0.230
\nMalwarebytes Anti-Malware 1.50.1.1100 5408<\/p>\n

cryyahoo.info\/tre\/boba.exe
\nBlocked by Nod<\/em><\/p>\n

expa82.co.cc\/bl2\/
\nBlocked by Nod<\/em><\/p>\n

1.oresmir.co.cc\/1\/load.php?spl=mdac
\nIE labeled download as unsafe – Not found by Nod32<\/em><\/p>\n

marinada3.com\/77\/throatnut.php
\nBlocked by IE – Java exploit blocked by Nod32<\/em><\/p>\n

Malwarebytes:<\/strong>
\nObjects infected: 13 (3 are non-infection related)<\/p>\n

Verdict:<\/strong>
\nInfected system, somewhat hard to infect on accident, but a definite possibility. CSRSS.exe is loading.
\nPerformed scan by Nod32 – nothing found.
\n\"\"<\/a>\n<\/p><\/blockquote>\n

Test 5 (No AV):<\/strong><\/p>\n

Windows XP Pro SP3
\nFully Updated 12.28.2010
\nInternet Explorer 8.0.6001.18702
\nAdobe Flash Player 10 ActiveX 10.1.102.64
\nJava 6 Update 23 6.0.230
\nMalwarebytes Anti-Malware 1.50.1.1100 5408<\/p>\n

cryyahoo.info\/tre\/boba.exe
\nIE reported this site as BAD – File not found to download<\/em><\/p>\n

expa82.co.cc\/bl2\/
\nSite loaded fine – no extra processes<\/em><\/p>\n

1.oresmir.co.cc\/1\/load.php?spl=mdac
\nIE labeled download as unsafe – Saved and run successfully<\/em><\/p>\n

marinada3.com\/77\/throatnut.php
\nBlocked by IE – Java exploit allowed to load – no additional processes<\/em><\/p>\n

Malwarebytes:<\/strong> (google searches redirected to other websites, had to kill load.exe)
\nObjects infected: 14 (3 are non-infection related)<\/p>\n

Verdict:<\/strong>
\nIt’s always better to have some sort of antivirus software installed. So I can’t recommend this at all.
\n\"\"<\/a>\n<\/p><\/blockquote>\n

Test 6 (Microsoft Security Essentials MSE):<\/strong><\/p>\n

Windows XP Pro SP3
\nFully Updated 12.28.2010
\nInternet Explorer 8.0.6001.18702
\nAdobe Flash Player 10 ActiveX 10.1.102.64
\nJava 6 Update 23 6.0.230
\nMalwarebytes Anti-Malware 1.50.1.1100 5408<\/p>\n

cryyahoo.info\/tre\/boba.exe
\nIE reported this site as BAD – File not found to download<\/em><\/p>\n

expa82.co.cc\/bl2\/
\nSite loaded fine – no extra processes<\/em><\/p>\n

1.oresmir.co.cc\/1\/load.php?spl=mdac
\nIE labeled download as unsafe – Saved and run successfully<\/em><\/p>\n

marinada3.com\/77\/throatnut.php
\nBlocked by IE – Java exploit allowed to load – no additional processes<\/em><\/p>\n

MSE found a few files it needed to send in for verification, but did not block anything.<\/p>\n

Malwarebytes:<\/strong>
\nObjects infected: 12 (3 are non-infection related)<\/p>\n

Verdict:<\/strong>
\nMSE didn’t actively block anything – it only found the files when I scanned the computer using MSE. I prefer a more active participant.
\n\"\"<\/a>\n<\/p><\/blockquote>\n

Test 7 (Microsoft Security Essentials MSE with TF):<\/strong><\/p>\n

Windows XP Pro SP3
\nFully Updated 12.28.2010
\nInternet Explorer 8.0.6001.18702
\nAdobe Flash Player 10 ActiveX 10.1.102.64
\nJava 6 Update 23 6.0.230
\nMalwarebytes Anti-Malware 1.50.1.1100 5408
\nThreatfire 4.7.0.17<\/p>\n

cryyahoo.info\/tre\/boba.exe
\nIE reported this site as BAD – File not found to download<\/em><\/p>\n

expa82.co.cc\/bl2\/
\nSite loaded fine – no extra processes<\/em><\/p>\n

1.oresmir.co.cc\/1\/load.php?spl=mdac
\nIE labeled download as unsafe – Threatfire blocked the installation<\/em><\/p>\n

marinada3.com\/77\/throatnut.php
\nBlocked by IE – Threatfire blocked the java exploit from running<\/em><\/p>\n

MSE, like in the previous test, did not block anything.<\/p>\n

Malwarebytes:<\/strong>
\nObjects infected: 3 (3 are non-infection related)<\/p>\n

Verdict:<\/strong>
\nMSE didn’t actively block anything – it only worked well with TF in finding new problem programs. I still prefer a more active participant, but MSE and TF worked well.
\n\"\"<\/a>\n<\/p><\/blockquote>\n

Final Results:<\/strong>
\nSo it appears as though Threatfire really does help out. It also appears that Nod32 is only slightly better than McAfee and MSE edged them both out. McAfee did not find the infections on access or during a scan. Nod32 blocked only one file on access, but found nothing during a scan. MSE blocked nothing during on access, but found a couple files with issues during a scan.
\nI also realize that I didn’t include Adobe Reader as part of the package. Since I’ve already disposed of the virtual machines I don’t think I’ll go back and correct this error.<\/p>\n

No AV – 11 infections
\nMcAfee – 11 infections
\nNod32 – 10 infections
\nMSE – 9 infections
\nMcAfee with Threatfire – 1 infection
\nNod32 with Threatfire – 0 infections
\nMSE with Threatfire – 0 infections<\/p>\n

Final recommendation:
\nWhile I will continue to use Nod32 alongside Threatfire (I pay for the Nod32 subscription), and will continue to recommend it to my peers\/clients, I must say that for the average home user MSE has come through with flying colors. However, when utilizing MSE you MUST scan your system after each download or on regular scanning intervals. Their lack of on-access scanning is my major gripe at this time.<\/p>\n","protected":false},"excerpt":{"rendered":"

The last few weeks of the year are usually the best to start testing systems at my current job. We currently have the following security measures in place: Cisco Firewalls Juniper Firewalls Cisco IPS Cisco Switches with ACLs on each VLAN Secured Syslog Server Secured Snort (IDS) Server McAfee Antivirus Windows Updates* *Windows Updates are … Continue reading Exploit Testing<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-664","post","type-post","status-publish","format-standard","hentry","category-microsoft"],"_links":{"self":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/664","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/comments?post=664"}],"version-history":[{"count":9,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/664\/revisions"}],"predecessor-version":[{"id":669,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/posts\/664\/revisions\/669"}],"wp:attachment":[{"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/media?parent=664"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/categories?post=664"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/it.thelibrarie.com\/weblog\/wp-json\/wp\/v2\/tags?post=664"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}