DefenseWall HIPS protection under real intrusion conditions
When I heard about the .wmf 0-day Internet Explorer exploit, I decided to test DefenseWall Host-based Intrusion Prevention System under real conditions, with a real malware threat. Using WinXP SP2 and DefenseWall HIPS, I typed the URL of the .wmf exploit file into my Internet Explorer address bar (IE was running as untrusted) and pressed "Enter". The exploit began: I saw the "Windows Picture and Fax Viewer" window and the DefenseWall icon turned red. Many malware modules were running; some of them generated errors during their work because of the DefenseWall restrictions. Next I opened the "Trusted and Untrusted Processes Details" window and saw untrusted processes which I did not recognize. I closed all of them with the "big red button" and restarted my computer. After the reboot I found none of the malware processes running on my computer, so I started to search my hard disk for the new malware files. This is the list of malware modules:

C:\winstall.exe
C:\secure32.html
C:\boot.inx
F:\windows\soft.exe
F:\WINDOWS\system32\z12.exe
F:\WINDOWS\system32\paytime.exe
F:\WINDOWS\system32\z11.exe
F:\WINDOWS\system32\z13.exe
F:\WINDOWS\system32\z14.exe
F:\WINDOWS\system32\z15.exe
F:\WINDOWS\system32\z16.exe
F:\WINDOWS\system32\exeha2.exe
F:\WINDOWS\system32\exeha3.exe
F:\WINDOWS\system32\efsdfgxg.exe
F:\WINDOWS\system32\cmd32.exe
F:\WINDOWS\system32\paradise.raw.exe
F:\WINDOWS\system32\dial32.exe
F:\WINDOWS\system32\sywsvcs.exe
F:\WINDOWS\inet20099\services.exe
F:\WINDOWS\inet20099\winlogon.exe
F:\Documents and Settings\Ilya\Local Settings\Temp\a.exe
Naturally, all of them have been erased from my hard disk. According to the log, the malware modules tried to change my wallpaper, IE start and search pages, default URLs, WinXP Firewall settings and BHOs, make themselves autostart, and so on, which is typical of malware. All of these attempts failed. The only thing the exploit was able to do was to put nonsense onto my Desktop, which I simply deleted.
The In-The-Wild intrusion test passed - 100%!
Ilya Rabinovich, CEO, SoftSphere Technologies, 01.01.2006.