web application security lab

Download An .HTA File to Test Your Security - No Really

Someone sent me this link today to GreenBorder’s online desktop testing platform. While it’s a great idea to give people the tools necessary to test the relative security of their system, I always find it amusing that we tell people “Download an executable from the internet and run it to test if you’re secure or not.” Not only that, the site doesn’t use SSL, and they aren’t exactly the best-known website in the world.

Then if you look at the source of the HTA file you find this tidbit:

// Be informed that the only reason that the source code is compressed is to easily get through AVs.
// You can retrieve the whole uncompressed source code at http://www.greenborder.com/test/gbtest.zip

Getting around AV? Are these the words of a security company? And do people really know how to compare the two to make sure they are running the same thing?

Yes, they are a real security company, and no, this isn’t malicious. I’m just always amazed at how security people think consumers are dumb for clicking through security boxes when we ask them to do it all the time. How hard do you think it would be to create a site that did the exact same thing? I bet the phisher’s version of the site would end up with a lot more excitement as your bank account gets siphoned. Just think of it as the Internet Roller coaster.

9 Responses to “Download An .HTA File to Test Your Security - No Really”

  1. tx Says:

    You can trust them, just read their Privacy Policy: https://store6.esellerate.net/store/checkout/CustomLayout.aspx?s=STR4183444086&pc=');alert('xss&page=OnePageCart.htm

    ;)

  2. RSnake Says:

    Oh you naughty boy you….

    Fixed the string so it works: ‘ isn’t a ' in WordPress.

  3. Matt Says:

    Oooohh crap, I think I have some holes to plug. Was not expecting the results I got.

  4. tx Says:

    @rsnake actually the ' seems to break it (for IE7, not for FF). How about this: https://store6.esellerate.net/store/checkout/CustomLayout.aspx?s=STR4183444086&pc=%27%29%3B%61%6C%65%72%74%28%27%78%73%73&page=OnePageCatalog.htm

    *sigh* I should get back to _actual_ work…
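The two probe links in this thread differ only in percent-encoding, which is exactly why a log-side check has to decode a parameter before matching it. The following is an added example, not code from the post or from any commenter; the probe markers it looks for and the benign third request are constructed for illustration:

```python
import re
from urllib.parse import urlsplit, unquote

# The two probe URLs quoted in the comment thread (literal quote vs.
# percent-encoded), plus one constructed benign request for contrast.
SAMPLE_URLS = [
    "https://store6.esellerate.net/store/checkout/CustomLayout.aspx"
    "?s=STR4183444086&pc=');alert('xss&page=OnePageCart.htm",
    "https://store6.esellerate.net/store/checkout/CustomLayout.aspx"
    "?s=STR4183444086&pc=%27%29%3B%61%6C%65%72%74%28%27%78%73%73&page=OnePageCatalog.htm",
    "https://store6.esellerate.net/store/checkout/CustomLayout.aspx"
    "?s=STR4183444086&pc=SAVE10&page=OnePageCart.htm",  # constructed, benign
]

# Markers typical of a reflected-XSS probe (assumed list, not from the page);
# matched only against the *decoded* parameter value.
PROBE_PATTERN = re.compile(r"(alert\s*\(|<script|javascript:|on\w+\s*=)", re.IGNORECASE)


def decode_query(url):
    """Return {param: [decoded values]} for a URL.

    Splits on '&' explicitly (older parse_qs also splits on ';', which would
    tear the quoted payload apart) and decodes twice so a value that was
    percent-encoded more than once still compares equal to its plain form.
    """
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(unquote(value)))
    return params


def flag_probes(urls):
    """Return (url, param, decoded_value) for each parameter matching PROBE_PATTERN."""
    hits = []
    for url in urls:
        for key, values in decode_query(url).items():
            for value in values:
                if PROBE_PATTERN.search(value):
                    hits.append((url, key, value))
    return hits


def same_payload(url_a, url_b, param):
    """True when both URLs carry the same decoded value for `param`."""
    return decode_query(url_a).get(param) == decode_query(url_b).get(param)


if __name__ == "__main__":
    for url, key, value in flag_probes(SAMPLE_URLS):
        print(f"probe in {key!r}: {value!r}  <- {url}")
```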

  5. RSnake Says:

    Weird… both work for me! Oh well, yes… back to the grind. ;)

  6. Finnur Says:

    I work for GreenBorder and even though I have only been slightly involved in this project, I think I can provide some background information that would help explain the things as they stand now.

    We went live with the security test using an .HTA file so that people could easily verify that the script was not malicious before running it (which you did, I might point out).

    Then - when somebody freaked out because his Anti-Virus wasn’t “protecting” him from this “attack vector” (something the test was in fact designed to show) - some of the Anti-Virus vendors started monitoring our site and adding signatures for the script (which erroneously showed it as malicious when in fact it was not).

    That’s when we started compressing the .HTA, which (I’m told) seems to render all but 2 Anti-Virus script scanners useless and really gives you the warm fuzzy feeling, doesn’t it? :)

    And yes, we have received feedback about the fact that making people download an HTA and run it is not a valid security test because people won’t do that under normal circumstances. We also debated this same point rigorously in-house before developing the test and we came to the conclusion that it is irrelevant. Why? Because:

    a) You can leverage 0-day exploits in, for example, IE to deliver the same code to the user without *any* user interaction. The best example is the old jpeg exploit, which used a buffer overflow in the jpeg rendering to take control of machines. That one only required the attacker to manage to get a popular site to show his carefully crafted jpg as an advertisement on the site, and he becomes the owner of all computers that are unfortunate enough to be shown the ad, until a patch is issued and all computers become up-to-date.

    b) The test is designed to show what attackers can do *after* they exploit some hole in IE and that regular scanning software (Anti-Virus and Anti-Spam, for example) doesn’t pick it up.

    Yes, it would certainly make the test much more effective to exploit some unpatched 0-day exploit in IE. The problem is that it is very expensive for us to play the constant cat-and-mouse game, where we would have to find a new exploit every time MS (or any other vendor) plugs their holes. Then we’d have to leverage another exploit for Firefox and another for Opera. We didn’t feel it was necessary to collect or come up with 0-day holes in 3rd party software since it is a lot of effort. The whole point of GreenBorder, in fact, is that it provides security without depending on scanning for malware signatures.

    Yes, I agree – I think we should be using SSL; I don’t know why we don’t. I’ll follow up on that.

    The Privacy Policy link posted in this forum is not correct.
    If you want to read our privacy policy, here is a direct link: http://www.greenborder.com/privacy/

    Anyway, I hope my comments shed some light on why our security test is the way it is.

    Best regards,
    Finnur

    The views and opinions expressed in this comment are strictly my personal opinions and not necessarily those of my employer. The contents of this comment have not been reviewed or approved by GreenBorder.

  7. enigma13 Says:

    I love you

  8. id Says:

    Thanks for the explanation Finnur.

  9. id Says:

    All Turks love RSnake, this is a known fact.