PDA

Ïðîñìîòð ïîëíîé âåðñèè : Different tests. Check your antivirus software!



Ultima Weapon
21.11.2007, 22:31
http://www.misec.net/images/logo.gif
Trojan Simulator;)

http://www.misec.net/images/ts_small.png For years you have been able to test your virus scanner with the harmless "Eicar" test file. Using the just released "Trojan Simulator" you can now test your trojan scanner in the same manner, using a harmless demonstration trojan. This is a risk-free way to see how your security software behaves in a real-world situation.
Download: TrojanSimulator.zip (http://www.misec.net/products/TrojanSimulator.zip)
Installation is simple: Simply unzip all files contained in TrojanSimulator.zip to any directory. To start, simply double-click TrojanSimulator.exe.
How it works

When you run Trojan Simulator, you will be presented with a screen showing some informational text about Trojan Simulator. Clicking the Install button will install the demo trojan on your system. The demo trojan simulates a real trojan server by hiding its main window and writing an autostart entry to the registry. Clicking the Uninstall button removes the autostart entry from the registry and then unloads the demo trojan server from memory. While the demo trojan is running, you get a chance to observe the behavior of any installed security software. Technical details

When run with the /install parameter, TSServ.exe loads into memory and adds an autostart entry to the registry. An information dialog will pop up notifying that the demo server was successfully installed along with the path to the server and its process ID. Most trojans don't really present a dialog saying they've successfully installed themselves in your system! (Although many will present a fake error message to make it look like the executable file was corrupt or that some other problem occured that prevented the file from being run. In reality the trojan server is already running in memory when this dialog is shown.) When run with the /uninstall parameter, TSServ.exe removes its autostart entry and then unloads all copies of itself from memory. If you run TSServ.exe without any parameters, nothing will happen - the program simply starts and exits.
Ways Trojan Simulator can be detected

When the Trojan Simulator server is installed, it will exist as an active process in memory. It will also have an autostart entry in the system registry. Most virus scanners are not that good at dealing with trojans, so it's likely that your virus scanner, if it detects the Trojan Simulator server, will neither be able to remove the process from memory nor be able to remove the registry entry. Any decent trojan scanner should take care of this if the server is detected. The demo trojan server can be detected on the system in the following ways:

By its file fingerprint. The demo trojan server file, named TSServ.exe, has a unique fingerprint that can be used by security software to detect its presence on a system. The file is packed with the executable packer UPX to reduce its size and to further simulate the behavior of a real trojan. Trojan servers are often packed to avoid detection by security software - see the note below for more information about this.
By its in-memory fingerprint. Once TSServ.exe gets loaded into memory, it has a unique fingerprint in its code section. This can be used by security software to detect its presence in memory. Even though the server file is packed with the UPX executable packer, it always exists in memory in unpacked form. This means the fingerprint won't be the same as for the file on disk, but it also means that this is the perfect opportunity to detect the server, should a file scan have missed it.
By the registry entry it creates TSServ.exe creates an autostart entry in the Windows registry, under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run. The name of the entry is "TrojanSimulator" (without the quotes), and its value is the path to TSServ.exe, enclosed in quotes ("), and followed by the /install parameter. The type of the entry is REG_SZ (standard registry string value).



http://www.pcflank.com/img/toplogo.gif
PC FLANK TEST
" Test Your System"
Quick Test

This test shows how vulnerable your computer is to various Internet threats. The test also determines if a Trojan horse already infects your system and if your Web browser reveals personal info about you or your computer while you're web surfing.

The test takes less than five minutes, but provides the following:
Ports check

The test scans your system for open ports that can be used in attacks on your computer. Open ports let hackers access your system.

Trojan horse check

This test scans your system for any Trojan horses. If a Trojan is found on your computer the test recommends actions to take.

Privacy check

This checks if your browser reveals any of your personal information. This might be the sites you have visited, the region you live in, who your Internet Service Provider is, etc. The test will recommend specific settings of your browser for you to change.




http://www.pcflank.com/test.htm

Äîáàâëåíî ÷åðåç 27 ìèíóò


I tested it against Comodo's ( Advanced HIPS) It stop it all.
Kaspersky's Proactive defense and realtime protection stop it all too (Comodo HIPS off)
A-squared Anti-mallware's (Mallware-Intrusion Detection System) stopped it all too. (Comodo HIPS off & KIS disabled)

I will test it against nod32, Avira Premium, AVG Antispyware next time.

XP user
21.11.2007, 23:13
This is a risk-free way to see how your security software behaves in a real-world situation.
Download: TrojanSimulator.zip (http://www.misec.net/products/TrojanSimulator.zip) [SNIP]
I like this part - it's always nice to have a new toy to play with. I didn't like the 'download-30-day-trial-now' part for Trojan Hunter, by the way, which sounds like advertising, which is not the purpose of this forum. I would appreciate it if you removed that link. Security products may be discussed or compared, but not plainly advertised on this forum.


I tested it against Comodo's ( Advanced HIPS) It stop it all.
Kaspersky's Proactive defense and realtime protection stop it all too (Comodo HIPS off)
A-squared Anti-mallware's (Mallware-Intrusion Detection System) stopped it all too. (Comodo HIPS off & KIS disabled)
Nice to hear that you are well-protected. Keep up the good spirit! :)

Paul

Ultima Weapon
22.11.2007, 00:49
http://www.eicar.org/image/about_us/eicar_brochure.gif
EICAR FILE TEST!!

Test your Anti-Virus web protection by trying to download the following files.

Eicar file= is a standardized test file for signature based virus detection software. This file can be used to verify the correct operation of antivirus software
See below for more details.
http://www.eicar.org/anti_virus_test_file.htm

All files are NOT viruses, but they appear to be viruses, therefore your Anti-Virus should stop the downloads.

If you can download any of these files, then your Anti-Virus is NOT effective! Just delete any file downloaded and empty Recycle Bin.

TEST 1 (http://www.eicar.org/download/eicar.com)

TEST 2 (http://www.eicar.org/download/eicar.com.txt)

TEST 3 (http://www.eicar.org/download/eicar_com.zip)

TEST 4 (http://www.eicar.org/download/eicarcom2.zip)

Your Antivirus should pass all these test in order to be totally effective!!

NOTE:
ALL ANTIVIRUS SHOULD BE SET AT MAX SETTINGS FOR THIS TEST TO COMPLETE. IT SHOULD BE SET TO SCAN ALL ARCHIVES & SCAN ALL FILES.

For best results use Internet Explorer and disable any other security softwares with web guard, except for your real-time Anti-Virus software.

Note:

Disable any download manager like Internet download manager & Orbit & more.:P



COMPRESSED EICAR & NOISY BEAR((java applet based on eicar) FILE TESTS
http://www.attac.net/menu.gif


Homepage & Tests (http://www.attac.net/tester.html)



Äîáàâëåíî ÷åðåç 8 ÷àñîâ 53 ìèíóòû

http://images.gxware.org/upload/gallery/kaspersky.av.logo.jpg

A Kaspersky Lab test file that tests heuretics

KASPERSKY VIRUS TEST FILE
Kaspersky Test File (http://tav.kaspersky.fr/test/emul.zip)

Same with Eicar , Your Antivirus should stop the download!!



http://virscan.org/images/av/ikarus.gifhttp://www.ikarus.at/ika_images/onlineShopButton2.jpg
IKARUS VIRUS TEST FILE

IKARUS VIRUS TEST FILE (http://www.ikarus.at/downloadfiles/tools/dummyvir.com)

Same with Eicar , This is test is really for Ikarus Antivirus only & only Ikarus should stop the download!!


UNITYPRO AV TESTER
http://www.unitypro.com/images/avtester-m.jpg


UnityPro AV Tester to the rescue! This freeware program allows you to SAFELY test your realtime Anti-Virus protection with a simple click of the button. Using the EICAR test pattern, AV Tester decrypts the test pattern in memory and attempts to write a file to the same folder where AV Tester is installed. If your Anti-Virus solution is watching, it will almost immediately go off, proving it is functioning properly.

http://www.unitypro.com/avtester.php

Ultima Weapon
22.11.2007, 02:21
http://www.ghostsecurity.com/images/gsslogo.jpg
REGTEST:P
RegTest is a program which will allow you to test the effectiveness of your registry protection. RegTest simulates malicious software which infect computers all around the world millions of times a day. RegTest will not harm your computer like malicious software would however, but will allow you to see some of the techniques advanced spyware, viruses and trojans use to infect your system without any harm.:) RegTest works on all Windows versions:D
The registry can be misused by malicious software so it is essential you have some protection for it. RegDefend (http://ghostsecurity.com/regdefend/) protects against all attacks shown in this RegTest demonstration.
RegTest performs 2 series of tests which effectively determines how good your registry protections are.
Test 1 - This test works by modifying several autostart values in the registry then quickly rewriting the original contents. This test will determine whether or not the registry protection you have is quick enough to catch the change. If it is not then the fact is your registry can be modified without you knowing. Most registry programs simply poll/read the registry every few seconds which means they will never catch everything which is written. This can be abused by malware which simply keeps rewriting itself to the registry so that you every time your machine starts up, the worm/virus/trojan will start also. If your registry protection program is successful all registry items shown will not be able to be modified.
Test 2 - This test works by attempting to write itself to various autostart locations in the registry. It will then simulate a shutdown to show that it will appear the next time your machine starts. If the test fails to shutdown your computer, then manually shut it down to see the results for the next boot. If this test is successful after the reboot you should receive various messages stating that this test indeed managed to start itself on the next reboot. If the test is successful you are vulnerable to being infected with something which will continually start itself on your system. If your registry protection programs detects the changes AFTER the registry tester starts then it has failed. If this test can get itself to start up again next boot, what is stopping a malicious software doing the same thing?
RegTest Screenshots
http://ghostsecurity.com/images/regtest01.jpg (http://ghostsecurity.com/images/regtest01_large.jpg) http://ghostsecurity.com/images/regtest02.jpg (http://ghostsecurity.com/images/regtest02_large.jpg) http://ghostsecurity.com/images/regtest03.jpg (http://ghostsecurity.com/images/regtest03_large.jpg)

Download RegTest
REGTEST (http://www.ghostsecurity.com/downloads/regtest.zip)
Version: 1.000
Size: 460KB

RegTest is completely free for personal and corporate use

Ultima Weapon
22.11.2007, 02:29
http://img61.imageshack.us/img61/7084/scoundrelsimulatoriconqs7.jpghttp://img61.imageshack.us/img61/7366/scoundrelsimulatorew2.jpg

Scoundrel Simulator Geek Superhero is a program that's harder to see in action, protecting your computer. With a download manager (like GetRight (http://www.getright.com/)) you can download a file and see it work. Geek Superhero is more like a virus scanner--where it's hard to really see it work until the virus scanner pops up and says "Hey! I Found a Virus!" I simulate what a virus, trojan, or other malicious program can do to your computer. I'm Geek Superhero's Scoundrel Simulator. With a simple button, you can change (and then fix back!) settings that show some of the nasty things a scoundrel can do to your computer. The things I'll demonstrate:

Changing your browser's home page.
Disabling access to change your Internet Options.
Disabling the registry editing tools that come included in Windows.
Adding new items to start when Windows starts. These show quite well how Geek Superhero protects you (or if you don't have Geek Superhero, it shows how simple it is for these things to be changed without your knowledge).

Download Scoundrel Simulator:
Scoundrel Simulator (http://dl.filekicker.com/send/file/143719-YJTV/scoundrelsimulator.exe)

This 300kb file is the program itself, it doesn't need any installation. Just download and run. Silly, but McAfee says we could be a site that distributes software that makes questionable changes--because this demonstrates how easy it is to make changes! Copy that address to your web browser to download; hopefully this stops them flagging us as bad!


A Picture...
http://www.geeksuperhero.com/ssim.gif (javascript:HideBubble();) Printable version of this page (http://www.geeksuperhero.com/scoundrelsim.shtml?printer=yes) | Privacy Policy (http://www.geeksuperhero.com/privacy.shtml)

Ultima Weapon
22.11.2007, 05:06
Spycar= Anti-spyware Test http://img208.imageshack.us/img208/5976/spycarvu0.png


What does Spycar do?
The following links are Spycar. Clicking on each of the links will make Spycar try to take some benign action on your system. When you first run it, Spycar will ask you to name a test profile, a small file where we’ll store state information about a given series of Spycar tests you perform. Then, when you click on each link, Spycar works by pushing a Windows executable to your browser. Currently, Spycar runs only on Windows, and its browser-centric alterations focus on IE, although it can be triggered by any Windows browser (Firefox-altering Spycar modules will be released soon!).

Spycar does not include any exploits, so you must click “OK” in the message that appears in your browser to run the given Spycar function. If, after you click “OK”, your anti-spyware tool blocks the given Spycar action, good for you! If not, this benign alteration will occur. Then, when you have clicked each of these links, you can click on the Results/Clean-Up link to have the Spycar tool called TowTruck automatically measure how your anti-spyware tool did, and to restore your machine to the pre-Spycar settings.

Note that we designed Spycar as a series of different links and associated executables. We did not make it a monolithic one-click-to-conduct-all-actions programs, because an anti-spyware tool may shut down a given program early on in its cycle, without letting Spycar accurately test later modules. That’s why you have to click on each link, giving your anti-spyware tool a fair shot at stopping each individual action.

Intelguardians cannot be held responsible if these files and/or your anti-spyware tool in combination with these files cause any damage to your computer. You download and run these files at your own risk. Download and run these files only if you are sufficiently knowledgeable in the usage of your anti-spyware tool and operating system. Intelguardians cannot and will not provide any help to remove these files or the changes they cause from your computer. Please contact the manufacturer of your anti-spyware tool to seek such help.

You must agree to Spycar EULA (http://www.spycar.org/Spycar%20EULA.html) to use the downloads to run the tests.

• “Spycar change allowed” -- Sorry, but your anti-spyware tool did not block this test. You are not protected against this kind of behavior
• “Spycar change blocked” -- Your anti-spyware tool blocked this test. That’s a good thing.
• “Spycar test not performed” -- Either you did not run this element of Spycar, or your anti-spyware tool blocked it so thoroughly that Spycar cannot even determine that it was run. The former just means you need to do the test. The latter is a good thing.

Äîáàâëåíî ÷åðåç 43 ìèíóòû

http://www.winsite.com/images/logo_main.gif
UNDETECTABLE KEYLOGGER TEST

As the name states, its undetectable. Its a simple stay-on-top program with a
memo, that displays everything you type. It uses a special system of keylogging,
which is magnificent if i may say so myself, so dont be surprised if your anti-keylogging
software doesnt block it. If you want to test your pc and see if it is truly
protected against spyware, try this. Note to people who think slowly: This is
NOT spyware, it is only intended for testing if your computer is is really immune
to spyware.

Homepage (http://www.winsite.com/bin/Info?26000000037599)



ANTI-KEYLOGGER TESTER


What is Anti-Keylogger Tester ?

Some trojans includes keylogging functionalities, that can steal confidential information you are typing.

Homepage (http://www.firewallleaktester.com/aklt.htm)

PC tools Keylogger test
http://www.pctools.com/res/images/logo.gif
Download (http://www.pctools.com/forum/attachment.php?attachmentid=666&d=1195022672)

Ultima Weapon
22.11.2007, 08:35
Adware Popup (Anti-Adware Test) http://www.eset.com/msgs/imgs/adware9.jpg
Homepage (http://www.popup-killer-review.com/simplepop8.htm)
Adware is a program installed on your computer, that occasionally opens advertisement windows.

Usual pop-up ads are opened by browser. To imitate Adware popups we will use special program - Adware imitator. Adware imitator simulates pop-up ads created by non browser program.

If you want repeat this test on your computer, you should download Adware imitator. Click here to download Adware imitator. When you run Adware imitator it will open 2 pop-up windows every 6 seconds.

Adware imitator simulates 2 kinds of pop-up ads:
- pop-up from "unknown" domain and
- pop-up from "well known advertising" domain (fastclick.com)

Download Adware Popup
Click below to download Adware imitator. When you run Adware imitator it will open 2 pop-up windows every 6 seconds.

ADWARE IMITATOR (http://www.popup-killer-review.com/AdwareImitator.exe)
http://www.popup-killer-review.com/camouflaged-popup.htm for more tests
Adware is a program installed on your computer, that occasionally opens advertisement windows.

Usual pop-up ads are opened by browser. To imitate Adware popups we will use special program - Adware imitator. Adware imitator simulates pop-up ads created by non browser program.

If you want repeat this test on your computer, you should download Adware imitator. Click here to download Adware imitator. When you run Adware imitator it will open 2 pop-up windows every 6 seconds.

Adware imitator simulates 2 kinds of pop-up ads:
- pop-up from "unknown" domain and
- pop-up from "well known advertising" domain (fastclick.com)


A good pop-up blocker should successfully kill these pop-ups.

Äîáàâëåíî ÷åðåç 1 ìèíóòó


Popup Test

Popup Test to help you verify your ad blocking software is really capable of preventing ads.
Popup Test - Details

Normal popup test:
This test checks to see if your popup blocker can block normal popup windows, which are browser windows that do not have any toolbar, buttons or menus except for a simple titlebar. This test adds 20 points to your popup blocker quality score if this popup is blocked.

Full-screen popup test:
This checks your popup blocker's ability to block a special type of popup window. This window does not have any toolbars, button or menus and covers your entire screen. These are called "full-screen popups" are can only be seen with the Internet Explorer web browser. This test adds 10 points to your score if this popup is blocked.

Channel-opener popup test:
This type of popup launches a full-screen popup but contains a toolbar and can only be seen on the Internet Explorer. Other browsers will just open a normal popup. Adds 5 points to your popup test score.

Modeless dialog popup test:
This popup can only be launched in Internet Explorer and opens a dialog window, not a popup, that forces the user to close it in order to continue working on the web page that opened it. Adds 10 points to your popup test score.

Browser window popup test:
This popup is exactly the same as a normal browser window. Contains menubars, toolbars, and everything else that a normal browser has. This test adds 20 points to your popup test score.

User-launched HREF-method popup test:
The term "user-launched" refers to popup windows that are opened manually by the user. This test checks to see if your browser allows a popup window to be opened from clicking a link. It may think it's a popup and block it. Adds 10 points to your popup test score.

User-launched JavaScript-method popup test:
This test checks your popup blocker's ability to correctly allow popups that open when you click on a link. The popups being opened can be a popup or series of popups that are opened by an instruction called from JavaScript when you click on that link. Adds 10 points to your popup test score.

User-launched OnClick-method popup test:
This test checks if your popup blocker allows popups that open when you click on a HTML object, which usually is a link. Popup windows are opened by detecting when you click on that object. Adds 10 points to your popup test score.

User-launched Delayed-method popup test:
This test is the same as the JavaScript-method popup test, the only difference is that the popup being opened is delayed by a dialog box before it actually opens. Adds 5 points to your popup test score.
http://www.auditmypc.com/freescan/popup/popup-test.asp

Ultima Weapon
24.11.2007, 01:04
The Zapass Trojan Test
http://www.whirlywiryweb.com/articles/zapass1.gif

Download the ZIP file, and extract both the exe and dll to the same folder. No special installation is necessary.
A quick tour
Zapass Trojan Test (http://www.whirlywiryweb.com/articles/zapass.zip)

Zapass (ZoneAlarm Pass or more boldly zap-ass) requires Microsoft Windows NT4, 2000 or XP. We went for these platforms as people consider them the most secure. Trojan Implants are even easier on Windows 95, 98 or Me, but not implemented in Zapass.



Zapass consists of a Control Interface (zapass.exe) and an Implant dll (zapass.dll), that should be extracted in the same folder. Apart from these two files, absolutely nothing will be written to your system. At any time, you can completely remove Zapass from your system just by deleting these two files.


Zapass allows to pick whatever running process that qualifies as host. Basically, these are all processes that are not services. You may pick IE, Navigator, even ZoneAlarm, ...
Clicking 'Refresh List' will update the list of host candidates, matching the current open applications.
Clicking 'Inject Implant' will inject the Implant into the selected process. The Implant will respond as soon as it's operational.
Clicking 'Issue Download' will issue a download command to the Implant, downloading the http://www.google.com search page to your c: root folder. The download will occur under the credentials of whatever process that's hosting the Implant. At this point, Zapass accesses the Internet and writes to local resources. If you chose a trusted application as host, ZoneAlarm will not complain.

Try Notepad as host application, and see how ZoneAlarm identifies notepad.exe as the one who attempts to pass.

A real Trojan may automatically pick your default Web browser as host, and then unvisibly upload personal information or open a more permanent connection to a obscure server.
Clicking 'Issue Lifecheck' invokes a roundtrip to the Implant and back. A positive response proves that the Implant is ready and eager to execute commands.
Un-clicking 'Inject Implant' will eject the Implant from the host process, returning it to its unaffected state. (As you may expect, closing the host process will also unload the Implant.)




REGTICK Registry Test

http://www.boostware.com/os/windows/regtick-pro.jpg

Download
Regtick (http://woundedmoon.org/win32/regtickpro.zip)

Change registry values and then reset to originalHide "Run" in Start Menu [Current User]
Hide "Run" in Start Menu [Local Machine]
Disable Display Control Panel [Current User]
Disable Display Control Panel [Local Machine]
Disable MS Registry Tools [Current User]
Disable Task Manager [Current User]
Internet Explorer - hide General tab [HKCU]
Internet Explorer - hide Security tab
Internet Explorer - hide Advanced tab [HKCU][color=#3333FF]

Sjoeii
27.11.2007, 09:53
Nice tests.
It's a pitty for all those pictures on this forum. therefore the thread it is a crime to read

XP user
27.11.2007, 10:04
Nice tests.
It's a pitty for all those pictures on this forum. therefore the thread it is a crime to read
Hi, Sjoeii!

Nice to see you here. If you have Firefox, install the extension ImgLikeOpera and set the default policy to '4' (= don't load images). Then exclude sites where you really want to see the pictures. My policy here is '2' (= load images for this site only).
* First of all, you save a lot on traffic.
* Second, you don't have to see pictures that have nothing to do with the content being discussed. If you really want to see them, just right-click and choose 'Load Image'.

Paul

Ultima Weapon
27.11.2007, 11:00
http://www.threatexpert.com/resources/telogo.gif

ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.

In only a few minutes ThreatExpert can process a sample and generate a highly detailed threat report with the level of technical detail that matches or exceeds antivirus industry standards such as those normally found in online virus encyclopedias.

ThreatExpert: Introduction
ThreatExpert (patent pending) is an advanced automated threat analysis system (ATAS) designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.

The ThreatExpert system produces reports with the level of technical detail that matches or exceeds antivirus industry standards such as those found in online virus encyclopedias.

It only takes 2-3 minutes for an automation server to process a single threat, making it possible to generate up to 1,000 highly detailed threat descriptions per server, per day. Built on a distributed architecture the service can scale to a virtually unlimited amount of threat analysis servers, thereby allowing unlimited automated processing of threat samples.

The Problem
A typical threat outbreak scenario is illustrated below:


* A new threat slips through an Antivirus Product undetected and penetrates into the Customer's environment
* The customer submits the sample to its Antivirus Vendor for analysis
* It can take many hours for the Antivirus Vendor to provide a response
* Response #1: Antivirus Vendor rolls out definitions to update the Antivirus Product.
* Response #2 (optional): Antivirus Vendor provides the Customer with the threat description

Notes:

* Threat description response (such as a posted write-up) follows the updated detection a several hours (or even days) later
* Due to its complexity, threat description response is only provided for a small percentage of newly discovered threats, such as high-profile threats or threats that are submitted by VIP customers. Note: the majority of new threats are detected under generic names only with no specific description provided thereby removing the possibility of manual mitigation or prevention.

The Solution
Below is the illustration of a scenario when Customer uses ThreatExpert Automation directly:


* Being affected with a new threat, the customer submits the sample both to their current Antivirus Vendor and ThreatExpert
* ThreatExpert provides an immediate detailed threat description analysis
* Threat description can be used by the customer to undertake threat mitigation phase (e.g. automated or manual threat removal or prevention) hours before Antivirus Vendor responds

Below is the illustration of a scenario when Antivirus Vendor uses ThreatExpert Automation to accelerate and improve the quality of its response:


* As soon as the Antivirus Vendor receives a sample from the Customer, it engages ThreatExpert (which could be an in-house server or a hosted server)
* ThreatExpert provides an immediate threat description response
* The new threat description can now be immediately posted on the corporate website of the vendor, hours before other vendors are capable to do so
* Vendor's other Customers can now be immediately alerted about a new threat with the full threat description
* Vendor can use the detailed behavioral report to assist in the malware analysis for generating the detection signature.



http://www.threatexpert.com/


http://zedomax.com/blog/wp-content/uploads/2007/08/symantec_logo-705671.jpg

Symantec Computer Virus and Worm Simulation System


The VBSim program is a malware simulation that demonstrates how a computer virus or worm spreads inside and between corporations. The simulation relies upon user-specified parameters, probability functions, and random numbers to model the corporate environment. Because it is a simulation, different outcomes and different infection patterns are generated each time the program runs. The infection patterns can vary widely from one run of the program to another. Although the parameters that have been chosen and the mathematical models used within the simulation are not perfect, they do model the gross behavior of computer viruses and worms. Because this is a simulation governed entirely by random processes, its behavior may not always conform to your expectations. Over many runs of the simulation, however, trends and behaviors will emerge. VBSim was first demonstrated at the 1999 Virus Bulletin conference in Vancouver, Canada. The Symantec AntiVirus Research Center continues to update and work with models such as VBSim to help advance antivirus research.

Homepage & Download (http://vx.netlux.org/vx.php?id=ss02)

Symantec Worm Simulator

The new Symantec Worm Simulator visually demonstrates how worms spread through the Internet, and how they fare against a custom network and security policy.

The Worm Simulator is a substantially updated version of the VBSim program released in 1997. VBSim was the first program to “show” the spread of a virus to Symantec customers. The new Worm Simulator takes VBSim to another level, enabling custom configuration of new worm simulations, configuration of custom networks and protection policy, and incorporates impressive new three-dimensional graphics

Homepage & Download (http://vx.netlux.org/vx.php?id=ss01)




Rosenthal Virus Simulator

These Virus Simulator programs generate safe and sterile, controlled test suites of sample virus programs. Virus Simulator's ability to harmlessly compile and infect with safe viruses, is valuable for demonstrating and evaluating anti-virus security measures without harm or contamination of the system. The infected programs can be used as bait for virus detecting programs to gain practical virus protection experience.

Homepage (http://vx.netlux.org/vx.php?id=sr00)


SECURITY SOFTWARE SELF DEFENSE TEST


http://www.diamondcs.com.au/images/diamondcs.gif
Advanced Process Termination
Kernel-mode & User-mode termination


Are your security applications vulnerable to termination attacks? Security programs are useless if they aren't running, yet it's so easy for malicious software to terminate them unless they're protected by a kernel-level process protection system like ProcessGuard.

Advanced Process Termination (APT) is a tiny but powerful utility that provides 18 unique process attacks:
- 2 kernel-mode termination techniques
- 12 user-mode process termination techniques
- 2 suspension techniques
- 2 fatal crash techniques
This arsenal makes APT ideal for testing the resistance of software to termination attacks, testing the configuration of your own security programs, as well as allowing you to terminate stubborn software that simply refuses to die.

APT also has internal anti-hook capabilities which transparently enables it to bypass most user-mode hooks which may otherwise try to interfere with termination techniques.



HomePage (http://www.diamondcs.com.au/advancedseries/apt.php)



http://www.diamondcs.com.au/images/diamondcs.gif
Advanced Process Manipulation
Control from the inside

DiamondCS Advanced Process Manipulation (APM) is an advanced process/module viewer and manipulation utility that allows unique control over target processes by literally becoming a part of them.

Take control of a process by becoming a part of it ...
Unlike conventional process viewers, DiamondCS APM doesn't control processes by remotely sending them instructions. Instead, APM safely attaches a part of itself to the target process, essentially becoming a part of that process. Once 'inside', APM is free to perform actions on behalf of the target process. For example, if it calls the ExitProcess API function, the target process terminates.

Control processes in ways that aren't conventionally possible ...
Because of this 'insider' nature, APM is able to do some remarkable things that aren't otherwise possible. For example, it can unload and load DLLs into the target process (allowing you to make plugins for virtually any program). It can even determine which ports the target process is using. APM has even proven its unique anti-trojan capabilities here in our lab by disinfecting an explorer.exe-infecting usermode-rootkit trojan from a test machine. It also serves as a useful way to see which modules are loaded in each process!

Homepage (http://www.diamondcs.com.au/advancedseries/apm.php)


http://www.gentlesecurity.com/images/sp_tet1.gif
Gentle Security Intrusion Demo Test

The demo is a simulation of intrusion attacks, virus and mal-ware activity, including:

* Information Disclosure attacks, copying confidential files
* Infecting executables
* Deleting documents
* Code injection
* Sending control keystrokes to windows (shatter attacks)
* Process termination through implicit context of WMI service
* Installing a backdoor attacks

Homepage & Download (http://gentlesecurity.com/demo.html)


http://www.morgud.com/images/mlogo.jpg
DFK Threat Simulator version 2 (DFKTSv2)



Overview
Security is only as good as the measure of stress you apply to it. To this end the "DFK Threat Simulator" was created. Bundling a de-clawed collection of dropper, rootkit, exploit, virus, trojan, spyware, keylogger, leaktest, process termination, action automation, and alternate data stream technology, the updated version 2 of the DFK Threat Simulator is a serious representation of the modern dangers facing computer users today.
Because it is far easier to destroy than to build, the true victors in the digital arms race (and this simulation) are the white-hat men and women in the security industry tirelessly facing mounting odds and innumerable fronts to keep our computers safe. No effort is wasted - Keep up the good fight!



HOMEPAGE & DOWNLOAD (http://www.morgud.com/interests/security/dfk-threat-simulator-v2.asp)


http://www.israelseed.com/graphics/company_logos/finjan.jpg

The tools below let you test your Vital Security policy. Each of the tests below focuses on a specific security domain in the product’s security policy.
a) Anti Virus Security Engine Testing
b) Vulnerability Anti.Dote™ Security Engine Testing
c) Behavior Profile Security Engine Testing
d) URL Filtering Security Engine Testing


Homepage Tests (http://www.finjan.com/Content.aspx?id=577)


http://misweb.cob.sjsu.edu/bessentials/infraf01/images/biomet_logo.jpg
TRUSTWARE VULNERABILITY TEST FILE



Proof Of concept
Don’t Compromise – Virtualize!

Attention: By agreeing to perform the following PC vulnerability test, you will become subject to our “Cyber Attack”. This is only a demonstration and no actual damage will be caused to your PC or network.

We will, however, simulate a malicious file received, for example, via the Web, as an email attachment, from a memory stick, or from any other path by which an executable file can enter your system. We will attempt to prove that none of your security systems will identify or alert you to our intrusion attempt.

Step 1: Run our .exe Vulnerability Test File
As you run our .exe file, we will demonstrate how hackers can do as they like on your PC:

A. Launch your Windows Calculator

B. Abort your Internet Explorer

C. Access several sensitive files (no harm will actually be done), and scan your ‘My
Documents’ folder, where you probably keep your private information.

D. We will then place your sensitive file names (names only!) on our server. During the
process, your firewall may notify you of our demo trying to access the network; this means
that our demo has successfully accessed your system and is trying to report its findings to
our server.

Step 2: View your PC’s Vulnerability Test results
If you allow our Vulnerability Test File to connect to the Internet, you will receive a link that enables you to view your PC’s Vulnerability Test results. As soon as you refresh that Web page, the information we were able to collect from your PC will be immediately and automatically erased from our servers.

HOMEPAGE & DOWNLOAD (http://www.trustware.com/virtualization/Bufferzone_proof_of_concept.html)


http://www.invircible.com/images/titles/AVPL_T.gif
http://www.invircible.com/images/d_avpl_logo.gif

is a self contained tool that will let you practice virus attacks and recover from them, in a realistic yet safe environment. AVPL is the perfect tool for hands-on training for system administrators, security experts and power users with an interest in the field.

Download the Anti-Virus Practice Lab - AVPL here.

AVPL is designed to be used with InVircible. However, it can also be used to evaluate antivirus products in general.

AVPL is a significant contribution to the tools available to end-users who have previously been unable to evaluate the key features of an antivirus package.

In order for computer user's to appreciate the significant effectiveness of a generic, rule-based, expert system's approach, it is necessary for them to become familiar with how viruses operate in a computer. A major purpose of AVPL is to provide computer users with a near-real virus environment so that they may increase their familiarity with the types of actions that viruses perform.

AVPL allows an individual to "infect" selected computer programs in a virus like way, to install master boot sector (MBR) infectors to the hard disk, and to use the AV product of their choice to identify the simulated viruses and recover from them.

How "safe" is the AV Practice Lab?
Several points need to be emphasized. First, the "infections" produced by AVPL are ultimately harmless. The scenarios created by AVPL will not replicate. They can not spread through a process of spontaneous replication to other programs or disks. They will only affect the program files in a target directory selected by the user and the hard drive of the system on which AVPL is installed. Therefore, the user can be assured that only those programs and the hard disk of their system can be practiced upon with AVPL. AVPL will ONLY affect program files and the hard drive chosen by the user.

Programs that are affected by AVPL can be "cleaned" either through the use of the Uninstall option of AVPL, or through the DOS delete command.

MBR infections that were installed by AVPL can be removed as well by AVPL's Uninstall option, or through the use of the InVircible ResQ diskette.

Note: It's highly recommended to download, install InVircible and prepare its ResQ diskette before starting to practice with AVPL.

http://www.invircible.com/avpl.php

XP user
30.11.2007, 09:14
A. Launch your Windows Calculator
The test was not able to launch my calculator. Not found.

B. Abort your Internet Explorer
I had always dreamed that somebody would abort my Internet Explorer, but it is not available on my OS to anyone... So sorry...


C. Access several sensitive files (no harm will actually be done), and scan your ‘My
Documents’ folder, where you probably keep your private information.

D. We will then place your sensitive file names (names only!) on our server. During the process, your firewall may notify you of our demo trying to access the network; this means that our demo has successfully accessed your system and is trying to report its findings to our server.

Step 2: View your PC’s Vulnerability Test results
If you allow our Vulnerability Test File to connect to the Internet, you will receive a link that enables you to view your PC’s Vulnerability Test results. As soon as you refresh that Web page, the information we were able to collect from your PC will be immediately and automatically erased from our servers.
Well, ladies and gentlemen: Here are the results of my VEEEEEEERY private data on their server (see screen shot): a white page, even with scripts enabled for their domain...

This is FUD, nothing more. You see: no security installed and obviously not needed either against this kind of 'attacks'...
P.S.1: Judging by the ip-address, it got stuck somewhere and didn't even get home.
P.S.2: Never trust anything that has 'Trust' in its name... (Just kidding)

Paul

Ultima Weapon
14.03.2008, 14:47
Default Download real rootkit samples for testing
These rootkit downloads are being provided so you can test rootkit detection software in a controlled environment. Under no circumstances is it recommended that you try to run them on and production systems.

http://www.rootkitshield.com/forums/archive/index.php?t-20.html

RegHidehttp://www.gentlesecurity.com/blog/pix/0018.png

Link: http://www.sysinternals.com/files/reghide.zip

RegHide demonstrates how the Native API can be used to create object names that are inaccessible from the Win32 API. While there are many different ways to do this, the method used here it to include a terminating NULL that is explicitly made part of the key name. There is no way to describe this with the Win32 API, which treats a NULL as the end of the name string and will therefore chop it. Thus, Regedit and Regedt32 won't be able to access this key, though it will be visible

GeSWall prevents creation of this key if RegHide running isolated.

Link: http://www.sysinternals.com/files/reghide.zip

futo enhanced
rootkit:http://www.rootkit.com/vault/petersi...o_enhanced.zip

badrkdemo
https://www.rootkit.com/vault/cardmagic/badrkdemo.rar



fhide
http://rapidshare.de/files/24943411/fhide.rar.html

hide files and folders
http://www.softstack.com/download/hff.zip

Äîáàâëåíî ÷åðåç 9 ìèíóò

Cover
15.12.2008, 11:52
Thanks for these great posts.

KeyLogger Test Program
ScreenLogger Test Program
WebCamLogger Test Program
ClipboardLogger Test Program
SSL-Logger Test Program

http://www.zemana.com/list/list.asp?ktgr_id=413

Dont.care.a.f!g
04.08.2009, 23:06
RkU Test Rootkit - RkUnhooker test rootkit 1.2 de MP_ART © - août 2006
•Description :
◦''rkstart.exe'' est la partie utilisateur du rootkit.
◦Vous pouvez entendre le speaker du PC émettre des ''beeps'' lorsque le rootkit fonctionne.
◦''Rkdemo12.sys'' est le driver résident. Il simule des menaces (mais elles n'existent pas dans son cas).
◦Vous pouvez le voir avec -> DbgView de Mark Russinovich
◦Il ne cache aucun fichier et ne crée pas de clé dans le Registre.
•Notes
DarSpy le voit dans les [Processus] et l'interrompt par [Force Kill] mais le risque d'instabilité du système est élevé..
Pour l'arrêter, il suffit au choix ...
◦D'utiliser la procédure [Force Kill] sur le processus marqué ''Hiden from Windows API'' de RkUnhooker
◦De redémarrer le système
•Limites de ce rootkit
◦Comme ses « collègues » ''fhide.sys'' et ''ntqsi.sys'', ''RkU Test Rootkit'' n'essaie pas d'imposer le lancement de son driver au démarrage de Windows. Il attend gentiment que vous le sollicitiez.
Quand vous le lancez, il doit bien sûr crocheter le noyau du système pour atteindre son objectif de furtivité. Un utilitaire de défense activé avant lui et qui analyserait correctement les tables du noyau pour détecter en temps réel la moindre modification devrait logiquement le repérer à ce moment là. Le développement des bons H-IPS va dans ce sens.
La recherche des intrus par des outils utilisés après l'installation des rootkits (H-IDS) est encore plus complexe.
◦C'est surtout le principe qui compte. Imaginez ce qui arriverait si ce rootkit était malintentionné et se lançait prioritairement au démarrage du système. Imaginez aussi que son driver soit lancé par le DRM d'un DVD piégé ou tout autre programme à l'air innocent.
◦Ce rootkit, le plus ancien publié par l'équipe de Rootkit Unhooker, est maintenant un peu dépassé et tous les « bons » antirootkits devraient détecter le lancement de ce driver et l'empêcher.

http://img230.imageshack.us/my.php?image=rkudemodsprocess1gu7.jpg
http://img181.imageshack.us/my.php?image=rkudemorkuhpd3forcekillvi8.jpg
Téléchargement http://infomars.fr/txon/rku_demo_v12.zip


Rootkit « Unreal » version A (1.0.1.0) de e MP_ART © - janvier 2007 ...
•Description Unreal cache son processus dans les "ADS" (Alternate Data Stream) du disque système et le driver unreal.sys (C:\:unreal.sys) se cache lui-même à l'aide d'un "DKOM" (Direct Kernel Object Manipulation). Aucune crainte à l'utiliser, il est complètement inoffensif. Il ne sert aux utilisateurs qu'à tester les capacités de réaction de leurs défenses en cas de pénétration d'un rootkit comparable.
•Installation
Rien de plus simple ... lancez l'exécutable puis confirmez en cliquant sur [Install Rootkit]

http://img266.imageshack.us/my.php?image=unrealinstall6vo.png
http://img221.imageshack.us/my.php?image=unrealinstallii0eb.png

Limites ... Ce rootkit a été rendu public fin janvier 2007. Il est intéressant de voir quand les utilitaires disponibles sauront le détecter et le(s)quel(s) pourront l'éradiquer sans avoir à utiliser le désinstallateur fourni par l'équipe de Rootkit Unhooker...
Téléchargement http://infomars.fr/txon/Unreal_rootkit_1.0.1.0.zip


(ñ ñàéòà http://infomars.fr/forum/index.php?showtopic=280&st=0&p=1776&#entry1776)