Take the Content IQ Test!
In addition to being highly polymorphic, and therefore immune to signature-based security technologies,
today's threats are hidden deep within the content that's handled by client applications,
and are often not visible in the packets that are used to transport that content over the network.
Many network security systems, like firewalls, "next-generation firewalls," intrusion prevention systems and network forensics systems,
claim to be "content aware" and to offer visibility over the content that's flowing over the network.
The Content IQ Test is an easy test you can run yourself that will help you judge how "content aware" your network security system really is.
Each of the Test Files listed below contains the string*:
This is the "target string". It's a little piece of simulated malicious JavaScript. It is totally safe and does absolutely nothing at all.
The purpose of the test is to gauge the network security system's ability to find the actual target string in the content. In the real world, you would not know where the threats were coming from or what the exact delivery vehicle would be. The objective is to create a single content rule that fires on all of the Test Files but not on any of the Negative Control files. So triggering on the test files' URLs or HTTP headers or filenames or MD5 hashes and stuff like that is cheating and it doesn't count. If the teacher catches you, you're going to be in trouble!
* Note: In the test files where the target string is embedded in a Windows executable file (e.g. Test Files 20, 21, 26 and 27), the characters in the target string are separated by ASCII NULL characters. In PCRE syntax, the target string, when compiled into an exe file, would appear as e\x00v\x00a\x00l\x00(\x00u\x00n\x00e\x00s\x00c... So your rule should look for both the target string as depicted above in red and the NULL-separated version.
To test your network security system's Content IQ™:
- Set your network security system up to look for the target string (or some representative sub-string of the target string). Normally this involves creating a content rule that generates an alert when it sees the target string.
- Click on each of the Test Files below. This will cause the files to be downloaded across your network and through (or past) your network security system. Each Test File should generate an alert on your network security system.
- Check to see how many of the Test Files were identified by your network security system as containing the target string.
- For extra credit, see if you can recover the Test Files from your network security system's alert database or packet store.
- For extra extra credit, see if your network security system can prevent the Test Files from entering your network.
- Click on each of the Negative Control Files. They are the same as the corresponding Test Files above except that they do not contain the target string. Your network security system should not trigger on any of the Negative Control Files. If it does, it's a false positive.
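One way to express the content rule the steps above ask for, written here as an added example (it is not part of the original test page and is not Fidelis code): a single regular expression that fires on a representative sub-string of the target string whether it appears as plain bytes or with an ASCII NUL after each character, as the note describes for the executable-embedded Test Files. The sub-string `eval(unesc` is taken from the prefix shown in the note; the three sample buffers standing in for a plain Test File, an executable-embedded Test File and a Negative Control File are constructed for this example.

```python
import re

# Constructed stand-in for the page's target string, which is not reproduced here.
# The note on the page shows the exe-embedded form starting e\x00v\x00a\x00l\x00(\x00u\x00n\x00e\x00s\x00c,
# so "eval(unesc" is used as the "representative sub-string" the test instructions allow.
TARGET_SUBSTRING = b"eval(unesc"


def build_content_rule(substring: bytes) -> re.Pattern:
    """Compile one rule that fires on the sub-string as plain bytes OR with a NUL after
    every character, which is how it appears when compiled into a Windows executable."""
    plain = re.escape(substring)
    nul_separated = b"\x00".join(re.escape(bytes([c])) for c in substring)
    return re.compile(b"(?:" + plain + b"|" + nul_separated + b")")


def scan(data: bytes, rule: re.Pattern) -> list:
    """Return (offset, form) for every hit so the analyst can see which encoding fired."""
    hits = []
    for m in rule.finditer(data):
        form = "nul-separated" if b"\x00" in m.group(0) else "plain"
        hits.append((m.start(), form))
    return hits


def content_iq(files: dict, rule: re.Pattern) -> dict:
    """Map each file name to whether the rule fired on the file's bytes (never on its
    name, URL, headers or hash, which the page counts as cheating)."""
    return {name: bool(scan(data, rule)) for name, data in files.items()}


RULE = build_content_rule(TARGET_SUBSTRING)

# Constructed samples: a script fragment, a pretend PE image carrying the wide-string form,
# and a negative control that uses similar JavaScript without the target sub-string.
SAMPLE_PLAIN = b"<script>" + TARGET_SUBSTRING + b"ape('%41%42'))</script>"
SAMPLE_WIDE = (b"MZ\x90\x00"
               + b"\x00".join(bytes([c]) for c in TARGET_SUBSTRING)
               + b"\x00a\x00p\x00e\x00")
SAMPLE_NEGATIVE = b"<script>document.write(unescape('%41%42'))</script>"

SAMPLE_FILES = {
    "Test File (plain text)": SAMPLE_PLAIN,
    "Test File (in executable)": SAMPLE_WIDE,
    "Negative Control File": SAMPLE_NEGATIVE,
}

if __name__ == "__main__":
    for name, fired in content_iq(SAMPLE_FILES, RULE).items():
        print(f"{name:28s} alert={fired}")
```

The alternation `build_content_rule` produces is the same PCRE a network rule would carry; what separates a content-aware system from a packet matcher is that the expression is applied to the decoded file rather than to raw packet payloads, which is exactly what the Test Files are designed to expose.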
Test Files
Set up your network security system and download the test files.
There are two ways to download the test files: manually or automatically.
If you want to do it manually, just click on each of the Test File links in the test groups below and the test files will be downloaded by your browser. This method takes a little longer, but you end up with all of the test files in your Downloads folder.
To download the test files automatically, just click on the link below. Note that it will take several seconds to download all the test files, more if your network connection is slow.
Click Here to Download All Test Files Automatically
Group A. Basic Content Test Files
The files in this group are basic content test files.
They are meant to illustrate how common it is to have files that contain content which is not visible in the packets
(other than Test File 1, which is a control file).
These are the warm-up files.
Test File 2. Control text pasted into the body of a Microsoft Word 2011 document.
Test File 3. Control text pasted into the body of a Microsoft Excel 2011 document.
Test File 4. Control text pasted into the body of a Microsoft PowerPoint 2011 document.
Test File 5. Control text pasted into the body of a PDF document.
Test File 6. Control file "attached to" a PDF document.
Test File 7. Control file compressed with Zip.
Test File 8. Word test file sequentially compressed with Zip, Tar and Rar.
Test File 9. Target string embedded in metadata of Excel file as a custom property.
Group B. Test Files with Auto-Executing Embedded Active Content
These files contain embedded auto-executing active content, in this case either JavaScript in PDF or ActionScript in Flash.
Active content embedded in desktop documents that auto-executes when the document is opened is a common attack mechanism because it enables the
attacker to execute code on the victim's computer. Typically this code will exploit a vulnerability in the desktop application that opens the document
(e.g. Adobe Reader or Adobe Flash Player or others). This was the case with the attack against RSA - the attack file was a Microsoft Office document that contained an
embedded Flash object that contained ActionScript code that exploited a zero-day vulnerability in Adobe Flash Player (CVE-2011-0609).
If you download these files and open them under Windows, you should see them auto-execute (try Test Files 10 and 12, for example - remember: they are totally harmless).
Test File 12. Target string in ActionScript code in an auto-executing Flash (SWF) file.
Group C. Polymorphic Test Files
These files are designed to illustrate the concept of polymorphism.
The files are dynamically generated each time you click on them and are slightly different each time.
So if you were to calculate, for example, an MD5 hash on one of these files, it would be different every time the file was downloaded.
Polymorphism is often used in modern attacks because it defeats traditional signature-based defenses.
Test File 17. Target string in a text object in a polymorphic Zip file.
Test File 18. Target string in a text object in a multi-level, polymorphic Zip file.
Test File 20. Target string contained in a recently compiled executable file.
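Test File 8 in Group A and the polymorphic archives in this group make the same point from two directions: the bytes on the wire are compressed, so the target string appears in no packet, and because the archive is different on every download its hash is useless as a signature. The Python below is an added illustration, not one of the Fidelis test files and not Fidelis code. It builds a Zip/Tar/Zip nesting in memory (the outer Zip stands in for Rar, which the standard library cannot write), makes the outer layer polymorphic with a random archive comment, and shows that a recursive unpacker still finds the representative sub-string `eval(unesc` at the innermost layer while a packet-level search of the same bytes finds nothing. The sub-string, member names and payload are constructed for this example.

```python
import hashlib
import io
import os
import tarfile
import zipfile

# Constructed representative sub-string of the target string (the page shows only its prefix).
TARGET_SUBSTRING = b"eval(unesc"


def zip_bytes(name: str, data: bytes, polymorphic: bool = False) -> bytes:
    """Deflate `data` into an in-memory Zip. With polymorphic=True a random archive comment
    makes every copy byte-different, so a per-file hash never matches twice."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
        if polymorphic:
            zf.comment = os.urandom(8).hex().encode()
    return buf.getvalue()


def tar_bytes(name: str, data: bytes) -> bytes:
    """Wrap one member in an uncompressed tar archive held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def make_nested_test_file(payload: bytes) -> bytes:
    """Zip -> Tar -> Zip, standing in for Test File 8's Zip/Tar/Rar; the outer layer is
    polymorphic like the Group C files."""
    inner = zip_bytes("page.txt", payload)
    middle = tar_bytes("inner.zip", inner)
    return zip_bytes("middle.tar", middle, polymorphic=True)


def unpack(data: bytes, depth: int = 0, max_depth: int = 8):
    """Yield (depth, leaf_bytes), opening tar and zip containers recursively.
    max_depth bounds the work so a nesting bomb cannot stall the scanner."""
    if depth > max_depth:
        return
    # Try tar first: tarfile validates the header checksum, so zip or text bytes are rejected,
    # whereas is_zipfile() would also accept a tar that merely contains a zip member.
    try:
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError:
        tf = None
    if tf is not None:
        with tf:
            for member in tf.getmembers():
                if member.isfile():
                    yield from unpack(tf.extractfile(member).read(), depth + 1, max_depth)
        return
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                yield from unpack(zf.read(name), depth + 1, max_depth)
        return
    yield depth, data


def content_hits(data: bytes, target: bytes) -> list:
    """Depths at which the target appears after unpacking; [] means the rule would not fire."""
    return [depth for depth, leaf in unpack(data) if target in leaf]


def run_demo(target: bytes = TARGET_SUBSTRING) -> dict:
    """Two downloads of the 'same' polymorphic file: different hashes, nothing visible on the
    wire, yet the content rule fires once the layers are peeled."""
    payload = b"<script>" + target + b"ape('%41'))</script>"
    first, second = make_nested_test_file(payload), make_nested_test_file(payload)
    return {
        "md5_first": hashlib.md5(first).hexdigest(),
        "md5_second": hashlib.md5(second).hexdigest(),
        "visible_on_wire": target in first,      # what a packet-level signature sees
        "found_at_depth": content_hits(first, target),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:16s} {value}")
```

The depth guard matters in practice: a scanner that recurses without limit is itself a target for nested-archive bombs, so a content-aware system should report "could not fully decode" rather than silently stop at the point where the rule would have fired.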
Group D. Test Files with VBA Content
These files contain Visual Basic for Applications (VBA) code embedded in Microsoft Office documents.
VBA is an attacker's dream because it enables unrestricted file system and network operations.
If the bad guy can get you to open a file like these with macros enabled, it's over.
They don't need no stinkin' vulnerabilities or exploits - you're owned.
Test File 22. Target string contained in VBA embedded in a PowerPoint file.
Test File 23. Target string contained in VBA embedded in a Word file.
Test File 24. Target string contained in VBA embedded in an Excel file.
Test File 25. Target string contained in VBA embedded in a PowerPoint Show file.
Group W. Other Test Files
Test File 26. Target string contained in an executable file embedded in a PDF file.
Negative Control Files
These files are the same as the corresponding Test Files but do not contain the target string. Your network security system should not generate an alert for any of these files. You can download the negative control files manually by clicking on each of the Negative Control File links or download them all at once automatically by clicking on the link directly below.
Click Here to Download All Negative Control Files Automatically
- Negative Control File 1
- Negative Control File 2
- Negative Control File 3
- Negative Control File 4
- Negative Control File 5
- Negative Control File 6
- Negative Control File 7
- Negative Control File 8
- Negative Control File 9
- Negative Control File 10
- Negative Control File 11
- Negative Control File 12
- Negative Control File 13
- Negative Control File 14
- Negative Control File 15
- Negative Control File 16
- Negative Control File 17
- Negative Control File 18
- Negative Control File 19
- Negative Control File 20
- Negative Control File 21
- Negative Control File 22
- Negative Control File 23
- Negative Control File 24
- Negative Control File 25
- Negative Control File 26
- Negative Control File 27
Video Demonstration
Click here to see a video demonstration of a Fidelis XPS system taking the Content IQ Test (5 minutes).
We'd love to hear how your Content IQ test turned out. Email us at info@fidelissecurity.com with any comments or questions.
