Re: Terrifying results from online test

From: Technobarbarian (randomcanyon-ztopzpam_at_hotmail.com)
Date: 12/10/04


Date: Fri, 10 Dec 2004 13:20:10 -0700

On 9 Dec 2004 18:15:16 -0800, spamme2@mailinator.com wrote:

> I did this test, which simulates an unknown Trojan attack on a windoze
> computer. The program successfully bypasses my beloved (and well
> configured) Kerio firewall. It also evades my university's hardware
> firewall, which is configured very well (the admins are the block all
> apart from port 80 type :-( )
> Check out PCAudit from http://[deliberately munged]pcinternetpatrol.com/page/view/49
> The program works by causing applications that have the privileges to
> connect to the internet to upload data to their server.
> I thought I would be safe because I configure Kerio so it only permits
> outbound connections to IP addresses of the resources that I connect
> to, for example smtpserver:25, nntpserver:119, pop3server:110 and
> proxy:8080
> PCAudit appears to scan its way out. Even when I click deny it gets
> through!
> The company behind PCAudit have publicised a vulnerability that affects
> almost all firewalls. Their PCAudit program could easily be reverse
> engineered by crackers, and then a real and more malicious Trojan could
> be produced that bypasses almost all firewalls.
>
> What do you guys think of this? Did you pass the test (without
> unplugging your internet wire/blocking all traffic Lol)?

    It's called a dll injection attack. It's nothing new or a big secret.

http://securityresponse.symantec.com/avcenter/venc/data/spyware.pcaudit.html
http://www.pestpatrol.com/pestinfo/p/pcaudit.asp
http://www.zonelabs.com/store/content/support/techNote_10.jsp
http://www.google.com/search?hl=en&lr=&q=dll+injection&btnG=Search

    It sounds like an ugly bit of salesmanship. After reading the above
there's no way I would load that thing onto my machine. The only important
question here is: after you loaded this thing on your machine and gave it
permission to do pretty much as it pleased--did it *really* connect out
without your permission or did it just "appear" to connect out?

TB


