Re: Terrifying results from online test

From: Technobarbarian (
Date: 12/10/04

Date: Fri, 10 Dec 2004 13:20:10 -0700

On 9 Dec 2004 18:15:16 -0800, wrote:

> I did this test, which simulates an unknown Trojan attack on a windoze
> computer. The program successfully bypasses my beloved (and well
> configured) Kerio firewall. It also evades my university's hardware
> firewall, which is configured very well (the admins are the block all
> apart from port 80 type :-( )
> Check out PCAudit from http://[deliberately munged]
> The program works by causing applications that have the privileges to
> connect to the internet to upload data to their server.
> I thought I would be safe because I configure Kerio so it only permits
> outbound connections to IP addresses of the resources that I connect
> to, for example smtpserver:25, nntpserver:119, pop3server:110 and
> proxy:8080
> PCAudit appears to scan its way out. Even when I click deny it gets
> through!
> The company behind PCAudit have publicised a vulnerability that affects
> almost all firewalls. Their PCAudit program could easily be reverse
> engineered by crackers, and then a real and more malicious Trojan could
> be produced that bypasses almost all firewalls.
> What do you guys think of this? Did you pass the test (without
> unplugging your internet wire/blocking all traffic Lol)?

    It's called a DLL injection attack. It's nothing new or a big secret.

    It sounds like an ugly bit of salesmanship. After reading the above
there's no way I would load that thing onto my machine. The only important
question here is: after you loaded this thing on your machine and gave it
permission to do pretty much as it pleased--did it *really* connect out
without your permission or did it just "appear" to connect out?