Re: Recurrent question
- From: Volker Birk <bumens@xxxxxxxxxxx>
- Date: 17 Dec 2005 09:36:38 +0100
Ric <me@xxxxxxxxxxx> wrote:
> Obviously once bad code has executed it's too late, but even then
> PFW's can still prevent some (dumb/old?) code from calling out. It may
> not prevent changes to the OS but it's better than nothing, and can
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> keep the problem local.
^^^^^^^^^^^^^^^^^^^^^^
This is an oxymoron.
> Some people have installed a PFW which has
> then alerted them to trojans already running and connecting out.
Yes. Which has alerted it. Like "acroread.exe wants to call out!!!11!!11" -
"No, I don't want this!!!11!! This bad, bad phoning home!!111!!111"
And no Adobe Reader updates any more, and the next Adobe Reader hole leads
to thousands of extra 0wned boxes. And it's the fault of the "Personal
Firewalls", all these thousands of extra 0wned boxes are there, because
the concept of asking the user is b0rken.
> I had a look at breakout-en.c. At a guess it locates the IE window,
> sends the url to it and whacks the return key for you. Is this roughly
> correct?
Yes.
> While downloading http://www.dingens.org/breakout-en.exe AVG said:
> Virus detected while opening file: C:\Documents and
> Settings\#\Desktop\breakout-en.exe Trojan horse Clicker.XH
> Ah. First it's a virus then it's a trojan :) The AVG database said:
> Clicker - The exact description is not available. 1st catch to AVG.
It is proof of concept code. You can download
http://www.dingens.org/breakout-en.c and compile it yourself.
Your AV solution outclasses itself here, because classifying POC code
as "Virus / Trojan horse" is so ridiculous that I'm happy to see the
providers of "security" software are capitulating ;-)
> I tried to run it in a sandbox and got an "access is denied" error as
> expected. I had to disable the resident scanner and quit AVG to get
> access to the file. 2nd catch to AVG.
BTW: anti-virus software works, as I stated already.
> As I use Firefox or Opera on this computer I have denied IE
> all access using Outpost Pro (which I've been trying for a couple of
> weeks now).
No problem. This works with any browser. It's POC code. If you don't
understand the idea of a proof-of-concept, your testing is useless.
POC code for Firefox you can get here:
http://www.dingens.org/breakout-mozilla-firefox.c
I did not write POC code for Opera, while this should be as easy as
for Internet Explorer and Mozilla Firefox, because it's not the fault
of the browsers what's going on here. You can try yourself.
> So AVG caught it twice and Outpost caught it twice.
AVG can catch it, as any AV program can - I have stated this time and
time again now; could you _please_ acknowledge this now?
Outpost did not.
Outpost just caught IE, because you're not using IE as your default
browser (unlike 80% of the users do), and you didn't try out the POC code
for your browser: http://www.dingens.org/breakout-mozilla-firefox.c
> default browser only AVG would have stopped it.
This exactly is what I'm saying. Outpost cannot stop such "phoning home"
at all.
> I don't know how long
> AVG has been able to detect it but when breakout was written it
> probably went undetected by anti-virus programs. So this seems to me
> like a browser vulnerability that exploits the fact that a browser is
> allowed through the firewall, rather than an actual firewall exploit.
No. It has nothing to do with a browser vulnerability. Please read the
source code.
And it's the declaration of bankruptcy for AVG to detect this completely
harmless binary as "Virus / Trojan". There is no code at all in it which
could do harm, maybe with the exception of doing harm to the sales figures
of "Personal Firewall" software, when people realize that they were
fooled by such manufacturers.
> More than that it is a user exploit because I forgot to use my brain
> and ran untrusted code.
*sigh* - we're _talking_ here about running untrusted code, aren't we?
"What if malware is already running" is the _topic_.
> So once I ran it I was toast anyway, it could
> have wreaked havoc on my HD and left me with no firewall or OS.
Yes. The next reasons why "Personal Firewalls" are useless. You can
fight this a little bit by not working as Administrator, so the "Personal
Firewall" software has more rights than the malware code.
But with Outpost, you're likely losing here, too, because Outpost installs
system services, which open Windows, and very likely Outpost itself will be
the software program which makes your computer insecure in this scenario.
> Breakout can do me no harm from the outside, I have to download it and
> run it. Therefore it can't negate the fact that some PFW's are useful
> for external protection.
No. You can use the Windows-Firewall for example, and it is sensible to do
so, as I stated.
> It also needs to latch on to a program which
> is allowed through the firewall. Therefore if I had no PFW installed
> Breakout should be able to latch on to any program I have installed
> and have full remote access with programs I have currently blocked
> access to. With a PFW installed it can only call out through programs
> that already have access through the firewall.
Yes. And the default web browser, what do you think, does the default web
browser have access to the web or not?
> On the subject of the XP firewall, as that blocks no outbound it is
> inferior in that respect to firewalls that can block some outbound and
> therefore not as useful.
It is not inferior. Windows-Firewall cannot block this communication.
Outpost cannot do so. No "Personal Firewall" can block such communication.
So they're all identical in this matter.
> What, svchost.exe?. ZoneAlarm calls it "Generic Host Process for Win32
> Services", which it got from the file description. Get
> http://www.sysinternals.com/utilities/processexplorer.html
> run it and look for svchost.exe. I have two instances running, the
> others I had previously closed. The first says:
> C:\WINDOWS\system32\svchost -k rpcss
> I don't want RPC accessing the internet.
Yes. You know what svchost.exe is. I know it.
And, please tell me: how many of the _home_ _users_ know such things?
I'd guess the number to 0% of the home users, rounded to .1%.
> I know. But it's theirs now.
What is "theirs"? The TCP/IP network protocol family? IBTD.
Yours,
VB.
--
"I am a free person and will now make use of my civil liberties - and
extensively so - naturally only within the scope that Otto Schily still
grants me."
Wolfgang Clement on 10.10.05, while still "super minister"
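The svchost.exe discussion above (Ric's "svchost -k rpcss" instance and the question of whether home users can tell what a given svchost hosts) is the kind of check a defender can script rather than eyeball in Process Explorer. The following is an added example, not code from the thread or from any product mentioned in it; it assumes a Windows host with PowerShell and uses only the standard Win32_Process and Win32_Service CIM classes. For each running svchost.exe it reports the service group from the -k argument, the services whose ProcessId matches, and whether the image actually lives under %SystemRoot%\System32 (an unfamiliar group or an svchost.exe loaded from elsewhere is what deserves a closer look).

```powershell
# Added example (not from the mailing-list thread): map every running
# svchost.exe to its "-k <group>" and to the services it hosts.
$system32 = Join-Path $env:SystemRoot 'System32'

$procs    = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'"
$services = Get-CimInstance Win32_Service

foreach ($p in $procs) {
    # The service group is passed on the command line as "-k <group>".
    $group = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(none)' }

    # Services are tied to their host process through ProcessId.
    $hosted = $services |
        Where-Object { $_.ProcessId -eq $p.ProcessId } |
        Select-Object -ExpandProperty Name

    # A legitimate svchost.exe lives in %SystemRoot%\System32.
    $expectedPath = ($p.ExecutablePath -ne $null) -and
                    ($p.ExecutablePath.StartsWith($system32, 'OrdinalIgnoreCase'))

    [PSCustomObject]@{
        PID          = $p.ProcessId
        Group        = $group
        Services     = ($hosted -join ', ')
        Path         = $p.ExecutablePath
        ExpectedPath = $expectedPath
    }
} | Sort-Object Group | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that CommandLine and ExecutablePath are readable for every instance; for the "rpcss" group in the thread, the Services column will show which services share that host, which is what decides whether an outbound-traffic prompt naming "svchost.exe" tells the user anything useful.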