Re: Recurrent question
- From: Ric <me@xxxxxxxxxxx>
- Date: Sat, 17 Dec 2005 17:32:08 +0000
On 17 Dec 2005 09:36:38 +0100, Volker Birk <bumens@xxxxxxxxxxx> wrote:
>Ric <me@xxxxxxxxxxx> wrote:
>> Obviously once bad code has executed it's too late, but even then
>> PFW's can still prevent some (dumb/old?) code from calling out. It may
>> not prevent changes to the OS but it's better than nothing, and can
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> keep the problem local.
> ^^^^^^^^^^^^^^^^^^^^^^
>
>This is an oxymoron.
>
>> Some people have installed a PFW which has
>> then alerted them to trojans already running and connecting out.
>
>Yes. Which has alerted it. Like "acroread.exe wants to call out!!!11!!11" -
>"No, I don't want this!!!11!! This bad, bad phoning home!!111!!111"
>
>And no Adobe Reader updates any more, and the next Adobe Reader hole leads
>to thousands of extra 0wned boxes. And it's the fault of the "Personal
>Firewalls", all these thousands of extra 0wned boxes are there, because
>the concept of asking the user is b0rken.
I was referring to installed trojans not PDF reading software. That
would be the fault of the user not the PFW. What about an alert like
"donaldduck.exe wants to connect to the internet?" Are we not allowed
to control donaldduck and the like because some people don't know what
Adobe Reader is?
>> I had a look at breakout-en.c. At a guess it locates the IE window,
>> sends the url to it and whacks the return key for you. Is this roughly
>> correct?
>
>Yes.
Thanks.
>> While downloading http://www.dingens.org/breakout-en.exe AVG said:
>> Virus detected while opening file: C:\Documents and
>> Settings\#\Desktop\breakout-en.exe Trojan horse Clicker.XH
>> Ah. First it's a virus then it's a trojan :) The AVG database said:
>> Clicker - The exact description is not available. 1st catch to AVG.
>
>It is proof of concept code. You can download
>http://www.dingens.org/breakout-en.c and compile it yourself.
>
>Your AV solution outclasses itself here, because to classify POC code
>as "Virus / Trojan horse" is so ridiculous, that I'm happy to see the
>providers of "security" software are capitulating ;-)
I suspect AVG is programmed to recognize the breakout file itself
rather than evaluating the code as malicious.
>> I tried to run it in a sandbox and got an "access is denied" error as
>> expected. I had to disable the resident scanner and quit AVG to get
>> access to the file. 2nd catch to AVG.
>
>BTW: anti-virus software works, as I stated already.
>
>> As I use Firefox or Opera on this computer I have denied IE
>> all access using Outpost Pro (which I've been trying for a couple of
>> weeks now).
>
>No problem. This works with any browser. It's POC code. If you don't
>understand the idea of a proof-of-concept, your testing is useless.
I understand. It's a few minutes work, simple code to prove a point.
It could be adapted to open the default browser, connect out, then
visit a remote site and download and run some code (which could have
been included in breakout anyway). Breakout as it stands would be
useful for "the user has to be tricked into visiting a malicious
website" type vulnerabilities, but can be adapted in many ways.
>POC code for firefox you're getting here:
>
>http://www.dingens.org/breakout-mozilla-firefox.c
>
>I did not write POC code for Opera, while this should be as easy as
>for Internet Explorer and Mozilla Firefox, because it's not the fault
>of the browsers what's going on here. You can try yourself.
>
>> So AVG caught it twice and Outpost caught it twice.
>
>AVG can catch it, as any AV program can - I stated this for times and
>times now, could you _please_ acknowledge this now?
Yes. Do you know how long it was from release of Breakout till the AV
programs had it added to their sigs?
>Outpost did not.
Yes it did. I had to change my firewall rules twice before Breakout/IE
got any packets out.
>Outpost just caught the IE, because you're not using IE as your default
>browser (unlike 80% of the users do),
Agreed.
> and you didn't try out the POC code
>for your browser: http://www.dingens.org/breakout-mozilla-firefox.c
I did try breakout-mozilla-firefox.exe but nothing happens when I
double-click it or run it from the command line. Nothing in the
sandbox, no traffic in Ethereal and CPU stays 100% idle. So I had to
use breakout-en.exe and IE.
>> default browser only AVG would have stopped it.
>
>This exactly is what I'm saying. Outpost cannot stop such "phoning home"
>at all.
>
>> I don't know how long
>> AVG has been able to detect it but when breakout was written it
>> probably went undetected by anti-virus programs. So this seems to me
>> like a browser vulnerability that exploits the fact that a browser is
>> allowed through the firewall, rather than an actual firewall exploit.
>
>No. It has nothing to do with a browser vulnerability. Please read the
>source code.
I did. Like you said, the coder needs to know nothing about firewalls,
just send the url to the browser window. If it's not a browser
vulnerability why is a different version required for each browser,
yet both versions will bypass any firewall?
>And it's the declaration of bankruptcy for AVG to detect this completely
>harmless binary as "Virus / Trojan". There is no code at all, which could
>do harm in it, maybe with the exception of doing harm to the sales figures
>of "Personal Firewall" software, when people are realizing, that they were
>fooled by such manufacturers.
I'd guess that if you added a useless function and recompiled it, AVG
would not recognize it. Developers don't like to be seen to be
vulnerable to POC stuff.
>> More than that it is a user exploit because I forgot to use my brain
>> and ran untrusted code.
>
>*sigh* - we're _talking_ here about running untrusted code, aren't we?
>"What is if malware already is running" is the _topic_.
Then who ran it if not me? If it comes in through the usual
malware/spyware channels then things like AdAware and Spybot can help.
Process Explorer will show you what's running and HijackThis will
allow you to control what runs at startup.
>> So once I ran it I was toast anyway, it could
>> have wreaked havoc on my HD and left me with no firewall or OS.
>
>Yes. The next reasons, why "Personal Firewalls" are useless. You can
>fight this a little bit by not working as Administrator, so the "Personal
>Firewall" software has more rights than the malware code.
Good advice. I should follow it myself one day. It seems second nature
to do this with Debian, but I never get round to it with XP.
"Amongst the many things this malware does, all of which require admin
rights, are:
* Creating files in the system32 directory.
* Terminating various processes.
* Disabling the Windows Firewall.
* Downloading and writing files to the system32 directory.
* Deletes registry values in HKLM.
All these fail if the user running the e-mail client is not an
administrator."
That's from:
"Browsing the Web and Reading E-mail Safely as an Administrator"
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp>
where the more stubborn ones can download
DropMyRights.msi to help offset the problems of running as admin.
>But with Outpost, you're likely losing here, too, because Outpost installs
>system services, which open Windows, and very likely Outpost itself will be
>the software program, which makes your computer unsecure in this scenario.
Yes, I don't like Outpost and it won't last long on this computer. It
does have ok logging though.
According to http://secunia.com/product/2841/
"Currently, 0 out of 3 Secunia advisories, are marked as "Unpatched"
in the Secunia database."
>> Breakout can do me no harm from the outside, I have to download it and
>> run it. Therefore it can't negate the fact that some PFW's are useful
>> for external protection.
>
>No. You can use the Windows-Firewall for example, and it is sensible to do
>so, as I stated.
See below.
>> It also needs to latch on to a program which
>> is allowed through the firewall. Therefore if I had no PFW installed
>> Breakout should be able to latch on to any program I have installed
>> and have full remote access with programs I have currently blocked
>> access to. With a PFW installed it can only call out through programs
>> that already have access through the firewall.
>
>Yes. And the default Webbrowser, what do you think, the default Webbrowser,
>has it access to the web or not?
>
>> On the subject of the XP firewall, as that blocks no outbound it is
>> inferior in that respect to firewalls that can block some outbound and
>> therefore not as useful.
>
>It is not inferior. Windows-Firewall cannot block this communication.
>Outpost cannot do so. No "Personal Firewall" can block such communication.
They can. Mine did until I changed the rules. This only works with
programs that already have access. What Breakout does do is pose the
question, what good is application control if programs can be so
easily manipulated? But it doesn't bypass packet filter rules.
>So they're all identical in this matter.
>
>> What, svchost.exe? ZoneAlarm calls it "Generic Host Process for Win32
>> Services", which it got from the file description. Get
>> http://www.sysinternals.com/utilities/processexplorer.html
>> run it and look for svchost.exe. I have two instances running, the
>> others I had previously closed. The first says:
>> C:\WINDOWS\system32\svchost -k rpcss
>> I don't want RPC accessing the internet.
>
>Yes. You know what svchost.exe is. I know it.
>
>And, please tell me: how many of the _home_ _users_ know such things?
>I'd guess the number to 0% of the home users, rounded to .1%.
I don't know. But my firewall isn't useless because some people don't
know how to use theirs.
>> I know. But it's theirs now.
>
>What is "theirs"? The TCP/IP network protocol family? IBTD.
If I had said I don't use any Microsoft networking protocols someone
would have said "what about TCP/IP?" :)
Ric
>Yours,
>VB.
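The least-privilege point made above (the quoted malware actions all need admin rights and fail for a standard user, and DropMyRights launches a program with a reduced token) can be checked on a modern Windows host. The following PowerShell is an added example, not code from this thread, from Volker Birk, or from the MSDN article; it assumes Windows PowerShell 5.1 and a Windows host whose runas.exe supports the /trustlevel option (the same SAFER "Basic User" level DropMyRights applied). The function names, the probe file and key names, and the launched command line are the example's own choices.

```powershell
# Added example, not from the thread or the MSDN article.
# Assumes Windows PowerShell 5.1 and runas.exe with /trustlevel support.

function Test-IsAdministrator {
    # True when the current token holds the BUILTIN\Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-AdminOnlyWrites {
    # Probe two of the locations the quoted malware description relies on:
    # the system32 directory and HKLM. Each write is attempted and rolled back.
    # "denied" is the desired outcome for a non-administrator session.
    $results = @{}

    # Constructed probe file name; it is created and removed immediately.
    $file = Join-Path $env:SystemRoot 'System32\lp-probe-constructed.tmp'
    try {
        [IO.File]::WriteAllText($file, 'probe')
        Remove-Item $file -Force
        $results['system32 write'] = 'ALLOWED'
    }
    catch { $results['system32 write'] = 'denied' }

    # Constructed probe key under HKLM; same create-then-delete pattern.
    $key = 'HKLM:\SOFTWARE\LpProbeConstructed'
    try {
        New-Item $key -ErrorAction Stop | Out-Null
        Remove-Item $key -Force
        $results['HKLM write'] = 'ALLOWED'
    }
    catch { $results['HKLM write'] = 'denied' }

    return $results
}

function Start-AsBasicUser {
    # Launch a command line with a restricted "Basic User" SAFER token.
    # 0x20000 is the Basic User level; `runas /showtrustlevels` lists the levels
    # the host offers. Nothing in the child inherits administrator rights.
    param([Parameter(Mandatory)][string]$CommandLine)
    & "$env:SystemRoot\System32\runas.exe" /trustlevel:0x20000 $CommandLine
}

$isAdmin = Test-IsAdministrator
"Administrator session: $isAdmin"
Test-AdminOnlyWrites | Format-Table -AutoSize

if ($isAdmin) {
    # Open a console under the reduced token; `whoami /groups` in that window shows
    # the Administrators SID marked "Group used for deny only".
    Start-AsBasicUser 'cmd.exe /k whoami /groups'
}
```

Run it once from an administrator session and once as a standard user: the two probe writes flip from ALLOWED to denied, which is exactly the failure the quoted article describes. The same `Start-AsBasicUser` call with a browser's executable path instead of cmd.exe is the DropMyRights workflow for users who will not give up the administrator account.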
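The svchost.exe discussion above (which service group an instance hosts, `-k rpcss`, and which process actually owns an outbound connection) is the view Process Explorer gives. The following PowerShell is an added example, not code from this thread or from Sysinternals; it assumes Windows PowerShell 5.1 on Windows 8 / Server 2012 or later, where `Get-CimInstance` and `Get-NetTCPConnection` exist, and an elevated prompt so that service-to-process mapping and other users' processes are visible. The function names are the example's own.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1,
# Windows 8 / Server 2012 or later, and an elevated session.

function Get-SvchostGroups {
    # One row per svchost.exe instance: its -k service group, its image path,
    # and the services it hosts. An svchost whose path is not System32 is worth
    # a second look; so is a group name you cannot match to a known service group.
    $services = Get-CimInstance Win32_Service
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $proc  = $_
        $group = if ($proc.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(no -k group)' }
        $hosted = $services |
                  Where-Object { $_.ProcessId -eq $proc.ProcessId } |
                  Select-Object -ExpandProperty Name
        [PSCustomObject]@{
            PID      = $proc.ProcessId
            Group    = $group
            Path     = $proc.ExecutablePath
            Services = ($hosted -join ', ')
        }
    }
}

function Get-OutboundOwners {
    # Established TCP connections to non-loopback peers, with the owning process's
    # image path and command line: the same per-application view a PFW rule acts on.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $conn  = $_
            $owner = Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)"
            [PSCustomObject]@{
                PID         = $conn.OwningProcess
                Image       = $owner.ExecutablePath
                CommandLine = $owner.CommandLine
                Remote      = "$($conn.RemoteAddress):$($conn.RemotePort)"
            }
        }
}

Get-SvchostGroups  | Sort-Object Group | Format-Table -AutoSize
Get-OutboundOwners | Sort-Object PID   | Format-Table -AutoSize -Wrap
```

The second table is also a concise illustration of the thread's core argument: a connection owned by the default browser looks identical whether the user typed the URL or another process pushed it into the browser window, so a per-application rule that allows the browser cannot tell the two apart. The first table is the check Ric describes with Process Explorer, without needing the GUI.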