Re: Trojan Horses Popular To The Malicious Hackers

From: DaveK (DaveK@dontspamme.petitmorte.noireallydontlikethepinkstuff.net)
Date: 12/28/02


From: "DaveK" <DaveK@dontspamme.petitmorte.noireallydontlikethepinkstuff.net>
Date: Sat, 28 Dec 2002 15:48:38 -0000


"LIVEBYTHEWORDDDIEBYTHE SWORD" <000@NETSCAPE.NET> wrote in message
news:3E0B737B.18A680CA@NETSCAPE.NET...
>
>[SMACK]

  *** off Debbie. I want to talk to Me.

> Me wrote:
>
> > On Tue, 19 Nov 2002 21:10:05 +1100, "S. Pidgorny [MVP]"
> > <slavickp@yahoo.com> wrote:
> >
> > >...and personal firewall offers reasonable protection against all of the
> > >below, isn't it?
> >
> > Yes, against those listed, but a properly coded custom bug will waltz
> > right past a software firewall without a hiccup.

  Among the techniques I know (or have grounds to think might work but
haven't tried) are:

1) inject the code that makes an outgoing connection into a process that
already has rights to access the net.
2) bung a keypress into the 'let this exe connect?' window a la zadodge
3) at least some fwalls don't seem to properly monitor/intercept when
additional ndis protocol drivers are added.
4) kill the fwall process (although IIUIC, ZA for one will fail-close when
this happens)
5) perhaps some clever api hooking on the ndis.sys and lower level drivers
might work too.
6) add an ndis filter driver at a lower level than the firewall (if
possible) that could replace the occasional IP packet that the fwall has
already approved and passed down to the lower network drivers with a packet
of its own.

Most of these will require admin or system privs, and although M$ have
patched quite a few local-priv-elevation bugs lately, more must surely
remain (all suggestions gratefully accepted for investigation, btw).... and
of course, most XP users are going to be running as admin most of the time
anyway.....

Has anyone got any other ideas they could add to that list? I'm pretty sure
that no fwall worth considering is fooled by the 'rename your exe to match a
permitted one' trick anymore, although of course if any of them are dumb
enough to use CRCs to check the identity of exes instead of crypto hashes,
spoofing a known CRC is an easy problem, so a self modifying exe that alters
a few garbage bytes in its data section until it has the correct CRC ought
to work for them....

        DaveK

--
moderator of
alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card!  http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he
thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions
Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above
and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E  6484 C441 CEC7 D2BD
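The post's closing point is that a personal firewall's "is this the exe I already permitted?" check is only as good as the identity function behind it: a 32-bit CRC can be matched by trial and error, a cryptographic hash cannot. The following Python is an added illustration of the defensive side of that point and is not code from the post or from any firewall product; the `ExeAllowlist` class, the function names and the byte strings standing in for executables are all constructed for the example.

```python
import hashlib
import hmac
import zlib


def sha256_hex(data: bytes) -> str:
    """Cryptographic identity of a binary: there is no feasible way to choose
    bytes that land on a chosen digest, which is what an identity check needs."""
    return hashlib.sha256(data).hexdigest()


def crc32_value(data: bytes) -> int:
    """32-bit checksum: adequate for spotting accidental corruption, but a
    deliberate search over a few bytes can reach any chosen value."""
    return zlib.crc32(data) & 0xFFFFFFFF


class ExeAllowlist:
    """'Let this exe connect?' decisions keyed by the SHA-256 of the approved
    image, so neither a renamed program nor a patched copy matches."""

    def __init__(self) -> None:
        self._approved: dict[str, str] = {}

    def approve(self, name: str, image: bytes) -> None:
        # Record the digest of the exact bytes the user approved.
        self._approved[name] = sha256_hex(image)

    def is_permitted(self, name: str, image: bytes) -> bool:
        expected = self._approved.get(name)
        if expected is None:
            return False
        # Constant-time comparison of the on-disk image against the approval.
        return hmac.compare_digest(expected, sha256_hex(image))


# Constructed sample "executables" (not real PE files), byte strings for the demo only.
APPROVED_IMAGE = b"MZ" + b"\x90" * 64 + b"approved-network-client" + b"\x00" * 32
_tampered = bytearray(APPROVED_IMAGE)
_tampered[-4:] = b"ABCD"          # a few bytes in the trailing data region altered
TAMPERED_IMAGE = bytes(_tampered)
RENAMED_IMAGE = b"MZ" + b"\x90" * 64 + b"some-other-program" + b"\x00" * 32


def demo() -> dict:
    """Approve one image, then test the original, a patched copy, and a
    different program that merely reuses the permitted file name."""
    allow = ExeAllowlist()
    allow.approve("client.exe", APPROVED_IMAGE)
    return {
        "original_ok": allow.is_permitted("client.exe", APPROVED_IMAGE),
        "tampered_ok": allow.is_permitted("client.exe", TAMPERED_IMAGE),
        "renamed_ok": allow.is_permitted("client.exe", RENAMED_IMAGE),
        # Both checksums change here; the difference is that only the CRC
        # could be driven back to its old value by further byte twiddling.
        "crc_changed": crc32_value(APPROVED_IMAGE) != crc32_value(TAMPERED_IMAGE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points follow from the post. First, the check must bind the approval to file contents, not to the file name, or the "rename your exe to match a permitted one" trick works again. Second, the recorded digests have to live somewhere the program being checked cannot rewrite; as the post notes, most of the listed bypasses already assume admin or system privileges, and an allowlist a local admin can edit protects nothing against them.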