Author Topic: New ways to bypass firewalls  (Read 46649 times)

Offline kail

  • Randomly Appearing
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11361
  • The future is much like the present, only longer.
    • COMODO's free software!
Re: New ways to bypass firewalls
« Reply #15 on: November 08, 2006, 10:04:58 AM »
Hi

It has been announced that the CPF beta 2.4, due next week, will have BO protection.
My System Details: W10Px64 with CIS 10 Beta, Firefox & Becky!
Forum Policy.
____
The problem is not the problems, the problem is people's attitude towards those problems.

Offline kail

Re: New ways to bypass firewalls
« Reply #16 on: November 08, 2006, 11:17:53 AM »
Quote
Nice to know that :).  On a related question, doesn't XP SP2's Data Execution Prevention currently protect against BO or is it insufficient?

To be honest, I don't know. But, I guess not.. unless Comodo really do love me & are releasing it just for me (I'm on W2k).  ;)

PS I'm sure someone will post a sensible answer.

comicfan2000

  • Guest
Re: New ways to bypass firewalls
« Reply #17 on: November 08, 2006, 11:21:12 AM »
Quote
Hi

It has been announced that the CPF beta 2.4, due next week, will have BO protection.

BO protection? Are you SURE? Is this the RIGHT GUARD for our computers? What DEGREE of BO protection is this? Will it allow our SPEED to STICK or will it slow down our connection? I say let it ROLL ON. How will it affect DIAL up or is it fairly SUAVE? This is obviously no SECRET and if you are wrong, I don't want to have to BAN you.  ;D

Paul

Offline kail

Re: New ways to bypass firewalls
« Reply #18 on: November 08, 2006, 12:14:03 PM »
Quote
BO protection? Are you SURE? Is this the RIGHT GUARD for our computers? What DEGREE of BO protection is this? Will it allow our SPEED to STICK or will it slow down our connection? I say let it ROLL ON. How will it affect DIAL up or is it fairly SUAVE? This is obviously no SECRET and if you are wrong, I don't want to have to BAN you.  ;D
Yes, I'm sure. No idea to all your other questions. I could have sworn I typed "sensible answer". ;)

Quote
[EDITED on 7th Nov, 2006]
Sorry to inform you that we are delaying the release of the BETA to 16th Nov, 2006.
BETA will have Buffer Overflow Protection with multilanguage capabilities.
« Last Edit: November 08, 2006, 12:15:47 PM by kail »

Offline egemen

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 3380
Re: New ways to bypass firewalls
« Reply #19 on: November 08, 2006, 12:23:46 PM »
Quote
Nice to know that :).  On a related question, doesn't XP SP2's Data Execution Prevention currently protect against BO or is it insufficient?

It is a good defense. But it lacks behavioral analysis, flexibility, compatibility and it sometimes fails to detect the attack appropriately.

In our tests, we have successfully exploited many BOs although DEP is enabled (it sometimes detected the attack, sometimes failed).

Also CFW operates quite differently in BO detection. It patrols critical points as a guardian, with the help of behavior analysis, so that if in the future some sort of unknown threat is present, the vulnerability window will still be very, very small.

Egemen

Offline egemen

Re: New ways to bypass firewalls
« Reply #20 on: November 08, 2006, 12:27:15 PM »
Quote
BO protection? Are you SURE? Is this the RIGHT GUARD for our computers? What DEGREE of BO protection is this? Will it allow our SPEED to STICK or will it slow down our connection? I say let it ROLL ON. How will it affect DIAL up or is it fairly SUAVE? This is obviously no SECRET and if you are wrong, I don't want to have to BAN you.  ;D

Paul

No overhead in network throughput at all. Yet additional checks could add some sort of negligible delays. We will see more during the beta testing.
« Last Edit: November 08, 2006, 12:55:45 PM by egemen »

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14692
    • Video Blog
Re: New ways to bypass firewalls
« Reply #21 on: November 08, 2006, 02:06:16 PM »
Quote
The answer to this particular problem would be twofold in my humble opinion:

1/ Run a SECURE browser in the first place such as Opera or Mozilla; these exploits are almost exclusively designed to compromise IE.
2/ Dynamic Security Agent would presumably flag this BO up, since it would trigger the anomaly detection monitor if configured correctly. Also PrevX would surely spot this with its inbuilt heap/stack BO monitoring, or if not then, when the malware itself tried to execute?

Of course once the wonderful CAVS is finally released I fully expect all such threats to be a thing of the past  (:WIN)

actually BO protection will be built into our firewall first by the end of the year.

Melih

p2u

  • Guest
Re: New ways to bypass firewalls
« Reply #22 on: November 09, 2006, 06:03:27 AM »
Hi Melih, hi egemen, hi everybody!

When I think of bypassing a firewall, I would use FlashPlayer. The attack vector is huge, because almost every user in the world has it. It is actually already being done: Some sites load small pieces of crap through it, and afterwards a new version of Pinch (password-stealing and self-destructing Trojan) is created on the user's computer without the firewall, or the anti-virus heuristics, or the HIPS ever noticing it. Will COMODO flag FlashPlayer in the future? I have never seen any alerts from any firewall about it, but still it is used to show banners and ads on almost every other page. Of course I blocked it in my Firefox browser with the NoScript extension [Options - Advanced - 'Forbid MacroMedia Flash' and 'Forbid other plugins']. If I want to have it for a certain site, I can allow it with a simple click for only that site (not its third parties), but BY DEFAULT it is denied...

Paul Wynant
Moscow, Russia
« Last Edit: November 09, 2006, 07:18:44 AM by p2u »

comicfan2000

Re: New ways to bypass firewalls
« Reply #23 on: November 09, 2006, 06:13:25 AM »
Quote
Yes, I'm sure. No idea to all your other questions. I could have sworn I typed "sensible answer". ;)


You did, sorry, that was my sad attempt at BO (body odor) and underarm brands. However, egemen did answer a question inadvertently that I was going to ask, so thanks egemen. lol. All in all, sounds like a good plan so far. I have in the past seen Java attacks get through many securities. Also, many viruses end up in sys restore which anti-virus can't access, and disabling sys restore and emptying it is one of the only ways to terminate the virus. Will Comodo's HIPS prevent such a thing from entering itself into the restore?

 Paul

Offline andyman35

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1579
Re: New ways to bypass firewalls
« Reply #24 on: November 09, 2006, 11:04:56 AM »
Quote
Hi Melih, hi egemen, hi everybody!

When I think of bypassing a firewall, I would use FlashPlayer. The attack vector is huge, because almost every user in the world has it. It is actually already being done: Some sites load small pieces of crap through it, and afterwards a new version of Pinch (password-stealing and self-destructing Trojan) is created on the user's computer without the firewall, or the anti-virus heuristics, or the HIPS ever noticing it. Will COMODO flag FlashPlayer in the future? I have never seen any alerts from any firewall about it, but still it is used to show banners and ads on almost every other page. Of course I blocked it in my Firefox browser with the NoScript extension [Options - Advanced - 'Forbid MacroMedia Flash' and 'Forbid other plugins']. If I want to have it for a certain site, I can allow it with a simple click for only that site (not its third parties), but BY DEFAULT it is denied...

Paul Wynant
Moscow, Russia

I'm not entirely sure that I follow you here. You state that malicious code is able to install itself through Flashplayer and no security utility would detect this? I'm extremely doubtful that this is the case and can in fact think of at least 2 utilities that would immediately warn of suspicious activity.

Processguard monitors all the running processes on a system and since you wouldn't allow any unknown process unfettered access to vital system resources, any attempt to create a registry key or modify security settings would set alarm bells ringing. Dynamic Security Agent would also spot this unusual behaviour and warn the user.

Any trojan, no matter how potentially damaging, is nothing more than a piece of code unless it can actually DO something. A correctly configured security set up will prevent 99.9% of all malware. Even a simple utility such as Sandboxie would render this type of threat vector impotent.

One point I do agree entirely with you on is that an alternative browser such as Mozilla Firefox or Opera offers far greater security against many web borne threats than IE.
« Last Edit: November 09, 2006, 11:10:29 AM by andyman35 »

p2u

Re: New ways to bypass firewalls
« Reply #25 on: November 09, 2006, 12:36:36 PM »
2 andyman35:

It's against the rules of this forum, I guess, to give links to malicious sites, but I'm more than sure that Process Guard doesn't catch Pinch before it's already too late because it uses amazing stealth techniques. Even the often praised Kaspersky Internet Security that passes all tests you throw at it was easily caught off guard by this Trojan. The issue was posted on the Kaspersky forum. If you know Russian, I can give you the link to that thread. First a malicious php script was loaded into the browser, a script that any anti-virus program would be able to detect. But this was actually just a distracting manoeuvre. The components for the actual Pinch came through the banners of the site's third parties. The source of the Trojan turned out to be a simple .txt file! The browser in question was Opera, but the clue was that java+javascripts+flashplayer were allowed. As soon as KIS noticed what was going on, the passwords had already gone to Pinch's master...

To understand how this could happen, let's do a little test:
Please open Notepad, paste this line and save:
Quote
X5O!P%@AP[4\PZX54(P^)7
No reaction from your AV.

Now open Notepad again, paste this on the next line and save:
Quote
CC)7}$EICAR-STANDARD-A

Still no reaction from your AV.

Now the final part: paste this, make one line of all three parts and save.
Quote
NTIVIRUS-TEST-FILE!$H+H*

Now your AV should react, because this is the code for the EICAR 'virus' test file.

That's basically how this Trojan gets onto your computer and is not noticed by anybody. Now generating the actual Trojan and making it do its dirty work goes so fast that it is only noticed when it's already too late.

One general remark about HIPS: as soon as the user allows to install a driver on the kernel level, the game is over for ANY kind of protection. This may sound like a cliche, but one should prevent malicious stuff from getting into the computer. As soon as it manages to get into your machine, your protection is pretty helpless...

Paul Wynant
Moscow, Russia
« Last Edit: November 09, 2006, 12:52:26 PM by p2u »
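The Notepad test in the post above, as an added example that is not part of the original thread: a toy byte-signature scanner is run over the three EICAR fragments one at a time (what a filter sees when each banner or script request carries one piece) and then over their concatenation (what the assembled file on disk looks like). The scanner, its one-entry signature table, the sliding-window variant and all function names are assumptions made for this illustration; the only thing taken from the post is the three fragments, which are the standard EICAR test string split in the same places. The signature itself is built from the same fragments at import time, so the full string never appears as one literal in the file.

```python
"""Added example (not from the original post): why per-chunk content scanning
misses a threat delivered in pieces, and two ways to scan that do not.

The three fragments are the ones from the post, joined they are the 68-byte
EICAR test string. The scanner and signature table are a toy, an assumption
for the illustration, not any vendor's engine."""

# Raw bytes so the backslash inside the first fragment is kept literally.
FRAGMENTS = [
    rb"X5O!P%@AP[4\PZX54(P^)7",
    rb"CC)7}$EICAR-STANDARD-A",
    rb"NTIVIRUS-TEST-FILE!$H+H*",
]

# One-entry signature database: the EICAR string, assembled from the fragments.
SIGNATURES = {"EICAR-Test-File": b"".join(FRAGMENTS)}


def scan(data: bytes) -> list[str]:
    """Return the names of every signature that occurs as a substring of data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan_chunks_independently(chunks: list[bytes]) -> list[str]:
    """Stateless filter: inspect each chunk on its own and forget it.

    This models a filter that looks at one request or one saved fragment at a
    time. No single fragment contains the signature, so nothing is ever found."""
    hits: list[str] = []
    for chunk in chunks:
        hits.extend(scan(chunk))
    return hits


def scan_assembled(chunks: list[bytes]) -> list[str]:
    """Scan the reassembled object, i.e. the file the dropper actually writes.

    Scanning at the point of assembly (file close, or just before execution)
    is what catches a payload that was delivered in pieces."""
    return scan(b"".join(chunks))


def scan_stream(chunks: list[bytes]) -> list[str]:
    """Stateful filter: carry a window across chunk boundaries.

    Retains len(longest signature) - 1 bytes from the previous chunk, so any
    signature straddling a boundary is still seen in full, without keeping the
    whole stream in memory once it grows past that size."""
    longest = max(len(sig) for sig in SIGNATURES.values())
    carry = b""
    hits: list[str] = []
    for chunk in chunks:
        window = carry + chunk
        for name in scan(window):
            if name not in hits:
                hits.append(name)
        carry = window[-(longest - 1):]  # just enough to bridge the next boundary
    return hits


if __name__ == "__main__":
    print("per-chunk :", scan_chunks_independently(FRAGMENTS))  # []
    print("assembled :", scan_assembled(FRAGMENTS))             # ['EICAR-Test-File']
    print("streaming :", scan_stream(FRAGMENTS))                # ['EICAR-Test-File']
```

The practical lesson matches the post: a control that only ever sees the individual pieces (each third-party banner request, each appended line) has nothing to match, so detection has to happen where the pieces come together, on the assembled file or on a stream scanner that keeps state across boundaries.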

Offline andyman35

Re: New ways to bypass firewalls
« Reply #26 on: November 09, 2006, 12:56:22 PM »
I agree that once a malicious utility has kernel level access it becomes extremely difficult to defend against. I'll be reading up on the stuff you mentioned and which, if any, defences are available. I'd be extremely surprised if it could bypass Dynamic Security Agent since it uses an extremely advanced range of methods to determine malicious activity; after its initial period of baselining it monitors for variables such as CPU utilization, thread count, and others. Processguard would certainly prevent kernel level driver installation, as would DSA or Samurai.

Thanks for the interesting comments though, it's always good to hear of new potential threats (or should that be bad?)

p2u

Re: New ways to bypass firewalls
« Reply #27 on: November 09, 2006, 01:04:20 PM »
I'm just as sad as you are about this.

DefaultDeny seems to be the only principle that works in security. You have to know the attack vectors and disable as much as possible of the AllowAll settings ('Intuitive approach', I believe Bill Gates called this) in Windows. It's the default settings in ALL programs and in Windows that get attacked, ALWAYS. It makes no sense to try to defend what cannot be defended without turning it off.

P.S.: If you want to know more about stealth malware, you could consider contacting Joanna Rutkowska (you remember the lady with the Blue Pill, who hacked Vista before the very eyes of the makers?). She knows a lot about the subject and answers all e-mails (except for SPAM, of course). Here's her site:
invisiblethings.org

Paul Wynant
Moscow, Russia
« Last Edit: November 10, 2006, 05:27:01 AM by p2u »

Offline egemen

Re: New ways to bypass firewalls
« Reply #28 on: November 09, 2006, 10:39:18 PM »
Quote
Hi Melih, hi egemen, hi everybody!

When I think of bypassing a firewall, I would use FlashPlayer. The attack vector is huge, because almost every user in the world has it. It is actually already being done: Some sites load small pieces of crap through it, and afterwards a new version of Pinch (password-stealing and self-destructing Trojan) is created on the user's computer without the firewall, or the anti-virus heuristics, or the HIPS ever noticing it. Will COMODO flag FlashPlayer in the future? I have never seen any alerts from any firewall about it, but still it is used to show banners and ads on almost every other page. Of course I blocked it in my Firefox browser with the NoScript extension [Options - Advanced - 'Forbid MacroMedia Flash' and 'Forbid other plugins']. If I want to have it for a certain site, I can allow it with a simple click for only that site (not its third parties), but BY DEFAULT it is denied...

Paul Wynant
Moscow, Russia

Hi Paul,

The reason for this thread is to analyze and discuss such techniques. A good case indeed. I will try to find that Pinch trojan and see what it does. Or alternatively I would really appreciate it if you PM its link if you have it.

Thx,
Egemen

p2u

Re: New ways to bypass firewalls
« Reply #29 on: November 10, 2006, 02:03:49 AM »
2 egemen:
Done!

Paul Wynant

 
