Author Topic: New ways to bypass firewalls  (Read 46648 times)

comicfan2000

  • Guest
Re: New ways to bypass firewalls
« Reply #30 on: November 10, 2006, 02:27:11 AM »
So I assume, since I mentioned OLE a while back, this is not an issue? What about OLE remote code execution? Some OLE attacks will shut down anti-virus and firewall applications. Could it do this with HIPS? If a trusted OLE is allowed, caught, modified and attached with malicious code, couldn't it be allowed right back in or do the previously stated? Assuming it could shut down HIPS, that is, then run the code? It is a sneaky way in but could be done without a doubt. And has been in the past. I would think hijacking the OLE would be a better term, in my opinion. Just a thought.

 Paul

Offline andyman35

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1579
Re: New ways to bypass firewalls
« Reply #31 on: November 10, 2006, 07:57:02 AM »
> So I assume, since I mentioned OLE a while back, this is not an issue? What about OLE remote code execution? Some OLE attacks will shut down anti-virus and firewall applications. Could it do this with HIPS? If a trusted OLE is allowed, caught, modified and attached with malicious code, couldn't it be allowed right back in or do the previously stated? Assuming it could shut down HIPS, that is, then run the code? It is a sneaky way in but could be done without a doubt. And has been in the past. I would think hijacking the OLE would be a better term, in my opinion. Just a thought.
>
> Paul

It could shut down certain HIPS by my understanding, but not the behavioural-based DSA I mentioned before. Such an attack would undoubtedly be flagged up as activity outside the normal baseline.

Offline andyman35

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1579
Re: New ways to bypass firewalls
« Reply #32 on: November 10, 2006, 07:59:51 AM »
Paul is there any chance you could email me the link to that site? I'd be most interested to run some tests.

p2u

  • Guest
Re: New ways to bypass firewalls
« Reply #33 on: November 10, 2006, 08:26:24 AM »
To andyman35:
Assuming you were talking to me, and not my namesake, I sent a link to your PM. Be careful to go there with either Java, JavaScript and Flash disabled, or in a sandbox environment!

Paul Wynant
Moscow, Russia

Offline andyman35

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1579
Re: New ways to bypass firewalls
« Reply #34 on: November 10, 2006, 11:09:35 AM »
> To andyman35:
> Assuming you were talking to me, and not my namesake, I sent a link to your PM. Be careful to go there with either Java, JavaScript and Flash disabled, or in a sandbox environment!
>
> Paul Wynant
> Moscow, Russia

Hi Paul.
Thanks for sending the link, and don't worry, I only ever run suspect stuff from a secure isolated environment. I have a specific hard drive for the purpose which I restore to a clean image after each test to avoid any residual contamination.

I have tried PC Security Test previously; I was using it to test Prevx at the time. I assumed that it bypassed the Prevx defences until I realised that the utility is in the Prevx safe/false-positive list, so the test was invalid.

Personally I'd never rely on just HIPS, but I'm a touch obsessive about security since it's a large part of my work. I use something like 17 separate defences, which took a while to configure, I can tell you. Anyway, thanks for the info; your inputs to the forum have been very informative.

I will say I'm very excited about the future development of CPF and CAVS; the team here have an unmatched desire to listen to their customers and provide constantly improving products.

Offline andyman35

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1579
Re: New ways to bypass firewalls
« Reply #35 on: November 10, 2006, 11:48:55 AM »
From my initial investigation this particular trojan variant has been around some time and is listed by the various AV vendors under different names. I wasn't actually able to initiate the malicious activity since I kept getting 404 errors. This may have been down to my bad URL filtering or an issue with the site itself. I know that many of these Russian crack/warez sites are riddled with malware and drive-by downloads, but rather than the specific trojan mentioned I find the potential delivery method most interesting.

What really amazes me is that sites like this host cracked versions of retail security products!! Surely no one could be that stupid as to install such a thing!
« Last Edit: November 10, 2006, 11:53:05 AM by andyman35 »

p2u

  • Guest
Re: New ways to bypass firewalls
« Reply #36 on: November 10, 2006, 12:19:00 PM »
> I have tried PC Security Test previously; I was using it to test Prevx at the time. I assumed that it bypassed the Prevx defences until I realised that the utility is in the Prevx safe/false-positive list, so the test was invalid.

Those are tactics I don't like from certain security vendors: adding the test applications to the blacklist instead of solving the problems they test for. I heard rumours that pcflank.com is in ZoneAlarm's blacklist as a malicious site. If this is the way they think to bypass the PC Flank leaktest, well, that's silly...

> Personally I'd never rely on just HIPS, but I'm a touch obsessive about security since it's a large part of my work. I use something like 17 separate defences, which took a while to configure, I can tell you.

In order for me not to reinvent the wheel, could you share your info with me/us? How I'd like to see that list!

> I will say I'm very excited about the future development of CPF and CAVS; the team here have an unmatched desire to listen to their customers and provide constantly improving products.

This is indeed remarkable. I hope they will never go the way of the competition...

Paul Wynant
Moscow, Russia
« Last Edit: November 10, 2006, 01:50:22 PM by p2u »

comicfan2000

  • Guest
Re: New ways to bypass firewalls
« Reply #37 on: November 10, 2006, 12:44:35 PM »
> It could shut down certain HIPS by my understanding, but not the behavioural-based DSA I mentioned before. Such an attack would undoubtedly be flagged up as activity outside the normal baseline.

Thanks for the reply. So what you are saying is, if an OLE send is controlled from an outside source, DSA will catch this and then prevent it? That would be great.

Paul

Offline andyman35

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1579
Re: New ways to bypass firewalls
« Reply #38 on: November 10, 2006, 02:14:47 PM »
> Thanks for the reply. So what you are saying is, if an OLE send is controlled from an outside source, DSA will catch this and then prevent it? That would be great.
>
> Paul

From my understanding, yes it would, but with a slight proviso. Upon installation DSA goes into learning mode for a pre-determined length of time (I set 14 days to limit unnecessary pop-ups). Of course any attack during this time wouldn't be spotted, hence the proviso.

I quote from the user guide:

"SYSTEM ANOMALY DETECTION

The DSA System Anomaly Detection layer analyzes the normal use patterns of running applications and generates alerts as it detects unusual activity. The System Anomaly Detection Engine applies a sophisticated algorithm to establish a baseline of normal use based on several system variables such as CPU utilization, thread count, and others. These variables are monitored over a specific period of time, called the 'Training Period', which can be set to 7, 14, or 28 days within the Main Menu (the default period is 7 days). The 'Enable Detection' checkbox must be selected for Training to be active. Upon installation, Training is enabled by default and commences immediately upon installation.

Sensitivity Threshold: The DSA System Anomaly Detection layer generates alerts as it detects system activity that deviates from normal. The sensitivity with which DSA applies to system anomaly detection can be tuned by adjusting the Sensitivity Threshold. Decreasing the threshold increases the sensitivity, meaning that smaller deviations will generate alerts. Increasing the threshold will allow greater variance from normal activity. By default, the System Anomaly Detection Sensitivity Threshold is set to 60%.  In simple terms, activity deviating more than 60% from normal will generate an alert. "
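The user-guide text above describes a train-then-alert model: collect per-process system variables for a training period, then alert when a sample deviates from the learned baseline by more than the sensitivity threshold (60% by default), with the caveat from the post that nothing is flagged while training runs. The following is an added illustration written for this thread, not DSA's or Comodo's code; the page does not reveal DSA's actual algorithm, so the example assumes a simple per-metric mean baseline and relative deviation, uses "ticks" in place of days, and feeds it a constructed trace for a hypothetical winword.exe whose CPU and thread count spike when a hijacked OLE server runs inside it. It also shows what the post's proviso means in practice: a spike that lands inside the training window is never alerted on, and it skews the baseline so that later normal samples look anomalous.

```python
"""Toy baseline-and-threshold anomaly detector (added example, not DSA's code).

Assumptions (not from the page): one training window measured in ticks,
a per-process mean over each metric as the baseline, and relative
deviation |observed - baseline| / baseline compared with the threshold.
"""
from dataclasses import dataclass, field
from statistics import mean

METRICS = ("cpu_percent", "thread_count")


@dataclass
class Sample:
    tick: int
    process: str
    cpu_percent: float
    thread_count: int


@dataclass
class AnomalyDetector:
    training_ticks: int = 7             # stands in for the 7-day default training period
    sensitivity_threshold: float = 0.60  # default 60%: larger deviation than this alerts
    _history: dict = field(default_factory=dict)   # process -> samples seen in training
    _baseline: dict = field(default_factory=dict)  # process -> {metric: mean}

    @staticmethod
    def _deviation(observed: float, expected: float) -> float:
        if expected == 0:
            return float("inf") if observed else 0.0
        return abs(observed - expected) / expected

    def observe(self, s: Sample) -> list:
        """Feed one sample; return the alerts it raises (empty list if none)."""
        if s.tick < self.training_ticks:
            # Learning mode: everything is recorded as "normal", nothing is alerted.
            self._history.setdefault(s.process, []).append(s)
            return []
        if s.process not in self._baseline:
            hist = self._history.get(s.process)
            if not hist:
                return [f"{s.process}: no baseline (process never seen during training)"]
            self._baseline[s.process] = {
                m: mean(getattr(x, m) for x in hist) for m in METRICS
            }
        base = self._baseline[s.process]
        alerts = []
        for m in METRICS:
            dev = self._deviation(getattr(s, m), base[m])
            if dev > self.sensitivity_threshold:
                alerts.append(f"{s.process}: {m} deviates {dev:.0%} from baseline {base[m]:.1f}")
        return alerts


def build_trace(spike_tick: int) -> list:
    """Constructed trace: winword.exe idles for 10 ticks, with one abnormal spike.

    The spike values are hypothetical: a hijacked OLE server spawning worker
    threads and burning CPU inside the host process.
    """
    trace = []
    for t in range(10):
        cpu, threads = 5.0, 12
        if t == spike_tick:
            cpu, threads = 60.0, 40
        trace.append(Sample(t, "winword.exe", cpu, threads))
    return trace


def run(trace: list, training_ticks: int = 7, threshold: float = 0.60):
    """Run a trace through a fresh detector; return ({tick: alerts}, detector)."""
    det = AnomalyDetector(training_ticks=training_ticks, sensitivity_threshold=threshold)
    alerts = {}
    for s in trace:
        raised = det.observe(s)
        if raised:
            alerts[s.tick] = raised
    return alerts, det


if __name__ == "__main__":
    # Spike after training: caught at tick 8 only.
    print("spike after training:", run(build_trace(8))[0])
    # Spike inside training: never alerted, and the poisoned baseline
    # (cpu mean 12.9 instead of 5.0) makes the quiet ticks 7-9 alert instead.
    print("spike during training:", run(build_trace(3))[0])
    # Raising the threshold to 70% hides those false positives, and anything
    # else that deviates by less than 70%.
    print("spike during training, 70% threshold:", run(build_trace(3), threshold=0.70)[0])
```

The second scenario is the one worth remembering: the proviso in the post is not just "no alerts for a week" but "whatever happens that week becomes normal", so a training period should start from a machine you already trust, and the Sensitivity Threshold trades false positives against how much an attacker can deviate unnoticed.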

comicfan2000

  • Guest
Re: New ways to bypass firewalls
« Reply #39 on: November 10, 2006, 02:37:33 PM »
> From my understanding, yes it would, but with a slight proviso. Upon installation DSA goes into learning mode for a pre-determined length of time (I set 14 days to limit unnecessary pop-ups). Of course any attack during this time wouldn't be spotted, hence the proviso.
>
> I quote from the user guide:
>
> "SYSTEM ANOMALY DETECTION
>
> The DSA System Anomaly Detection layer analyzes the normal use patterns of running applications and generates alerts as it detects unusual activity. The System Anomaly Detection Engine applies a sophisticated algorithm to establish a baseline of normal use based on several system variables such as CPU utilization, thread count, and others. These variables are monitored over a specific period of time, called the 'Training Period', which can be set to 7, 14, or 28 days within the Main Menu (the default period is 7 days). The 'Enable Detection' checkbox must be selected for Training to be active. Upon installation, Training is enabled by default and commences immediately upon installation.
>
> Sensitivity Threshold: The DSA System Anomaly Detection layer generates alerts as it detects system activity that deviates from normal. The sensitivity with which DSA applies to system anomaly detection can be tuned by adjusting the Sensitivity Threshold. Decreasing the threshold increases the sensitivity, meaning that smaller deviations will generate alerts. Increasing the threshold will allow greater variance from normal activity. By default, the System Anomaly Detection Sensitivity Threshold is set to 60%. In simple terms, activity deviating more than 60% from normal will generate an alert."

Thanks for the reply andyman35, very informative! :) This is from the DSS then, I assume? I like the sensitivity threshold tuning ability along with the training period ability. Very nice! What about weak signatures though? Is there or wasn't there a 768 or 786 (something like it) bits or higher standard, or was it then flawed? Or was that with DSS? This may be an old-school question and no longer a concern. "IF I REMEMBER" lol, slight chance, the weak key or signature going under the 786\68 bits standard could be easily attacked, which is why I ask whether that was DSS or DSA that has this\had this as well.

 Thanks again,

 Paul

Offline andyman35

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1579
Re: New ways to bypass firewalls
« Reply #40 on: November 10, 2006, 03:11:01 PM »
> In order for me not to reinvent the wheel, could you share your info with me/us? How I'd like to see that list!
>
> Paul Wynant
> Moscow, Russia

Ok, here's the list as it stands now (always evolving though):

Antivirus: NOD32 (realtime scanner), BitDefender Free, ClamAV (on demand)
Firewall: Comodo Personal Firewall

HIPS/Monitoring apps: Prevx1, ProcessGuard, Dynamic Security Agent, ScriptDefender, Samurai
System hardening: HardenIT
Process scanning: Assassin, HijackThis, Integrit

Anti-spyware: Spybot, SUPERAntiSpyware, Spyware Terminator, SpywareBlaster, a-squared, Ewido
Anti-Rootkit: BlackLight Beta, IceSword

Browser for extra security: VMware Browser Appliance (based on Firefox)
Standard browser: Opera

Ok, I mentioned more than the 17, but a couple of them are more about viewing system processes than actual security apps.
Ok tha

Offline andyman35

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1579
Re: New ways to bypass firewalls
« Reply #41 on: November 10, 2006, 03:19:35 PM »
> Thanks for the reply andyman35, very informative! :) This is from the DSS then, I assume? I like the sensitivity threshold tuning ability along with the training period ability. Very nice! What about weak signatures though? Is there or wasn't there a 768 or 786 (something like it) bits or higher standard, or was it then flawed? Or was that with DSS? This may be an old-school question and no longer a concern. "IF I REMEMBER" lol, slight chance, the weak key or signature going under the 786\68 bits standard could be easily attacked, which is why I ask whether that was DSS or DSA that has this\had this as well.
>
> Thanks again,
>
> Paul

I'll try and look into that for you (Wilders forum should have some info, since that's where I discovered this software).
One thing that interested me particularly is that it is soon to be integrated with their upcoming firewall; perhaps something similar could be developed for CPF?

All the best, Andy.


Offline andyman35

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 1579
Re: New ways to bypass firewalls
« Reply #42 on: November 10, 2006, 03:30:39 PM »
COSMICFAN
My understanding of how the protection would work (vastly inferior to you guys, I hasten to add) would be that once the OLE exploit attempted remote code execution, the vehicle for this attack would show a significant variance from 'normal' usage? I'm basing this on an hour's research between jobs, so I'm sure you'll correct me if I'm way off track here.

Offline pandlouk

  • I love Comodo
  • Comodo's Hero
  • *****
  • Posts: 2240
  • Retired Mod
Re: New ways to bypass firewalls
« Reply #43 on: November 10, 2006, 03:44:56 PM »
> Ok, here's the list as it stands now (always evolving though):
>
> Antivirus: NOD32 (realtime scanner), BitDefender Free, ClamAV (on demand)
> Firewall: Comodo Personal Firewall
>
> HIPS/Monitoring apps: Prevx1, ProcessGuard, Dynamic Security Agent, ScriptDefender, Samurai
> System hardening: HardenIT
> Process scanning: Assassin, HijackThis, Integrit
>
> Anti-spyware: Spybot, SUPERAntiSpyware, Spyware Terminator, SpywareBlaster, a-squared, Ewido
> Anti-Rootkit: BlackLight Beta, IceSword
>
> Browser for extra security: VMware Browser Appliance (based on Firefox)
> Standard browser: Opera
>
> Ok, I mentioned more than the 17, but a couple of them are more about viewing system processes than actual security apps.

Andy, from the programs I see you have, it seems that you are going to the paranoid side of security. But having all these apps won't help in the case of a really new threat type.

I would suggest that you use a virtual machine if you want to go to "underground" sites. You will be much more protected than by having all those security apps in your main OS. ;)

comicfan2000

  • Guest
Re: New ways to bypass firewalls
« Reply #44 on: November 10, 2006, 03:54:01 PM »
> COSMICFAN
> My understanding of how the protection would work (vastly inferior to you guys, I hasten to add) would be that once the OLE exploit attempted remote code execution, the vehicle for this attack would show a significant variance from 'normal' usage? I'm basing this on an hour's research between jobs, so I'm sure you'll correct me if I'm way off track here.

 That was my understanding as well. "COSMICFAN"? lol, I kind of like that. Ewen calls me (Shifter) :D Anyway, thanks again. Well, that's exactly what I was wondering: if executed below the bit level, will DSA still be able to detect this? 60% must be a higher amount, but if it has adjustments, it shouldn't be a problem to lower the percentage then. I would think this solves the issue, but I'm not sure.

 Thanks again,

 Paul
