News from SecuObs.com

Hi there,

Look at [WiShMaster - part 7] RConnect results against personal firewalls and conclusion (SecuObs - L'observatoire de la sécurité internet - a French-language site of professional information on IT security) and enjoy!

For non-French speakers (in a few words):
This site specialises in security. This article is about using RConnect and C shellcoding (via WiShMaster) to run a backdoor engine on Windows XP-like PCs.
After a very detailed explanation, the author (Benjamin Caillat) shows us what shellcoding can do (really very interesting ...).
In the end, we read that only one personal firewall passed the test: CPF.


Hi Alg,

Interesting. Can you translate or at least tell us how the test works? :slight_smile:

Thank you very much,
Egemen

translate.google.com helped me understand the test. This is a real-world example, guys. These shellcode generators are widely used by malware writers to quickly produce and change their virus/trojan code.

Thank you very much for bringing this article to our notice.

Egemen

Translation from 'translate.google.com' into English

[WiShMaster - part 7] RConnect results against personal firewalls and conclusion

By Benjamin Caillat, Mastère Spécialisé Sécurité, ESIEA
16/09/2006


Tests of RConnect against conventional personal firewalls

The following section summarises the results obtained by testing some personal firewalls. I recall that these results are in no way intended to rank the best personal firewalls, a study that would deserve far more exhaustive tests, but simply to evaluate the detectability of the shellcodised RConnect.

The test platform consists of a Windows XP Professional machine on which the server process (netcat) runs, and a VMware virtual machine running Windows XP Professional that represents the target.

The backdoor used is the version of RConnect that performs injection into the "explorer.exe" process. The test is carried out by launching the executable directly in a restricted-user session.

The firewalls were installed with the default options. The "Configuration changes" field lists any changes made to that configuration.

The "Result with RConnect" field gives the result of the test.

The term "not-detected" means that no alert was raised; shown in green in the graphical version of the table.

The term "pseudo-detected" means that a popup was displayed, but that its message does not correspond to a genuine detection of an attack (a confirmation that a process is being launched, for example); shown in orange in the graphical version of the table.

The term "detected" means that the backdoor was genuinely recognised as malicious code and that the user received an explicit message indicating that an attack attempt had taken place; shown in red in the graphical version of the table.

For information, the "Result with backdoor without cmd.exe" field gives the result with a slightly more advanced backdoor that integrates its own shell and does not launch a "cmd.exe" process.

Firewall - Kaspersky Internet Security
Version - 6.0
Configuration changes - Proactive Defense enabled, firewall in learning mode
Result with RConnect - Pseudo-detected (1)
Result with backdoor without cmd.exe - Not detected

Firewall - Tiny Firewall 2005
Version - 6.5.126
Configuration changes - None
Result with RConnect - Pseudo-detected (2)
Result with backdoor without cmd.exe - Not detected

Firewall - Look 'n' Stop
Version - 2.05
Configuration changes - None
Result with RConnect - Not detected
Result with backdoor without cmd.exe - Not detected

Firewall - Kerio (advanced-mode installation)
Version - 4.3
Configuration changes - "Authorise automatically" chosen when a process is launched
Result with RConnect - Not detected
Result with backdoor without cmd.exe - Not detected

Firewall - Norton
Version - 2006
Configuration changes - Monitoring of components and of launched programs enabled
Result with RConnect - Not detected
Result with backdoor without cmd.exe - Not detected

Firewall - Comodo
Version - 2.3.4.45
Configuration changes - None
Result with RConnect - Detected
Result with backdoor without cmd.exe - Detected

Firewall - SecurePoint FW & VPN Client
Version - 3.6.1
Configuration changes - None
Result with RConnect - Not detected
Result with backdoor without cmd.exe - Not detected

Firewall - Sygate Personal Firewall
Version - 5.6
Configuration changes - Some options cannot be enabled in the evaluation version
Result with RConnect - Not detected
Result with backdoor without cmd.exe - Not detected

Firewall - ZoneAlarm Pro
Version - 6.1
Configuration changes - None
Result with RConnect - Pseudo-detected (3)
Result with backdoor without cmd.exe - Pseudo-detected (3)

(1) Injection is possible using the modified injector that patches the start of the function. Only the launch of the "cmd.exe" process by the browser is detected. A backdoor implementing its own shell will therefore not be detected.

(2) Only the launch of the cmd.exe process by the browser is detected. A backdoor implementing its own shell will therefore not be detected.

(3) The firewall detects communication with smss.exe, which corresponds to the process listing.

In its new form, only one firewall is really able to detect RConnect. The others generally detect the launch of the browser. Social-engineering techniques could then be used so as not to arouse the user's suspicion.

Conclusion

This document has shown that, starting from a backdoor developed very quickly and with many limitations, it was possible to obtain, in a few clicks via WiShMaster, a much more powerful and highly malleable tool able to bypass the majority of personal firewalls.

Using programs such as WiShMaster makes it possible to develop tools based on thread injection relatively quickly.

Backdoors are only one example; many attacks can rely on this technique: modifying the browser's behaviour to intercept private communications, password theft, ...

In an environment that one wishes to protect, it will therefore become truly essential to equip user workstations with protection software able to block such attacks by performing genuine behavioural analysis of applications.

Other resources in the same series:

[WiShMaster - Part 1] Introduction to writing shellcodes in C

[WiShMaster - Part 2] Principle of shellcodisation with WiShMaster (1)

[WiShMaster - Part 3] Principle of shellcodisation with WiShMaster (2)

[WiShMaster - Part 4] Principle and operation - RConnect/WiShMaster vs personal firewalls (1)

[WiShMaster - Part 5] Principle and operation - RConnect/WiShMaster vs personal firewalls (2)

[WiShMaster - Part 6] Principle and operation - RConnect/WiShMaster vs personal firewalls (3)

Thanks,
rki.
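The three verdict classes from the table ("not-detected", "pseudo-detected", "detected") replayed by an added Python example; this is my illustration, not code from the SecuObs article, WiShMaster or RConnect. The event model, the field names and the three event streams are assumptions constructed to mirror what the article describes (injection into explorer.exe, an outbound connection from the injected process, a handle opened on smss.exe during the process listing, and an optional cmd.exe child). The "injection then egress" rule is the kind of behavioural check the conclusion calls for, not something the tested firewalls are documented to implement:

```python
"""Replay of the WiShMaster part-7 verdicts over a constructed process log.

Added example; not code from the article or from WiShMaster/RConnect. The
event kinds, field names and the event streams are assumptions."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: int                        # seconds into the session (constructed)
    kind: str                      # process_create | remote_thread | handle_open | net_connect
    source: str                    # image name of the acting process
    target: Optional[str] = None   # child image, injected image or handle target
    dest: Optional[str] = None     # "host:port" for net_connect


# Constructed stream: RConnect as tested, injected into explorer.exe, then
# listing processes (touching smss.exe) and spawning cmd.exe for its shell.
RCONNECT_WITH_CMD: List[Event] = [
    Event(0, "process_create", "explorer.exe", target="rconnect.exe"),
    Event(1, "remote_thread", "rconnect.exe", target="explorer.exe"),
    Event(2, "net_connect", "explorer.exe", dest="192.0.2.10:4444"),
    Event(3, "handle_open", "explorer.exe", target="smss.exe"),
    Event(4, "process_create", "explorer.exe", target="cmd.exe"),
]

# Constructed stream: the "backdoor without cmd.exe" variant with its own shell.
RCONNECT_OWN_SHELL: List[Event] = [e for e in RCONNECT_WITH_CMD if e.target != "cmd.exe"]

# Constructed stream: a user opening a command prompt and an editor; no injection.
BENIGN_SESSION: List[Event] = [
    Event(0, "process_create", "explorer.exe", target="cmd.exe"),
    Event(7, "process_create", "explorer.exe", target="notepad.exe"),
]


def rule_cmd_launch(events: List[Event]) -> str:
    """What the pseudo-detecting firewalls react to (footnotes 1 and 2): a
    cmd.exe process being started. The user only gets a "confirm launch?"
    prompt, so this is at best pseudo-detected, and it fires on benign
    command prompts as well."""
    seen = any(e.kind == "process_create" and e.target == "cmd.exe" for e in events)
    return "pseudo-detected" if seen else "not-detected"


def rule_smss_access(events: List[Event]) -> str:
    """Footnote (3): the process listing opens a handle on smss.exe. Again
    only a prompt, but independent of whether cmd.exe is used."""
    seen = any(e.kind == "handle_open" and e.target == "smss.exe" for e in events)
    return "pseudo-detected" if seen else "not-detected"


def rule_injected_egress(events: List[Event], window: int = 30) -> str:
    """Behavioural correlation: a thread created in another process X,
    followed within `window` seconds by an outbound connection made by X.
    This keys on the technique itself (thread injection, then network use
    under the injected process's identity) rather than on cmd.exe."""
    injected_at: Dict[str, int] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "remote_thread" and e.target and e.target != e.source:
            injected_at[e.target] = e.ts
        elif e.kind == "net_connect" and e.source in injected_at:
            if 0 <= e.ts - injected_at[e.source] <= window:
                return "detected"
    return "not-detected"


def evaluate(events: List[Event]) -> Dict[str, str]:
    """One verdict per rule for a given event stream."""
    return {
        "cmd.exe launch prompt": rule_cmd_launch(events),
        "smss.exe access prompt": rule_smss_access(events),
        "injection then egress": rule_injected_egress(events),
    }


RANK = {"not-detected": 0, "pseudo-detected": 1, "detected": 2}


def verdict(events: List[Event]) -> str:
    """Strongest verdict any rule produced, in the article's colour order."""
    return max(evaluate(events).values(), key=RANK.__getitem__)


if __name__ == "__main__":
    for name, stream in [("RConnect (cmd.exe)", RCONNECT_WITH_CMD),
                         ("RConnect (own shell)", RCONNECT_OWN_SHELL),
                         ("benign session", BENIGN_SESSION)]:
        print(f"{name:22s} {verdict(stream):16s} {evaluate(stream)}")
```

Running it shows the two prompt-based rules behaving like the table: the cmd.exe rule drops to "not-detected" as soon as the backdoor carries its own shell, and it also nags on the benign session, while only the correlation of a remote thread with a later outbound connection holds up against both variants. In practice that rule needs an allowlist for legitimate injectors (debuggers, accessibility tools) or it will produce the same kind of noise the pseudo-detections do.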

This is yet another proof of Comodo's superiority in the field of personal firewalls!

What viruses are to anti-virus products, leaks are to personal firewalls!
You have to protect against as many leaks as possible, just as AV products protect against as many viruses as possible.

Once again we are seeing a third party proof of how good CPF is when it comes to leaks!


Melih

Here (http://www.secuobs.com/images/WiShMaster_Presentation_Fig24.PNG) is the graphic from their site... I don't think it requires any language at all :slight_smile:
