Bugtraq mailing list archives

Re: Bypassing Personal Firewalls


From: "Darwin" <darwin () netmadeira com>
Date: Fri, 28 Feb 2003 05:08:12 -0000

----- Original Message -----
From: "xenophi1e" <oliver.lavery () sympatico ca>

This allows PFWs to be bypassed, as well as making it very easy to hide
running malicious code on a system. The example is a 'sploit that makes a
connection from within IE, and slips under the radar of all PFWs I've
tested.

I'm currently using Kerio Personal Firewall v2.1.4 in Win XP SP1 and this
firewall, at least, seems to block the connection.
I had IE running, disabled all the firewall rules, and that's what showed in
the log:

23/Feb/2003 03:16:49   Internet Explorer   blocked; Out TCP; localhost:3332->205.206.231.12:80; Owner: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

Then it displayed a msgbox saying it can't connect to SecurityFocus.

Indeed the connection appeared to come from IE, but apparently the firewall
successfully blocked it.
This really improved my impressions of the Kerio firewall, which were already
good as this version is free for home use,
suggesting that the company has a concern for the Internet community that
is becoming rare nowadays.

This subject is of major importance for me as yesterday my IDS, Snort 1.9,
detected unusual traffic going out from one of my computers.

I could gracefully detect it because they were using unusual ports,
myhost:2629, registered as sitaraserver, and 216.40.244.202:19638.
All the traffic was securely encrypted, so I can't have an idea of what
actually was sent to them.
I went to 216.40.244.202:80, which redirected me to a secure administration
site with a login form.
From the logs I could read a repeated string that was sent at the beginning
of each connection, which was a close match to the one I caught when trying
to log in as user:test password:test and domain:test, so I'm almost sure it's
the login info.

Further investigation on my machine revealed the following spyware
installed:

* Brilliant Digital Entertainment;
* Commonname;
* Cydoor;
* Downloadware;
* Firstlook;
* New.net;
* Gator.

It seems that all the pack is being delivered at once now.

This spyware was revealed by Adaware. I had run Adaware earlier in the day,
so the system was clean.
No message showed asking for permission to install this stuff, so I guess
it was automatically installed from some nasty site the user went to
inadvertently.

So it was installed with no permission, has no running processes showing,
and almost surely hijacked IE for the connections (I detected a rule on the
user machine allowing all connections from and to all ports owned by IE),
and actually sent unknown stuff to this server.

I reported the case to a legal counsellor and informed Everyone's Internet
(which hasn't said anything to date, but it is the weekend, anyway.)

What I can guess from all this is:

1) This spyware is already using this kind of exploit
2) This can be prevented using Kerio's PF v2.1.4

I have all the IDS logs, the spyware actually installed, and records of all
the registry keys and objects used, so if someone wants to investigate this
case further I can send this material.
I would also appreciate comments on the subject (darwin () netmadeira com).

Cheers,

Paulo
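The Kerio log entry quoted above and the IDS observation of IE-owned traffic on unusual ports (2629 -> 19638) suggest a simple defender-side check: parse the firewall's per-connection log and flag outbound connections attributed to IEXPLORE.EXE that go to anything other than web ports, which a blanket "allow everything owned by IE" rule would otherwise let through silently. The following is an added example, not code from the post or from Kerio; it assumes every log line follows the layout of the single entry quoted in the post, and the "permitted" verdict word in the constructed sample is an assumption (the post only shows "blocked").

```python
import re

# Field layout inferred from the single Kerio PF 2.1.4 line quoted in the post. It is an
# assumption that every entry reads "ts   app   verdict; dir proto; src->dst; Owner: path".
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<app>.+?)\s{2,}"
    r"(?P<verdict>\w+); (?P<dir>In|Out) (?P<proto>TCP|UDP); "
    r"(?P<src>[^:]+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+); "
    r"Owner: (?P<owner>.+)$"
)
WEB_PORTS = {80, 443}  # the only destination ports a browser normally needs

def parse_line(line):
    """Parse one log line into a dict; return None for lines not in the expected layout."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
    return e

def suspicious(e):
    """Outbound traffic attributed to IE on a non-web port, whatever the verdict.
    A blanket 'allow everything owned by IE' rule, like the one found on the infected
    PC, would permit exactly this, so the log is the only place it still shows up."""
    return (e["dir"] == "Out"
            and e["owner"].upper().endswith("IEXPLORE.EXE")
            and e["dport"] not in WEB_PORTS)

def flag(lines):
    """Return the parsed entries that match the suspicious pattern."""
    return [e for e in map(parse_line, lines) if e is not None and suspicious(e)]

# Constructed sample: the first line is the one from the post (mail wrapping removed);
# the second mimics the IDS observation (2629 -> 19638) as it would look if a
# per-application rule had let it through ("permitted" is an assumed verdict word).
SAMPLE = [
    r"23/Feb/2003 03:16:49   Internet Explorer   blocked; Out TCP; "
    r"localhost:3332->205.206.231.12:80; Owner: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE",
    r"27/Feb/2003 14:02:11   Internet Explorer   permitted; Out TCP; "
    r"localhost:2629->216.40.244.202:19638; Owner: C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE",
]

if __name__ == "__main__":
    for e in flag(SAMPLE):
        print(f'{e["ts"]} {e["verdict"]} {e["owner"]} -> {e["dst"]}:{e["dport"]}')
```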
