Re: Microsoft Windows XP SP2 Firewall issue

["Thor (Hammer of God)" <thor () hammerofgod com>]

If you're going to get someone to run the mytrojan.exe file, why not just
have it add itself to the exception list for you?  I've said it a million
times, and here is a million-and-one: When a statement starts off with "If I
get someone to run X on their their system, I can," then it doesn't matter
how it ends. 

t


On 3/24/06 2:34 AM, "edubp2002 () hotmail com" <edubp2002 () hotmail com> wrote:

> Windows XP firewall had improvements after SP2 and it display alerts about
> programs trying to listen on a port (acting as a 'server') to the users. It
> doesnt display the path for the file nor the last extension, instead, it only
> displays its description or name without the final extension.
>
> if u place a trojan with 'no name' in some dir, windows firewall will
> mistakenly alert about a 'folder name\', this can be misused to trick people
> into giving access to a malicious application thinking it is a legitim one.
> example below will make people think Internet Explorer is asking for access,
> when actually,it is not! :
>
> ==============example============================
> in a cmd prompt:
> copy mytrojan.exe "\program files\Internet Explorer\.exe"
> cd \program files\internet explorer
> start .exe 
> =================================================
> An alert will show up saying 'Internet Explorer\' has been blocked and will
> ask if you want unblock it when it should alert about '.exe'.This could trick
> most people into thinking the firewall alerted about a well known legitim
> application.
>
> another issue with the firewall is using NTFS alternate data streams. if u
> execute a file that is 'forked' to another one, no alerts will show up, not at
> all, but I dont think this is a security issue since on the computers I tested
> I wasnt able to direct connect.
> example:
>
> ===============================================
> in a cmd prompt:
> type c:\mytrojan c:\windows\notepad.exe:mytrojan.exe
> start c:\windows\notepad.exe:mytrojan.exe
> ===============================================
> no alerts ;)
>
> ps: every exploit code or details about a vulnerability here in Securityfocus
> are not found.
> when you click in the exploit menu of any vulnerability and there is some kind
> of exploit code attached it will return an error such as 'the document you are
> looking for cannot be found' ... just like a broken link. and this issue is
> happening for some weeks. is this an error ?... waiting feedback on this
> issue.
> cheers,
> Edu