Re: Malicious code could trick ZoneAlarm firewall

[John LaCour <johnlacour () gmail com>]

This particular poc used ShellExecute() to launch a trusted program
such as a web
browser which would theoretically communicate off-host on behalf of
the untrusted
program by sending data in a URL or similar.

There's a pretty good whitepaper about this and similar methods that
was published by Chris Ries over at VigilantMinds:
http://www.vigilantminds.com/files/defeating_windows_personal_firewalls.pdf

-John

On 9/30/05, Jordan Wiens <numatrix () ufl edu> wrote:
> On Fri, 30 Sep 2005, Fergie (Paul Ferguson) wrote:
>
> > [snip]
> >
> > An attacker could trick the firewall by linking a malicious program, such as a keystroke logger, to another 
> > application, for example, Internet Explorer. When the keystroke logger subsequently sends its captured data out, 
> > the firewall would see IE accessing the Internet, not the spyware, and allow the connection.
> >
> > [snip]
> >
> > http://news.com.com/Malicious+code+could+trick+ZoneAlarm+firewall/2100-1002_3-5886488.html
>
> Not exactly news, is it?  Malware has been loading dynamic libraries into
> known applications for a while now.  Heck, there are toolkits that will
> automatically slip one program into another for you (if memory serves,
> we've even seen the tool to do it loaded up on compromised machines on
> campus).  Unless I'm missing something and this is something different?
>
> --
> Jordan Wiens, CISSP
> UF Network Security Engineer
> (352)392-2061
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.