16 replies to this topic

[devilxd]

can someone tell me wha to do .
i resent found out that zone alarm does not stop the outbound.
i tryed to set all to highest but still this code i ran did go through my wall ..
tell me wha to do helppppppppp


an i bet this 1 will go thorugh most the firewalls out there

Edited by devilxd, 05 June 2004 - 06:11 PM.

[cnm]

Try running some of the tests recommended here:
http://forums.spywar...?showtopic=2423

I don't know what test you ran, but some of them are essentially cheats designed to get you to buy their firewall.

[lonewolf]

I would be interested to know what that test was. Could you provide abit more info Devilxd on what the test was?

[devilxd]

yea i did some searchin on the net for firewall tests
an i found this guy in a forum ,who wrote a code to show that no firewall with outbound protection would stop .. an i tryed it too an this get right through my wall an thats with all settings high , name of this file is toolaky i have em both so if anyone wants em tell me an ill put it on a site for download / or ill mail it /im.
you are abel to make this program show the info u get ,right on your site
there is some settings inside this file u can change to get it to get diff info files

Edited by devilxd, 06 June 2004 - 12:22 PM.

[cnm]

TooLeaky is an old friend. What is sort of bogus about it is that you have to deliberately install it on your PC.

Very few firewalls stop installed stuff from calling home. The installed prgram can just launch IE and IE is allowed through your firewall.

The later versions of Kerio include protection against a program launching another program, but I don't feel the need myself.

You should have protection against things installing themselves on your PC without your consent.

Here are my standard recommendations.

SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.
http://www.wildersse...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see TonyKlein's good advice
So how did I get infected in the first place?

[lonewolf]

Here's a good article on the different firewall leaktests http://www.pcflank.com/art21.htm it is a bit dated, but not much has changed since then and most (if not all) of the firewalls will still fail these leaktests even today.

I use System Safety Monitor (a free program) to block applications (such as IE) from accessing the internet without my permission. I believe it would also stop most of these leak tests or a program (i.e. a trojan)designed on them. You can get it here: http://www.snapfiles...stemsafety.html

Also Diamondcs Process Guard (costs $29.95 for a single license) will stop most if not all of these so-called leaktests cold. http://www.diamondcs.com.au

But to be honest their really aren't many, if any, trojans based on the design of these leak tests in the wild today. And your chances are minimal of ever encountering one. Just be careful what you download. Follow the advice given by Cnm. Keep your firewall & anti-virus software up to date. Always pratice safe hex. And you should be ok.

A word of caution:
It is not recommended that you try any of the leaktests (mentioned in the Pcflank article) on your firewall unless you really know what you are doing. Some of them can make changes to your firewall that would compromise your security defenses! And unless you know how to revert those changes it is ill advised to fool around with them. Though a safe leaktest to try is the one at http://www.grc.com/lt/leaktest.htm called 'leaktest'. All the others should not be used by inexperienced users.

Edited by lonewolf, 06 June 2004 - 05:36 PM.

[Paranoid]

TooLeaky is an old friend. What is sort of bogus about it is that you have to deliberately install it on your PC.

Very few firewalls stop installed stuff from calling home. The installed prgram can just launch IE and IE is allowed through your firewall.

The later versions of Kerio include protection against a program launching another program, but I don't feel the need myself.

You should have protection against things installing themselves on your PC without your consent.

Here are my standard recommendations.

SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.
http://www.wildersse...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see TonyKlein's good advice
So how did I get infected in the first place?

TooLeaky is an old friend.  What is sort of bogus about it is that you have to deliberately install it on your PC.

Welcome to the class of malware known as trojans my friend.

Very few firewalls stop installed stuff from calling home.  The installed prgram can just launch IE and IE is allowed through your firewall.

Tell that to the thousands of GRC fans who have being convinced by Steve Gibson into thinking that a firewall without outbound protection is useless.

I think it's more accurate to say that firewalls can stop things from calling home, but if it's trying to be sneaky, it's very very hard to stop something once it's inside your system. Application monitoring is one way, but even then there are leak tests that are designed to work in very ingenious ways that have little to do with using trusted applications like IE to piggyback on.

http://www.firewallleaktester.com/ has a description of most of the known ones (14 at last count)

There is no perfect defence once you let something in, but you can still try....

[lonewolf]

Thanks Paranoid for that link. Very interesting stuff.

I would just like to add for those who don't yet understand much about these so-called leak tests, that there is a big difference between a leak test and an actual trojan/ malware program based on one of these leak tests. If there were programs like this in the wild they would be found. And definitions would be added to most security apps to help detect them.

But if you did happen to get one on your system, it would most likely be found (provided you have a top of the line anti-virus/anti-trojan with current updates.) because of the fact that it's an actual running program, and not just some dummy test that does little more than show ways your firewall can be bypassed.

These leak tests are simply made to show us and the firewall manufacturers ways that can be used to get around firewall security and should not be confused with the way an actual malware program would behave once on your system.

[Paranoid]

Thanks Paranoid for that link. Very interesting stuff.

I would just like to add for those who don't yet understand much about these so-called leak tests, that there is a big difference between a leak test and an actual trojan/ malware program based on one of these leak tests. If there were programs like this in the wild they would be found. And definitions would be added to most security apps to help detect them.

But if you did happen to get one on your system, it would most likely be found (provided you have a top of the line anti-virus/anti-trojan with current updates.) because of the fact that it's an actual running program, and not just some dummy test that does little more than show ways your firewall can be bypassed.

These leak tests are simply made to show us and the firewall manufacturers ways that can be used to get around firewall security and should not be confused with the way an actual malware program would behave once on your system.

I would just like to add for those who don't yet understand much about these so-called leak tests, that there is a big difference between a leak test and an actual trojan/ malware program based on one of these leak tests. If there were programs like this in the wild they would be found. And definitions would be added to most security apps to help detect them.

I think that's too strong a statement.

If it's a wide fast spreading in the wild worm which advertises it's presence sure. But unfortunately there are quite a few trojans, backdoors and rootkits that are fairly wide spread. Since they don't tend to draw any attention to themselves many of them are probably not on most common antivirus or even trojans llists. In theory some of them might be using the leaking techniques we see in this thread to bypass your firewall.

That said, of course those leak tests are harmless, they are merely a proof of concept.

Interestingly, you can see that some malware detectors do alert on these harmless leak tests as "web downloaders" for example. Probably detecting them heuristically...

[cnm]

The major difference between the tests and real trojans is that you install the fake trojan yourself, which naturally gives it an advantage.

[lonewolf]

Yes Paranoid, i stand corrected. That was a glaring mistake on my part. Thanks for pointing that out. I wouldn't want to mislead anyone.

It probably should have said, " If there were programs like this in the wild they would probably be found."

There will always be some forms of malware that won't be found by the AV/AT makers or reported to them by others. But even those that wouldn't be found are not as common and therefore are not something most users have to overly worry about as long as they're following the guidelines posted above.

I guess the original intent of my post was not to scare any newbies into a state of frenzy thinking that their current defenses (AT/AV/FW) were useless against these forms of malware. Because in all likelihood they will probably not run into any of them.

Edited by lonewolf, 11 June 2004 - 06:32 PM.

[Paranoid]

The major difference between the tests and real trojans is that you install the fake trojan yourself, which naturally gives it an advantage.

That's the very defintion of a trojan, something you are tricked into installing...

[cnm]

Exactly. The test does it up front, a real trojan has to trick you.

[Swami]

The best software firewall against outbound traffic in my opinion is Agnitum's Outpost Pro firewall ... they also have a product designed specifically for stopping outbound traffic called Jammer... http://agnitum.com/products/outpost/ ... http://agnitum.com/p...r/features.html

As far as scripts go ... try using Robin Kier's script trap (its small & free) and see if that code still gets through its an older program but may prove effective ...http://keir.net/scriptrap.html

Edited by Swami, 11 June 2004 - 11:40 AM.

[Paranoid]

As far as scripts go ... try using Robin Kier's script trap (its small & free) and see if that code still gets through its an older program but may prove effective ...http://keir.net/scriptrap.html

[

I don't believe scriptrap has any relevance at all to outbound filtering.

Edited by Paranoid, 12 June 2004 - 11:07 AM.

[Swami]

i found this guy in a forum ,who wrote a code to show that no firewall with outbound protection would stop .. an i tryed it too an this get right through my wall an thats with all settings high , name of this file is toolaky

(PARANOID) I don't believe scriptrap has any relevance at all to outbound filtering.

i never stated script trap would help with outbound filtering ... i thought he was using some kind of script written in a forum by some would-be hacker ... and that was how it was referenced (As Far As Scripts Go) ... not as outbound protection. Why do you think i started off with mentioning Outpost and Jammer as rock solid outbound application protection?? read a little closer next time PARANOID

Edited by Swami, 13 June 2004 - 02:57 PM.

[Paranoid]

My apologies.

never stated script trap would help with outbound filtering ... i thought he was using some kind of script written in a forum by some would-be hacker ... and that was how it was referenced (As Far As Scripts Go) ... not as outbound protection.

Sorry, even in such a situtation, scriptrap won't work