
Thread: Firewall Vulnerability

  1. #1
    bradgm Guest

    Firewall Vulnerability

    I was told by someone that any invader can get through the firewall by pretending to be an already trusted program.
    For example: I currently use Norton Antivirus and allow it through the firewall. The invader pretends to be Norton Anti-virus and thus gets through the firewall.
    Is this true? If not, please explain how the firewall is able to tell that the invader is not Norton Antivirus?
    Thanks,
    Brad


    Operating System: Windows XP Pro
    Product Name: ZoneAlarm (Free)
    Software Version: 6.0

  2. #2
    Join Date: Dec 2005
    Posts: 9,056

    Re: Firewall Vulnerability

    Hi. Let's see what really is going on here. First the invader or the very poor choice of download/opened bad choice of spam has to be opened. Then it has to be installed- in many cases only by the user's permission. Then it installs- either silently (malware) or with the user's awareness. Then it has to access the internet- now the ZA will ask for permission. In your example the malware would be Norton or possibly norton.exe/norton.dll to be used. Okay, this would be hard to accomplish (how to copy those ones?). The ZA Pro would ask the user for the malware to be actually installed- would any user simply agree to strange installations? The chances of this happening are very small, plus it needs the user's approvals. Are you safe with the ZA or not? You are stealthed, hacker-proof, and secure. That is what the ZA is all about- whether it is the FREE or PAID versions. I always remember the pure and simple fact that the makers of Zone Alarm care very much to have PC/internet users completely safe. Take care Oldsod
    Best regards.
    oldsod

  3. #3
    Join Date: Mar 2004
    Location: Brisbane, Australia
    Posts: 645

    Re: Firewall Vulnerability

    The problem is NOT Zone Alarm, the problem is WINDOWS. Windows is so inherently insecure that no matter how good Zone Alarm is, it cannot overcome the inherent security issues that exist in Windows itself.

    You can't build a trusted system (ie Zone Alarm) on an untrusted base (ie Windows). Basically, if you can compromise the depths of the operating system (or even the BIOS), you can prevent the programs running on it from operating correctly. This is exactly what a 'rootkit' can do.

    As an example, say you were able to write a program but you also included a rootkit which patched the operating system to bypass Zone Alarm's security checks. Zone Alarm could still run on the victim's PC and would even appear that it was doing its job. Yet underneath, there would be a massive hole which ZA would never know about, and your computer would leak like a sieve all the while you think you are protected. The moral of the story is that WHAT YOU SEE IS NOT NECESSARILY WHAT YOU GET.

    Windows Vista will bring in a new level of security by preventing this from happening. Until then, you should NEVER think that ZA makes you safe. All it does is make you SAFER and in the process, gives you a false sense of security.

  4. #4
    kkken Guest

    Re: Firewall Vulnerability

    I'm not sure Brad's question is getting answered. (Brad, tell us if it is.)

    First, Brad, are you talking about invaders trying to sneak in through the firewall, or programs that already invaded and are now trying to sneak out? Or both? Are you talking about trojan horses?

    You said:
    > I currently use Norton Antivirus and allow it through the firewall.

    Okay, that's outbound.

    > (Suppose) the invader pretends to be Norton Anti-virus and thus gets through
    > the firewall.

    So you mean a malicious program on your PC tries to pretend it's NAV so it can go out to play?

    > Is this true? If not, please explain how the firewall is able to tell
    > that the invader is not Norton Antivirus?

    NAV actually comprises several different programs, so let's pick one, CCAPP.EXE, the "common client application." Your ZA Program Control panel says something like "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE". As I understand it, for starters, the impostor would have to have replaced the original, keeping the same file name, in the same location, or else it's not the ccapp.exe that ZA program control knows. That's a minimum requirement. I don't know about ZAP, but in ZASS there's a program-by-program option to skip any further authentication for programs that you trust, if you know they change often. Otherwise, ZAP looks deeper. I don't know how exactly. Does it just store a checksum and the last-modified date, and hit the alarm if they're different for the impostor? Or does it do something with digital certificates too? I don't know how certificates work. Since that's as much as I know, let's just say that for outbound programs, the theoretical answer to your question is: it's almost impossible for a program to pass a thorough inspection if it's an impostor, but slightly more possible with ZA than with ZASS, because ZASS has enough component and advanced program control to choke a horse.

  5. #5
    Join Date: Dec 2005
    Posts: 9,056

    Re: Firewall Vulnerability

    Hi. Once again a great reason to have more than one antispy or some HIPS protection. Rootkits apparently are the way of future malware attacks on PCs. Microsoft Malicious Software Removal Tool, Sysinternals RootkitRevealer, F-Secure BlackLight, Lavasoft Aries and the Tenebril SpyCatcher Express are all good for rootkit scanning and removal (and/or removal help) and are absolutely free. Spy Sweeper and Spyware Doctor are some of the paid versions that are good rootkit scanners and removers. Take care Oldsod
    Best regards.
    oldsod

  6. #6
    Join Date: Mar 2004
    Location: Brisbane, Australia
    Posts: 645

    Re: Firewall Vulnerability

    Kkken wrote:
    > ...As I understand it, for starters, the impostor would have to have replaced the original, keeping the same file name, in the same location, or else it's not the ccapp.exe that ZA program control knows.

    The authentication is more complex than that. ZA keeps a record of the MD5 hash of each program component. The MD5 hash is like a very advanced checksum and is unique for any string of characters. Altering the string (eg a new version of a program or program component) will result in a different MD5 hash for that program or component and ZA will pick up the change. Hence the alerts that a program component has changed since last used.

    There are ways to hijack existing programs and these methods are used by rogue programs to access the internet undetected.

    A common method is .dll injection where a program 'inserts' itself into the code of a program component (ie a .dll file) that is currently running in memory. The existing program component is of course legitimate, but the injected code is not and it will try to access the internet via another program, usually a web browser on Port 80.

    ZA Pro MAY pick up .dll injection and alert you that a new program component (ie the compromised .dll) is trying to use another program to access the internet. It will only do this if the chosen .dll has not tried to do this before and has NOT previously been approved. If however the rogue program is lucky enough to pick a .dll that HAS been given permission, you will probably not get asked, your computer security will be compromised, and you will be none the wiser!

    To see examples of .dll injection and test your AV, antispyware and firewall programs you can try the following from Firewall Leak Tester:
      • Wallbreaker
      • PCAudit
      • PCAudit2

    NOTE: USE THESE AT YOUR OWN RISK!
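
    The program-identity check that #4 and #6 describe (the full path of the program plus a stored hash of the file on disk, with an alert when the hash no longer matches), as an added example in Python. This is not ZoneAlarm's code; the "programs" are constructed temp files and the baseline is a plain dictionary. It uses SHA-256 rather than MD5 as a caveat to the post above: MD5 collisions have been practical since 2004, so a current implementation should not rely on MD5 for identity. Three cases are exercised: the recorded program, a byte-identical copy at a different path (kkken's "same name, same location" requirement), and the original overwritten in place.

```python
"""Program-control style fingerprinting: path plus file hash.

Added example, not ZoneAlarm's code. The baseline maps an absolute path to
the hex digest of the file's contents; a program asking for network access
is looked up by path and its current digest compared to the recorded one.
"""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algo="sha256"):
    """Record the digest of each trusted program, keyed by absolute path."""
    return {os.path.abspath(p): file_digest(p, algo) for p in paths}


def check_program(baseline, path, algo="sha256"):
    """Classify a program requesting access.

    'unknown'  - no record for this path (prompt the user)
    'changed'  - path known, but the bytes on disk differ from the record
    'ok'       - path and digest both match the record
    """
    key = os.path.abspath(path)
    if key not in baseline:
        return "unknown"
    if file_digest(path, algo) != baseline[key]:
        return "changed"
    return "ok"


def demo():
    """Run the three cases against constructed files; returns their verdicts."""
    with tempfile.TemporaryDirectory() as d:
        trusted = os.path.join(d, "ccapp.exe")  # constructed stand-in, not the real NAV binary
        with open(trusted, "wb") as f:
            f.write(b"MZ legitimate program bytes (constructed)")
        baseline = build_baseline([trusted])

        results = {"original": check_program(baseline, trusted)}

        # Impostor with the same file name and identical bytes at another path:
        # the digest would match, but the path is not the one on record.
        other = os.path.join(d, "sub", "ccapp.exe")
        os.makedirs(os.path.dirname(other))
        with open(other, "wb") as f:
            f.write(b"MZ legitimate program bytes (constructed)")
        results["same_name_other_path"] = check_program(baseline, other)

        # Impostor that overwrote the trusted file in place: path matches,
        # digest does not, so the "program has changed" alert fires.
        with open(trusted, "wb") as f:
            f.write(b"MZ malicious replacement (constructed)")
        results["replaced_in_place"] = check_program(baseline, trusted)
        return results


if __name__ == "__main__":
    print(demo())
```

    The check is entirely about the file on disk, which is exactly why the .dll injection described in the post slips past it: the injected code runs inside the memory of a process whose binary on disk is untouched, so its digest still matches and no alert fires. Catching that needs the component and process-level control the post mentions, not a stronger file hash.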

  7. #7
    bradgm Guest

    Re: Firewall Vulnerability

    Well, I got several answers here, but none of them seem definitive.
    I am more concerned about incoming threats, because of the risk of worms or rootkits being installed without my knowledge and my computer being used as a zombie by some hacker.
    With NAV, for example, I use Live Update every day, so if some traffic comes in with the same ID as NAV Live Update how does Zone Alarm know it's not really from Symantec?
    Some have mentioned checksums, but it seems like an expert hacker could easily find the real checksum and duplicate it.

    Also, spyware is downloaded to our computers every day and ZA never complains.
    Even such a banal site as TV Guide puts 2 or 3 pieces of spyware on my computer without my permission or knowledge.
    I've also heard that you don't even have to visit a web site or open an e-mail to get hit with a virus or worm.
    I use Ad-Aware and Spybot Search & Destroy both and remove a lot of junk every day.
    I also tried the Microsoft one, but it doesn't seem to catch as much as the free ones.

    When I get a program update from NAV I am asked to re-boot and then when NAV accesses the Internet the next time ZA tells me that it has changed and I allow the new version.
    If someone was watching my traffic for a while they might sneak in before the real NAV update and put a modified version in place.

    One reply suggested 3 sites to try to check my computer for malware, but it was labeled "Use at your own risk".
    Gosh, it seems that being on the net is risky enough - I don't need any more risks.
    Does anyone know any trusted sites that will check my computer without risk to me?

    I'm about ready to give up the Internet <Arrrrgh>.

    Thanks for the help.

    Brad

  8. #8
    kkken Guest

    Re: Firewall Vulnerability

    > I am more concerned about incoming threats

    Okay, that clarifies things. I thought it was worth asking, because the example of NAV is largely outbound activity, the way I see it. (The LiveUpdate modules open a port connection to an IP address at Symantec, send their ID and status, and ask for data--which isn't a lot different than your Web browser getting words and graphics to display from a Web site--and of course you trust Symantec's programs and data.)

    FrereOP's last reply is a good read. In that light, the embedded help on the ZASS Program Control > Custom dialog box says that component control and Advanced Program Control are designed to prevent malicious programs from hijacking trusted programs. So, bradgm, coming back to your original question, your friend is probably right as far as basic firewalls go--but I think your friend was talking about outbound activity--and that would explain why Zone Labs paid its researchers and programmers to come up with ZASS.

    This would be a good place for a forum guru to pick up where FrereOP left off, and explain whether the classic firewall concept is nothing but a false sense of security nowadays. If, as bradgm supposes, someone can monitor your computer, detect an open port connected to Symantec, and do some other Hollywood tricks, can he/she masquerade as Symantec and break in?

    Message edited by Kkken on 02-22-2006 08:45 AM

  9. #9
    Join Date: Mar 2004
    Location: Brisbane, Australia
    Posts: 645

    Re: Firewall Vulnerability

    Just because a port is open doesn't mean anybody can get inside your computer. An open port in itself is NOT a security risk, just more of a security risk.

    The biggest problem with downloading updates is that they can get compromised between Symantec and your PC, i.e. the downloads could be substituted en route with malicious update code (remember the movie "The Sting"? It's exactly the same principle). Hopefully the connection to the Symantec server is encrypted, and the MD5 hash of the downloaded component calculated after receipt is checked against the MD5 hash stored at Symantec for that component. Even then that's no guarantee.

    For a REALLY good read on just this sort of &quot;substitution&quot; risk, check out the background information that comes in the PGP package.
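
    The substitution risk in #9, and why the post's "even then that's no guarantee" holds, as an added example in Python that is not Symantec's or ZoneAlarm's code. The vendor, the attacker sitting between vendor and PC, and the client are all constructed in-process; nothing touches the network. It compares three ways a client can check an update after receipt: a hash read from a manifest that arrived over the same channel as the download (the attacker simply rewrites it), a hash pinned in the client out of band, and a manifest carrying an authentication tag the attacker cannot recompute. The tag uses HMAC with a key shared between vendor and client purely because that needs only the standard library; a real updater uses an asymmetric signature (RSA, ECDSA or Ed25519), where clients hold only the public key, and the property demonstrated is the same: the attacker cannot produce a valid tag for the substituted bytes. The key and payloads are constructed values.

```python
"""Update substitution: in-band hash vs pinned hash vs authenticated manifest.

Added example; not vendor code. Simulates the man-in-the-middle swap from the
post and shows which post-download checks actually notice it.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Vendor:
    """Publishes an update plus a manifest naming its SHA-256, and tags the
    manifest with a key the attacker does not hold (constructed assumption)."""

    def __init__(self, payload: bytes, signing_key: bytes):
        self.payload = payload
        self.signing_key = signing_key

    def serve(self):
        manifest = {"sha256": sha256_hex(self.payload)}
        body = json.dumps(manifest, sort_keys=True).encode()
        tag = hmac.new(self.signing_key, body, hashlib.sha256).hexdigest()
        return self.payload, body, tag


def mitm_substitute(payload, manifest_body, tag, evil: bytes):
    """Attacker on the path swaps the payload and rewrites the manifest hash
    to match it. The tag is passed through unchanged: without the key there is
    no way to compute a fresh one over the forged manifest."""
    forged = {"sha256": sha256_hex(evil)}
    return evil, json.dumps(forged, sort_keys=True).encode(), tag


def verify_inband_hash(payload, manifest_body):
    """Check the download against a hash that travelled the same channel."""
    return sha256_hex(payload) == json.loads(manifest_body)["sha256"]


def verify_pinned_hash(payload, pinned_sha256):
    """Check the download against a hash the client already held."""
    return sha256_hex(payload) == pinned_sha256


def verify_authenticated_manifest(payload, manifest_body, tag, verify_key):
    """First prove the manifest is the vendor's, then trust the hash in it."""
    expected = hmac.new(verify_key, manifest_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    return verify_inband_hash(payload, manifest_body)


def run_scenario(attacked: bool):
    """Return the verdict of each check, with or without the attacker in the path."""
    key = b"vendor-signing-key (constructed)"
    vendor = Vendor(b"LiveUpdate definitions v1 (constructed)", key)
    # Pinned value obtained out of band, e.g. shipped inside a previously
    # verified package rather than fetched alongside the update.
    pinned = sha256_hex(vendor.payload)

    payload, body, tag = vendor.serve()
    if attacked:
        payload, body, tag = mitm_substitute(
            payload, body, tag, b"trojanised update (constructed)")

    return {
        "inband_hash": verify_inband_hash(payload, body),
        "pinned_hash": verify_pinned_hash(payload, pinned),
        "authenticated_manifest": verify_authenticated_manifest(payload, body, tag, key),
    }


if __name__ == "__main__":
    print("clean:   ", run_scenario(attacked=False))
    print("attacked:", run_scenario(attacked=True))
```

    Under attack the in-band check still reports True: the attacker controlled both the bytes and the hash they were compared against, which is the gap the post is pointing at. The pinned hash and the authenticated manifest both report False. Note that an encrypted connection defends against this only to the extent the client verifies it is really talking to the vendor; an encrypted channel to an attacker who has inserted himself is no better than a plaintext one.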
