Results 1 to 2 of 2

Thread: Process infection risk?

  1. #1
    no_fear Guest

    Default Process infection risk?

    Hello there fellow form members and staff,

    While reading up upon some IT info I had stumbled upon something very concerning. It would seem that the application control function of certain Zone Labs products is vulnerable to process injection. Being previously advised and reading this article (http://www.neworder.box.sk/news/15192) I have to question how susceptible my Zone Alarm fire wall is and if something has been done/ is being done about this. If any additional configuration is need, feel free to provide instructions.

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:7.0

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Default Re: Process infection risk?

    Hi No_Fear

    The ZA does offer .dll injection protection, startup control and new installs control and some vital regions of both the registry and the services. Certain aspects of the actual memory are watched by the ZA.

    A better source of vulnerabilities for the ZA, actually for many software, is found at securityfocus or here:

    http://www.securityfocus.com/bid

    This site is well recognized and well established with a respectable name.

    There is mention of the API hooking, but the ZA is deeply connected to the lower kernel of the OS, not just API hooking. Some fw's with a hook into the API can be easily avoided by more sophisticated trojans/malware. In general only simple packet filters operate with just an API or a hook into the actual stack.

    As far as checksums are concerned, the ZA does do the MD-5 and SHA256. Almost any worthwhile firewall in the past has perfromed MD-5. The correct checksums perfromed by any fw does prevent process infections and the subsequent "Hi-Jack" of the infected application to actual internet access.

    The winstack inspection should be part of a regular security "check up" for any user. Some security applications list the LSP as pasrt of their regular features- SSM, AutoRuns and Ewido are some that I know of. Plus the LSP is easily seen in the System information of the windows OS. Just running a simple scan from LSP Repair can help. In the past trojan/malware such as newdotcom inserted itself into the stack and thwarted very scanner that was used at the time. The actual winsock .dll 's should be checked from time to time as part of a good maintenace. This can also be done in the System Information of the OS or just by checking the usual locations.

    The author's report is somewhat out-dated, by at least two years or so. The best I can see is that the vulnerabilities are too crude or "have been" and no longer exist for a sophisticated firewall such as the ZA or Outpost or others. But users do take chances with any of the freeware versions from a vendor or by using the freebies offered from companies. The free software never reaches the expectation of the free offering of that companies or can offer the same security of the paid versions offered by the vendors.

    There are more sophisticated methods of defeating firewalls.

    Toolbars installed in browser have free range/access to the internet- inthappens if the user just allows the internet access for the browser or has never limited the outbound IP's allowed for the browser. In some ways a simple packet filter and just a basic list of allowed external IP's will beat this vulnerability.

    Trojans / malware that insert their own driver into the winstack can often beat firewalls. But the AV will ususlly detect some associated abnormalities and the scan results will show there is an infection and the removal of the infections will include cleaning the winstack.

    Virtual drivers created by trojans/rootkits are a serious threat. Very hard to detect and very hard to remove. The firewall never sees these and they easily avoid any control of the software firewall. Any type of hooking into the lower kernel by malware is a very serious threat. Rootkit scanners from sysinternals (now microsoft) or the freeware versions from the AV vendors are recommended. Plus some AV such as Kaspersky or AntiVir or Symantec or NOD32 or F-SEcure and others offer rootkit detection or scanning in their usual AV security software.
    There are more sophisticated detectors and "fixers" such as RKU and GMER- both very intense and time consuming.

    Virtual winstack created by trojans/rootkits are a serious threat. Very hard to detect and very hard to remove. The firewall never sees these and they easily avoid any control of the software firewall. Again the security approach for the virtual drivers applies to this problem.

    But as an aside, it is hard for a user to get a rootkit installed in the PC in the first place. Most times it does happen, the user must actual go out of the usual path to get one of these.

    Safe hex, a software firewall, an updated antivirus and uodated OS will prevent and stop almost every form of malware.

    Oldsod

    Message Edited by Oldsod on 06-03-2007 08:12 AM
    Best regards.
    oldsod

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •