Re: Bypassing Personal Firewalls

From: Darwin (darwinat_private)
Date: Thu Feb 27 2003 - 21:08:12 PST


    ----- Original Message -----
    From: "xenophi1e" <oliver.laveryat_private>
    
    > This allows PFWs to be bypassed, as well as making it very easy to hide
    > running malicious code on a system. The example is a 'sploit that makes a
    > connection from within IE, and slips under the radar of all PFWs I've
    > tested.
    
    I'm currently using Kerio Personal Firewall v2.1.4 in Win XP SP1 and this
    firewall, at least, seems to block the connection.
    I had IE running, disabled all the firewall rules, and that's what showed in
    the log:
    
    23/Feb/2003 03:16:49   Internet Explorer   blocked; Out TCP;
    localhost:3332->205.206.231.12:80; Owner: C:\PROGRAM FILES\INTERNET
    EXPLORER\IEXPLORE.EXE
    
    Then it displayed a msgbox saying it can't connect to security focus.
    
    Indeed the connection appeared to come from IE, but apparently the firewall
    successfully blocked it.
    This really improved my impressions of the Kerio firewall, which were already
    good, as this version is free for home use,
    suggesting that the company has a concern for the Internet community that
    is becoming rare nowadays.
    
    This subject is of major importance for me as yesterday my IDS, Snort 1.9,
    detected unusual traffic going out from one of my computers.
    
    I could gracefully detect it because they were using unusual ports,
    myhost:2629, registered as sitaraserver, and 216.40.244.202:19638.
    All the traffic was securely encrypted, so I can't have an idea of what
    actually was sent to them.
    I went to 216.40.244.202:80, which redirected me to a secure administration
    site with a login form.
    From the logs I could read a repeated string that was sent at the beginning
    of each connection, which was a close match to the one I caught when trying
    to log in as user:test password:test and domain:test, so I'm almost sure it's
    the login info.
    
    Further investigation on my machine revealed the following spyware
    installed:
    
    * Brilliant Digital Entertainment;
    * Commonname;
    * Cydoor;
    * Downloadware;
    * Firstlook;
    * New.net;
    * Gator.
    
    It seems that all the pack is being delivered at once now.
    
    This spyware was revealed by Adaware. I had run Adaware earlier in the day,
    so the system was clean.
    No message showed asking for permission to install this stuff, so I guess
    it was automatically installed from some nasty site the user inadvertently
    went to.
    
    So it was installed with no permission, has no running processes showing,
    and almost surely hijacked IE for the connections (I detected a rule on the
    user machine allowing all connections from and to all ports owned by IE),
    and actually sent unknown stuff to this server.
    
    I reported the case to a legal counsellor and informed Everyone's Internet
    (which hasn't said anything to date, but it is the weekend, anyway.)
    
    What I can guess from all this is:
    
    1) This spyware is already using this kind of exploit
    2) This can be prevented using Kerio's PF v2.1.4
    
    I have all the IDS logs, the spyware actually installed, and registers of all
    the registry keys and objects used, so if someone wants to investigate this
    case further I can send this material.
    I would also appreciate comments on the subject (darwinat_private).
    
    Cheers,
    
    Paulo
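A small detector for the log layout quoted in the post, added here as an example and not part of the original message or of Kerio's software. It parses Kerio PFW 2.x style lines and flags permitted outbound connections owned by IEXPLORE.EXE to ports other than the usual web ports, which is the kind of traffic the author only noticed through Snort once a blanket "allow everything for IE" rule existed; the word "permitted" as the action token and the two sample lines other than the quoted one are constructed assumptions.

```python
import re

# Constructed sample in the Kerio PFW 2.x log layout quoted in the post. The first
# line is the post's own entry; the other two are constructed "permitted" lines
# modelled on the traffic the author describes (IE -> 216.40.244.202:19638).
# "permitted" as the action word is an assumption, not verified against Kerio.
SAMPLE_LOG = (
    "23/Feb/2003 03:16:49   Internet Explorer   blocked; Out TCP; "
    "localhost:3332->205.206.231.12:80; Owner: C:\\PROGRAM FILES\\INTERNET EXPLORER\\IEXPLORE.EXE\n"
    "24/Feb/2003 11:02:07   Internet Explorer   permitted; Out TCP; "
    "localhost:2629->216.40.244.202:19638; Owner: C:\\PROGRAM FILES\\INTERNET EXPLORER\\IEXPLORE.EXE\n"
    "24/Feb/2003 11:02:30   Internet Explorer   permitted; Out TCP; "
    "localhost:2630->205.206.231.12:443; Owner: C:\\PROGRAM FILES\\INTERNET EXPLORER\\IEXPLORE.EXE\n"
)

# date time <rule name> <action>; <dir> <proto>; src:port->dst:port; Owner: <path>
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+)\s+(?P<rule>.+?)\s+(?P<action>blocked|permitted); "
    r"(?P<direction>In|Out) (?P<proto>TCP|UDP); "
    r"(?P<src_host>[^:]+):(?P<src_port>\d+)->(?P<dst_host>[^:]+):(?P<dst_port>\d+); "
    r"Owner: (?P<owner>.+)$"
)

def parse_kerio_log(text):
    """Parse lines in the layout above into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["src_port"], e["dst_port"] = int(e["src_port"]), int(e["dst_port"])
            entries.append(e)
    return entries

def browser_non_web_connections(entries, web_ports=frozenset({80, 443})):
    """Permitted outbound connections owned by IE to a port that is not a web port.
    A blanket allow rule for IE lets such traffic through without any prompt, so
    this is the signal a host-level review of the log can still surface."""
    return [e for e in entries
            if e["action"] == "permitted" and e["direction"] == "Out"
            and e["owner"].upper().endswith("\\IEXPLORE.EXE")
            and e["dst_port"] not in web_ports]

if __name__ == "__main__":
    for e in browser_non_web_connections(parse_kerio_log(SAMPLE_LOG)):
        print(f"{e['date']} {e['time']} IE -> {e['dst_host']}:{e['dst_port']} "
              f"permitted by rule '{e['rule']}'")
```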
    



    This archive was generated by hypermail 2b30 : Fri Feb 28 2003 - 15:20:32 PST