> I suppose a simple defense for "personal firewall" vendors against this sort
> of thing would be to use hard-to-guess window titles for their popups...

Hello,

This simple defense may not be enough, as there are ways to find out the names of all "child" windows belonging to a specific process.

Regards,
Andrzej

Internet Mail Message
Received from host: [205.206.231.26]

From: Michael Wojcik <Michael.Wojcikat_private> on 08/11/2003 07:24 PM GMT

Michael Wojcik <Michael.Wojcikat_private>
08/11/2003 03:24 PM

To: vuln-devat_private
Cc: (bcc: Andrzej Nowak-A/PGI)
Subject: RE: Bug in Norton FireWall 2003

> From: Boy Bear [mailto:eyal067at_private]
> Sent: Saturday, August 09, 2003 4:12 AM
>
>
> The Bug factor so lamb Firewall "ignored" from Trojan.
>
> The Trojan than himself in Firewall and so the actually Trojan worker
> without disturbance the of Firewall.

Ah, machine translation.

A cursory glance through the VB source [see original message] suggests that the proposed exploit is to have a trojan recognize the firewall pop-up asking if the trojan should be permitted network access, and spoof the user input to grant it. Simple enough.

There appears to be a bug in the included source:

> Private Sub wHideShow(HideShow As Boolean)
>
>     Dim hwnd As Long
>     hwnd = FindWindow(vbNullString, "Norton Personal Firewall")
>     'if not found then..
>     If hwnd = 0 Then
>         Exit Sub
>     End If
>     'if not hidden - hide, else - show
>     If HideShow Then
>         ShowWindow hwnd, SW_SHOW
>     Else
>         ShowWindow hwnd, SW_SHOW
>     End If
>
> End Sub

Presumably one of "SW_SHOW" should be "SW_HIDE". Since wHideShow is never used by the program, and "HideShow" is not exactly a meaningful parameter name, it's hard to guess which. Then again, since wHideShow is never used, it doesn't really matter.

I suppose a simple defense for "personal firewall" vendors against this sort of thing would be to use hard-to-guess window titles for their popups...

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus
This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 15:08:38 PDT