Firewall Killer - AntiSec


WE Sim
April 8th, 2002, 01:24 PM
Hi!

Not sure whether this issue was discussed here. If not, take a look at the software here:

AntiSec disarms firewall and similar anti-intrusion programs while leaving the programs' icons in place as if protection was in force, thus allowing snooping programs access to computers without the owners knowing.

http://cryptome.org/dirty-antisec.htm

This issue is also currently being discussed under grc.security.software

Mr.Blaze
April 8th, 2002, 02:03 PM
Ahhhhhhhhhhhhhh emergency emergency panic panic Anarchy anarchy Blaze run around in circles.

I knew I wasn't tripping the other day: I went to a bad site and my Zone Alarm said TrueVector disabled, and ZA Pro told me to reboot my system, and the logo was a big red box with a yellow X.

But it was only temporary.

What you're talking about is a ZA KILLER, RIGHT?

Panic panic=(

Mr.Blaze
April 8th, 2002, 02:04 PM
ughhhhhhhhhhh

WE Sim
April 8th, 2002, 02:16 PM
Hi MRBLAZE!

The software not only disables ZA but the following firewalls/IDS programs as well:

Boshield.ico
Esafe.ico
cyberwall.ico
Atguard1.ico
Blackice.ico
zonealarm.ico
lockdown2000.ico
neverhack.ico
Jammer1.ico
eTrust Intrusion Detection.ico

Mr.Blaze
April 8th, 2002, 02:22 PM
Well, what are they doing about it? Gulp =(

Any news? Any real feedback? Does that include the latest Zone Alarm Pro 3020?

Blaze grabs WE Sim's T-shirt: d.a.m.n it, man, tell me, tell me, hysterically.

spy1
April 8th, 2002, 02:27 PM
I'd regard anything that's coming from Codex with a grain of salt until we get some hard info on the actual capabilities of the program. I'm heading over to GRC and DSL to catch up on what's been written. Later. Pete

Mr.Blaze
April 8th, 2002, 02:40 PM
Spy1 will sneak in and get the lowdown on those mofos. Good luck, spy1.

FanJ
April 8th, 2002, 05:47 PM
I have not read it yet, so my thoughts might be premature (!), but I would be surprised if a good AT wouldn't protect you against such a thing....
Well, let's see.

Mr.Blaze
April 8th, 2002, 05:52 PM
lol, that would suck: you get ZA Pro and all firewalls are obsolete 'cause some guy made that firewall killer.

Blacksheep
April 8th, 2002, 09:36 PM
{QUOTE-> Hi MRBLAZE!

The software not only disables ZA but the following firewalls/IDS programs as well:

Boshield.ico
Esafe.ico
cyberwall.ico
Atguard1.ico
Blackice.ico
zonealarm.ico
lockdown2000.ico
neverhack.ico
Jammer1.ico
eTrust Intrusion Detection.ico <-QUOTE}
I don't see SPF Pro 5 on that list - it has TerminateProcess protection.

Paul Wilders
April 8th, 2002, 10:08 PM
A TerminateProcess API Call is IMHO not the smartest way to "deal" with security apps. There are far more sophisticated ways to put these out of business.

Nevertheless, these nasties should be databased - and in the meantime they are.

regards.

paul

Mr.Blaze
April 8th, 2002, 11:15 PM
Blast it man we need insight

Ring the bells, all paranoid newbies, head for the hills, grab your women and children.

Blaze shows up in Celt blue face and dress: they may take our land but they will never take our freedom.

anybody else feel a cold breeze?=)

Paul Wilders
April 8th, 2002, 11:52 PM
{QUOTE-> anybody else feel a cold breeze?=) <-QUOTE}

As a matter of fact: I do. It's the climate over here :-[

Simply put, Sir Blaze: such an API call would terminate an app - and most apps will notice, thus so will you. No fun, but easily detectable. Scan and clean your system, and in principle your system should be clean. Changing an app would be much more to fear: the icon could be up - although in reality it wouldn't run. For that reason, an MD5 checksum (or at least CRC32) is a necessity: one would be alerted as soon as the checksum was altered.

(sophisticated variants are possible - but let's stick to the essence).

regards.

paul

snowman
April 9th, 2002, 06:34 AM
I'll wait to see what the experts have to say.....right now this thing doesn't seem very impressive to me........a process ender?? or so it would seem.

don't think I'll be losing any sleep over this.

MR BLAZE

hope you are enjoying your very brand new firewall........there was a recent update....you are aware of it, huh? I am not sure but I think it was a patch for the e-mail feature.........not really sure

spy1
April 9th, 2002, 09:50 AM
The general consensus on other forums seems to be that its threat is minimal.

While the program claims to have shut down such-and-such a firewall when run, in many reported cases it actually hadn't - in the cases where it did, simply re-starting the app worked.

If you're running something like ZA, and using the DeskBand, it'll be instantly apparent if the icon's been replaced (you won't see activity on the bar while you're online anymore when you're surfing).

I wonder why more programs don't have a feature like that? And why it's seemingly so hard for the firewall manufacturers to include a feature that severs your Internet connection instantly if your firewall goes down while you're online? (It seems to me a small, separate program could be included which would constantly monitor two conditions - are you (a) online and (b) is the firewall up and running. If (a) is true and (b) is false, it would instantly cut your connection and throw up a box asking you to re-start your firewall.) Pete

FanJ
April 9th, 2002, 11:34 AM
{QUOTE-> (It seems to me a small, separate program could be included which would constantly monitor two conditions - are you (a) online and (b) is the firewall up and running. If (a) is true and (b) is false, it would instantly cut your connection and throw up a box asking you to re-start your firewall.) Pete <-QUOTE}

But that extra program could also be put out of control.
So it still would be a good idea to have a good resident running AT.

spy1
April 9th, 2002, 12:08 PM
Resident running ATs are targeted by the same kinds of exploits. They should have the same feature included.

As I said, this small program would be separate from whatever the parent program is, and one of the requirements of using it would be to re-name it to something of your choice (thus making it secure from dis-abling - it can't be shut down if malware doesn't know what its path is).

Where's javacool at - I bet he could design a program that would do this himself (you could have a 'fill-in-the-blank' feature for whatever program you're trying to cover with it). Pete

Paul Wilders
April 9th, 2002, 12:40 PM
Sorry to say, but it's just a part of the Windows design. A TerminateProcess API Call is in use for ending all running apps - that call is used whenever you close any running program.

Thus, it can be called by any - in this case nasty - executable you will install, a trojan server for example. No way around that.

regards,

paul

snowman
April 9th, 2002, 03:22 PM
TerminateProcess? isn't that the same or very near the same as using Alt+Ctrl+Delete?

on my OS if/when using Alt+Ctrl+Delete a warning window will automatically appear stating that all unsaved information will be lost if I continue.......and then there is an option to make a choice.

I am not certain but isn't this the same way with Win2000 and XP?

Pete we have near the same OSs.....is that how yours works?

so as I don't have a false sense of security.....if this is not the case it's appreciated if someone advised.

thankingya all

Mr.Blaze
April 9th, 2002, 03:37 PM
{SNOWMAN} hope you are enjoying your very brand new firewall........there was a recent update....you are aware of it, huh? I am not sure but I think it was a patch for the e-mail feature.........not really sure

WHERE IS THIS PATCH LOL

spy1
April 9th, 2002, 03:43 PM
mr.blaze - Use the 'Check for Updates' feature in ZA.

Helpful hint - It's probably not a good idea to mock the way other people write - if it hasn't crossed your mind, that could, definitely, back-fire on you. Pete

Mr.Blaze
April 9th, 2002, 03:52 PM
LOL =) What on God's earth are you talking about? Mock? I use cut and paste, lol. I'd be the last person to mock someone, ROTFL LMAO. Have you seen my spelling?

I'm worse than anyone here, lol =)

I think you better go back and read snowman's posts ; lol

Yes, I looked at updates already; it says there are none. I have the most current version =)

So where is the patch, or don't I need one?

spy1
April 9th, 2002, 04:09 PM
snowman - No, I think it refers to whatever happens when you close any program using the program itself, not C/A/D. Like clicking the 'x' in the upper right-hand corner of the screen while you're in your browser.

I'm not expressing myself well on my idea, apparently.

Last shot: I'm running Program X resident in SYSTRAY, and it's in my start-up.

I want to be instantly notified if Program X goes down - for whatever reason.

The makers of Program X (being the nice, customer-responsive guys that they are), provide me with a small separate d/l (which is either tied into an existing process monitor on my computer or contains one of its own). All that small program does is monitor the two conditions I noted before - (a) is the computer connected to the Internet (b) is Program X a running process. If the small program (or separate module) sees that the indicated program has shut down, and the computer is still on the Internet, it instantly throws up a screen asking you if you wish to re-start the program while at the same time cutting your Internet connection. As I said before, you would have to re-name the module with the name of your choice to keep it from being terminated by any outside source - and seeing as how it's a separate d/l, those who didn't wish to make use of it wouldn't have to d/l or use it.

I really do not understand why this wouldn't work, so someone please explain it to me. Okay? Pete
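
Pete's two-condition watchdog, combined with Paul's earlier checksum point, written out as a policy sketch. This is example code added here; it is not code from anyone in the thread or from any of the products named, and the process name, path, sample task list and "firewall image" bytes are placeholders constructed for the demo.

```python
"""Watchdog sketch for the check proposed in the thread: (a) is the machine
online, (b) is the security app's process running, plus the checksum idea for
catching a swapped binary whose tray icon is still up. Getters are injected so
the policy runs and can be tested offline."""
import hashlib

# Placeholders: a real deployment names the protected app's image and records
# the baseline hash on a machine known to be clean.
PROTECTED_PROCESS = "vsmon.exe"            # the ZA service the quoted posting says is hit first
PROTECTED_EXE = r"C:\placeholder\vsmon.exe"  # placeholder path, not read in this demo


def fingerprint(image: bytes) -> str:
    """Checksum of the on-disk executable. The thread suggests MD5 or CRC32;
    SHA-256 is used here as the modern substitute."""
    return hashlib.sha256(image).hexdigest()


def process_running(name: str, image_names) -> bool:
    """Case-insensitive match against a list of running image names, e.g. the
    first column of Windows 'tasklist' output."""
    wanted = name.strip().lower()
    return any(p.strip().lower() == wanted for p in image_names)


def assess(online: bool, running: bool, current_hash: str, baseline_hash: str) -> str:
    """Apply the rule from the thread. A checksum mismatch wins over 'running',
    because a replaced binary can keep the icon up while protecting nothing."""
    if current_hash != baseline_hash:
        return "tampered"
    if running:
        return "ok"
    return "down_online" if online else "down_offline"


def respond(verdict: str) -> list:
    """Defender actions per verdict, returned as names so the policy can be
    inspected without touching the network or the process table."""
    return {
        "ok": [],
        "down_offline": ["prompt_restart"],
        "down_online": ["disconnect", "prompt_restart"],
        # a killed app can be restarted; a tampered one means the box is
        # infected, which the thread argues must be cleaned first
        "tampered": ["disconnect", "prompt_clean_system"],
    }[verdict]


def watch_once(get_online, get_image_names, read_exe, baseline_hash):
    """One poll: gather the facts through injected callables and return
    (verdict, actions). The watchdog is itself an ordinary process and, as the
    thread observes, can be terminated the same way as the app it guards."""
    running = process_running(PROTECTED_PROCESS, get_image_names())
    verdict = assess(get_online(), running, fingerprint(read_exe()), baseline_hash)
    return verdict, respond(verdict)


if __name__ == "__main__":
    # Constructed sample: online, firewall service missing from the task list.
    clean_image = b"MZ...constructed firewall image..."
    baseline = fingerprint(clean_image)
    sample_tasklist = ["System", "explorer.exe", "zonealarm.exe"]  # vsmon.exe absent
    print(watch_once(lambda: True, lambda: sample_tasklist, lambda: clean_image, baseline))
    # → ('down_online', ['disconnect', 'prompt_restart'])
```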

snowman
April 9th, 2002, 05:35 PM
Pete

you explained yourself very well......and your idea sounds super great........I'll be watching to see if such a program is made available.

actually,, seems I mistakenly thought that a warning would be displayed if any process was being terminated by way of the terminate process feature....and I appreciate your guidance..thanks

P.S.

if by chance it somehow appeared that it was me who was mocking how someone writes......I definitely did not intend to do so......and offer an apology if it appeared as such............never would I intentionally do such a thing..........and Pete I am grateful to you for pointing this out. I type poorly.....and rarely check for mis-spelling......a bad combination.........

snowman
April 9th, 2002, 05:47 PM
http://www.edvicesecurity.com/ad02-02.htm

Mr Blaze

the above url is the info I was referring to......and as Pete said......the updater should dl any patches...to be honest I may have spoken too soon and a patch has not been made as yet......my apology if such is the case,,, from one of your other posts I was aware that you had un-checked "check for update" and I just wanted to make sure you were being fully protected.

Paul Wilders
April 9th, 2002, 05:56 PM
Pete,

If I understand you correctly, your question isn't that much about the TerminateProcess API call, but about how software should act in case such a call was made by a malicious nastie.

If my memory serves me well, ZA, BOClean and some others do have a module implemented doing exactly what you asked for, and TDS4 will have such a module. Ideally, such a module would not be related directly to the Windows kernel; nasties can run parallel to or under the Windows stack. If only MSoft would not declare the kernel totally "off limits" it would be much easier to cope with all this. Several requests have been made for that - to no avail.

Renaming such a module seems a technical impossibility to me at first glance.

Nevertheless, the ultimate conclusion stands: if something malicious would kill the .exe, one should be sure to clean one's system first.

Sophisticated nasties are capable of recreating themselves (trojan servers) within say a 5 second interval - or of "melting". This struggle is far from over yet IMHO.

Being noticed surely is a nice asset - nevertheless, fact remains one deals with an infected system at that time. Coping with the infection should have number 1 priority.

regards.

paul

snowman
April 9th, 2002, 06:20 PM
Paul

please excuse me.....I am rather struggling to fully comprehend the real danger of this particular exploit....

reason being......perhaps you may recall that ZA was a target of this type of exploit in the not so far past......and at the time a third party provided a patch....later ZA provided a new version that could not be exploited in this manner..............and here is where I am confused.........the first exploit (patched) was a remote terminate process.........the now exploit.....and correct me if I'm mistaken.....is a trojan type that would need to be installed............nevertheless...the terminate process patch should work in either case.....

Paul Wilders
April 9th, 2002, 06:54 PM
snowman,

This exploit is no more dangerous than a CTRL+ALT+DEL. It successfully terminates the targeted running app - no more, no less. The app is not being put out of business for good at all.

Guess you are referring to the ZA Mutex Patch - a nice and necessary patch - at least at that time. Many still apply this patch.

I agree with your conclusion: in the end it comes down to this TP Call. As long as the fact such a call happens and the .exe is shut down will be known in any way to the system user, IMHO it's no big deal - on the contrary: I consider it (from a black hat side) a dumb move: alerting a system user something is fooling with his system is the best way to make sure to take care of it.

Bottom line: IMHO this one is kid stuff. Anyone not being asleep (and keeping his security apps updated) should not worry that much.

regards.

paul

snowman
April 9th, 2002, 07:10 PM
Paul

thank you....I realize the value of your time and appreciate your reply.

yes the mutex patch was the one I had in mind....I didn't know it was still obtainable.

I had a feeling that you might grade this exploit along the lines that you did......and it's taken as a valued opinion........and again..thanks

snowman

Paul Wilders
April 9th, 2002, 07:20 PM
My pleasure, snowman ;).

regards.

paul

Mr.Blaze
April 9th, 2002, 09:52 PM
THXS snowman and Paul =)

Now I can sleep tight, cuddled with my rocket launcher.

linney
April 10th, 2002, 03:35 AM
Some background here on the Author of Antisec, and other information.

http://forums.zdnet.com/group/zd.Security.Virus.Alerts/cnet/cnetnt.tpt/@thread@23733@F@1@D-,D@ALL/@article@mark@23733?EXP=ALL&VWM=&ROS=&OC=300

Mr.Blaze
April 10th, 2002, 01:14 PM
Blaze pulls out 36mm 6-shot rotary multi-launcher =) Lock and load, baby.

These mofos going down.

Mass clicking sounds in the background =) =) =) =) =) =).

Bunch of little eyes begin to rise from the shadows, lol.

Checkout;
April 10th, 2002, 04:11 PM
Blaze, to paraphrase Bing Crosby:

Wiredniss becom yuo,
it go wiht you hiar...

:) :) :) ;)

FanJ
April 11th, 2002, 12:25 PM
I saw AntiSec is in the database of BOClean and TDS-3, and I just read in an update notice by Paul W. that it is also in the database of TrojanHunter.

Mr.Blaze
April 11th, 2002, 12:43 PM
I'm protected, I'm protected, nah nah nah nah, lol =)

Blacksheep
April 11th, 2002, 01:51 PM
{QUOTE-> snowman,

This exploit is no more dangerous than a CTRL+ALT+DEL. It successfully terminates the targeted running app - no more, no less. The app is not being put out of business for good at all.

Guess you are referring to the ZA Mutex Patch - a nice and necessary patch - at least at that time. Many still apply this patch.

I agree with your conclusion: in the end it comes down to this TP Call. As long as the fact such a call happens and the .exe is shut down will be known in any way to the system user, IMHO it's no big deal - on the contrary: I consider it (from a black hat side) a dumb move: alerting a system user something is fooling with his system is the best way to make sure to take care of it.

Bottom line: IMHO this one is kid stuff. Anyone not being asleep (and keeping his security apps updated) should not worry that much.

regards.

paul <-QUOTE}
I believe that Bionet can corrupt and put security software out of business.

http://www.nsclean.com/psc-bionet.html

See SYNOPSIS:

Paul Wilders
April 11th, 2002, 08:10 PM
Hi blacksheep,

If my memory serves me well, we did provide that first copy to PSC/BOClean ;).

IMHO it's not the question if a security app can be put out of business: many, many nasties do have similar abilities. Question is:

- can/will this be notified by design by the security software in question;

- if so, is it possible to clean a system and (if necessary) start using the security software.

IMO that's confirmative in regard to both.

regards,

paul

FanJ
April 11th, 2002, 08:12 PM
Paul was talking about the TerminateProcess() function.
Kevin McAleavey (the creator of BOClean) made a very interesting posting at GRC.Security.Software in a thread called "Strange backdoor.trojan behavior".
https://grc.com/x/news.exe?cmd=article&group=grc.security.software&item=56531&utag=

-begin quote-

Let's fire up the wayback machine to March 22, 2001 when we posted a
report on our site regarding a specific trojan that exploited the
TerminateProcess() function on EVERY major antivirus and firewall in
existence ... please note in particular the THIRD paragraph down:

http://www.nsclean.com/psc-bion.html (Bionet 3.13)

and then the list beneath that of what it took out. You could also add to
the list if you knew the specific programs to target. VSMON would get
yanked first, then the ZA GUI. Same for "watchdogs" employed by other
software to protect the main program.

Since BioNet, hundreds of other trojans incorporated this "ability" to
take out all sorts of programs, most notably "MoSucker" which went beyond
the original "one-shot" of BioNet and would keep nailing the various
programs every second. Whereas with BioNet, you could restart the programs
affected (if they weren't rendered corrupt) and hopefully nail them.
MoSucker and a number of others however would keep whacking the security
software and take it out before it even had a chance to get started, much
less get to work. Fortunately, most of the hundreds of trojans designed to
take out security software are VERY poorly written and don't work. However
this OLD NEWS issue was what forced us to redesign BOClean 4.07 into
BOClean 4.08 last year in order to do as much as possible to prevent it
since our previous separate "watchdog" program was just as exposed as
BOClean itself was at the time.

What the DIRT thing shows is old news. Nailing security programs with
TerminateProcess actually goes back a couple of years now but BioNet
actually made it push button easy which is why we made note of it in the
report last year.

The REAL PROBLEM however isn't in the security programs, the problem is
Microsoft's DELIBERATE DESIGN. THERE IS NO SOLUTION FOR TERMINATEPROCESS other than having Microsoft put up a "Kill? Y/N" box before the kernel's TerminateProcess() function pulls the rug out. Nobody but Microsoft can fix this and they have consistently, irrevocably REFUSED to do so. We've been after them for years about this ourselves as have been many others to no avail.

========================
<snip>
========================

What's going on is a truly bad design and while the discussion has
centered on blaming the various security companies for the problem when
it's really Microsoft's fault (although all of us have done our utmost to
circumvent this as best as we can) there IS NO SOLUTION until Microsoft is
made to deal with this. I'd encourage folks to make the point to Microsoft
personally here.

<snip>

If Microsoft could be encouraged to do this, you could STILL hit YES on a
hung program to kill it, but more importantly if malware decided to kill
your firewall, you could let the box sit there while you determined WHY
the box appeared and then decide Yes or No to the box ... but in the
ongoing debate here, this whole point of where the ACTUAL fault lies has
been completely ignored.

Needless to say, I've been getting squatola done on my end here with all
the questions pertaining to this dirtbag parlor trick. Real trojans today
have that capability and they have had it for well over two years now.
Anyone want to get Microsoft interested in fixing THIS hole? It's not like
it's not been noticed or is a new one.

-end quote-

Paul Wilders
April 11th, 2002, 08:21 PM
As I posted on the 9th:

{QUOTE-> If only MSoft would not declare the kernel totally "off limits" it would be much easier to cope with all this. Several requests have been made for that - to no avail. <-QUOTE}

This is common knowledge btw; most security software designers have fully agreed on this in regard to these nasties for ages (and Kevin/PSC knows!).

For the record: the above-mentioned analysis is not related to the latest version of Bionet - although the principle stays the same.

regards.

paul

snowman
April 11th, 2002, 09:18 PM
The Principle Stays The Same

although Paul says it much better than I could ever hope to.....this was what I was pointing to when
making my inquiry......

not being a programmer/coder..nor a security expert..I would dare not be so foolish as to be judgemental of the capabilities of any virus/trojan...and would instead heed the advice/opinions of those who are really capable and knowledgeable in this field...

there is evidence that this type of exploit has been around awhile (other like trojans) ......and my personal thoughts on this particular trojan is that it's fourth rate...and isn't going to cause the sky to fall. But what I think isn't important.....it's what people in the security community who do their jobs to earn their livelihood whose opinions should be taken seriously.

will I lose sleep over this exploit...hardly....will I tremble with fear when using my computer because this exploit is in the wild.......the only trembles will be from not having my morning coffee.....none other.

this issue has been in the face of M$ for years...one among many.

countless hours are spent by computer users around the world trying to protect themselves from exploits that should be the responsibility of M$.......and the people in the security community have sleepless nights trying to provide tools to assist users in their ongoing struggle........

I am not going to keep a glass of water nearby to pour over my cpu/monitor in case this exploit should hit my computer.......in fact I consider Brilliant to be a far worse threat.....

my humble lil opinion

snowman

Blacksheep
April 11th, 2002, 11:47 PM
Thanks FanJ and Paul,

Yes I was aware the TerminateProcess problem is an OS flaw and old news. The trojan coder vs AT coder, virus coder vs AV coder = coder wars with not much help from MS.