LnS & LSP Trojans
October 3rd, 2003, 02:52 PM
Currently, a lot of trojan coders try to develop an LSP trojan.
LSP trojans are trojans which work as a Winsock LSP (layered service provider). See here ( http://air.knu.ac.kr/reference/COM/layeredservicetop.htm ) for background information.
The idea is to tunnel firewalls. Can this work? I thought most modern firewalls would already support the filtering of low level drivers. Will LnS stop LSP trojans?
Thx for any information.
October 5th, 2003, 07:07 AM
The Look ‘n’ Stop Personal Firewall (Pro) version has NDIS & TDI level filtering, so to answer your question: yes, Look ‘n’ Stop has the capability to stop LSP Trojans… ;D
October 6th, 2003, 01:43 PM
Article from Eyal Dotan (VB, June 2003), excerpt:
"Another way of performing PIDF [Ann.: Process ID Falsification] is through a layer called WinSock's Service Provider Interface (SPI). SPI, also called LSP (Layered Service Provider), is an interface for hooking all socket operations within the system. In other words, whenever any program accesses the Internet, the SPI hook (the Trojan's DLL in this case) is called as if it were loaded by that program. Any I/O request that is performed from within the SPI hook will be seen by the system (and by the personal firewall) as having come from the legitimate program that initiated an Internet operation. So, in addition to falsifying process IDs, SPI allows the Trojan to be launched at the machine's startup, with no easily detectable traces. Neither does SPI execute any process - SPI is merely a DLL that is loaded by any and all trusted Internet programs on the machine. Hence, it is not visible in the task list either."
I would guess that's something System Safety Monitor or Tiny Personal Firewall's sandbox will have to take care of ...