PC AUDIT
MickeyTheMan
August 2nd, 2002, 09:59 PM
http://www.isa-llc.com/
"About pcAudit™
pcAudit™ is a free security evaluation program, for personal computers, developed by Internet Security Alliance, Inc.
How it works
pcAudit™ is a program developed to simulate an attack by a "hacker". To determine the status of security on this computer, pcAudit™ will try to send data from this computer to Internet Security Alliance's server. If successful it means you either do not have a security program installed, or your present program was ineffective in blocking the data sent from your computer to Internet Security Alliance's server (which it absolutely should have). In either case you have a security problem.
A little more technical
Our research shows that ".dll" files sending and receiving data, to and from the Internet, outnumber ".exe" files by a 2 to 1 margin.
Using a "dll" file as a "payload", pcAudit™ will test for vulnerabilities exploited by such notorious malicious programs as "Happy99" or recent "Sircam", overlooked by most personal and corporate firewalls.
System Requirements:
• Windows 95, 98, Millennium, NT/2000/XP;
• Intel Pentium 120 MHz or higher;
• 32 MB of RAM;
• 10 MB of available hard disk space;
• Internet Explorer 5 or higher;
• Active Internet connection"
This type of program represents a serious problem, as no firewall that I know of is yet able to defeat this test.
The program uses a dll to inject code into any other process able to access the net and will fly right through without your firewall being able to defeat it.
However, there is a way to handle it. If your proxy (you had better start using one, if you don't already) is able to use HIDE SYSTEM INFORMATION (user agent) then it will defeat the test from gathering info from your system and sending it out elsewhere. Naviscope does offer such protection.
This is how Naviscope handles the request/Send Headers:
http://mickeytheman.digitalrice.com/files/pcaudituseragent.png
I tested successfully against this test with Naviscope launched directly from the browser or linked to the pacfile (Spyblocker), as well as both with a firewall running or not.
I tested on Win98SE and Win2k platforms.
I advised Frédéric (LNS) of my findings, and rest assured that LNS will undoubtedly be the first firewall to incorporate measures to counteract such programs.
SKA
August 3rd, 2002, 12:18 AM
MTM, does Proxomitron have this same feature as Naviscope?
Tks
SKA
MickeyTheMan
August 3rd, 2002, 12:29 AM
I'm not sure about Proxomitron and Webwasher!
As I don't use them but Naviscope, I'm waiting for users to confirm or not whether the other 2 can handle that as well.
But it is a serious enough issue for everyone to start using a proxy that can, immediately, until firewalls can handle that type of exploit!
PC AUDIT is only the symptom of the type of exploits that could be used.
Until firewalls can handle this, I urge everyone to start using a proxy if you are not, and if the current one you use can't handle that test, then switch to Naviscope.
crockett
August 3rd, 2002, 01:34 AM
:P Hello Mickey;
Just tried the test on a machine equipped with WW. Not 100% sure if the WW configurations are properly set, but one thing is for sure - I got hacked. :P
Seems the same themes are gonna come back again, i.e. the ones which surfaced when (very useful) tests like tooleaky, firehole et al. first hit the web some time ago.
The best defence just seems to be to stop malicious kinds of such software from arriving on your machine in the first place [easier said than done!?].
However, SSM (first heard about this software from JacK... Link available on www.optimix.be.tf) is trying to tackle this kind of problem - but present versions are sometimes causing some configurations to freeze when harshly pushed. Seems to be on the right track, however.
Another piece of good news (also got it from optimix) is that the next version of Kerio Personal Firewall is gonna put emphasis on efficiently stopping such 'calling home programs' from smoothly operating. Beta version has just been released, so let's hope it's gonna get the job done as soon as possible.
Crockett 8)
MickeyTheMan
August 3rd, 2002, 02:28 AM
Yeah well, everyone's going to work hard on that over the next little while, but until anyone else comes up with a solution, there is one working right now: Naviscope.
Why not use it until safeguard measures are built into firewalls or other apps you mentioned?
It is so easy to set up with a browser that there is almost no excuse for not doing it NOW! ;)
The feature in Naviscope that defeats PCAUDIT is
HIDE SYSTEM INFORMATION (user agent)
See if your proxy has that feature.
snowman
August 3rd, 2002, 02:33 AM
Clarification please... am I correctly understanding that it's User Agent involved????
MickeyTheMan
August 3rd, 2002, 02:43 AM
Hi Snowman, Naviscope will strip the header from the request made by the server so it can't retrieve any info back.
snowman
August 3rd, 2002, 02:48 AM
Mickey
thankya... so it is the User Agent then.
snowman
MickeyTheMan
August 3rd, 2002, 02:59 AM
Naviscope (until users of other proxies can confirm otherwise) is the only known way to prevent PCAUDIT from succeeding on one's machine.
If anyone else knows of another method (short of not letting it in in the first place, which is no guarantee), please step forward!
Again I urge everyone to use a proxy capable of handling this type of exploit that deals with the very weaknesses of your OS.
crockett
August 3rd, 2002, 03:03 AM
Mickey;
To say the least, this is all very interesting.
Please tell us more about Naviscope general features !?
How did you get to know it and why do you like it so well beside the pcaudit matter ?
Crockett
MickeyTheMan
August 3rd, 2002, 03:24 AM
-{ Quote: " quoting: Crockett link=board=23;threadid=2790;start=0#18844 date=1028358203]
Mickey;
To say the least, this is all very interesting.
Please tell us more about Naviscope general features !?
How did you get to know it and why do you like it so well beside the pcaudit matter ?
Crockett
" }-
Tried all 3 proxies at one point or another, and Naviscope is the easiest to configure, mainly because it does not have all the bells and whistles of, say, Proxomitron. But at the same time, because of other proggies in use such as Spyblocker, I only needed this one mainly for the 2 features that I liked the most:
1. Hide System information (user agent)
2. Hide Last Page Visited (referer)
Little did I know at the time that this would become the only thing currently capable of stopping PCAUDIT.
AFAIK I was in a sort of hot debate on this subject as everyone claimed missing the test, and I couldn't fail no matter how hard I tried. I even shut my firewall off and still passed.
I was even successful on the Win2k platform, and some people almost called me a liar.
So it had to be something on my sys, but what?
I've spent the last 3 days working on this, and by process of elimination finally came up with Naviscope being the one. Then it was a matter of finding what in Naviscope prevented the test from succeeding. By unchecking the option HIDE SYSTEM INFORMATION, I finally failed the test. As odd as it may seem, I was relieved to fail a test! :D
http://mickeytheman.digitalrice.com/files/naviscopeblock.png
This is basically what Naviscope blocks. Nothing fancy. You check or uncheck an option.
I use it chained to the pacfile and browser, but you can just chain it to your browser.
Should you want to chain to pacfile and browser :
http://pages.infinit.net/carbo1/proxysetupwithpacfie.html
Just IE and Naviscope :
http://pages.infinit.net/carbo1/setiewithnaviscope.html
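A header filter modelled on the two Naviscope options listed in this post, written here as an added example (not Naviscope's own code; how Naviscope implements them is not documented in the thread). The option-to-header mapping and the sample request are assumptions constructed for the example.

```python
"""Header-stripping filter modelled on the two Naviscope options discussed in the
thread: "Hide System Information (user agent)" and "Hide Last Page Visited (referer)".
Added example, not Naviscope's code; the request below is constructed."""

import re

# Header names each option removes. This mapping is an assumption made for the
# example; Naviscope's real internals are not documented on the page.
OPTIONS = {
    "hide_system_information": ("user-agent",),
    "hide_last_page_visited": ("referer",),
}

# Obsolete line folding: a header value continued on a line starting with whitespace.
_OBS_FOLD = re.compile(rb"\r?\n[ \t]+")


def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request_line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    head = _OBS_FOLD.sub(b" ", head)  # unfold continuation lines first
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def filter_request(raw: bytes,
                   enabled=("hide_system_information", "hide_last_page_visited")) -> bytes:
    """Rebuild the request with the headers covered by the enabled options removed.
    Matching is case-insensitive, as header names are."""
    drop = {n for opt in enabled for n in OPTIONS[opt]}
    request_line, headers, body = split_request(raw)
    kept = [(n, v) for n, v in headers
            if n.lower().decode("ascii", "replace") not in drop]
    head = b"\r\n".join([request_line] + [n + b": " + v for n, v in kept])
    return head + b"\r\n\r\n" + body


def header_names(raw: bytes):
    """Lower-cased header names present in a request, in order."""
    _, headers, _ = split_request(raw)
    return [n.lower() for n, _ in headers]


# Constructed sample request (not captured from pcAudit): a browser fetch carrying
# both identifying headers, with the User-Agent value folded onto a second line.
SAMPLE_REQUEST = (
    b"GET /audit?step=1 HTTP/1.0\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5;\r\n"
    b"\tWindows 98)\r\n"
    b"Referer: http://example.test/start\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(filter_request(SAMPLE_REQUEST).decode())
```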
MickeyTheMan
August 3rd, 2002, 05:01 AM
Snowman, where did you get these instructions ?
They will have no effect as the dll used is able to inject code into any app able to access the net, even your AT or AV's update features.
JacK
August 3rd, 2002, 05:35 AM
-{ Quote: " quoting: MickeyTheMan link=board=23;threadid=2790;start=0#18842 date=1028357980]
Naviscope ( until users of other proxies can confirm otherwise ) is the only known way to prevent PCAUDIT to succeed on one's machine.
If anyone else knows of another method, ( short of not letting it in the first place, which is no guarantee ) please step forward !
Again i urge everyone to use a proxy capable of handling this type of exploit that deals with the very weaknesses of your OS
" }-
Hi MTM ;)
I use System Safety Monitor which prevents the execution of any leaktest, like
PC Audit, Firehole, leaky, etc.... Firewall or no firewall.
I use it in conjunction with KPF.
I mentioned it in another test a few weeks ago :)
d/l http://maxcomputing.narod.ru/ssm.html?lang=en (very slow site)
Or http://www.optimix.be.tf/ssm.htm (with French explanations)
Best regards,
snowman
August 3rd, 2002, 05:36 AM
NOTE
Because my previous post on this topic appeared to be of no value in preventing the exploit....I deleted the post.
snowman
MickeyTheMan
August 3rd, 2002, 05:51 AM
-{ Quote: " quoting: JacK link=board=23;threadid=2790;start=0#18857 date=1028367347]
I use System Safety Monitor which prevents the execution of any leaktest, like
PC Audit, Firehole, leaky, etc.... Firewall or no firewall.
" }-
Jack, you are talking about PCAUDIT, right?
All the others, LNS can take care of but this one.
Has SSM improved much? It was unstable as heck last I heard of it.
Prince_Serendip
August 3rd, 2002, 06:01 AM
Hi guys! I do not wish to be a bearer of bad tidings but TomCat has confirmed that Naviscope 8.69 phones home! It sends the Windows product number to Naviscope. Please refer to this url.
http://www.tom-cat.com/cgi-bin/spybase/spybase.cgi?view_records=1&name=^N|^N&re=1&sb=4&so=ascend&nh=1&mh=1
I also have Javacool's IDBlaster, and it's yet to be confirmed if Naviscope sends the changed number. I still use Naviscope anyway. Lesser of two or more evils?
Mickey the Man informs me that this particular Naviscope site is no longer operating so then there are no worries! THANK YOU, Mickey!!! And, if you also use stuff like SpyBlocker it would be blocked.
BTW, I also use a proxy. So, everything's cool! 8)
JacK
August 3rd, 2002, 06:09 AM
-{ Quote: " quoting: MickeyTheMan link=board=23;threadid=2790;start=0#18859 date=1028368312]
Jack, you are talking about PCAUDIT, right ?
All the others, LNS can take care of but this one.
" }-
Hello Mickey,
Yes, I am, but it prevents also all other leaktests whether you are running a FW or not. KPF takes care of the others too but Firehole (from memory, not sure).
Cheers,
JacK
Smokey
August 3rd, 2002, 06:27 AM
-{ Quote: " quoting: MickeyTheMan link=board=23;threadid=2790;start=0#18839 date=1028357030]
Hi Snowman, Naviscope will strip the header from the request made by the server so it can't retrieve any info back.
" }-
Will Naviscope work together with Windows XP? :P
Ciao,
Smokey
MickeyTheMan
August 3rd, 2002, 01:59 PM
-{ Quote: " quoting: JacK link=board=23;threadid=2790;start=15#18861 date=1028369397]
-{ Quote: " quoting: MickeyTheMan link=board=23;threadid=2790;start=0#18859 date=1028368312]
Jack, you are talking about PCAUDIT, right ?
All the others, LNS can take care of but this one.
" }-
Hello Mickey,
Yes, I am, but it prevents also all other leaktests whether you are running a FW or not. KPF takes care of the others too but Firehole (from memory, not sure).
Cheers,
JacK
" }-
Thanks Jack.
As for LNS not handling PCAUDIT, that's partly true as well.
If one is vigilant, then one could stop things like PCAUDIT, as it does give you a prompt about Windows 32-bit VxD message server starting the following app which connects to the internet, and all one has to do is block it, but that is also something too easily overlooked. It also gives more credit to the recommendation to never allow blanket authorization to any app.
MickeyTheMan
August 3rd, 2002, 02:03 PM
-{ Quote: " quoting: Smokey link=board=23;threadid=2790;start=15#18864 date=1028370450]
Will Naviscope work together with Windows XP? :P
" }-
I have no idea about XP, but don't see why not.
It's a proxy that works with your browser.
MickeyTheMan
August 3rd, 2002, 02:17 PM
-{ Quote: " quoting: Prince_Serendip
BTW, I also use a proxy. So, everything's cool! 8)
" }-
Just take the test to make sure your proxy can effectively block it. It's not malicious in any way. The dll it installs will be removed upon reboot.
As for Naviscope, it will become abandonware very soon. Their site is no longer operational.
As for it calling out, there were a few reasons: one was the update feature, and there is also an option to keep your sys clock adjusted to NIST atomic time, therefore another reason to connect.
For the paranoia types, you can always block these 3 IPs (I no longer recall what each one refers to, and am too lazy to check it out ;) )
212.100.224.102
202.84.198.59
216.157.91.36
spy1
August 3rd, 2002, 03:03 PM
Mickey - Guess I'm clueless (again! <g> ).
If user agent is all that's causing people to fail the test, won't the people who have Opera set to display as something else pass?
Has anyone checked?
(I won't be taking the pcflank test - sorry, I just don't believe in voluntarily d/l'ing something into my computer which is then going to tell me I have a 'vulnerability' of some kind - when it discloses a vulnerability that can get in and work by itself despite my defenses then I'll believe it - I could be totally wrong about that viewpoint, but time will tell).
Also, if Naviscope is going to be totally abandonware - will it still work at all? Is the program itself dependent on anything from an outside source? Pete
MickeyTheMan
August 3rd, 2002, 05:10 PM
-{ Quote: " quoting: spy1 link=board=23;threadid=2790;start=15#18935 date=1028401387]
(I won't be taking the pcflank test - sorry, I just don't believe in voluntarily d/l'ing something into my computer which is then going to tell me I have a 'vulnerability' of some kind - when it discloses a vulnerability that can get in and work by itself despite my defenses then I'll believe it - I could be totally wrong about that viewpoint, but time will tell). " }-
BTW it's PCAUDIT; PCFLANK is another one.
I don't blame you one bit. It is most likely that a user with your knowledge would not be subject to these vulnerabilities and should quickly recognize anything out of the ordinary.
The point of these tests is to answer the question: what if?
What if anything managed to get in despite my precautionary measures?
What would happen then?
Would my sys prevent info from leaking out?
How much of a risk is involved?
There is no need for everyone to test these proof-of-concept ideas, but surely you will understand some had better do it. This is the only way that security vendors can then take steps to alter their products and install safeguards into them.
Most firewalls have already covered most of the previous tests that have been issued in the past 2 years, but would have done nothing if no one had pushed the issues. Heck, some are still reluctant to fix some of them despite being exposed at large.
PCAUDIT just happens to be the latest, and surely not the last one, for which a permanent cure will need to be implemented.
As for what the future holds for Naviscope, it's a little early to tell. But for the time being, it manages to stop PCAUDIT dead in its tracks, and that's good enough for me for now.
Simple proxy to set up and easy to use, ideal for most users, which the same can't be said for SSM, which, as Jack mentioned, can also block PCAUDIT.
snowy
August 3rd, 2002, 09:48 PM
As yet it's not been clearly stated what part User Agent is playing here. The comment about "stripping the headers" is simply not a full explanation... By "stripping the headers", is this meant to imply that the information that User Agent displays about the OS is removed?? The basic feature of User Agent is no more than displaying the OS information...
Nor do I notice a reply to the question by Spy 1 as to whether Opera would defeat this exploit?
As for "stripping the headers", if in fact that does imply that the OS information displayed by User Agent is "changed" to reveal something other than the proper OS in use... that can be accomplished with Proxo... Webwasher... Opera... Could someone offer a little more specific information on what actual part User Agent plays here?
Like Spy 1... I never download such tests onto my computer... In the past, prior to a re-format, I have taken a couple of these tests... passing each one. Nevertheless, I believe such tests place the OS at a complete disadvantage and therefore are not valid tests... Installing a known trojan onto a computer stacks the deck... May as well install a Sub-Seven... the results would be the same. Installing a "legally functioning program" that requires access to the internet would result in the same results... If a firewall is set to make all programs request permission, such firewall leak tests just don't... won't pass.
Other contention is such tests are not actually firewall tests but better considered as tests of anti-virus and anti-trojan programs... or perhaps registry monitors.
These comments are cast out for the sake of discussion, not argument.
As for the part Naviscope plays... would not a program such as, say, Multi-Proxy or like programs have the same results?...
If in fact it's the fact that User Agent has free passage outbound to display the information it delivers... then the exploit is depending on that "free passage"... and by using a program such as Naviscope, the information being sent "outbound" goes to another server... nevertheless the information is still leaving the OS "outbound"... therefore the test is failed. IMO this would be the manner that the test uses User Agent, until someone can provide a better explanation.
In complete honesty I just don't see the test as being firewall related... not if User Agent is involved. Injecting a dll into User Agent... and User Agent is part of what the browser uses... it's just naturally going to bypass the firewall if the browser is used... and if the browser is connecting to a "middle man" server... it's still allowing the exploit out.
snowman
snowy
August 3rd, 2002, 10:16 PM
It's been further said that the test exploit injects a dll into other programs such as anti-virus programs, etc., and that the exploit passes the firewall when such programs are updated... of course it does!! Trojans can infect more than one program... nothing new about this...
The post by Jack lends support to this theory... by using a registry monitor = "System Safety Monitor" = he passes such tests as this one... In theory, if this exploit was classified as a virus or trojan and its signature placed in such a program, it would be deleted or prevented.
snowman
MickeyTheMan
August 4th, 2002, 12:12 AM
Snowman, you are asking legitimate questions to which an answer cannot be provided at this point, as once the answers become known, then the solution will also become easier to deal with.
As Naviscope is no longer being developed and support is no longer offered either, it is not possible to find out from them exactly how the user agent is handled by the proggie and what part it handles either.
Opera does not defeat the test, according to some Opera users.
Do other proxies defeat it? Maybe; then again, users will need to come forward and say so if they do.
James Grant (Visnetic) and Frédéric (LNS) are both aware of the problem and looking at whether the application filtering module could deal with this and how.
So for now I know of SSM and Naviscope that can defeat the test.
Sorry, as much as I'd like to be more specific, I can't.
Anything more would be speculation, and until more is known on this I will leave it at that.
snowy
August 4th, 2002, 12:33 AM
Mickey
Most appreciate your having given of your time in replying... and your forthright honesty is admired.
No browser IMO will defeat this exploit... since a hostile script is involved injecting the dll.
I downloaded LnS yesterday... and will be interested in Frédéric's handling of this... and since it's been a few years since I last used a rule-based firewall, this post alerted me to needing to update my knowledge of rules... In the meantime I'll use the enhanced rule settings. I would want it set in such a way that "all" needs to ask for access.
Wishing you a most pleasant night
snowman
MickeyTheMan
August 4th, 2002, 12:52 AM
-{ Quote: " quoting: snowy link=board=23;threadid=2790;start=15#18992 date=1028435635]
No browser IMO will defeat this exploit... since a hostile script is involved injecting the dll.
I downloaded LnS yesterday... and will be interested in Frédéric's handling of this... and since it's been a few years since I last used a rule-based firewall, this post alerted me to needing to update my knowledge of rules... In the meantime I'll use the enhanced rule settings. I would want it set in such a way that "all" needs to ask for access.
Wishing you a most pleasant night
snowman
" }-
Which browser you use is irrelevant, as the dll seems to be able to inject its code into any app it can find that can access the net.
As for LNS, do not give blanket authorization to any app. Always answer "this time only", except for browser and proxy, which you will need to answer "this session", as browsing becomes almost impossible otherwise with the multiple connections done at each site, as even a gif is considered a connection. Just coming to this site would most likely get you to answer too many times for comfort.
snowy
August 4th, 2002, 12:57 AM
Mickey... thanks... will follow those instructions...
snowman
snowy
August 4th, 2002, 06:35 AM
Mickey
In case you drop by this thread... if you care to do so... kick in Naviscope, then drop in on privacy.net for a scan (link in free services here) and see if User Agent is really being blocked... you may find it interesting.
snowman
JacK
August 4th, 2002, 08:12 AM
-{ Quote: " quoting: snowy link=board=23;threadid=2790;start=15#18985 date=1028425696]
Like Spy 1... I never download such tests onto my computer... In the past, prior to a re-format, I have taken a couple of these tests... passing each one. Nevertheless, I believe such tests place the OS at a complete disadvantage and therefore are not valid tests... Installing a known trojan onto a computer stacks the deck... May as well install a Sub-Seven... the results would be the same.
>> Not at all: your firewall would prevent SubSeven from going out :)
Installing a "legally functioning program" that requires access to the internet would result in the same results... If a firewall is set to make all programs request permission, such firewall leak tests just don't... won't pass.
>> You cannot prevent PC Audit from accessing the web with your FW: it uses another allowed program, for instance IE or Explorer :)
Other contention is such tests are not actually firewall tests but better considered as tests of anti-virus and anti-trojan programs... or perhaps registry monitors.
>> Right. Basically it's not a FW problem but an OS problem; the most important thing is to stop it cold, with a FW or something else :)
" }-
MickeyTheMan
August 4th, 2002, 09:56 AM
-{ Quote: " quoting: snowy link=board=23;threadid=2790;start=15#19014 date=1028457324]
Mickey
In case you drop by this thread... if you care to do so... kick in Naviscope, then drop in on privacy.net for a scan (link in free services here) and see if User Agent is really being blocked... you may find it interesting.
snowman
" }-
Hi, again I will not speculate as to what in Naviscope blocks PCAUDIT. The info has been given to both Frédéric and James for them to determine what it is and how to incorporate that in their products.
All I can tell you is that it's the feature HIDE SYSTEM INFORMATION (user agent).
http://mickeytheman.digitalrice.com/files/naviscopeblock.png
If that option is unchecked, then PCAUDIT succeeds. What exactly it uses and how is for them to determine.
We now both know that you know what it's not, but if you can tell me what it is, then please do so.
Prince_Serendip
August 4th, 2002, 01:04 PM
The Naviscope site which TomCat referred to as the "phone home" one for version 8.69 is still active, 216.157.91.36. They are still offering version 8.69 for download there. Mickey the Man is correct about support having been discontinued. The last posting on their Discussion Support site is dated 09/11/2001! However, I checked around and found links to download version 8.70. So far, there is no evidence of this one "phoning home." (Still sniffing, though.)
http://comunitel.tucows.com/preview/83.html
MickeyTheMan
August 4th, 2002, 03:34 PM
Thanks for that link.
BTW, I don't know if 8.69 could defeat PCAUDIT, as I am using 8.70.
SYGATE firewall can be added to the list of apps able to defeat PCAUDIT due to its DLL AUTHENTICATION.
This option is not set by default, and should be. I'm finishing my tests on that one, but every indication so far is that it is indeed successful, although a reboot seems to be needed to regain access to the net afterwards.
Mike (VOP), a long-term user of Proxomitron, confirmed it is not able to handle it.
rockharder
August 4th, 2002, 03:55 PM
I tested PC Audit with
1. Kerio FW 2.1.4 + Internet Explorer 6, and this configuration failed the PC Audit test!
2. Kerio FW 3.0.0 (the new beta from Kerio) + Internet Explorer 6, and this configuration managed to catch the session.
I gave IE6 full access to the net!
On both tests I'm behind my ISP's PROXY server, but I have reconfigured my internet access so it does not use the PROXOMITRON. With Proxo enabled I pass also with 2.1.4!
This is what I get from Kerio FW 3.0.0:
Dst Addr: MY ISP's ADRESS
Src Port: 1085, Dst Port: 8080
Protocol: TCP
Application path: C:\WINDOWS\EXPLORER.EXE
Description: explorer
File version: 5.50.4134.100
Created: 2000/6/8, 15:00:00
Modified: 2000/6/8, 15:00:00
Accessed: 2002/8/3, 22:00:00
Afterwards the "bla, bla, bla, You're well protected" comes up.
The funny thing is that I don't get prompted by the FW when starting the PCAUDIT.EXE but when it sets up the session via explorer.exe!
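Triage logic for firewall prompts like the Kerio record above, applying the per-app policy Mickey gives earlier in the thread (browser and proxy get a "this session" grant, everything else is answered "this time only") and flagging the shell-initiated web session that pcAudit produced here. Added example, not Kerio's code; the allowed paths, port list and sample records are constructed assumptions, with the ISP address replaced by a placeholder.

```python
"""Triage of firewall connection prompts of the kind rockharder pasted from Kerio.
Added example, not Kerio's code. The policy, paths and sample records are
constructed for this example; the ISP address is a documentation placeholder."""

import re
from dataclasses import dataclass

# The thread's advice: only the browser and the local proxy get a "this session"
# grant; everything else is answered "this time only". Paths are assumptions.
SESSION_ALLOWED = {
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\program files\naviscope\naviscope.exe",
}
# The shell has no reason to open web sessions of its own; an outbound attempt
# from it is what the injected DLL looked like in rockharder's prompt.
SHELL_PROCESSES = {r"c:\windows\explorer.exe", r"c:\winnt\explorer.exe"}
WEB_PORTS = {80, 443, 8080, 3128}

# Kerio prints "Src Port: n, Dst Port: m" on one line; split only before a new key,
# so values containing a comma (e.g. "Created: 2000/6/8, 15:00:00") stay intact.
_FIELD_SEP = re.compile(r",\s+(?=[A-Za-z][A-Za-z ]*:\s)")


@dataclass
class Prompt:
    dst_addr: str
    src_port: int
    dst_port: int
    protocol: str
    app_path: str
    description: str


def parse_prompts(text: str):
    """Parse blank-line separated 'Key: value' records into Prompt objects."""
    prompts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            for part in _FIELD_SEP.split(line):
                key, colon, value = part.partition(":")
                if colon:
                    fields[key.strip().lower()] = value.strip()
        prompts.append(Prompt(
            dst_addr=fields["dst addr"],
            src_port=int(fields["src port"]),
            dst_port=int(fields["dst port"]),
            protocol=fields["protocol"].upper(),
            app_path=fields["application path"].lower(),
            description=fields.get("description", ""),
        ))
    return prompts


def triage(p: Prompt) -> str:
    """Action the thread's policy implies for one prompt."""
    if p.app_path in SESSION_ALLOWED:
        return "allow-session"
    if p.app_path in SHELL_PROCESSES and p.protocol == "TCP" and p.dst_port in WEB_PORTS:
        return "block-and-alert"  # shell process starting a web session
    return "prompt"  # "this time only"; never a blanket grant


def triage_text(text: str):
    """[(application path, action), ...] for a pasted block of prompts."""
    return [(p.app_path, triage(p)) for p in parse_prompts(text)]


# Constructed records: the first mirrors rockharder's prompt with the address
# replaced; the other two are made up to exercise the remaining policy branches.
SAMPLE_PROMPTS = """\
Dst Addr: 192.0.2.10
Src Port: 1085, Dst Port: 8080
Protocol: TCP
Application path: C:\\WINDOWS\\EXPLORER.EXE
Description: explorer
File version: 5.50.4134.100
Created: 2000/6/8, 15:00:00

Dst Addr: 192.0.2.10
Src Port: 1090, Dst Port: 8080
Protocol: TCP
Application path: C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
Description: Internet Explorer

Dst Addr: 198.51.100.7
Src Port: 1102, Dst Port: 80
Protocol: TCP
Application path: C:\\Program Files\\ExampleAV\\update.exe
Description: ExampleAV updater
"""

if __name__ == "__main__":
    for path, action in triage_text(SAMPLE_PROMPTS):
        print(f"{action:16} {path}")
```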
snowy
August 4th, 2002, 05:53 PM
Mickey
Mic, I have no idea "what it is", but if I were to speculate I would "guess" that it's the Windows Operating System itself... In fact... I would be highly interested in learning how a Linux system would react to the exploit.
Mickey, you have been relentlessly pursuing this for several days... my compliments...
The posts by others have shown that prevention of the exploit itself is possible... Prevention of the exploit by a firewall... perhaps I should say by ALL firewalls... is what appears to be the question. In recent months Frédéric has been on top of these issues... and no doubt will be again.
And like you... if you find an answer... please let me know. I am just as curious as anyone.
snowman
snowy
August 4th, 2002, 07:23 PM
In consideration of my limited knowledge... the following is presented as a question to the more knowledgeable:
By "protecting" the explorer.exe from being changed/altered... would this prevent ALL such exploits of such a nature as the one in this thread?? Possibly include protecting iexplorer also.
snowman
snowy
August 4th, 2002, 07:45 PM
***Food For Thought***
Is it possible... and I strongly suspect... that M$ uses an exploit just like this for "error reporting"? At first glance this comment may appear off-topic... however, please consider the enormous leak provided by such an exploitation... a totally free ride outside... if explorer is compromised.
As stated... this is food for thought.
snowman
spy1
August 4th, 2002, 08:14 PM
snowman - Just thought I'd let you know - going to this page: http://www.gemal.dk/browserspy/basic.html will see right through Naviscope's blocking of UA.
Going to the privacy.net page you referred to: http://privacy.net/analyze/ didn't really specify what browser I was using, although it did pick up this: "Mozilla Default Plug-in - Default Plug-in - npnul32.dll" (I was using Mozilla for the check). The following fields there, though, looked just like this:
"You linked from here (if you linked from another web page):
Your Browser Type and Operating System: "
(No information). Pete
FanJ
August 4th, 2002, 08:40 PM
-{ Quote: " quoting: spy1 link=board=23;threadid=2790;start=30#19075 date=1028506499]
snowman - Just thought I'd let you know - going to this page: http://www.gemal.dk/browserspy/basic.html will see right through Naviscope's blocking of UA.
" }-
OK, I haven't tried PCAudit. I don't use Naviscope.
But I went to that site that Pete mentioned (gemal.dk).
Is it supposed to show info about my UA?
Am I understanding that right?
It does not show it (or I make a mistake).
spy1
August 4th, 2002, 09:36 PM
Grrr!
FanJ
August 4th, 2002, 09:42 PM
Hey Pete,
On the other hand that other site (privacy net) showed my info at:
"Your Browser Type and Operating System".
FanJ
August 4th, 2002, 09:57 PM
-{ Quote: " quoting: FanJ link=board=23;threadid=2790;start=30#19082 date=1028511776]
Hey Pete,
On the other hand that other site (privacy net) showed my info at:
"Your Browser Type and Operating System".
" }-
Eh, changed a setting, and it is no longer displayed.
snowy
August 4th, 2002, 10:01 PM
Pete
Thank you very much... it's a little more difficult researching this issue without actually having the exploit... which I won't install.
My results were the same as FanJ... tried all options... no info revealed.
Of further note... I am of the belief that this is an OS leak... My ounce of prevention at this point is to add all programs that require updating... plus all programs accessing the internet... explorer.exe and iexplore included... into file protection. "Before the fact" protection instead of "after the fact" protection... changes are prevented... no questions asked... simply prevented.
This would only be workable on a system not already compromised. And really could only be fool-proof tested after the protection was added... Personally I am satisfied. There may be other means of prevention, but until they become known I have to go this route...
As previously stated this is open to discussion... Right now I am of the opinion that by protecting certain OS functions and programs with internet access from changes/alterations, such exploits can possibly be prevented... I gladly and humbly bow to the more knowledgeable who can offer a better solution. It's already been stated by Jack that System Safety Monitor performs a like function...
This does not plug the hole itself... the hole certainly should be the subject of some very serious discussion.
Pete and FanJ... again thank you
snowman
It should also be noted that the adding of protection as stated above won't prevent an exploit from getting onto an OS but simply prevents changes to the programs, etc. listed or others added to protection.
If this theory is way off base, then I offer an apology here and now... so far I have not found any other.
Snowy
August 4th, 2002, 10:08 PM
Pete
Buddy, your OS was revealed!!! You can easily prevent that without the use of a proxy... recall the post I deleted yesterday??? You can make that info say: Jack and Jill went up the hill... or whatever.
snowman
snowy
August 4th, 2002, 10:30 PM
Pete
Just a real quick note... if you had been using a branded version of a web browser, your ISP name would have been revealed.
snowman
snowy
August 4th, 2002, 11:45 PM
One further comment before I move on down the line.
As previously noted... a branded web browser can possibly reveal the name of the internet provider of the person using the branded browser... Such information is sent to a remote web server... and may be stored in the web server log files... and possibly used to track branded versions of that web browser.
Further food for thought... the users of proxies may change the information User Agent reveals... However, let's for discussion say that information is changed to show, for example, 123 456 789... and then no further changes are ever made... but the proxy user goes to a website... goes back again and again... has he not branded his own browser?
IMO he has done even worse... he is revealing who he is right down to the post name he uses.
Simply constantly changing the proxy to reveal something else would resolve this issue... and a group of people deciding to all use the same phony information works to confuse... hummmm, now who was that person?
snowman
snowy
August 4th, 2002, 11:52 PM
until the privacy leak that has been revealed in this thread is totally plugged......changing the browser names...names of the os in use..etc., won't in any way prevent the leakage of other information....the information that a browser reveals when it contacts a website
snowman
spy1
August 5th, 2002, 07:37 AM
One other interesting thing I noted yesterday was that a lot of the 'scanning' sites I went to could easily pick up the date and time your computer shows.
This (if nothing else) narrows your location down to a specific time zone.
Seems to me you could throw that off by at least however many time zones (possible locations) there are in your country by just changing your computer clock - if you wanted to get fancy, I suppose one could figure out how to change the date and the time to make it look like you were in a different country. (Of course, that wouldn't work if you let Naviscope - or any other program - do automatic time checks.)
Snowman - yes, I thought about changing the OS info with that reg hack, to keep from having an identifying 'fingerprint' consisting of whatever information does get through every time you click to get a link, but (like you) I realized that all that stuff would have to be constantly changed to avoid winding up with the same fingerprint anyway!
Until/unless someone comes up with something that will accomplish that automatically (varying all the elements that can be read in a request), it's simply too time-consuming - although all the potential changes should be kept in mind for future use if needed. Pete
JacK
August 5th, 2002, 11:29 AM
-{ Quote: "quoting snowy:
In consideration of my limited knowledge...the following is presented as a question to the more knowledgeable
by "protecting" the explorer.exe from being changed/altered........would this prevent ALL such exploits of such nature as the one in this thread?? Possibly include protecting iexplorer also
snowman
" }-
Hello,
No, it does not :)
If IE is open, it tries to use IE first. IF it's not open the test is passed with flying colours IF Explorer is not allowed to access the W3, depending on your OS
(on win98SE, if I am right, you may not disallow Explorer to access the W3 or you are not able to access through IE).
If IE is already open when you run the test, you fail.
Rgds,
JacK
snowy
August 5th, 2002, 04:47 PM
Jack
the details you provided.........is that regarding an os ALREADY INFECTED?? on a NON-INFECTED os how would those results be possible? once explorer's files have been placed in protection.....that exploit just isn't going to be able to use it.
if what you are saying is true.......then file protection programs are useless........
Naturally on an already infected os it would be a waste of time to place any program into file protection...........
snowman
snowy
August 5th, 2002, 05:07 PM
Pete
yes I certainly agree with you......the time spent changing info. etc would not make it a logical choice.
to tell you the truth Pete.....since the past couple of days I really don't think its worth the effort anymore.
......if anything the situation has grown considerably worse with the passage of time...........
the few that can or would make the changes to plug privacy leaks are just a mere drop of water in a vast sea
snowman
snowy
August 5th, 2002, 05:49 PM
JACK
I have been trying to understand the contents of your post........bear with me if you will please
ok......as I understand this exploit.....its nothing more than a "piggy-back".......and for it to function it has to alter a dll in Explorer.....
Now..if Explorer is placed in full protection.....which prevents any and all changes of any kind being made to the Explorer dll's..............then how is the Exploit going to mis-use the Explorer...and attach itself to it ???
Jack I am speaking here of protecting Explorer PRIOR to any infection.
Thanks
snowman
Pretender
August 5th, 2002, 06:11 PM
I feel extremely humble after reading this thread. I'm more computer illiterate than I ever imagined. I assume that no one here has any problems with the Naviscope software? Will Naviscope conflict with ZoneAlarm? I'm using both at the moment and the jury is still out. MSIE 6 doesn't like to load with both running and some minor glitches with other web page loading. Would appreciate some of you dropping down to my level for a moment and providing me with some insight on Naviscope and ZoneAlarm (free version). Opinions, good or bad or indifferent would be appreciated.
snowy
August 5th, 2002, 06:26 PM
Pretender
Hey my friend don't ever....not ever feel left out........I have got to be the most computer dumb person on earth.....heck, I can't turn the darn thing off....
You should not experience any problems using Naviscope and zone alarm.....never heard of anyone having any. Naviscope will need to be configured......be sure to look at the "readme" instructions. I don't personally use naviscope......I did give it a brief try a few years ago....
snowman
snowy
August 5th, 2002, 06:29 PM
Pretender
I don't use IE 6 so can't comment there..sorry.
snowman
FanJ
August 5th, 2002, 08:03 PM
I would like to quote (and I hope that I’m allowed and that he doesn’t mind me doing so) a part of an old posting from Joseph V. Morris at:
https://grc.com/x/news.exe?cmd=article&group=grc.security.software&item=33708&utag=
grc.security.software “Subject: Re: ???????????”
---begin quote---
All of the application control firewalls (with or without file authentication) currently on the market do _not_ authenticate in any manner the DLLs, SYSs, OCXs, VXDs, etc., that may be critical to the actual functioning of the application. Given the physical implementation of MSIE (in particular), authenticating the iexplore.exe executable (and only that executable) does very little -- it's little more than a stub program that calls enabling DLLs.
---end quote---
Please remember, this was an old posting!
In the meantime some firewalls have improved.
Now what I’m wondering myself is this:
I thought that for example ZAPro has improved in this way that it also in some way checks not only the exe file that wants access but also the other files like the dll files that that exe file calls.
Am I right here?
Did anyone try it with ZAPro?
Paul Wilders
August 5th, 2002, 08:37 PM
-{ Quote: "the dll seems to be able to inject its code into any app it can find that can access the net." }- - Mickey
..and the statement from JacK (in essence the same) is IMHO the essence here. PCAudit has used a concept which can be circumvented, as Mickey pointed out: let's call it a "coincidence". The principle matters.
ZAPro will fail the test - providing one runs the test while on line.
regards.
paul
FanJ
August 5th, 2002, 08:57 PM
-{ Quote: "quoting Forum Admin:
-{ Quote: "the dll seems to be able to inject its code into any app it can find that can access the net." }- - Mickey
..and the statement from JacK (in essence the same) is IMHO the essence here. PCAudit has used a concept which can be circumvented, as Mickey pointed out: let's call it a "coincidence". The principle matters.
ZAPro will fail the test - providing one runs the test while on line.
regards.
paul
" }-
Let's assume that you have a firewall that is capable of not only "checking" the exe file (by using for example MD5-checksums), but also all the dll, vxd etc. files that it possibly could call.
Then first of all that firewall has to make a database of all those exe, dll, vxd etc. files.
Now PC Audit, or any malware that works that way, injects its code in a dll file.
Now that exe file wants for some reason access to the outside world; then that firewall checks that exe file and all of the dll files that it calls. If that firewall is doing its job, it should warn you: hey, one of the dll files has changed, what do you want: give it permission or not?
So what is the point? Where is it going wrong?
Is it the fact that that dll file is already in RAM? (and Joseph already pointed at that too in that GRC thread).
snowy
August 5th, 2002, 09:15 PM
Paul
what I am at odds of understanding...is how can any program dll be exploited once it's been protected ?
I understand that some firewalls are blocking this exploit by preventing the dll from being exploited........and if that's the case......it only verifies that file protection will work. ( open to correction on this) once the program...any program....is fully protected.......and afterwards an exploit of this nature enters an os....unless the file protection fails how can the program files\dlls be changed? honestly asking for prevention purposes.
I completely fail to see how anything could be injected into a file\dll in such circumstances
once again I must state that I don't see this as a firewall issue. sure a firewall may alert a user of the existence of the exploit.....and a firewall may prevent the exploit from accessing the internet......but a firewall won't clean the exploit...it remains on the system
putting perfume on a smelly person may stop the odor but only a bath will remove the dirt.
Naviscope is a proxy...that's its intended purpose.....it can "strip the headers" but it won't clean the exploit......and the machine remains infected. someone else in the household comes along.....and does not enable naviscope..and the exploit works
for further consideration......a simple script detector could alert and allow the user to abort the exe......but the exploit would still remain on the os.
this is not a new issue....Windows from day one has had this.........and until now no one did what pcaudit did...it always could have been done...
a person wanting to use naviscope for its intended purpose of a proxy...hey fine.....but a person using naviscope believing it will somehow "clean" the exploit is just wasting their time and computer resources.......
my concern is that an impression will be given that a firewall is "the holy grail" which it is not.....a virus\trojan\worm needs to be cleaned from a system.....no firewall can yet accomplish that task.
respectfully
snowman
snowy
August 5th, 2002, 09:37 PM
---begin quote---
All of the application control firewalls (with or without file authentication) currently on the market do _not_ authenticate in any manner the DLLs, SYSs, OCXs, VXDs, etc., that may be critical to the actual functioning of the application. Given the physical implementation of MSIE (in particular), authenticating the iexplore.exe executable (and only that executable) does very little -- it's little more than a stub program that calls enabling DLLs.
---end quote---
FanJ
that comment by Joe M is just where I am going in my responses........PREVENTION BEFORE -THE-FACT
if altering was prevented in the first place there would be no real need for such double checking
Believe me I am very open to learn on this issue
snowman
Paul Wilders
August 5th, 2002, 09:46 PM
Jan,
-{ Quote: "So what is the point? Where is it going wrong?" }-
The O/S design from W9x, and:
-{ Quote: "Let's assume that you have a firewall that is capable to not only "check" the exe file (by using for example MD5-checksums), but also all the dll, vxd etc. files that it possible could call." }-
..here - as a derivative. As for now, there is no firewall being able to "check" all dll, vxd etc.
snowman,
-{ Quote: "how can any program dll be exploited once its been protected ?" }-
Protected in what way? any running client will do. Are you referring to sandboxing, Tiny Trojan Trap?
I agree it's an O/S issue first. That being said, it's in essence quite easy to implement for example a dll "like" the one in use by the pcaudit test (but not an innocent one like this one) in virtually any executable - say software. It would be undetected.
True: a firewall is by no means a holy grail. Nevertheless, if O/S design demands protection, it would be nice if an app - like a firewall - would alert before executing.
Have a go at the pcaudit test ;); it's rather fun: using Kerio FW and IE 5x, all kind of running apps will pop up - asking "is it OK to update" etc.
regards.
paul
FanJ
August 5th, 2002, 10:32 PM
So, this is where a utility like FileChangeAlarm (brother of NISFileCheck) could prove its value.
Why? You can tell it to warn you in real time for any change in whatever exe, dll, vxd, ocx, sys, etc. file.
Alas, I run W98SE and you can only use it on W2000/NT/XP.....
snowy
August 5th, 2002, 10:57 PM
BY FANJ :
"So, this is where a utility like FileChangeAlarm (brother of NISFileCheck) could prove its value."
John thats just my point.
PAUL
to name one program that we both know...."File Protector" by PEPI
Paul I very much appreciate your reply....truly I do.
At this point I just have to ask myself why....if a firewall can verify checksums.....why aren't the virus scanners and trojan scanners doing this same job? Are people just throwing away their money purchasing these products....it certainly appears this way.......if the virus\trojan scanners can't do what the firewall is being expected to do. My point is very simple..... what if a firewall detects the changes....that of itself won't remove the exploit. if the anti-virus\anti-trojan scanners were doing a good job the exploit never would have executed on the machine...or at the very least a user would have been alerted by the scanners and allowed to clean the exploit
if a firewall vendor can make a firewall perform this function.....why aren't the vendors of anti-virus\trojan products doing the same?? This subject has been kicked around and around for years without a response from vendors of virus\trojan scanners.........to implement the kind of protection we are discussing.......therein lies my main concern. The buck is being passed...to the firewall.
and point of fact...the exploit is never cleaned\removed
respectfully
snowman
snowy
August 5th, 2002, 11:18 PM
BY PAUL:
"in essence quite easy to implement for example a dll "like" the one in use by the pcaudit test (but not an innocent one like this one) in virtually any executable - say software. It would be undetected"
****************
PAUL
I could not agree more....in fact that's what's giving me the shivers..........and why I so strongly believe that the anti-virus\anti-trojan vendors need to address this issue immediately. This time the exploit was innocent.....but sooner or later it won't be. A means of immediate detection\cleaning needs to be provided before such an exploit is exploited for evil.
certainly I don't mean to sound pushy on this issue....I am truly concerned here.............my apology to one and all if I come off sounding like on a soap box.....far be that from the truth...........this is obviously a preventable exploit....so why isn't it being prevented ????????
respectfully
snowman
Paul Wilders
August 6th, 2002, 12:53 AM
-{ Quote: "if a firewall can verify checksums.....why aren't the virus scanners and trojan scanners doing this same job?" }-
By design AVs and ATs are for one purpose only: detecting and handling malware - databased and/or using heuristics. In case of a databased "fingerprint" including malware characteristics (a dll could be part of that) it will be flagged.
Thus, something "nasty" has to be detected, triggering the AV or AT. In principle, a dll as such is not malware. In short: IMHO this isn't an issue for AVs nor ATs. Only in case for example a dll is part of a virus/worm/backdoor/trojan, AVs/ATs should be able to handle it. As far as I see it, this isn't the case here.
One could only ask AV/AT vendors to include pcaudit in their databases - but since it's harmless, there's no use in doing so.
regards.
paul
snowy
August 6th, 2002, 01:30 AM
Paul
again I thank you for replying. hope you are having a pleasant day......always wishing you well
snowman
Paul Wilders
August 6th, 2002, 01:41 AM
Enjoy your day as well, snowman (nearly 8:00 in the morning over here..).
regards.
paul
snowman
August 6th, 2002, 01:59 AM
darn if I didn't just delete my reply!! I must need a rest break.....LOL
MickeyTheMan
August 6th, 2002, 02:58 AM
-{ Quote: "quoting Forum Admin:
-{ Quote: "if a firewall can verify checksums.....why aren't the virus scanners and trojan scanners doing this same job?" }-
By design AVs and ATs are for one purpose only: detecting and handling malware - databased and/or using heuristics. In case of a databased "fingerprint" including malware characteristics (a dll could be part of that) it will be flagged.
Thus, something "nasty" has to be detected, triggering the AV or AT. In principle, a dll as such is not malware. In short: IMHO this isn't an issue for AVs nor ATs. Only in case for example a dll is part of a virus/worm/backdoor/trojan, AVs/ATs should be able to handle it. As far as I see it, this isn't the case here.
One could only ask AV/AT vendors to include pcaudit in their databases - but since it's harmless, there's no use in doing so.
regards.
paul
" }-
Putting PcAudit in a database would serve no useful purpose as it only represents a symptom of what can be done.
True, with vigilance, it's possible to intercept it, but those mostly at risk are those not usually following these forums and would be caught red-handed.
Heck in one of the tests i did, i closed LNS and tried Sygate, to verify its dll authentication.
Well the darn thing used the lns driver in trying access.
Now you tell me. Who would usually think of blocking anything from its favourite firewall !
Paul Wilders
August 6th, 2002, 03:12 AM
-{ Quote: "Well the darn thing used the lns driver in trying access.
Now you tell me. Who would usually think of blocking anything from its favourite firewall !" }-
LOL! You must admit, although a serious matter, it's kinda funny as well ;D
regards.
paul
Pretender
August 6th, 2002, 03:18 AM
i'm not sure about all of this stuff and how important it is in life. i've been sick for the last few days and am about to go out of my mind with pain from a botched surgery back in 97. don't mean to complain as all of this information keeps my brain working a bit. just tired i think. gotta regroup and maybe i can catch up with all of you later.
Paul Wilders
August 6th, 2002, 03:29 AM
Take care, Pretender ;)
regards.
paul
JacK
August 6th, 2002, 07:40 AM
-{ Quote: "quoting snowy:
Jack
the details you provided.........is that regarding an os ALREADY INFECTED?? on a NON-INFECTED os how would those results be possible? once explorer's files have been placed in protection.....that exploit just isn't going to be able to use it.
if what you are saying is true.......then file protection programs are useless........
Naturally on an already infected os it would be a waste of time to place any program into file protection...........
snowman
" }-
Hi snowman,
PC audit does not alter the files and does not "infect" them : if you allow Explorer to access the W3 by the way you allow PCAudit too.
If your FW does not allow Explorer to access the Web, PC Audit cannot use it to access the Web, it shall try to access the W3 using another valid application.
Rgds,
JacK
FanJ
August 6th, 2002, 07:54 AM
Hi JacK,
-{ Quote: "PC audit does not alter the files and does not "infect" them " }-
I hope you don't mind, but I have a couple of questions:
1.
That would mean that a utility like FileChangeAlarm (checking exe, dll, etc. files in real time) would not help you here, is that right?
2.
I thought that was described that PC Audit "injects" its code in a dll file.
So does it change a dll file or not?
3.
Or is something going on like "injecting its code in such a dll file when that dll file is loaded in RAM"?
PS: to Pretender:
I wish you all the best, and I really hope you will feel better soon!!! Take care, Jan.
JacK
August 6th, 2002, 08:36 AM
-{ Quote: "quoting FanJ:
Hi JacK,
-{ Quote: "PC audit does not alter the files and does not "infect" them " }-
I hope you don't mind, but I have a couple of questions:
1.
That would mean that a utility like FileChangeAlarm (checking exe, dll, etc. files in real time) would not help you here, is that right?
2.
I thought that was described that PC Audit "injects" its code in a dll file.
So does it change a dll file or not?
3.
Or is something going on like "injecting its code in such a dll file when that dll file is loaded in RAM"?
PS: to Pretender:
I wish you all the best, and I really hope you will feel better soon!!! Take care, Jan.
" }-
Hi FanJ :)
1. I don't use FileChangeAlarm or something of the kind but I think it would not prevent the leak as PC Audit does not modify anything.
2. I did not disassemble PC Audit, so I cannot say how it works exactly but it does not modify a dll : it works like a launcher, trying to start different applications having a valid access to the W3.
Rgds,
JacK
FanJ
August 6th, 2002, 08:47 AM
OK, Thanks JacK ;)
Cheers, Jan.
jvmorris
August 6th, 2002, 10:36 AM
-{ Quote: "quoting Forum Admin:
-{ Quote: "if a firewall can verify checksums.....why aren't the virus scanners and trojan scanners doing this same job?" }-
By design AVs and ATs are for one purpose only: detecting and handling malware - databased and/or using heuristics. In case of a databased "fingerprint" including malware characteristics (a dll could be part of that) it will be flagged.
Thus, something "nasty" has to be detected, triggering the AV or AT. In principle, a dll as such is not malware. In short: IMHO this isn't an issue for AVs nor ATs. Only in case for example a dll is part of a virus/worm/backdoor/trojan, AVs/ATs should be able to handle it. As far as I see it, this isn't the case here." }-
I'm sort of jumping into this in mid-stream, so I may have overlooked something previously said, however, . . . .
Actually, Paul, at one time AV software did run checksums -- specifically Central Point Anti-Virus (a part of Central Point's PC Tools for Windows for Win 3x) included CRC-32 checksumming. If the Checksum, the file date (I forget which one), or the file size changed, CPAV would alert the user. In other words, they relied on considerably more than just a virus signature or heuristics. Indeed, I believe KAV Inspector still does this.
So, it's certainly doable and in fact has been done. Unfortunately, that's of little solace in the context of this vulnerability demonstrator. As you note, this is not (as far as I can tell) a virus-like application, it doesn't modify any existing files; it appears to simply hook into anything with an internet connection. I haven't had the time to download and run PC Audit, but I suspect it dynamically links at runtime. If I'm correct, then something like Dependency Walker wouldn't pick this up (HandleEx would, however).
Furthermore, one would need a massive database of checksums, dates, file sizes, etc., to authenticate such a file. We ain't got this in Windows environments (and I doubt we'll get it either).
Using something like NIS File Check (regularly, very regularly) could alert one to having a new file on their box. But that still begs the question of what you're going to do about it.
There's an even more exotic exploit possible. This was first discussed (publicly) by someone publishing as EmilioG in the old GRC newsgroups some time back (apparently not the same EmilioG as is now sometimes seen on the DSLR forums). This was also referred to as DLL injection, but involved injection into the work space of an authentic DLL in RAM. Well, dear hearts, file authentication ain't gonna do you much good in this case! The legitimate DLL on disk would remain unchanged; only the DLL in RAM would be changed. And, in essence, this is what CRv1 did. Indeed, in CRv1, there wasn't any file on disk to authenticate -- sucker went straight into RAM.
I could ramble on for a while on this subject, but it would probably be best if I start at the beginning and read through the thread in its entirety first. ::)
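The on-disk checksumming Joseph describes (CPAV's CRC-32, size and date records; the firewall-side "has one of the DLLs changed?" check FanJ sketched a few posts earlier) can be shown in a few dozen lines. The block below is an added example, not code from CPAV, KAV Inspector, NIS File Check or any product named in this thread: it takes a baseline of the executables and modules under a directory, stores it as a JSON manifest, and on re-scan reports changed, new and missing files. The file names and contents it creates are constructed for the demonstration, and the watched-suffix list is an assumption. As Joseph points out, this kind of check only ever authenticates the image on disk; a module altered or linked only in RAM leaves it nothing to notice.

```python
"""File-integrity baseline and verification (added example).

Records, per file, the CRC-32, size and modification time that CPAV-style
checkers relied on, plus a SHA-256 digest, and reports what changed on a
later scan.  It authenticates only the on-disk image, never what a process
has loaded into RAM.
"""
import hashlib
import json
import tempfile
import zlib
from pathlib import Path

# Assumption: the module types the thread mentions as worth watching.
WATCHED_SUFFIXES = {".exe", ".dll", ".ocx", ".vxd", ".sys"}


def fingerprint(path: Path) -> dict:
    """Return the per-file record: CRC-32, SHA-256, size and integer mtime."""
    crc = 0
    sha = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
            sha.update(chunk)
    st = path.stat()
    return {
        "crc32": f"{crc & 0xFFFFFFFF:08x}",
        "sha256": sha.hexdigest(),
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }


def build_baseline(root: Path) -> dict:
    """Walk root and fingerprint every file whose suffix is watched."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def save_baseline(baseline: dict, manifest: Path) -> None:
    manifest.write_text(json.dumps(baseline, indent=2))


def load_baseline(manifest: Path) -> dict:
    return json.loads(manifest.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against the baseline.

    A file counts as changed if any recorded attribute differs; the digest
    catches edits that keep size and mtime, which date/size checks alone miss.
    """
    current = build_baseline(root)
    return {
        "changed": [n for n in current if n in baseline and current[n] != baseline[n]],
        "new": [n for n in current if n not in baseline],
        "missing": [n for n in baseline if n not in current],
    }


def demo() -> dict:
    """Constructed scenario: baseline two files, then alter one and add one."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        app.mkdir()
        (app / "iexplore.exe").write_bytes(b"stub executable\n")   # constructed content
        (app / "netlib.dll").write_bytes(b"original dll bytes\n")  # constructed content
        manifest = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(app), manifest)

        # Later: one module is modified on disk and a new one appears.
        (app / "netlib.dll").write_bytes(b"original dll bytes\n" + b"\x90" * 8)
        (app / "extra.dll").write_bytes(b"new module\n")

        return verify(app, load_baseline(manifest))


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the three lists for the constructed scenario: `netlib.dll` changed, `extra.dll` new, nothing missing. Keep the manifest somewhere the checked tree cannot write to, or sign it; a manifest that sits beside the files it describes can be rewritten along with them.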
FanJ
August 6th, 2002, 10:57 AM
Hi Joseph,
I would like to thank you so much for your posting !!! ;)
Thanks, Jan.
jvmorris
August 6th, 2002, 11:10 AM
Mickey,
I just got here and this query goes all the way back to the very beginnings of the thread where you said:-{ Quote: "quoting MickeyTheMan:
. . . . But at the same time, because of other proggies in use such as Spyblocker, i only needed this one mainly for the 2 features that i liked the most:
1. Hide System information (user agent)
2. Hide Last Page Visited (referer)
Little did i know at the time that this would become the only thing currently capable of stopping PCAUDIT . . . ." }-Again, I haven't had the time to check this out yet, but if this is a crucial component of the vulnerability being demonstrated, it would seem that AtGuard, NIS, and NPF(?) have a capability to block this exploit.
From the relevant Help page in NIS 3.0x: -{ Quote: "Browser (User Agent)
Specifies whether sites are provided with information about the type of browser and operating system you are using. If you enable Privacy Control, the Browser (User-agent) field is permitted by default.
There are three ways to handle requests for browser and operating system information:
Permit: Allows your browser to reveal the type of browser and operating system that you are using.
Block: Prevents your browser from revealing the type of browser and operating system that you are using.
Reply: Directs your browser to insert a specific string in place of the browser and operating system information that is usually sent in the user-agent field.
Troubleshooting tip
Most sites that check the user-agent field are attempting to provide customized page content that is compatible with your browser and operating system. However, malicious sites may want browser and operating system information in order to proceed with some type of attack. Misidentification helps to resist this type of attack. " }-So, would that solve the problem with PC Audit?
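The three User-Agent policies in that NIS help text (Permit, Block, Reply) are a small amount of header-rewriting logic, and the same logic covers the Referer field Mickey hides with Naviscope. The block below is an added example written for this thread, not code from NIS, AtGuard, Naviscope or any other product mentioned: it parses an outbound HTTP/1.x request head, applies a per-header policy table, and returns the rewritten request. The sample request, host name and replacement string are constructed.

```python
"""Outbound HTTP request-header privacy filter (added example).

Implements the Permit / Block / Reply policies described for the NIS
"Browser (User Agent)" setting and applies them to any request header,
here User-Agent and Referer.  The sample request is constructed.
"""
from enum import Enum


class Mode(Enum):
    PERMIT = "permit"   # send the header unchanged
    BLOCK = "block"     # drop the header entirely
    REPLY = "reply"     # substitute a fixed string for the value


# Policy table: lower-cased header name -> (mode, replacement text or None).
DEFAULT_POLICY = {
    "user-agent": (Mode.REPLY, "Mozilla/4.0 (compatible)"),  # constructed value
    "referer": (Mode.BLOCK, None),
}


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into (request_line, [(name, value), ...], body).

    Header order is preserved because the order itself is a fingerprint;
    the body is passed through untouched.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def apply_policy(raw: bytes, policy: dict = DEFAULT_POLICY) -> bytes:
    """Rewrite the request head according to policy and return the new bytes."""
    request_line, headers, body = parse_request(raw)
    out = []
    for name, value in headers:
        mode, replacement = policy.get(name.lower(), (Mode.PERMIT, None))
        if mode is Mode.BLOCK:
            continue                      # header is not sent at all
        if mode is Mode.REPLY:
            value = replacement           # fixed string replaces the real value
        out.append(f"{name}: {value}")
    head = "\r\n".join([request_line, *out]).encode("latin-1")
    return head + b"\r\n\r\n" + body


def header_value(raw: bytes, name: str):
    """Return the value of the first header called name, or None if absent."""
    _, headers, _ = parse_request(raw)
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


# Constructed request of the shape a 2002-era browser would send.
SAMPLE_REQUEST = (
    b"GET /privacy/check.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)\r\n"
    b"Referer: http://example.test/previous-page.html\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(apply_policy(SAMPLE_REQUEST).decode("latin-1"))
```

With the default table the rewritten request carries `User-Agent: Mozilla/4.0 (compatible)` and no Referer line, while Host and Accept pass through unchanged. Snowman's point earlier in the thread applies directly to the Reply mode: a fixed replacement string that nobody else uses is itself a fingerprint, so a generic value shared by many users hides more than an invented one.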
FanJ
August 6th, 2002, 11:24 AM
Hi Joseph,
-{ Quote: "Again, I haven't had the time to check this out yet, but if this is a crucial component of the vulnerability being demonstrated, it would seem that AtGuard, NIS, and NPF(?) have a capability to block this exploit.
" }-
Somewhere in the thread I posted that I was able to keep my UA "hidden" at the privacy net test, after changing a setting.
The change that I made, was exactly the one you are referring to: the one in my NIS1.0 to block User Agent.
BTW: until now I have not checked the PC Audit test myself.
I guess that the fact that I'm able to block my UA, doesn't have to mean that I am not vulnerable in general to the kind of exploits that PC Audit tries to point at.
jvmorris
August 6th, 2002, 12:00 PM
Pete,
Going all the way back to your posting on or about 7:37 AM on 5 August:-{ Quote: "quoting spy1:
. . . . Snowman - yes, I thought about changing the OS info with that reg hack, to keep from having an identifying 'fingerprint' consisting of whatever information does get through every time you click to get a link, but (like you) I realized that all that stuff would have to be constantly changed to avoid winding up with the same fingerprint anyway! . . . . " }-
Ah, yessss, . . . the registry hack! Interesting story about that. Goes back to when MS decided to shut off support to guys still running Win 3X (now why would they want to do that, I wonder? 8) ) Well, they did at any rate. Unfortunately, there were others then running Win 95 or Win 98 and they noticed that the web pages were still present; it was just that guys running Win 3X couldn't reach 'em. Puzzling that. . . . Turned out that MS was deliberately blocking users trying to access the pages, but still using Win 3x. Simple solution: Change the User-Agent information to indicate the user was using Win 9X -- problem solved! ;D (I believe that, at one point, MS did something similar to keep people using Netscape from being able to access web pages on the MS website.)
Well, that was sort of an interesting anecdote: The more important point is that this information is stored somewhere in the registry -- and PCAUDIT apparently uses a DLL to do what it does. Consequently, there's a possibility that simply blocking User-Agent in AG/NIS/NPF won't make much difference (I think that only applies to the header field sent by the browser itself.) The DLL can simply extract the information from the registry. At that point, it could start up the browser indicated in the registry (which is almost invariably going to be in its default location) and PERMITted Internet Access and then pass its message to the PCAUDIT site or using any Internet-enabled application it chooses -- presumably as long as such an application doesn't allow fine-tuning of what destination port/IP addresses are being accessed--do precisely the same thing. Now, that would be a PITA. (But it does also indicate the scope of what such an exploit could do rather well.)
FanJ
August 6th, 2002, 12:07 PM
OK,
I did the test.
I was running the very strange setting with NIS1.0 and ZAF 2.6.362 running in tandem while doing the test.
UA was blocked in NIS1.0.
ZA asked me three times whether an app was allowed to outbound access, I said no.
I succeeded in the test:
"Your computer is well protected.
To uninstall pcAudit you must re-start your computer".
I'm going to run ADinf32 Pro now to see whether indeed there is no strange file left on the system; and some other scanners ;)
jvmorris
August 6th, 2002, 12:23 PM
Snowman, from your posting of 5:49 PM on 5 August:-{ Quote: "quoting snowy: . . . . ok......as I understand this exploit.....its nothing more than a "piggy-back".......and for it to function it has to alter a dll in Explorer....." }- Well, not exactly . . . . the devil is in the details, you see. 8) First, when you 'authenticate' a DLL (or an OCX or a VXD or a SYS or a ...), you're actually authenticating the file image as it exists on disk. Specifically, you're not authenticating the file image as it exists in RAM. (Nor are you going to, I might add, because that image changes constantly as in-RAM data space is used -- those pesky buffer overflows and all that.) So, there are two obvious ways for that download from PCAUDIT to accomplish this: It can 'inject' itself into the RAM-resident image of the DLL (or whatever), presumably in some of the data buffer space, or it can simply dynamically link to one of the DLLs used by Internet-enabled applications. Neither of these alternatives would have any noticeable impact when you run file authentication utilities (real-time or non-real-time).
So, ahhh, . . . . just how many of these 'common' DLLs are there? Well, over in microsoft.public.security, you'll see an interchange between 'tack' and me in which something on the order of 14 DLLs common to both MSIE and Opera are identified. And most of these DLLs will be called by just about any Internet-enabled application. Infect or dynamically link to any of these (only in RAM, for that matter) and game over.
-{ Quote: "Now..if Explorer is placed in full protection.....which prevents any and all changes of any kind being made to the Explorer dll's..............then how is the Exploit going to mis-use the Explorer...and attach itself to it ???" }-In other words, this isn't the mechanism that appears to be being used by PCAUDIT (well, it certainly doesn't need to be the mechanism in use).
jvmorris
August 6th, 2002, 12:41 PM
-{ Quote: MickeyTheMan: "
. . . .
Putting PcAudit in a database would serve no useful purpose as it only represents a symptom of what can be done." }-
I agree completely. Like most exploit demonstrators, PCAUDIT does something benign; but its ramifications are far more complex.
-{ Quote: ". . . .Heck in one of the tests i did, i closed LNS and tried Sygate, to verify its dll authentication.
Well the darn thing used the LNS driver in trying to access.
Now you tell me. Who would usually think of blocking anything from its favourite firewall!" }-
Heheheh!!! ;D You musta missed gwion's distress when he found that the last exploit demonstrator revealed a hole in TPF/KPF (I forget exactly which one) that relied on precisely that mechanism!
jvmorris
August 6th, 2002, 01:11 PM
-{ Quote: FanJ: "
. . . .
BTW: until now I have not checked the PC Audit test myself.
I guess that the fact that I'm able to block my UA, doesn't have to mean that I am not vulnerable in general to the kind of exploits that PC Audit tries to point at." }-
Excellent double negative. :D (Careful or we'll make an Englishman out of you yet.)
You are correct. A lot of people missed the point with Gibson's initial Leaktest. They got carried away with blocking the specific implementation. The point, of course, was that it represented an entire category of potential vulnerabilities (especially in Win 9X or Win ME boxes). Similarly, the technique invoked by PC Audit could be used to do just about anything it might desire. Indeed, it would be much more dangerous than the currently popular versions of RATs and keyloggers.
Checkout
August 6th, 2002, 01:14 PM
Out of curiosity, I wonder if there's a way to feed your browser a false (and falsified) copy of the registry?
Hmm...
jvmorris
August 6th, 2002, 01:14 PM
-{ Quote: FanJ: ". . . .I was running the very strange setting with NIS1.0 and ZAF 2.6.362 running in tandem while doing the test.
UA was blocked in NIS1.0.
ZA asked me three times whether an app was allowed to outbound access, I said no. . . . " }-
Out of curiosity, what were the apps that ZA queried about? Is it like Paul said -- it simply started cycling through Internet-enabled applications?
Checkout
August 6th, 2002, 01:19 PM
Out of curiosity, do great minds start sentences alike?
jvmorris
August 6th, 2002, 01:22 PM
-{ Quote: Checkout: "
Out of curiosity, do great minds start sentences alike?" }-
Well, errr, no ... great minds don't. ;D
JacK
August 6th, 2002, 02:25 PM
-{ Quote: FanJ: "
OK,
I did the test.
I was running the very strange setting with NIS1.0 and ZAF 2.6.362 running in tandem while doing the test.
UA was blocked in NIS1.0.
ZA asked me three times whether an app was allowed to outbound access, I said no.
I succeeded in the test:
"Your computer is well protected.
To uninstall pcAudit you must re-start your computer".
I'm going to run ADinf32 Pro now to see whether indeed there is no strange file left on the system; and some other scanners ;)
" }-
Hello,
Did you run the test with IE open ?
If IE was not open, it's normal that you pass the test if Explorer is not allowed to access the W3.
Regards,
JacK
FanJ
August 6th, 2002, 05:35 PM
-{ Quote: JacK: "
Hello,
Did you run the test with IE open ?
If IE was not open, it's normal that you pass the test if Explorer is not allowed to access the W3.
Regards,
JacK
" }-
Thanks, thanks JacK !!!
Did the test again, I failed.
Stupid, stupid me; aaargggghh; back to where I belong........
:-[ ::) :-[
My apologies to all of you!
Sorry, Jan.
snowy
August 6th, 2002, 06:53 PM
Joe
as always it was a pleasure reading your very enlightening post. the following is presented as questions:
this "exploit" appears to use the VxD service hooking to insert itself into the call chain of the #'s registry functions in the win95 kernel (virtual machine manager) please correct if I am incorrect here...
first: can virtual machine manager be disabled? (I am a little confused in understanding between "virtual machine" and "virtual machine Manager") Second: if it can...how would that affect the OS? Third: would that prevent such exploits
Joe in our last discussion we somewhat kicked around this subject of monitoring....and you may recall I mentioned one program.......you also mentioned one..
just a matter of being curious on my part Joe...so please if you are busy ignore the questions.
snowman
snowy
August 6th, 2002, 07:33 PM
Joe
just thought to save you some time....I have located the answer to my question......thanks
snowman
snowy
August 6th, 2002, 07:51 PM
JUST FOR INFORMATION ONLY:::::::::
The file Microsoft msgsrv32.exe or msgsrv32.dll is a file located in the C:\WINDOWS\SYSTEM directory placed on the computer during the Windows installation. The description of this file is "Windows 32-bit VxD Message Server" and is responsible for such Windows tasks as:
Handle Plug and Play messages between various parts of the operating system.
Handle responses to and from setup programs.
Display the initial logon dialog box if a network is present or profiles are enabled.
Play the system startup and shutdown sounds.
Load the Windows drivers at startup and then unload them at shutdown.
Run the shell program.
snowy
August 6th, 2002, 08:09 PM
Joe.....and others
say is this "exploit" the same as used by trojans such as:
COMA
Frenzy
HVL-RAT
snowman
jvmorris
August 6th, 2002, 10:02 PM
-{ Quote: snowy: ". . . . this "exploit" appears to use the VxD service hooking to insert itself into the call chain of the #'s registry functions in the win95 kernel (virtual machine manager) please correct if I am incorrect here..." }-
Whoa!!! Wait!!
First, like some of the others here, I'm not downloading this thing to find out what it does. I learned my lesson on that with YALTA. Obviously, that means I haven't torn this thing apart.
For the precise details of how it works, you want input from someone who's done precisely that (and that's far beyond my area of expertise).
I'm simply extrapolating from the information provided here by people like Mickey and JacK, who have fiddled with it. This was a relatively easy call based on their observations and symptoms described. And, again, I track this kind of exploit all the way back to those seminal postings by EmilioG on the old GRC newsgroups.
In one sense, the details of exactly how PCAudit does this aren't terribly important; there are many possibilities of how it can be accomplished. In this sense, it's apparently just another later-generation Leaktest demonstrator. (And a lot of people got too caught up in the details of Leaktest and missed the larger implications.)
Let me give you a practical illustration: Here are the 13 files common to both Opera and MSIE. And, if you look closer, you'll very quickly recognize that almost all of these are going to also be called by just about any Windows-based Internet-enabled application out there.
Normally, I would be reluctant to post this list, but I already have (in another context) and long before this particular kind of exploit came to my attention -- so it ain't no big secret any more.
C:\WINDOWS\SYSTEM\NETBIOS.DLL
C:\WINDOWS\SYSTEM\NETAPI32.DLL
C:\WINDOWS\SYSTEM\COMCTL32.DLL
C:\WINDOWS\SYSTEM\WININET.DLL
C:\WINDOWS\SYSTEM\MSVCRT.DLL
C:\WINDOWS\SYSTEM\OLE32.DLL
C:\WINDOWS\SYSTEM\RPCRT4.DLL
C:\WINDOWS\SYSTEM\SHFOLDER.DLL
C:\WINDOWS\SYSTEM\SHLWAPI.DLL
C:\WINDOWS\SYSTEM\ADVAPI32.DLL
C:\WINDOWS\SYSTEM\GDI32.DLL
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\USER32.DLL
C:\WINDOWS\SYSTEM\VERSION.DLL
-{ Quote: "first: can virtual machine manager be disabled? (I am a little confused in understanding between "virtual machine" and "virtual machine Manager") Second: if it can...how would that affect the OS? Third: would that prevent such exploits" }-
I can only address the last question and my response is tentative even in that case. No, it would not necessarily.
-{ Quote: "Joe in our last discussion we somewhat kicked around this subject of monitoring....and you may recall I mentioned one program.......you also mentioned one.." }-
Sure, remember that well. File authentication and monitoring (e.g., registry monitoring) are all parts of an effective suite of security utilities -- but both functions don't need to be in the same utility and they don't solve all the problems out there. Specifically, I don't think they'll solve this one.
In one sense I believe in security through diversity. I like having multiple vendors for multiple specialized utilities. And I would actually encourage people to use different vendors for different utilities. With the existing emphasis on code re-use, it's quite likely that if one utility provided by a vendor has a vulnerability, so will others. But it's far less likely that that 'common' vulnerability will be present in different kinds of utilities provided by different vendors. And it makes it a bit more difficult for the bad guys.
snowy
August 6th, 2002, 10:24 PM
Joe
LOL...no I wont download this either.....
hey much thanks for your response....as mentioned this is merely a matter of being curious on my part.......at first just something to do on a rainy afternoon......I certainly haven't the knowledge to tear these things apart......curious yes...but not that curious...LOL
wishing a great day......
respectfully
snowman
Kec Velaskec
July 22nd, 2004, 12:49 PM
Hello:)
New address for pcAudit http://www.pcinternetpatrol.com/products/index.php?product=audit.
notageek
July 22nd, 2004, 07:30 PM
I would like to know. Why would you let a program like this run on your system? (not saying this program is bad) I mean if you allow this program to run (SSM users) you're defeating the point of using SSM. The whole point of using SSM is to block silly little programs like this. I think PG might even flag this program and ask if you want to allow it to run. I doubt a webpage can get into your computer and see what's on it and if they do well that's what encryption is for. :) I know this thread is there to help people understand this type of thing but I feel that if you don't know what you're downloading, well don't download it. Practice safe computing and be happy. :)
Paranoid2000
July 23rd, 2004, 12:30 AM
-{ Quote: "I would like to know. Why would you let a program like this run on your system? (not saying this program is bad) I mean if you allow this program to run (SSM users) you're defeating the point of using SSM. The whole point of using SSM is to block silly little programs like this." }-
If you know a program is suspicious then yes, you could block it from running with SSM. But what if it was part of a supposedly legitimate application? The test here is whether SSM can alert you to suspicious behaviour - if a screensaver tries injecting a DLL into your browser and terminating your firewall (which SSM will detect in most cases) then that is the point at which most people's suspicions would be raised. Not all malware will be called evil-exploit.exe. ;D
-{ Quote: "I think PG might even flag this program and ask if you want to allow it to run." }-
With Execution Protection enabled, yes.
-{ Quote: "I doubt a webpage can get into your computer and see what's on it and if they do well that's what encryption is for. :)" }-
If you use Internet Explorer and have not been keeping up to date with patches, it sure can (http://secunia.com/advisories/11793/). Even if you are up to date patch-wise, you could still get burnt by someone using an exploit not yet discovered, acknowledged or fixed by Microsoft.
-{ Quote: "I know this thread is there to help people understand this type of thing but I feel that if you don't know what you're downloading, well don't download it." }-
In essence you are saying don't download anything - because without disassembling and analyzing every program beforehand, you can't be sure of whether they have malicious code or not. Hence the use of signature scanners (AV's and AT's) for "known" malware and behaviour monitors (firewalls, process monitors, registry trackers) for the "unknown".
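Both jvmorris's point earlier in the thread (a per-application firewall rule trusts the browser, so a payload that gets itself into the browser's address space walks out through that rule) and the screensaver scenario in the post above (a DLL injected into the browser, then an attempt to terminate the firewall) come down to the same detection question: does the host notice what went into the trusted process before it connected out? The following is an added example, not code from the thread or from SSM, Sygate or pcAudit. It runs four behaviour rules over a constructed, Sysmon-style event list; the process images, directories, destination addresses and the firewall image name `smc.exe` are all assumptions chosen for the example, and the `PROCESS_TERMINATE` access mask is the Windows constant 0x0001.

```python
"""Behaviour-monitor rules for the DLL-injection leak discussed in this thread."""
from collections import defaultdict

# Applications a per-application firewall rule would trust for outbound access (assumption).
NET_APPS = {
    "c:\\program files\\internet explorer\\iexplore.exe",
    "c:\\program files\\opera\\opera.exe",
}
# Image of the firewall's own process (assumed name; used by the tamper rule).
FIREWALL_IMAGES = {"c:\\program files\\sygate\\smc.exe"}
# Directories from which a trusted application is expected to load modules (assumption).
TRUSTED_MODULE_DIRS = (
    "c:\\windows\\system\\",
    "c:\\windows\\system32\\",
    "c:\\program files\\internet explorer\\",
    "c:\\program files\\opera\\",
)
PROCESS_TERMINATE = 0x0001  # Windows process access right

# Constructed Sysmon-style events, not real telemetry: the browser is running,
# a screensaver injects into it, the browser connects out, then the injector
# opens the firewall process with terminate rights.
EVENTS = [
    {"event": "ProcessCreate", "pid": 100, "image": "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"},
    {"event": "ProcessCreate", "pid": 200, "image": "C:\\Program Files\\Sygate\\smc.exe"},
    {"event": "ImageLoad", "pid": 100, "module": "C:\\WINDOWS\\SYSTEM\\WININET.DLL"},
    {"event": "NetworkConnect", "pid": 100, "dest": "198.51.100.10:80"},
    {"event": "ProcessCreate", "pid": 300, "image": "C:\\Downloads\\cute.scr"},
    {"event": "CreateRemoteThread", "source_pid": 300, "target_pid": 100},
    {"event": "ImageLoad", "pid": 100, "module": "C:\\Downloads\\payload.dll"},
    {"event": "NetworkConnect", "pid": 100, "dest": "203.0.113.5:80"},
    {"event": "ProcessAccess", "source_pid": 300, "target_pid": 200, "access": PROCESS_TERMINATE},
]


def analyse(events):
    """Return (rule, pid, detail) alerts; a per-app firewall alone would raise none of them."""
    images = {}                  # pid -> lower-cased image path
    tainted = defaultdict(list)  # pid -> reasons the process is no longer the app it claims to be
    alerts = []
    for ev in events:
        kind = ev["event"]
        if kind == "ProcessCreate":
            images[ev["pid"]] = ev["image"].lower()
        elif kind == "CreateRemoteThread":
            tgt = ev["target_pid"]
            if images.get(tgt) in NET_APPS:
                tainted[tgt].append("remote thread from pid %d" % ev["source_pid"])
                alerts.append(("injection", tgt, images.get(ev["source_pid"])))
        elif kind == "ImageLoad":
            pid, mod = ev["pid"], ev["module"].lower()
            if images.get(pid) in NET_APPS and not mod.startswith(TRUSTED_MODULE_DIRS):
                tainted[pid].append("foreign module " + mod)
                alerts.append(("foreign_module", pid, mod))
        elif kind == "NetworkConnect":
            pid = ev["pid"]
            if pid in tainted:  # trusted image, but its address space is no longer its own
                alerts.append(("leak", pid, ev["dest"]))
        elif kind == "ProcessAccess":
            tgt = ev["target_pid"]
            if images.get(tgt) in FIREWALL_IMAGES and ev["access"] & PROCESS_TERMINATE:
                alerts.append(("firewall_tamper", tgt, images.get(ev["source_pid"])))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print("%-16s pid=%d %s" % (rule, pid, detail))
```

The first browser connection raises nothing, because nothing has happened to the browser yet; the second raises a `leak` only because the remote thread and the foreign module load were recorded against that pid first. That ordering is the whole point: the connection itself looks identical to the firewall in both cases, so the decision has to be made on process behaviour, not on which image name owns the socket.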
notageek
July 23rd, 2004, 01:51 AM
Paranoid. Most people get a computer, get online and don't have an AV or firewall. They go and see these cool things like take themexp.com or a site like it that offers themes, wallpaper and such. Someone new to the internet can stumble on these sites and download stuff that will put ads on their computer. Next they get a slowdown and start to panic and next you see them posting help anywhere and I mean anywhere. They get HJT, run it and their computer is filled with bad junk. Now my post was referring to people that don't have computer knowledge. I mean they don't know what they are downloading and where it came from and who made it.
As you said SSM will catch most if not all the DLL injection. I think Sygate will catch most also.
If people would have a well rounded security setup they should be ok. I mean like AV, AT, Anti Spyware program, browser that isn't IE and a firewall. That's the basics to start with. I wouldn't suggest them to go out and download HJT and mess with that, being that it could mess up their computer if they do something they shouldn't.
But back to the topic at hand. PcAudit is just another program there to pretty much scare you into believing that everyone is out to get you (not you per se, anyone). If you know security or hang around forums like these you should get a good feeling of what to do in cases like this. ;) I'm not going to download and run PcAudit because I have nothing to prove to myself. I feel safe. ;)
Copyright ©2002 - 2013, Wilders Security Forums