Wilders Security Forums  

#1
February 4th, 2004, 04:42 PM
anonymous
Posts: n/a
Question about process injecting trojans

If trojans that use server-to-client connection are "injected" into, say, explorer.exe, will software firewalls like ZA and Kerio show explorer.exe as connected to an external IP address?
#2
February 5th, 2004, 09:49 PM
Gavin - DiamondCS
Former DCS Moderator
Join Date: Feb 2002
Location: Perth, Western Australia
Posts: 2,080
Re: Question about process injecting trojans

Hi,

Yes, the parent process is shown as having the connection, since a DLL trojan becomes part of that process. In some cases, of course, there could be some patching to hide the connection from netstat.

You might want to look at Process Guard if you have a connection like this occurring. Probably BEAST, if anything. I would recommend you use ASViewer to show me what autostarts you have; you can email gavin@diamondcs.com.au with the results.

Or try to find the DLL in explorer by yourself with APM, if you are experienced. See our site for downloads of these programs.
#3
February 7th, 2004, 12:04 PM
anonymous
Posts: n/a
Re: Question about process injecting trojans

Thanks for the reply. I'm not infected with anything to my knowledge, but I was just curious if a software firewall would give any indication that a DLL trojan server (they all claim to be "FWB") is trying to connect to a client machine in the event that I might get infected with something built from scratch that isn't in any AV/AT signature databases.
#4
February 7th, 2004, 01:36 PM
LowWaterMark
Administrator
Join Date: Aug 2002
Location: New England
Posts: 15,522
Re: Question about process injecting trojans

Well, as far as the firewalls go, it will depend upon versions and features. For example, the pay versions of Zone Alarm (ZAPlus and ZAPro) have component level controls in them. If you have one of those versions and have that feature enabled, then when a new component becomes part of a previously used network aware program, ZA alerts you to that new component and lets you either block it or allow it.

But, you do need to stay on top of these types of alerts because often as you use features in a program you have not used before, they may draw in new components not registered yet in the ZA component listing. In this case, they are probably completely valid components. So, being aware of what's going on and researching new components when alerts are received can require some extra effort. There's no way for the firewall to know which components are good and which are bad.
#5
February 8th, 2004, 05:12 AM
Gavin - DiamondCS
Former DCS Moderator
Join Date: Feb 2002
Location: Perth, Western Australia
Posts: 2,080
Re: Question about process injecting trojans

Most firewalls now do some to a lot of blocking of this.

The readme to a downloader I analysed, which was brand new, claims to bypass the latest Zone Alarm, and some I know are using inventive methods to do it. I won't mention HOW, but there are some very tricky and inventive methods which can't be stopped easily.
#6
February 8th, 2004, 05:41 AM
shapechanger2
Posts: n/a
Re: Question about process injecting trojans

"If trojans that use server-to-client connection are "injected" into, say, explorer.exe, will software firewalls like ZA and Kerio show explorer.exe as connected to an external IP address?"

Usually, firewalls are bypassed by exploiting the ruleset. This means the DLL is injected into a trusted application for which an "allow rule" exists. (An exception applies to port-cloaking rootkits.)

In other words, the firewall WILL generally detect any incoming or outgoing connections. But the user has created a rule which will allow such connections. For example, every user needs to create a ruleset which allows the web browser to connect to the internet (remote ports 80, 443, 8080 etc.). If a DLL trojan is injected into the browser and attempts to connect to these remote ports the firewall will usually be bypassed.

Some firewalls will tell you if a new module (e.g., the DLL trojan) is inserted into the browser. However, see LowWaterMark's post which correctly describes the problem.

Process Guard or System Safety Monitor will tell you if a DLL trojan is injected in a "bad, suspicious" manner into another application. For example, dynamic injection methods CreateRemoteThread and SetWindowsHookEx are covered.

Process Guard or System Safety Monitor will not help you if the DLL is loaded via LoadLibrary (static injection method). It is also possible to register a DLL trojan as an In-process Server. For example, MyDoom.A does the following:

--snip--
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
@="WebCheck"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\shimgapi.dll"
"ThreadingModel"="Apartment"
--snip--

In summary, DLL trojans are still a nuisance.
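An added detection example, not code from the thread or from any of the products named in it: a small Python script that parses a .reg export like the MyDoom.A snippet quoted above and flags InProcServer32 handlers whose DLL sits outside the Windows or Program Files directories. The trusted-prefix list, the function names and the benign second CLSID entry in the sample are constructed assumptions.

```python
# Added example (not from the thread): parse a Windows .reg export such as the
# MyDoom.A snippet quoted above and flag CLSID InProcServer32 handlers whose DLL
# lives outside the usual system/program directories. Function names are hypothetical.
import re

# Constructed sample: the WebCheck hijack quoted in the post plus one made-up
# benign entry pointing at a DLL under the Windows directory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
@="WebCheck"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\shimgapi.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\system32\\example.dll"
"""

# Assumed "normal" homes for COM server DLLs; anything else gets reported.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslash and quote with a backslash
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys

def suspicious_inproc_servers(text):
    """Return [(clsid, dll)] for InProcServer32 handlers outside TRUSTED_PREFIXES."""
    hits = []
    for key, values in parse_reg(text).items():
        if not key.lower().endswith("\\inprocserver32"):
            continue
        dll = values.get("(Default)", "")
        if dll and not dll.lower().startswith(TRUSTED_PREFIXES):
            hits.append((key.split("\\")[-2], dll))
    return hits

if __name__ == "__main__":
    for clsid, dll in suspicious_inproc_servers(SAMPLE_REG):
        print(f"{clsid} -> {dll}")
```

Run against a real export (reg export HKCR\CLSID out.reg) the same function gives a triage list; the prefix allowlist is deliberately crude and only narrows what to look at.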