Firewall Killer - AntiSec

Discussion in 'other firewalls' started by WE Sim, Apr 8, 2002.

Thread Status:
Not open for further replies.
  1. WE Sim

    WE Sim Guest

    Hi!

    Not sure whether this issue was discussed here. If not, take a look at the software here:

    AntiSec disarms firewall and similar anti-intrusion programs while leaving the programs' icons in place as if protection was in force, thus allowing snooping programs access to computers without the owners knowing.

    http://cryptome.org/dirty-antisec.htm

    This issue is also currently being discussed under grc.security.software
     
  2. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Ahhhhhhhhhhhhhh emergency emergency panic panic Anarchy anarchy Blaze run around in circles.

    I knew I wasn't tripping the other day. I went to a bad site and my ZoneAlarm said TrueVector disabled and the ZA Pro told me to reboot my system and the logo was a big red box with a yellow x.

    But it was only temporary.

    What you're talking about is a ZA KILLER, RIGHT?

    Panic panic=(
     
  3. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    ughhhhhhhhhhh
     
  4. WE Sim

    WE Sim Guest

    Hi MRBLAZE!

    The software not only disables ZA but the following firewalls/IDS programs as well:

    Boshield.ico
    Esafe.ico
    cyberwall.ico
    Atguard1.ico
    Blackice.ico
    zonealarm.ico
    lockdown2000.ico
    neverhack.ico
    Jammer1.ico
    eTrust Intrusion Detection.ico
     
  5. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Well, what are they doing about it? gulp=(

    Any news, any real feedback? Does that include the latest ZoneAlarm Pro 3020?

    Blaze grabs WE Sim's t-shirt: d.a.m.n it man, tell me, tell me (hysterically)
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I'd regard anything that's coming from Codex with a grain of salt until we get some hard info on the actual capabilities of the program. I'm heading over to GRC and DSL to catch up on what's been written. Later. Pete
     
  7. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    spy1 will sneak in and get the lowdown on those mofos. Good luck, spy1.
     
  8. FanJ

    FanJ Guest

    I have not read it yet, so my thoughts might be premature (!), but I would be surprised if a good AT wouldn't protect you against such a thing....
    Well, let's see.
     
  9. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    lol that would suck: you get ZA Pro and all firewalls are obsolete because some guy made that firewall killer.
     
  10. Blacksheep

    Blacksheep Spyware Fighter

    Joined:
    Feb 9, 2002
    Posts:
    109
    Location:
    Missouri, USA
    I don't see SPF Pro 5 on that list - it has TerminateProcess protection.
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    A TerminateProcess API Call is IMHO not the smartest way to "deal" with security apps. There are far more sophisticated ways to put these out of business.

    Nevertheless, these nasties should be databased - and are in the meanwhile.

    regards.

    paul
     
  12. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Blast it man we need insight

    Ring the bells, all paranoid newbies head for the hills, grab your women and children.

    Blaze shows up in Celt blue face and dress: they may take our land but they will never take our freedom.

    anybody else feel a cold breeze?=)
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    As a matter of fact: I do. It's the climate over here  :oops:

    Simply put, Sir Blaze: such an API call would terminate an app - and most apps will notice, thus so will you. No fun, but easily detectable. Scan and clean your system, and in principle your system should be clean. Changing an app would be much more to fear: the icon could be up - although in reality it wouldn't run. For that reason, an MD5 checksum (or at least CRC32) is a necessity: one would be alerted as soon as the checksum would be altered.

    (sophisticated variants are possible - but let's stick to the essence).

    regards.

    paul
     
  14. snowman

    snowman Guest

    I'll wait to see what the experts have to say.....right now this thing doesn't seem very impressive to me........a process ender??   or so it would seem.

    don't think I'll be losing any sleep over this.

    MR BLAZE

    hope you are enjoying your very brand new firewall........there was a recent update....you are aware of it huh?  am not sure but I think it was a patch for the e mail feature.........not really sure
     
  15. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    The general consensus on other forums seems to be that its threat is minimal.

    While the program claims to have shut down such-and-such a firewall when run, in many reported cases it actually hadn't - in the cases where it did, simply re-starting the app worked.

    If you're running something like ZA, and using the DeskBand, it'll be instantly apparent if the icon's been replaced (you won't see activity on the bar while you're online anymore when you're surfing).

    I wonder why more programs don't have a feature like that? And why it's seemingly so hard for the firewall manufacturers to include a feature that severs your Internet connection instantly if your firewall goes down while you're online? (It seems to me a small, separate program could be included which would constantly monitor two conditions - are you (a) online and (b) is the firewall up and running. If (a) is true and (b) is false, it would instantly cut your connection and throw up a box asking you to re-start your firewall.) Pete
     
  16. FanJ

    FanJ Guest

    But that extra program could also be put out of control.
    So it still would be a good idea to have a good resident running AT.
     
  17. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Resident running AT's are targeted by the same kinds of exploits. They should have the same feature included.

    As I said, this small program would be separate from whatever the parent program is, and one of the requirements of using it would be to re-name it to something of your choice (thus making it secure from disabling - it can't be shut down if malware doesn't know what its path is).

    Where's javacool at - I bet he could design a program that would do this himself (you could have a 'fill-in-the-blank' feature for whatever program you're trying to cover with it). Pete
     
  18. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Sorry to say, but it's just a part of the Windows design. A TerminateProcess API Call is in use for ending all running apps - that call is used whenever you close any running program.

    Thus, it can be called by any - in this case nasty - executable you will install, a trojanserver for example. No way around that.

    regards,

    paul
     
  19. snowman

    snowman Guest

    TerminateProcess?  isn't that the same or very near the same as using  Alt+Ctrl+delete?

    on my os if/when using Alt+Ctrl+delete a warning window will automatically appear stating that all unsaved information will be lost if I continue.......and then there is an option to make a choice.

    am not for certain but isn't this the same way with win2000 and xp?

    Pete we have near same os's.....is that how yours works?

    so as I don't have a false sense of security.....if this is not the case it's appreciated if someone advised.

    thankingya all
     
  20. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    {SNOWMAN}   hope you are enjoying your very brand new firewall........there was a recent update....you are aware of it huh?  am not sure but I think it was a patch for the e mail feature.........not really sure

    WHERE IS THIS PATCH LOL
     
  21. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    mr.blaze - Use the 'Check for Updates' feature in ZA.

    Helpful hint - It's probably not a good idea to mock the way other people write - if it hasn't crossed your mind, that could, definitely, back-fire on you. Pete
     
  22. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    LOL=) what on God's earth are you talking about, mock? I use cut and paste lol. I'd be the last person to mock someone ROTFL LMAO have you seen my spelling

    I'm worse than anyone here lol=)

    i think you better go back and reads smomes posts ; lol

    Yes, I looked at updates already, it says there are none, I have the most current version=)

    So where is the patch, or don't I need one?
     
  23. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    snowman - No, I think it refers to whatever happens when you close any program using the program itself, not C/A/D. Like clicking the 'x' in the upper right-hand corner of the screen while you're in your browser.

    I'm not expressing myself well on my idea, apparently.

    Last shot: I'm running Program X resident in SYSTRAY, and it's in my start-up.

    I want to be instantly notified if Program X goes down - for whatever reason.

    The makers of Program X (being the nice, customer-responsive guys that they are), provide me with a small separate d/l (which is either tied into an existing process monitor on my computer or contains one of its own). All that small program does is monitor the two conditions I noted before - (a) is the computer connected to the Internet (b) is Program X a running process. If the small program (or separate module) sees that the indicated program has shut down, and the computer is still on the Internet, it instantly throws up a screen asking you if you wish to re-start the program while at the same time cutting your Internet connection. As I said before, you would have to re-name the module with the name of your choice to keep it from being terminated by any outside source - and seeing as how it's a separate d/l (those who didn't wish to make use of it wouldn't have to d/l or use it).

    I really do not understand why this wouldn't work, so someone please explain it to me. okay? pete
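
The monitor spy1 describes above, combined with the checksum check from Paul Wilders' earlier post, as an added example that is not part of the original thread. SHA-256 stands in for the MD5/CRC32 mentioned there, and the file name `firewall.exe`, the function names and the process lists are assumptions constructed for the illustration.

```python
import hashlib, os, tempfile

def file_digest(path):
    """SHA-256 of a file (stands in for the MD5/CRC32 named in the thread)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_guard(online, running, exe_path, baseline):
    """One poll: is the protected program alive and unmodified?

    online   -- True if the machine currently has a network connection
    running  -- image names of running processes (supplied by the caller)
    baseline -- digest of the executable recorded at install time
    Returns (action, reason); action is "ok", "alert" or "disconnect".
    """
    name = os.path.basename(exe_path).lower()
    alive = name in {p.lower() for p in running}
    try:
        intact = file_digest(exe_path) == baseline
    except OSError:
        intact = False  # a missing or unreadable binary counts as tampered
    if alive and intact:
        return ("ok", "process running, checksum matches")
    # The tray icon may still be shown: trust the process list and the hash.
    reason = "process not running" if not alive else "executable changed on disk"
    return ("disconnect" if online else "alert", reason)

def demo():
    """Run four polls against a constructed stand-in executable."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "firewall.exe")  # hypothetical name
        with open(exe, "wb") as f:
            f.write(b"original build")
        baseline = file_digest(exe)
        results = [check_guard(True, ["explorer.exe", "FIREWALL.EXE"], exe, baseline),
                   check_guard(True, ["explorer.exe"], exe, baseline)]  # terminated
        with open(exe, "wb") as f:
            f.write(b"patched build")  # replaced on disk, still "running"
        results.append(check_guard(True, ["firewall.exe"], exe, baseline))
        results.append(check_guard(False, [], exe, baseline))  # offline
    return results

if __name__ == "__main__":
    for action, reason in demo():
        print(action, "-", reason)
```

In real use `running` would be refreshed from the operating system's process list on every poll; as FanJ points out in the thread, the monitor is itself a process that can be terminated.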
     
  24. snowman

    snowman Guest

    Pete

    you explained yourself very well......and your idea sounds super great........I'll be watching to see if such a program is made available.

    actually,, seems I mistakenly thought that a warning would be displayed if any process was being terminated by way of the terminate process feature....and I appreciated your guidance..thanks

    P.S.

    if by chance it somehow appeared that it was me who was mocking how someone writes......I definitely did not intend to do so......and offer an apology if it appeared as such............never would I intentionally do such a thing..........and Pete I am grateful to you for pointing this out .     I type poorly.....and rarely check for mis-spelling......a bad combination.........
     
  25. snowman

    snowman Guest

    http://www.edvicesecurity.com/ad02-02.htm

    Mr Blaze

    the above url is the info I was referring to......and as Pete said......the updater should dl any patches...to be honest I may have spoken too soon and a patch has not been made as yet......my apology if such is the case,,,    from one of your other posts I was aware that you had un-checked "check for update" and I just wanted to make sure you were being fully protected.
     