Firewall Killer - AntiSec

Discussion in 'other firewalls' started by WE Sim, Apr 8, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Pete,

    If I understand you correctly, your question isn't that much about the TerminateProcess API call, but about how software should act in case such a call was made by a malicious nastie.

    If my memory serves me well, ZA, BOClean and some others do have a module implemented doing exactly as you asked for, and TDS4 will have such a module. Ideally, such a module would not be related directly to the Windows kernel; nasties can run parallel to or under the Windows stack. If only MSoft would not declare the kernel totally "off limits" it would be much easier to cope with all this. Several requests have been made for that - to no avail.

    Renaming such a module seems a technical impossibility to me at first glance.

    Nevertheless, the ultimate conclusion stays up: if something malicious would kill the .exe, one should be sure to clean one's system first.

    Sophisticated nasties are capable of recreating themselves (trojan servers) within say a 5 second interval - or of "melting". This struggle is far from over yet IMHO.

    Being noticed surely is a nice asset - nevertheless, fact remains one deals with an infected system at that time. Coping with the infection should have number 1 priority.

    regards.

    paul
     
  2. snowman

    snowman Guest

    Paul

    please excuse me.....I am rather struggling to fully comprehend the real danger of this particular exploit....

    reason being......perhaps you may recall that ZA was a target of this type of exploit in the not so far past......and at the time a third party provided a patch....later ZA provided a new version that could not be exploited in this manner..............and here is where I am confused.........the first exploit (patched) was a remote terminate process.........the new exploit.....and correct me if I'm mistaken.....is a trojan type that would need to be installed............nevertheless...the terminate process patch should work in either case.....

         
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    snowman,

    This exploit is no more dangerous than a CTRL+ALT+DEL. It successfully terminates the targeted running app - no more, no less. The app is not being put out of business for good at all.

    Guess you are referring to the ZA Mutex Patch - a nice and necessary patch - at least at that time. Many still apply this patch.

    I agree with your conclusion: in the end it comes down to this TP Call. As long as the fact such a call happens and the .exe is shut down will be known in any way to the system user, IMHO it's no big deal - on the contrary: I consider it (from a black hat side) a dumb move: alerting a system user something is fooling with his system is the best way to make sure to take care of it.

    Bottom line: IMHO this one is kid stuff. Anyone not being asleep (and keeping his security apps updated) should not worry that much.

    regards.

    paul
     
  4. snowman

    snowman Guest

    Paul

    thank you....I realize the value of your time and appreciate your reply.

    yes the mutex patch was the one I had in mind....I didn't know it was still obtainable.

    I had a feeling that you might grade this exploit along the lines that you did......and it's taken as a valued opinion........and again..thanks

    snowman
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    My pleasure, snowman  ;).

    regards.

    paul
     
  6. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    THXS snow man and Paul=)

    now i can sleep tight cuddled with my rocket launcher
     
  7. linney

    linney Registered Member

    Joined:
    Feb 17, 2002
    Posts:
    174
    Some background here on the Author of Antisec, and other information.

    http://forums.zdnet.com/group/zd.Security.Virus.Alerts/cnet/cnetnt.tpt/@thread@23733@F@1@D-,D@ALL/@article@mark@23733?EXP=ALL&VWM=&ROS=&OC=300
     
  8. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Blaze pulls out 36mm 6 shot rotary multi launcher =) lock and load baby.

    These mofos are going down.

    mass clicking sounds in the background =) =) =) =) =) =).

    bunch of little eyes begin to rise from the shadows lol
     
  9. Checkout;

    Checkout; Guest

    Blaze, to paraphrase Bing Crosby:

    Wiredniss becom yuo,
    it go wiht you hiar...

    :) :) :) ;)
     
  10. FanJ

    FanJ Guest

    I saw AntiSec is in the database of BOClean and TDS-3, and I just read in an update notice by Paul W. that it is also in the database of TrojanHunter.
     
  11. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
  12. Blacksheep

    Blacksheep Spyware Fighter

    Joined:
    Feb 9, 2002
    Posts:
    109
    Location:
    Missouri, USA
    I believe that Bionet can corrupt and put security software out of business.

    http://www.nsclean.com/psc-bionet.html

    See SYNOPSIS:
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Hi blacksheep,

    If my memory serves me well, we did provide that first copy to PSC/BOClean  ;).

    IMHO it's not the question if a security app can be put out of business: many, many nasties do have similar abilities. Question is:

    - can/will this be notified by design from the security software in question;

    - if so, is it possible to clean a system and (if necessary) start using the security software.

    IMO that's a conformative in regard to both.

    regards,

    paul
     
  14. FanJ

    FanJ Guest

    Paul was talking about the TerminateProcess() function.
    Kevin McAleavey (the creator of BOClean) made a very interesting posting at GRC.Security.Software in a thread called "Strange backdoor.trojan behavior".
    https://grc.com/x/news.exe?cmd=article&group=grc.security.software&item=56531&utag=

    -begin quote-

    Let's fire up the wayback machine to March 22, 2001 when we posted a
    report on our site regarding a specific trojan that exploited the
    TerminateProcess() function on EVERY major antivirus and firewall in
    existence ... please note in particular the THIRD paragraph down:

     http://www.nsclean.com/psc-bion.html   (Bionet 3.13)

    and then the list beneath that of what it took out. You could also add to
    the list if you knew the specific programs to target. VSMON would get
    yanked first, then the ZA GUI. Same for "watchdogs" employed by other
    software to protect the main program.

    Since BioNet, hundreds of other trojans incorporated this "ability" to
    take out all sorts of programs, most notably "MoSucker" which went beyond
    the original "one-shot" of BioNet and would keep nailing the various
    programs every second. Whereas with BioNet, you could restart the programs
    affected (if they weren't rendered corrupt) and hopefully nail them.
    MoSucker and a number of others however would keep whacking the security
    software and take it out before it even had a chance to get started, much
    less get to work. Fortunately, most of the hundreds of trojans designed to
    take out security software are VERY poorly written and don't work. However
    this OLD NEWS issue was what forced us to redesign BOClean 4.07 into
    BOClean 4.08 last year in order to do as much as possible to prevent it
    since our previous separate "watchdog" program was just as exposed as
    BOClean itself was at the time.

    What the DIRT thing shows is old news. Nailing security programs with
    TerminateProcess actually goes back a couple of years now but BioNet
    actually made it push button easy which is why we made note of it in the
    report last year.

    The REAL PROBLEM however isn't in the security programs, the problem is
    Microsoft's DELIBERATE DESIGN. THERE IS NO SOLUTION FOR TERMINATEPROCESS other than having Microsoft put up a "Kill? Y/N" box before the kernel's TerminateProcess() function pulls the rug out. Nobody but Microsoft can fix this and they have consistently, irrevocably REFUSED to do so. We've been after them for years about this ourselves as have been many others to no avail.


    ========================
    <snip>
    ========================

    What's going on is a truly bad design and while the discussion has
    centered on blaming the various security companies for the problem when
    it's really Microsoft's fault (although all of us have done our utmost to
    circumvent this as best as we can) there IS NO SOLUTION until Microsoft is
    made to deal with this. I'd encourage folks to make the point to Microsoft
    personally here.

    <snip>

    If Microsoft could be encouraged to do this, you could STILL hit YES on a
    hung program to kill it, but more importantly if malware decided to kill
    your firewall, you could let the box sit there while you determined WHY
    the box appeared and then decide Yes or No to the box ... but in the
    ongoing debate here, this whole point of where the ACTUAL fault lies has
    been completely ignored.

    Needless to say, I've been getting squatola done on my end here with all
    the questions pertaining to this dirtbag parlor trick. Real trojans today
    have that capability and they have had it for well over two years now.
    Anyone want to get Microsoft interested in fixing THIS hole? It's not like
    it's not been noticed or is a new one.

    -end quote-
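Paul's first post describes a module that notices when the security .exe is killed, and Kevin's quoted note explains why a one-shot kill (BioNet) can be recovered by restarting, while an every-second killer (MoSucker) cannot. The following is an added example, not code from BOClean, ZoneAlarm, TDS or any poster in this thread, of such a "notice the kill" watchdog: it supervises a child process, records every exit it did not itself request, restarts the process a bounded number of times, and once that budget is spent raises an alert so the user cleans the system rather than letting the watchdog loop forever. The class and function names, the restart threshold and the sleeping dummy application are assumptions made for the example.

```python
"""Added example (not BOClean, ZA or TDS code): a minimal "notice the kill"
watchdog of the kind the thread describes. It supervises a child process,
records every exit it did not request, restarts it a bounded number of times,
and raises an alert once the budget is spent so the user cleans the system
instead of letting the watchdog loop forever against a MoSucker-style
every-second killer. Names, thresholds and the dummy child are assumptions."""
import logging
import subprocess
import sys
import time
from dataclasses import dataclass, field

log = logging.getLogger("watchdog")

# Constructed stand-in for the supervised security application: it just sleeps.
DUMMY_APP = [sys.executable, "-c", "import time; time.sleep(30)"]


@dataclass
class Report:
    unexpected_exits: int = 0          # exits the watchdog did not request
    restarts: int = 0                  # restarts actually performed
    exit_codes: list = field(default_factory=list)
    gave_up: bool = False              # restart budget exhausted -> user alert


class Watchdog:
    def __init__(self, argv, max_restarts=2):
        self.argv = argv
        self.max_restarts = max_restarts
        self.proc = None
        self.stopping = False
        self.report = Report()

    def start(self):
        self.proc = subprocess.Popen(self.argv)
        return self.proc.pid

    def stop(self):
        """Orderly shutdown requested by the user; not counted as an attack."""
        self.stopping = True
        if self.proc is not None and self.proc.poll() is None:
            self.proc.terminate()
            self.proc.wait()

    def check(self):
        """One supervision tick. Returns True while the app is (again) running."""
        rc = self.proc.poll()
        if rc is None:
            return True                # still alive
        if self.stopping:
            return False               # we asked it to exit
        # The process vanished without our consent: this is the event Paul
        # and Kevin discuss. On POSIX a kill shows up as a negative code (-9
        # for SIGKILL); on Windows TerminateProcess leaves the caller's code.
        self.report.unexpected_exits += 1
        self.report.exit_codes.append(rc)
        log.warning("ALERT: pid %d exited unexpectedly (code %s)", self.proc.pid, rc)
        if self.report.restarts >= self.max_restarts:
            self.report.gave_up = True
            log.error("ALERT: restart budget exhausted; treat the host as infected and clean it first")
            return False
        self.report.restarts += 1
        self.start()
        return True

    def supervise(self, seconds, poll_interval=0.05):
        """Poll until the deadline or until check() says to stop."""
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline and self.check():
            time.sleep(poll_interval)
        return self.report


def run_demo(kills=3, max_restarts=2):
    """Constructed scenario: the supervised app is killed `kills` times in a
    row (standing in for repeated TerminateProcess calls against it) and the
    watchdog reacts to each. Returns the Report for inspection."""
    wd = Watchdog(DUMMY_APP, max_restarts=max_restarts)
    wd.start()
    for _ in range(kills):
        if not wd.check():
            break
        wd.proc.kill()                 # the hostile event, against our own child
        wd.proc.wait()                 # make the exit visible to poll()
        wd.check()
    wd.stop()
    return wd.report


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    print(run_demo())
```

Running the file kills the dummy application three times: the first two exits are logged and the app is restarted, the third exhausts the budget and produces the "clean the host first" alert, which is Paul's conclusion in code. The watchdog is itself an ordinary process and, as Kevin's quote says of BOClean's old separate watchdog, just as exposed to the same call; the example shows the noticing and the bounded restart, not self-protection.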
     
  15. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    As I posted on the 9th:

    This is common knowledge btw; most security software designers in regard to these nasties fully agree on this for ages (and Kevin/PSC knows!).

    For the record: the analysis mentioned above is not related to the last version of Bionet - although the principle stays the same.

    regards.

    paul
     
  16. snowman

    snowman Guest

    *The Principle Stays The Same*

    although Paul says it much better than I could ever hope to.....this was what I was pointing to when making my inquiry......

    not being a programmer/coder..nor a security expert..I would dare not be so foolish as to be judgemental of the capabilities of any virus/trojan...and would instead heed the advice/opinions of those who are really capable and knowledgeable in this field...

    there is evidence that this type of exploit has been around awhile (other trojans like it)......and my personal thoughts on this particular trojan are that it's fourth rate...and isn't going to cause the sky to fall.  But what I think isn't important.....it's what people in the security community who do their jobs to earn their livelihood whose opinions should be taken seriously.

    will I lose sleep over this exploit...hardly....will I tremble with fear when using my computer because this exploit is in the wild.......the only trembles will be from not having my morning coffee.....none other.

    this issue has been in the face of M$ for years...one among many.

    countless hours are spent by computer users around the world trying to protect themselves from exploits that should be the responsibility of M$.......and the people in the security community have sleepless nights trying to provide tools to assist users in their ongoing struggle........

    I am not going to keep a glass of water nearby to pour over my cpu/monitor in case this exploit should hit my computer.......in fact I consider Brilliant to be a far worse threat.....

    my humble lil opinion

    snowman

         
     
  17. Blacksheep

    Blacksheep Spyware Fighter

    Joined:
    Feb 9, 2002
    Posts:
    109
    Location:
    Missouri, USA
    Thanks FanJ and Paul,

    Yes I was aware the TerminateProcess problem is an OS flaw and old news. The trojan coder vs AT coder, virus coder vs AV coder = coder wars with not much help from MS.
     