LnS & LSP Trojans

Discussion in 'LnS English Forum' started by guest3, Oct 3, 2003.

Thread Status:
Not open for further replies.
  1. guest3

    guest3 Guest

    Currently, a lot of trojan coders try to develop an LSP trojan.

    LSP trojans are trojans which work as a Winsock LSP (layered service provider). See here ( http://air.knu.ac.kr/reference/COM/layeredservicetop.htm ) for background information.

    The idea is to tunnel firewalls. Can this work? I thought most modern firewalls would already support the filtering of low level drivers. Will LnS stop LSP trojans?

    Thx for any information.
  2. Phant0m

    Phant0m Registered Member

    Jun 7, 2003
    Look ‘n’ Stop Personal Firewall (Pro) version has NDIS & TDI level filtering; so to answer your question, Yes Look ‘n’ Stop has capabilities to stop LSP Trojans… :D
  3. Nautilus

    Nautilus Registered Member

    Oct 22, 2002
    Article from Eyal Dotan (VB, June 2003), excerpt:

    "Another way of performing PIDF [Ann.: Process ID Falsification] is through a layer called WinSock's Service Provider Interface (SPI). SPI, also called LSP (Layered Service Provider), is an interface for hooking all socket operations within the system. In other words, whenever any program accesses the Internet, the SPI hook (the Trojan's DLL in this case) is called as if it were loaded by that program. Any I/O request that is performed from within the SPI hook will be seen by the system (and by the personal firewall) as having come from the legitimate program that initiated an Internet operation. So, in addition to falsifying process IDs, SPI allows the Trojan to be launched at the machine's startup, with no easily detectable traces. Neither does SPI execute any process - SPI is merely a DLL that is loaded by any and all trusted Internet programs on the machine. Hence, it is not visible in the task list either."

    I would guess that's something System Safety Monitor or Tiny Personal Firewall's sandbox will have to take care of ...
