Look 'n' Stop, Thermite and AWFT.

Hi All,

Recently a new leaktest has been released: Thermite. It demonstrates the use of the CreateRemoteThread Windows function to bypass firewalls.

You can find some information about Thermite here:
http://www.securityfocus.com/archive/1/312783/2003-02-20/2003-02-26/1

And there is a discussion here:
http://www.dslreports.com/forum/remark,6071614~root=security,1~mode=flat

Thermite can be downloaded from here:
http://www3.sympatico.ca/oliver.lavery/za-hole.zip

So, the Lnsfw1 driver has been updated to detect this kind of troyans.
You can retrieve it from here:
http://looknstop.soft4ever.com/Beta/Thermite/LNSFW1.SYS

This is an experimental version, so please do the following:
- rename c:\windows\system32\drivers\lnsfw1.sys to lnsfw1.old
- copy the new driver to c:\windows\system32\drivers
- reboot

In case of bluescreen, you will have to come back to the lnsfw1.old driver and send me (at looknstop@soft4ever.com) the minidump file that will be created (in c:\windows\minidump folder).
In case of the new driver not working against Thermite, please send me the driver logs (open the Console Window and press the driver logs button).

And that's not all, it seems that with this new driver Look 'n' Stop is also able to pass most (all ?) the AWFT (http://www.atelierweb.com/awft/index.htm) tests.

Please post your feedback here.

Thanks,

Frederic.

 

Hey Frederic,

is the dwonload location the right one?? The downloaded file says as version 2.0.0.3

Ruben

 

Frederic, you are just too good. I just began evaluating LNS today, and I find this kind of thing (read: commitment) very encouraging. [Sorry, I know this wasn't any sort of contribution to this thread, but I wanted to give credit where it was due.]

 

Atelier’s Leak-tester AWFT v1-3.0 is inferior to pcAudit v3.0.0.3, and I believe that’s proving since pcAudit v3.0.0.3 still capable of bypassing Look ‘n’ Stop’s Application Filtering Layer and AWFT v1-3.0 isn’t capable one bit of bypassing Look ‘n’ Stop’s Application Filtering Layer…

And I’m in reference to the method used to bypass Software Firewalls , AWFT is quite useful in a Non-Spyware related way to assist showing users Lack of security involving their Application Filtering Layer in their Software Firewalls, where pcAudit sends a lot of privacy informatics about user and their machines to the pcAudit server for storage.

 

Hi everybody,

no doubt that LnS is more more successful than most other firewalls in
answering challenges to most leaktest-programs available to the public.

But this is only one problem, why firewall makers are scratching their
head.
There are known attacks on the actual configuration settings. Some
firewall vendors have, as I read, reacted already with some success to
this threat.
Now..., when I had LnS installed for testing, I noticed several things.
Everything seemed to me rather "open", and I wondered how easy it would
be, even for an unexperienced person to insert in a few seconds, when
the PC is unattended, a diskette overwriting the rulesets and lns.reg
and executing it.
Even if the stored checksums for the applications in the lns.reg would
have been created by a one-way hash, which they obviously are not, it
would be no problem to overwrite it with anotherone and execute it.
The same attack could theoretically also be done by a trojan.
As the applications in the applications-window are not even identified
by their name/version-number/built-number it could take some time for
the user to notice the changes.
I don't know if I am right with my thoughts, but I am sure that the
discerning user will spend a few moment to think about it.

cheers

 

Hmmm intelligent response, however though any attempts made to make modification to Look ‘n’ Stop Registry Entries while Look ‘n’ Stop is currently running will not work out as they planned because Look ‘n’ Stop fetches all it’s Registry Informatics upon it’s Execution while shielding any modifications throughout it’s current session and re-applying upon abnormal attempts quickly as it becomes changes…

Have you tried terminating fully Look ‘n’ Stop’s Process? Any body or thing must do its work when Look ‘n’ Stop isn’t running in the background… And from this aspect there is quite a risk, Look ‘n’ Stop by Default (Giving) Start-up methods doesn’t provide fast enough start-up boost which anything can possibly automatically make modifications before Look ‘n’ Stop even becomes Loaded… I use the Windows Shell Start-up Group to ensure Look ‘n’ Stop becomes loaded always after the Explorer.exe.

Maybe Frederic might consider providing better Start-up Methods like in the Service Area or the Windows Shell Start-up Group…

 

Yes, it is the right one. The version has not been changed yet because the driver is not included in an official setup package.
However, by asking the driver logs in the console you should see the following specific string "Driver Entry Win2k OT2." which identifies this special driver.

Frederic

 

Informatics giving to me is only;

FW:
Driver Entry Win2k/XP

Even though I’m using the giving New Look ‘n’ Stop Application Filtering Driver and passing AWFT 10 without making any abnormal System changes proves that…

 

FW:
Driver Entry Win2k/XP

refers to lnsfw.sys, the packet filter.

Just below, you should have:
FW1:
Driver Entry Win2k OT2.

for application filtering (lnsfw1.sys).

Frederic.

 

Actually i don't see it, must require fresh re-boot to see that Informatics...

 

Thanks Frederic

Ruben

 

Hi lurker1,

Here are some comments.

Like mentioned by Ph33r, Look 'n' Stop writes back the contents of its internal settings to the registry (and to lns.reg) when it exits. So this method is not as so "open".

If you overwrite that information, Look 'n' Stop will detect the application as a new one or with a signature that has changed.

I don't understand why the version-number/buit-number should be useful for the user.
The only thing asked to the firewall is the detection of the exe content change (whatever the used method).

So, you are talking about troyans that will attack firewalls directly (by replacing/removing files or registry, automating firewall actions,...).
Yes, we should take about that but this is at the frontier between anti-virus, IDS and firewall roles.

Assuming the following steps are under control:
- step 1: basic application connection detection
- step 2: masquerading detection (leaktest from grc)
- step 3: application starting another one which connects (tooleaky, firehole)
- step 4: applications executing in the context of another allowed process (firehole, PCAudit, BackStealth, AWFT, Thermite)

Perhaps this is now the only remaining possibility to defeat firewalls ?

To be complete, there was another step under Win9X/Me, with applications using their own protocol bypassing MSTCP (Outbound).

Frederic

 

Hi Frederic,

sorry to keep on nagging.:-}

If the malicious lns.reg contents relating to apps and sigs were
created, say on another PC, by LnS itself, the sigs would even without
knowing the method of algorithm be always legal for the corresponding
malicious app. Or not?
And the application could also have a name that is somehow familiar to
the user. Version- and built-number would only be an additional mark for
the user to identify more precisely.

cheers

 

Good point, I agree there that it’s very easy gathering valid informatics from the .reg file or the registry to use when making malicious modifications to one’s installed Look ‘n’ Stop. But back to the part where the Look ‘n’ Stop would require to be fully closed when making these changes otherwise Look ‘n’ Stop will shield it’s registry entries and reapply upon abnormal modification attempts.

That’s actually not quite a bad suggestion, since Look ‘n’ Stop does it’s comparison by Signatures and nothing more, it’ll be interesting to be capable of retrieving File Informatics to determined if it had been updated. Like double clicking on an Entry in Look ‘n’ Stop Application Filtering List to bring up Dialog with File Properties… Even though it’s not really necessary Feature, as it won’t enhanced anything in Reference to security how I can see it…

 

Hi Ph33r,

first of all, sorry... I am aware that I have opened up an off topic
thread. That's why only a quick answer on closing LnS:
I don't have LnS installed right now, so I can not fiddle around with
it. But if the "person carrying the diskette" would know that there
are programs on the PC which can close a running process, like some
Trojan scanners (at least mine). It would take two clicks. Execute
the .reg and reload LnS. If it can be done in this way, a trojan
could have a function like that in the program. However, possibly the
idea is too far fetched, anyway. :-}

cheers

 

Process Termination Protection.