Outbound Monitoring: catching an exploit

Discussion in 'other firewalls' started by Rmus, Feb 20, 2011.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    Usually outbound connections are made after a malware executable infects.

    But here is an exploit that uses the malicious code in the web page itself to call back out before the malware executable is downloaded.

    I was looking earlier for exploits that would work on IE8 and found one that made four outbound connections, after which the malware executable was downloaded and attempted to execute. I ran it a few times to watch what happens.

    Here are the four firewall alerts. I permitted each one:

    [screenshots of the four outbound alerts: not preserved in this copy]

    And the security alert for the malware executable:

    [screenshot of the security alert: not preserved in this copy]

    Then I reloaded the page and permitted the first Java Web Start Launcher connection, then denied the next three alerts, after which this error message appeared:

    [screenshot of the error message: not preserved in this copy]
    So, it was a Jar file that triggered the malware executable as a .dat file. Without it, no malware.

    I assume one or more of the last three outbound connections was necessary for the exploit to succeed, and that without outbound monitoring, it would have succeeded.

    (That is, the malware executable would download. Whether or not it would execute/infect would depend on other security in place.)

    I've not seen these types of firewall alerts before the malware is downloaded.

    Has anyone else?


    LODBROK Guest

    Yes. It's becoming not too uncommon. I don't have the logs anymore, but here are a couple of entries from Malware Defender that I posted up here a little while ago in the "Is there a huge need for a software FW?" thread:
    c:\program files\mozilla firefox3\firefox.exe Access network TCP [Local host : 1109 (kpop)] -> [ : 1108]
    c:\program files\mozilla firefox3\firefox.exe Send message to another process c:\windows\system32\csrss.exe

    Continuing on with a few more "allow" permissions began the install of a particularly nasty trojan wherein Java was heavily involved. Not interested in continuing any further, I finally whacked it via the real time component of my AV suite. But the damage was so bad I ended up restoring my test system from an image.

    This confirms there is no need, huge or otherwise, for a software FW. :rolleyes:
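Added example (not code from this thread, from Rmus, LODBROK, or from Malware Defender): a small Python script that models what the two posts above describe, an outbound-monitoring rule that denies call-outs by default and tallies them per process. It parses entries in the Malware Defender style LODBROK quoted, then applies a hypothetical allow-list in which browsers may reach ports 80/443 and Java Web Start (javaws.exe) gets no outbound permission at all, which is the effect of Rmus denying the launcher's later connections. The log lines, the javaws.exe path, the remote addresses (RFC 5737 documentation ranges; the original entries left the host blank) and the allow-list are all constructed for the example.

```python
import ntpath
import re
from collections import Counter

# Constructed sample entries in the Malware Defender style quoted in the thread.
# Remote hosts use documentation addresses; the original entries left that field blank.
SAMPLE_LOG = r"""
c:\program files\mozilla firefox3\firefox.exe Access network TCP [Local host : 1109 (kpop)] -> [203.0.113.10 : 80]
c:\program files\java\jre6\bin\javaws.exe Access network TCP [Local host : 1110] -> [203.0.113.10 : 80]
c:\program files\java\jre6\bin\javaws.exe Access network TCP [Local host : 1111] -> [203.0.113.11 : 8080]
c:\program files\java\jre6\bin\javaws.exe Access network TCP [Local host : 1112] -> [203.0.113.11 : 8080]
c:\program files\mozilla firefox3\firefox.exe Send message to another process c:\windows\system32\csrss.exe
c:\program files\mozilla firefox3\firefox.exe Access network TCP [Local host : 1113] -> [198.51.100.5 : 443]
"""

# "<path>.exe Access network <proto> [Local host : <port> (<name>)] -> [<host> : <port>]"
NET_RE = re.compile(
    r"^(?P<proc>.+?\.exe) Access network (?P<proto>\w+) "
    r"\[Local host : (?P<lport>\d+)(?: \([^)]*\))?\] -> "
    r"\[(?P<rhost>[^\]:]*?) ?: ?(?P<rport>\d+)\]$",
    re.IGNORECASE,
)
# "<path>.exe Send message to another process <path>.exe"
MSG_RE = re.compile(
    r"^(?P<proc>.+?\.exe) Send message to another process (?P<target>.+\.exe)$",
    re.IGNORECASE,
)

# Hypothetical policy: browsers to web ports only; javaws.exe is absent on purpose,
# so every Java Web Start call-out is denied, as in Rmus's second run.
ALLOWED_OUTBOUND = {("firefox.exe", 80), ("firefox.exe", 443),
                    ("iexplore.exe", 80), ("iexplore.exe", 443)}
WEB_FACING = {"firefox.exe", "iexplore.exe", "javaws.exe", "java.exe"}
PROTECTED_TARGETS = {"csrss.exe", "winlogon.exe", "lsass.exe", "explorer.exe"}


def parse_log(text):
    """Turn raw entries into event dicts; unrecognised lines are kept so nothing is silently dropped."""
    events = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = NET_RE.match(line)
        if m:
            events.append({"kind": "net", "proc": ntpath.basename(m["proc"]).lower(),
                           "proto": m["proto"].upper(), "lport": int(m["lport"]),
                           "rhost": m["rhost"] or "<unknown>", "rport": int(m["rport"])})
            continue
        m = MSG_RE.match(line)
        if m:
            events.append({"kind": "ipc", "proc": ntpath.basename(m["proc"]).lower(),
                           "target": ntpath.basename(m["target"]).lower()})
            continue
        events.append({"kind": "unknown", "raw": line})
    return events


def decide(event):
    """Return (verdict, reason) for one event under the allow-list above; unknown entries fail closed."""
    if event["kind"] == "net":
        if (event["proc"], event["rport"]) in ALLOWED_OUTBOUND:
            return "allow", f"{event['proc']} to port {event['rport']} is on the allow-list"
        return "deny", f"{event['proc']} -> {event['rhost']}:{event['rport']} is not on the allow-list"
    if event["kind"] == "ipc":
        if event["proc"] in WEB_FACING and event["target"] in PROTECTED_TARGETS:
            return "deny", f"web-facing {event['proc']} messaging system process {event['target']}"
        return "allow", "inter-process message outside the monitored pattern"
    return "deny", "unparsed entry; failing closed"


def evaluate(events):
    """Pair every event with its verdict and reason, in log order."""
    return [(e, *decide(e)) for e in events]


def summarize(decisions):
    """Per-process tally of verdicts: the view that makes a call-out chain like the thread's stand out."""
    tally = {}
    for event, verdict, _ in decisions:
        tally.setdefault(event.get("proc", "<unparsed>"), Counter())[verdict] += 1
    return tally


if __name__ == "__main__":
    results = evaluate(parse_log(SAMPLE_LOG))
    for event, verdict, reason in results:
        print(f"{verdict.upper():5} {reason}")
    for proc, counts in summarize(results).items():
        print(f"{proc}: {dict(counts)}")
```

Running it shows the pattern both posters saw: the browser's own page fetches are allowed, the three launcher connections that followed are denied, and the browser-to-csrss.exe message is flagged; the per-process tally is what lets a user notice that a web-facing process has started a burst of call-outs before any executable has arrived.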
  3. safeguy

    safeguy Registered Member

    Jun 14, 2010
    You may want to take a look here to see both sides of the coin ;)
  4. Syobon

    Syobon Registered Member

    Dec 27, 2009