Outpost vs. Leak Tests

Discussion in 'other firewalls' started by Patrice, May 16, 2003.

Thread Status:
Not open for further replies.
  1. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi SmackDown,
    It detects it as well. I still think that the inside-outside security of Look'n'Stop is the best so far.

    Regards,

    Patrice
     
  2. Ph33r_

    Ph33r_ Guest

    Patrice has the same results as I had :p
     
  3. Ph33r_

    Ph33r_ Guest

    Hey _anvil

    I don't debate that this may have been a problem for Look 'n' Stop's previous drivers and/or versions, but it surely hasn't been for a long while now…

    All goes to show you should quickly verify something before posting assumptions about it; we all make that mistake from time to time. One can only learn from his/her mistakes... Like I'm doing every day, shhhhhh, don't tell anyone though :blink:
     
  4. _anvil

    _anvil Guest

    Not so quick. ;)

    @SmackDown
    Yes, that's the point! Your picture shows that McAfee could block it _only_ because the browser isn't allowed to communicate via port 110/25. There is no alert like "GOD2 tries to communicate via Internet Explorer" or something like that. What if the trojan went over port 80 or used your mail client instead? :rolleyes:
    (sorry, I thought this would be obvious...)


    @Patrice and Ph33r_

    What did L'n'S say _exactly_ as alert?
    I tested it just today with the newest version I could download (ver. 2.04).
     
  5. Ph33r_

    Ph33r_ Guest

    I do have Internet Explorer authorized in my Application Filtering; of course that part's obvious…. ;)

    “* This software has started the following application which connects to internet. Do you authorize it to do that ? *"
     
  6. _anvil

    _anvil Guest

    @Ph33r_

    As I wrote before, I didn't get this message... :eek:

    Which "software" (name of file) did start your browser?

    Is the version (2.04) I used for testing the most recent one?
     
  7. Ph33r_

    Ph33r_ Guest

    Look 'n' Stop v2.04p2 with most recent Application Filtering driver...


    Regards,
     
  8. SmackDown

    SmackDown Guest


    Hi, it would make no difference; SSM would catch it. But that's neither here nor there: IE has no need to connect to any port unless I authorize it.

    If one just lets their applications connect to every port, why have a firewall at all? One's security is only as good as the weakest link, which is the operator. See how easy it was for me to catch it?

    The operator here is just a little bit smarter than the average Joe; these kinds of programs only get by people who don't take the time to secure their PC.
     
  9. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi _anvil,
    No problem, because the firewall would warn me again. Every change to a program which has the right to access the internet is registered (even if you just add some letters to the exe file). So, no problem even if the trojan is hidden. ;)

    Regards,

    Patrice
     
  10. _anvil

    _anvil Guest

    I redid the test with the version you mentioned, and installed the driver which you can find here: http://looknstop.soft4ever.com/Beta/OopsThermite/LNSFW1.SYS

    I have WinXP and Opera7 as default browser.

    I didn't change much on L'n'S's default config (only some options, not rules), and I allowed Opera to access the internet.

    Well, GOD2 got through and sent me mails without any "peep" from L'n'S... :eek:
    There wasn't a single hint about a "god2.exe" or one of the dll's.

    Again, Ph33r_, which "software" (name of file) did start your browser at that moment, according to L'n'S?


    @SmackDown
    As I wrote before, my tests showed another result (SSM missed the 'important' part.) Did your tests show something else?

    You missed the point I made above: the trojan could easily use port 80 (ok, not for sending mail, but something similar ;) ) or your mail client - McAfee would not alert you.


    @Patrice
    It's not the file that is changed, but the running trusted process. :rolleyes:
     
  11. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    I installed it, left my 2 browsers open, and had Sniffer Pro watching.

    Easily caught by SSM - I did not try to see if OP v2b catches it without SSM; for sure somebody else will try. No outbounds at all.

    Furthermore, you must install the proggy willingly: no user on my PCs has those rights but Administrator (WinXP Pro), and I never connect to the W3 as Admin when not needed, just this time to see what this keylogger was able to do: just nothing on my system :cool:

    Rgds,
     
  12. SmackDown

    SmackDown Guest

    Sure, here are pics of SSM busting GOD 2. How much more evidence does one need? SSM names GOD 2 and its location, plus it shows my name trying to be added to the Registry.
     

    Attached Files:

    • G.gif (33.8 KB)
  13. SmackDown

    SmackDown Guest

    Here is second pic, How could anyone miss these? :rolleyes: :rolleyes: :rolleyes: :rolleyes:
     

    Attached Files:

    • Clip.gif (32.2 KB)
  14. _anvil

    _anvil Guest

    @JacK and SmackDown

    SmackDown, your pics show exactly what I got (thanks for the verification... now we can discuss... ;) )

    You both don't seem to understand what I mean when saying "SSM missed the 'important' part." (I didn't doubt that SSM _does_ alert you a few times - read carefully, SmackDown ;) )

    So, what is the 'important part'?
    Look at the pics: how can it be that 'explorer.exe' does something malicious, like starting a trojan from time to time (pic 1) and attaching a keylogging module to another process (pic 2)?! *
    The answer is: GOD2 has injected itself somehow into 'explorer.exe' (it hijacked your shell!), which happened _unnoticed_ by SSM!
    The second point: SmackDown, I miss the pic showing how SSM detects the injection of "log-sender.dll" into the browser process. The reason is simple: SSM does _not_ detect it...

    These are the 'important parts' which I was talking about. You probably see now that there _is_ a problem. Look, we are not talking about GOD2 in the first place, but about ways to bypass firewalls and sandboxes - and obviously, there _are_ ways to do so. :rolleyes:
    If GOD2 were modified only _a bit_, SSM would probably fail completely...

    Sorry for causing some confusion before, but I had assumed you would go more into the details yourselves... ;)

    * (BTW: SSM doesn't really 'block' the injection of keylog.dll into 'explorer.exe' :eek: - verify it with APM or Process Explorer! Dunno what's wrong here...)
     
  15. Phant0m``

    Phant0m`` Guest

    I don’t use SSM :/
     
  16. _anvil

    _anvil Guest

    @Phant0m/Ph33r_ (or whatever ;) )

    Still I'd like to know, why "my" L'n'S doesn't block GOD2 _at all_... o_O
    Would you please read again (and perhaps reply to) my previous postings about that topic? :)

    Have I forgotten to set a special option? Might there be a hole in the (default-) ruleset?
     
  17. Ph33r_

    Ph33r_ Guest

    If there was a hole in your Rule-set that still wouldn’t be valid as we are discussing the Application Filtering Layer having detection/blocking capabilities and not the Packet Layer having detection/blocking capabilities. ;)
     
  18. Ph33r_

    Ph33r_ Guest

    Because of the .DLL injection you are right; Look 'n' Stop doesn't provide a whole lot of protection in this area. No concern: as I was telling another last night, because Frederic spent so much time fixing the main areas which counted the most before implementing DLL Module Filtering, only perfection would come out of this. Take Sygate Personal Firewall as an example, with its DLL Module Filtering and its poor leaktest handling… ;)
     
  19. _anvil

    _anvil Guest

    Yes, that is what I had presumed - but I am not too familiar with L'n'S, so I want to 'check' everything. ;)


    Not sure, if I understand you correctly: do you now confirm my test results (L'n'S does _not_ block GOD2), contradictory to what you and Patrice wrote before? o_O
    If not: help me to find, what is wrong with 'my' L'n'S, please. ;)
     
  20. Ph33r_

    Ph33r_ Guest

    What I wrote was accurate; it just doesn't necessarily mean so at a global scale :)
     
  21. _anvil

    _anvil Guest

    You aren't in court here, Ph33r_. ;)
    Please just answer my simple question: do you confirm my test results with GOD2 and L'n'S? Or haven't you tested it, yet?

    And if you have other results, please tell me how you got them - it can't be that hard...

    (forgive me, if you have already given the answer to my question, and I just don't get it... my english isn't the best :rolleyes: )
     
  22. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    So, what is the 'important part'?

    Hullo _anvil

    AFM, the important part is: does GOD2 phone home without my being able to prevent it or being alerted? No outbounds (checked with Sniffer Pro).

    Definitely NO.

    I looked with HijackThis to see if Explorer.exe or any other app was hijacked: NO, if I don't allow it.

    Does GOD2 make a log of the keystrokes? NO, if I don't allow it.

    It's only simple dll injection.

    Of course there are ways and there will always be to bypass a FW.
    GOD2 cannot bypass SSM (and I reckon it could not even bypass OPv2 without SSM)
     
  23. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Anvil, could you please email me at #@%$# .
    Thanks.
     
  24. _anvil

    _anvil Guest

    @JacK
    Again: I am not just talking about this special trojan 'GOD2', which indeed can be blocked by SSM at certain stages - I am talking about some of the methods GOD2 uses to _successfully_ bypass SSM, L'n'S (?) and probably any other 'outbound protector'.


    Sorry, I was talking about another kind of hijacking. Read again my comments on SmackDown's pics, please.
    Do you think it is 'normal behaviour' of explorer.exe to attach keylogging modules to other processes? And why does your browser suddenly send mail?! :rolleyes: ;)
    (both unnoticed by SSM - look at SmackDowns pics)


    Yes, it is dll injection - but too much for SSM (and L'n'S?) at the moment...


    Yes, that's (basically) all I wanted to say! :D
    And GOD2 shows an example for one of these ways. Why do we discuss? ;)
     
  25. Max

    Hello, I'm an SSM developer.

    _anvil was right, GOD 2 was really lucky to hijack explorer.exe. This was because of a slight glitch in SSM. SSM was aware that "GOD 2" wanted to create a remote thread in some process, but due to this bug SSM didn't know the name of this process and, because of the current policy, SSM allowed this action without asking the user.

    Thanks for this notice. ;)
    The hotfix is already available. You just need to get the following file (about 30kb):
    http://mc.webm.ru/mchooknt.dll

    Best regards,
    Max
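The scenario the thread argues over, as an added example that is not part of the thread and not code from SSM, Look 'n' Stop or any other product named here: a Python model of the two injection steps visible in SmackDown's screenshots (GOD2 into explorer.exe, then the hijacked shell pushing log-sender.dll into the browser) followed by the browser's attempt to send mail on port 25. The host state, PIDs, module names other than keylog.dll and log-sender.dll, the trusted-source list and the port rules are constructed assumptions. `fail_open` reproduces the policy glitch Max describes (remote thread allowed because the target's name could not be resolved); `module_filtering` stands in for the DLL module filtering Ph33r_ mentions, which is absent from a firewall that keys on the process image alone.

```python
"""Model of the GOD2 leak-test scenario discussed in the thread.
Constructed events and host state, not real API hooks; all names below
except keylog.dll and log-sender.dll are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Optional

ALLOW, ASK = "allow", "ask"


@dataclass
class Proc:
    image: str
    modules: set = field(default_factory=set)


@dataclass
class RemoteThread:
    """One CreateRemoteThread-style injection attempt (constructed event)."""
    source_pid: int
    target_pid: int
    target_image: Optional[str]  # None models the SSM glitch: target name not resolved
    dll: str


def fresh_host():
    """Constructed host state (assumption): a clean shell, a browser the user
    has authorized, and the freshly started trojan. PIDs are arbitrary."""
    return {
        100: Proc("explorer.exe", {"explorer.exe", "shell32.dll"}),
        200: Proc("opera.exe", {"opera.exe", "ws2_32.dll"}),
        300: Proc("god2.exe", {"god2.exe"}),
    }


def remote_thread_verdict(host, ev, trusted_sources, fail_open):
    """Process-control gate on remote-thread creation. fail_open=True
    reproduces the bug the SSM developer described: when the target's name is
    unknown the action is allowed without asking. fail_open=False asks instead."""
    if ev.target_image is None:
        return ALLOW if fail_open else ASK
    if host[ev.source_pid].image in trusted_sources:
        return ALLOW
    return ASK


def inject(host, ev, trusted_sources, fail_open):
    """Apply the injection only when the gate allows it silently; an ASK is
    treated as 'the user saw it', which is all the thread asks of a sandbox."""
    verdict = remote_thread_verdict(host, ev, trusted_sources, fail_open)
    if verdict == ALLOW:
        host[ev.target_pid].modules.add(ev.dll)
    return verdict


def outbound_verdict(host, pid, dst_port, app_rules, baseline, module_filtering):
    """Outbound decision of a per-application firewall.
    app_rules: image -> ports the user authorized for that image.
    baseline:  image -> modules that belong to that application.
    Without module filtering only the image name and port are consulted, so a
    foreign DLL running inside an authorized browser inherits its permission."""
    proc = host[pid]
    if dst_port not in app_rules.get(proc.image, set()):
        return ASK
    if module_filtering and (proc.modules - baseline.get(proc.image, set())):
        return ASK
    return ALLOW


def run_scenario(fail_open, module_filtering, browser_ports=(80, 443, 25, 110)):
    """Replay the two injections from the thread's screenshots and then the
    browser's attempt to send mail on port 25. Returns the three verdicts."""
    host = fresh_host()
    trusted = {"explorer.exe"}              # assumption: the user trusts the shell
    app_rules = {"opera.exe": set(browser_ports)}
    baseline = {p.image: set(p.modules) for p in host.values()}

    # god2.exe injects keylog.dll into explorer.exe; the target name is unresolved.
    v1 = inject(host, RemoteThread(300, 100, None, "keylog.dll"), trusted, fail_open)
    # Only a hijacked shell goes on to push log-sender.dll into the browser.
    v2 = None
    if "keylog.dll" in host[100].modules:
        v2 = inject(host, RemoteThread(100, 200, "opera.exe", "log-sender.dll"),
                    trusted, fail_open)
    net = outbound_verdict(host, 200, 25, app_rules, baseline, module_filtering)
    return {"inject_shell": v1, "inject_browser": v2, "mail_from_browser": net}


if __name__ == "__main__":
    for fo, mf in [(True, False), (True, True), (False, False)]:
        print(f"fail_open={fo} module_filtering={mf}:", run_scenario(fo, mf))
```

Run as written, the first combination (fail-open gate, image-only outbound filtering) lets every step through silently: that is _anvil's result with L'n'S and the browser "suddenly sending mail". Turning on module filtering leaves the two injections untouched but flags the connection, because log-sender.dll is not part of the browser's baseline. Closing the gate on an unresolved target name stops the chain at the first step, so the shell is never hijacked and the browser's later mail is legitimately clean. Passing `browser_ports=(80, 443)` reproduces SmackDown's McAfee case: the mail is stopped, but only because of the port, with no indication that a trojan is behind it.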
     