PC AUDIT

Discussion in 'other firewalls' started by MickeyTheMan, Aug 2, 2002.

Thread Status:
Not open for further replies.
  1. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    http://www.isa-llc.com/
    "About pcAudit™

    pcAudit™ is a free security evaluation program, for personal computers, developed by Internet Security Alliance, Inc.

    How it works

    pcAudit™ is a program developed to simulate an attack by a "hacker". To determine the status of security on this computer, pcAudit™ will try to send data from this computer to Internet Security Alliance's server. If successful it means you either do not have a security program installed, or your present program was ineffective in blocking the data sent from your computer to Internet Security Alliance's server (which it absolutely should have). In either case you have a security problem.

    A little more technical

    Our research shows that ".dll" files sending and receiving data, to and from the Internet, outnumber ".exe" files by a 2 to 1 margin.

    Using a "dll" file as a "payload", pcAudit™ will test for vulnerabilities exploited by such notorious malicious programs as "Happy99" or recent "Sircam", overlooked by most personal and corporate firewalls.

    System Requirements:

    • Windows 95, 98, Millennium, NT/2000/XP;
    • Intel Pentium 120 MHz or higher;
    • 32 MB of RAM;
    • 10 MB of available hard disk space;
    • Internet Explorer 5 or higher;
    • Active Internet connection"




    This type of program represents a serious problem as no firewall that I know of is yet able to defeat this test.
    The program uses a dll to inject code into any other process able to access the net and will fly right through without your firewall being able to defeat it.

    However, there is a way to handle it. If your proxy (you better start using one, if you don't already) is able to use HIDE SYSTEM INFORMATION (user agent) then it will defeat the test from gathering info from your system and sending it out elsewhere. Naviscope does offer such protection.
    This is how Naviscope handles the request/Send Headers:
    http://mickeytheman.digitalrice.com/files/pcaudituseragent.png
    I tested successfully against this test with Naviscope launched directly from the browser or linked to the pacfile (spyblocker) as well as both with a firewall running or not.
    I tested on Win98SE and Win2k platforms.

    I advised Frédéric (LNS) of my findings and rest assured that LNS will undoubtedly be the first firewall to incorporate measures to counteract such programs.
     
  2. SKA

    SKA Registered Member

    Joined:
    Aug 2, 2002
    Posts:
    152
    MTM, does Proxomitron have this same feature as Naviscope?

    Tks
    SKA
     
  3. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    I'm not sure about Proxomitron and WebWasher!
    As I don't use them but Naviscope, I'm waiting for users to confirm or not if the other 2 can handle that as well.

    But it is a serious enough issue for everyone to start using a proxy that can handle it immediately, until firewalls can handle that type of exploit!

    PC AUDIT is only the symptom of the type of exploits that could be used.
    Until firewalls can handle this, I urge everyone to start using a proxy if you are not, and if the current one you use can't handle that test, then switch to Naviscope.
     
  4. crockett

    crockett Registered Member

    Joined:
    Jul 15, 2002
    Posts:
    333
    :p Hello Mickey;

    Just tried the test on a machine equipped with WW. Not 100% sure if the WW configurations are properly set, but one thing is for sure - I got hacked. :p

    Seems the same themes are gonna come back again, i.e. the ones which surfaced when (very useful) tests like tooleaky, firehole et al. first hit the web some time ago.

    The best defence just seems to be to stop malicious kinds of such software from arriving on your machine in the first place [easier said than done!?].

    However, SSM (first heard about this software from JacK... Link available on www.optimix.be.tf) is trying to tackle this kind of problem - but present versions are sometimes causing some configurations to freeze when harshly pushed. Seems to be on the right track, however.

    Another piece of good news (also got it from optimix) is that the next version of Kerio Personal Firewall is gonna put emphasis on efficiently stopping such 'calling home programs' from smoothly operating. Beta version just been released, so let's hope it's gonna get the job done as soon as possible.

    Crockett :cool:
     
  5. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Yeah well everyone's going to work hard on that over the next little while, but until anyone else comes up with a solution, there is one working right now: Naviscope.
    Why not use it until safeguard measures are built into firewalls or the other apps you mentioned?
    It is so easy to setup with a browser that there is almost no excuse for not doing it NOW ! ;)

    The feature in Naviscope that defeats PCAUDIT is
    HIDE SYSTEM INFORMATION ( user agent )
    See if your proxy has that feature.
     
  6. snowman

    snowman Guest

    Clarification please.... am I correctly understanding that it's User Agent that's involved o_O?
     
  7. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Hi Snowman, Naviscope will strip the header from the request made by the server so it can't retrieve any info back.
     
  8. snowman

    snowman Guest

    Mickey

    thankya...so it is the User Agent then .

    snowman
     
  9. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Naviscope (until users of other proxies can confirm otherwise) is the only known way to prevent PCAUDIT from succeeding on one's machine.

    If anyone else knows of another method, ( short of not letting it in the first place, which is no guarantee ) please step forward !

    Again I urge everyone to use a proxy capable of handling this type of exploit that deals with the very weaknesses of your OS.
     
  10. crockett

    crockett Registered Member

    Joined:
    Jul 15, 2002
    Posts:
    333
    Mickey;

    To say the least, this is all very interesting.

    Please tell us more about Naviscope general features !?

    How did you get to know it and why do you like it so well beside the pcaudit matter ?

    Crockett
     
  11. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Tried all 3 proxies at one point or another, and Naviscope is the easiest to configure mainly because it does not have all the bells and whistles of, say, Proxomitron. But at the same time, because of other proggies in use such as Spyblocker, I only needed this one mainly for the 2 features that I liked the most:
    1. Hide System Information (user agent)
    2. Hide Last Page Visited (referer)
    Little did I know at the time that this would become the only thing currently capable of stopping PCAUDIT.

    AFAIK I was in a sort of hot debate on this subject as everyone claimed missing the test, and I couldn't fail no matter how hard I tried. I even shut my firewall off and still passed.
    I was even successful on the Win2k platform, and some people almost called me a liar.
    So it had to be something on my sys, but what?
    I've spent the last 3 days working on this and by process of elimination finally came up with Naviscope being the one. Then it was a matter of finding what in Naviscope prevented the test from succeeding. By unchecking the option HIDE SYSTEM INFORMATION, I finally failed the test. As odd as it may seem, I was relieved to fail a test! :D

    http://mickeytheman.digitalrice.com/files/naviscopeblock.png
    This is basically what Naviscope blocks. Nothing fancy. You check or uncheck an option.
    I use it chained to the pacfile and browser, but you can just chain it to your browser.
    Should you want to chain to pacfile and browser :
    http://pages.infinit.net/carbo1/proxysetupwithpacfie.html
    Just IE and Naviscope :
    http://pages.infinit.net/carbo1/setiewithnaviscope.html
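Editor's added example (not Naviscope's code, not the poster's): a small filter that does to a captured outgoing HTTP request what the two Naviscope options above describe, removing the Referer header and replacing the User-Agent that reveals the OS with a generic value. The sample request and the replacement User-Agent string are constructed for the example; the body of the request is deliberately left untouched, which is the limit of this kind of protection.

```python
# Added example: scrub identifying headers from an outgoing HTTP request, in
# the manner of Naviscope's "Hide System Information (user agent)" and
# "Hide Last Page Visited (referer)" options. Not Naviscope's own code.

# Replacement User-Agent is a constructed placeholder, not what Naviscope sends.
GENERIC_UA = "Mozilla/4.0 (compatible)"
STRIP = {"referer"}                   # removed outright
REPLACE = {"user-agent": GENERIC_UA}  # replaced with a generic value


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def scrub_request(raw: bytes):
    """Return (scrubbed request bytes, names of the headers that were changed)."""
    request_line, headers, body = parse_request(raw)
    kept, changed = [], []
    for name, value in headers:
        key = name.lower()
        if key in STRIP:
            changed.append(name)
            continue
        if key in REPLACE and value != REPLACE[key]:
            changed.append(name)
            value = REPLACE[key]
        kept.append(f"{name}: {value}")
    head = "\r\n".join([request_line, *kept]) + "\r\n\r\n"
    # The body is forwarded untouched: header scrubbing hides what the browser
    # says about the system, not data a program chooses to put in the request.
    return head.encode("iso-8859-1") + body, changed


# Constructed sample: a browser request as the proxy would see it, with headers
# that reveal the OS (User-Agent) and the previous page (Referer).
SAMPLE_REQUEST = (
    b"GET /check HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)\r\n"
    b"Referer: http://intranet.test/last-page.html\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    out, changed = scrub_request(SAMPLE_REQUEST)
    print(out.decode("iso-8859-1"))
    print("changed:", changed)
```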
     
  12. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Snowman, where did you get these instructions ?
    They will have no effect as the dll used is able to inject code into any app able to access the net, even your AT or AV's update features.
     
  13. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi MTM ;)

    I use System Safety Monitor which prevents the execution of any leaktest, like
    PC Audit, Firehole, leaky, etc.... Firewall or no firewall.

    I use it in conjunction with KPF.

    I mentioned it in another test a few weeks ago :)
    d/l http://maxcomputing.narod.ru/ssm.html?lang=en (very slow site)

    Or http://www.optimix.be.tf/ssm.htm (with French explanations)

    Best regards,
     
  14. snowman

    snowman Guest

    NOTE

    Because my previous post on this topic appeared to be of no value in preventing the exploit....I deleted the post.

    snowman
     
  15. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Jack, you are talking about PCAUDIT, right ?
    All the others, LNS can take care of but this one.

    Has SSM improved much ? Was unstable as heck last i heard of it.
     
  16. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Hi guys! I do not wish to be a bearer of bad tidings but TomCat has confirmed that Naviscope 8.69 phones home! It sends the Windows product number to Naviscope. Please refer to this url.

    http://www.tom-cat.com/cgi-bin/spybase/spybase.cgi?view_records=1&name=^N|^N&re=1&sb=4&so=ascend&nh=1&mh=1

    I also have Javacool's IDBlaster, and it's yet to be confirmed if Naviscope sends the changed number. I still use Naviscope anyway. Lesser of two or more evils?

    Mickey the Man informs me that this particular Naviscope site is no longer operating so then there are no worries! THANK YOU, Mickey!!! And, if you also use stuff like SpyBlocker it would be blocked.

    BTW, I also use a proxy. So, everything's cool! :cool:
     
  17. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello Mickey,

    Yes, I am, but it prevents also all other leaktests whether you are running a FW or not. KPF takes care of the others too but Firehole (from memory, not sure).

    Cheers,

    JacK
     
  18. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Re: PC AUDIT / Naviscope

    Will Naviscope work together with Windows XP? :p

    Ciao,

    Smokey
     
  19. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Thanks Jack.
    As for LNS not handling PCAUDIT, that's partly true as well.
    If one is vigilant, then one could stop things like PCAUDIT as it does give you a prompt about Windows 32-bit VxD message server starting the following app which connects to internet, and all one has to do is block it, but that is also something too easily overlooked. Also gives more credit to the recommendation to never allow blanket authorization to any app.
     
  20. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Re: PC AUDIT / Naviscope

    I have no idea about XP, but don't see why not.
    It's a proxy that works with your browser.
     
  22. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Mickey - Guess I'm clueless (again! <g> ).

    If user agent is all that's causing people to fail the test, won't the people who have Opera set to display as something else pass?

    Has anyone checked?

    (I won't be taking the pcflank test - sorry, I just don't believe in voluntarily d/l'ing something into my computer which is then going to tell me I have a 'vulnerability' of some kind - when it discloses a vulnerability that can get in and work by itself despite my defenses then I'll believe it - I could be totally wrong about that viewpoint, but time will tell).

    Also, if Naviscope is going to be totally abandonware - will it still work at all? Is the program itself dependent on anything from an outside source? Pete
     
  23. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    BTW it's PCAUDIT, PCFLANK is another one.

    I don't blame you one bit. It is most likely that a user with your knowledge would not be subject to these vulnerabilities and should quickly recognize anything out of the ordinary.

    The point of these tests is to answer the question: what if?
    What if anything managed to get in despite my precautionary measures ?
    What would happen then ?
    Would my sys prevent info from leaking out ?
    How much of a risk is involved ?

    There is no need for everyone to test these proof of concept ideas, but surely you will understand some better do it. This is the only way that security vendors can then take steps to alter their products and install safeguards into them.

    Most firewalls have already covered most of the previous tests that have been issued in the past 2 years, but would have done nothing if no one pushed the issues. Heck, some are still reluctant to fix some of them despite being exposed at large.

    PCAUDIT just happens to be the latest and surely not the last one for which a permanent cure will need to be implemented.

    As for what the future holds for Naviscope, it's a little early to tell. But for the time being, it manages to stop PCAUDIT dead in its tracks, and that's good enough for me for now.
    Simple proxy to set up and easy to use, ideal for most users, which the same can't be said for SSM, which as Jack mentioned can also block PCAUDIT.
     
  24. snowy

    snowy Guest

    As yet it's not been clearly stated what part User Agent is playing here. The comment about "stripping the headers" is simply not a full explanation.......by "stripping the headers" is this meant to imply that the information that User Agent displays about the OS is removed?? The basic feature of User Agent is no more than displaying the OS information.........
    Nor do I notice a reply to the question by Spy 1 as to whether Opera would defeat this exploit?
    As for "stripping the headers", if in fact that does imply that the OS information displayed by User Agent is "changed" to reveal something other than the proper OS in use......that can be accomplished with Proxo...WebWasher.....Opera......could someone offer a little more specific information on what actual part User Agent plays here.
    Like Spy 1....I never download such tests onto my computer.....in the past prior to a re-format I have taken a couple of these tests.....passing each one. Nevertheless..I believe such tests place the OS at a complete disadvantage and therefore are not valid tests.....installing a known trojan onto a computer stacks the deck......may as well install a Sub-Seven...the results would be the same. Installing a "legally functioning program" that requires access to the internet...would result in the same results....if a firewall is set to make all programs request permission such firewall leak tests just don't....won't pass.
    Other contention is such tests are not actually firewall tests but better considered as tests of anti-virus and anti-trojan programs...or perhaps registry monitors.
    These comments are cast out for the sake of discussion not argument.
    As for the part Naviscope plays......would not a program such as say...Multi-Proxy or like programs have the same results..........
    If in fact...it's the fact that User Agent has free passage outbound to display the information it delivers...then the exploit is depending on that "free passage" ....and by using a program such as Naviscope..the information being sent "outbound" goes to another server....nevertheless the information is still leaving the OS "outbound"...therefore the test is failed. IMO this would be the manner that the test uses User Agent. Until someone can provide a better explanation.
    In complete honesty I just don't see the test as being firewall related.......not if User Agent is involved. Injecting a dll into User Agent......and User Agent is part of what the browser uses...it's just naturally going to bypass the firewall if the browser is used.......and if the browser is connecting to a "middle man" server.....it's still allowing the exploit out.

    snowman
     
  25. snowy

    snowy Guest

    It's been further said that the test exploit injects a dll into other programs such as anti-virus programs..etc...and that the exploit passes the firewall when such programs are updated...of course it does!! Trojans can infect more than one program.....nothing new about this......
    The post by Jack lends support to this theory....by using a registry monitor = "System Safety Monitor" = he passes such tests as this one.....in theory if this exploit was classified as a virus or trojan and its signature placed in such a program it would be deleted or prevented.

    snowman
     