Using leak tests to evaluate firewall effectiveness (2007 article)

Discussion in 'other firewalls' started by MrBrian, Jan 31, 2014.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Well, I hate to break the news, but I've seen outbound firewall restrictions stop malware cold when it tried to phone home. This was when I did some testing a few years ago. I will try to dig up the screenshots if you require proof.
     
  2. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    No need to trouble yourself. It can definitely break dumb malware. No doubts about that. Just like how usermode SRP on XP is able to block drive-by payloads. Secure? Hell...no.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Well, isn't most of the malware being used these days dumb? But to say outbound firewalls are useless is simply not true.

    Code:
    Application \device\harddiskvolume2\users\admin1\desktop\axuip (2).exe 
      Direction %%14593 
      SourceAddress 192.168.1.86 
      SourcePort 49367 
      DestAddress 223.xxx.xx.xx 
      DestPort 80 
    No trouble and too late anyway. BTW, this is event 5152 (blocked event type). Direction %%14593 is outbound. axuip is a trojan downloader I dredged up. I've deliberately X'ed out most of the remote IP address because the Mods might not like it being revealed ;)
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I don't consider outbound protection to be a major factor in preventing intrusion. Both the internet firewall and a HIPS can play a role in certain situations like opening a file that contains code designed to exploit its handler, a malicious PDF for instance. The internet firewall will prevent the PDF reader from accessing the web directly. The HIPS will prevent it from launching the browser or injecting code into it. It depends on how you define host intrusion. I don't consider an exploited application as such unless the exploit code gets past the attack surface. If an attack exploits the PDF reader for instance, but due to the system and HIPS configuration, isn't able to do much else, I consider that a defeated attack, not an intrusion. OTOH, if malicious code managed to get my browser to bypass Proxomitron or Tor if I'm using it, I'd call that an intrusion.

    I'm not sure if this is what you were referring to. If I'm missing your question, let me know.
     
  5. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    @wat0114

    I did not say outbound firewall as a whole is useless. I said outbound 'protection' is overrated and that against malware (specifically), it is useless. There is a distinction to be made here. In fact, I highlighted where I think outbound control fits in best...that is to restrict legit programs.

    Read my 2 posts and the links MrBrian shared again. I really hope you understand where I'm coming from. A firewall cannot be relied on to prevent malware from leaking data. Just because axuip (2).exe gets blocked does not mean other malware would follow suit. axuip_reloaded.exe or sexy.exe may choose to send data out through hijacking other apps' outgoing connections. Trustme.exe may simply choose to disable your firewall or create its own network stack.
     
    Last edited: Feb 18, 2014
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    That's fine. I'm not out to prove anyone wrong, only trying to make a valid point. A firewall properly configured will indisputably prevent some malware from leaking data. It's not meant to be an absolute security solution. Rather, it can augment, very nicely I might add, a security approach. The problem, I believe, is the learning curve to control outbound comms is too steep for most people, so it's never been a very popular approach, although most mainstream software firewalls help in the decision making process with informative pop-ups.

    Actually, I can probably find numerous samples from links in malwaredomainlist whose attempts to connect out will be stopped cold by the firewall.
     
    Last edited: Feb 18, 2014
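Added example, not code from the thread: the host-side setup that produces a 5152 entry like the one wat0114 posted (default-deny outbound, a short allow list, the audit subcategory that actually writes the drops), plus a query that reads the outbound drops back by their XML fields rather than by scraping the rendered message. The program path in the allow list is an assumption; replace it with whatever you want to permit. As safeguy points out, this only catches malware that opens its own sockets from its own process: traffic sent through an allowed process, or by a kernel driver below the firewall, never produces a 5152.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell on
# Windows 7 or later. Paths in $allowed are assumptions; adjust to taste.

# 1. Default-deny both directions on all three profiles.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Allow only named programs out. Anything not listed (for instance a
#    freshly dropped downloader on the desktop) is dropped instead of connected.
#    Note: allowing svchost.exe would allow every service hosted in it, so
#    prefer per-service rules for system components rather than a blanket entry.
$allowed = @{
    'Browser' = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # assumed path
}
foreach ($name in $allowed.Keys) {
    netsh advfirewall firewall add rule name="Allow out: $name" dir=out action=allow program="$($allowed[$name])" enable=yes
}

# 3. Without this audit subcategory the drops are silent: no 5152 is written.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable

# 4. Read the outbound drops. WFP events store direction as a resource string:
#    %%14592 = Inbound, %%14593 = Outbound. The event XML exposes named Data
#    fields (Application, Direction, DestAddress, ...) so no text scraping is needed.
function Get-OutboundDrops {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
            if ($d['Direction'] -eq '%%14593') {
                New-Object PSObject -Property @{
                    Time        = $_.TimeCreated
                    Application = $d['Application']
                    Source      = "$($d['SourceAddress']):$($d['SourcePort'])"
                    Destination = "$($d['DestAddress']):$($d['DestPort'])"
                    Protocol    = $d['Protocol']
                }
            }
        }
}

Get-OutboundDrops | Sort-Object Time -Descending |
    Format-Table Time, Application, Source, Destination, Protocol -AutoSize
```

The Application field comes back in the same `\device\harddiskvolumeN\...` form as in the posted event, because WFP logs the NT device path rather than the drive letter; map it with `fltmc volumes` (or just match on the file name) when you need to line it up with a path on disk.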
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I just tried bridged networking mode in a VirtualBox virtual machine. CurrPorts shows none of the traffic that the virtual machine generates. Since VirtualBox is just software, malware (with enough privileges) could do the same thing as VirtualBox.

    From http://serverfault.com/questions/490043/differences-between-bridged-and-nat-networking:
    From the VirtualBox manual:
     
    Last edited: Feb 20, 2014
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Follow-up to the last post: I blocked all connections in Windows 7 firewall, but the virtual machine in bridged mode still was able to access the internet. Malware (with appropriate privileges) could thus do the same thing :(. Lest you think that I'm picking on the Windows 7 firewall, apparently the same is true of other firewalls.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    You just have to use something different than bridged mode. I've no time to check atm, but it can be done so you restrict the vm to its own network connection and not the host's. Traffic will be routed through the vm's firewall instead. Actually the test I did above was in VMWare and that's the Win7 vm's firewall blocking the trojan's attempted comms :)
     
  10. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Or I can use a firewall on the guest.

    The point I hoped to make is that malware that's able to install a driver could be just as stealthy in network access as VirtualBox in bridged mode.

    Anyone want to guess if Wireshark on the host will see VirtualBox traffic for a virtual machine in bridged mode?
     
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Right, which is basically what I meant. I can't debate the stealthiness of malware but all I know is that so much of it seems nothing special just as in the example I ran earlier. Rmus has proved this so many times over in these forums but no one seems to notice :( There's no reason for mainstream malware to affect the host machine if the vm guest is set up properly.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I think using VirtualBox as an example is causing some confusion. VirtualBox is software that installs a driver on the host that allows stealthy communication on the host in bridged mode. Since VirtualBox is just software, malware could do the same thing without VirtualBox being in the picture at all. If malware has the privileges to install a driver on the host, it could also communicate very stealthily on the host. Example of similar malware: https://www.wilderssecurity.com/showthread.php?t=351008.

    I would be interested in any references about what percent of malware uses non-tricky methods vs. tricky methods to communicate.
     
  13. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Understood.


    Oh yeah, I don't dispute there is malware that can bypass a firewall. All I've ever said is that the basic mainstream malware doesn't seem to do anything special this way, so a software outbound control firewall could stop it.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I used Wireshark and Microsoft Network Monitor on the Win 7 x64 host to monitor all network interfaces while using a Bridged Adapter VirtualBox virtual machine to browse some websites. Neither program detected my browsing activities :(.
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Browsing from the vm guest?
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Right.
     
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    You might want to check under the host's network and sharing settings and see if the vbox network adapters are showing as separate from the host's. This could be why Wireshark and MS' sniffer don't see the vm's network activity. I haven't used vbox for several years so I'm not sure how it differs, if at all, from vmware's bridged networking functionality.

    Actually in your post above it's mentioned the vm's network packets pass through the host's physical adapter but at a different OSI layer. This could be why you aren't seeing vbox packets in the host's network sniffers? Just a guess.
     
    Last edited: Feb 20, 2014
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @wat0114: The manual does mention some differences when bridging to a wireless NIC vs. wired NIC. I'll try it the other way. Also, this (my bolding):
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I tried bridging to a wired NIC this time. Network Monitor could see the traffic from the virtual machine, while Wireshark could not. This is what I expected, given what I have read.

    So Network Monitor may be a better choice than Wireshark for finding stealthy malware traffic if you're using Vista or later. Also, if you have the choice of both a wired and wireless connection while sniffing, use the wired connection if possible. From the manual (my bolding):
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Regarding your bold text, that might be why the sniffers don't see the packets, I suppose :doubt: I did some playing around with the vm (haven't done much in it at all in months) and see it's bridged networking. I use Jetico firewall on the host system and it has a network monitor which does see the vm guest's packets, but I think at a different layer just as one of your posts suggests. It doesn't see the guest's actual network activity, but rather only the stateful tcp and udp packets.

    EDIT: I see you resolved the issue by going to wired. At least the MS net monitor sees the traffic.

    EDIT 2: yes, Jetico manual describes the IP stateful packets as being at a "Low system" level.
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,066
    Location:
    Canada
    Not entirely sure about this, but I think the malware-installing-a-driver theory works, but only if it can elevate its installation to admin level. If one runs as a Standard user then this essentially limits malware types to user level, which are easily scuttled by a properly configured firewall.
     
  23. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    Assuming it does not attempt privilege escalation, malware with standard user privileges can still do quite a lot. It can still interact with other programs. It can piggyback on allowed connections. Memory-only exploit/malware can run within the context of your browser.

    Limited security benefits of limited users

    I think this discussion we had previously is also relevant:
    Windows 7 FW for inbound/outbound control
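Added example, not code from the thread: two host-side checks against the driver-level bypass that MrBrian described and that wat0114 and safeguy argue about above. The first tells you whether the token you are running as could load a driver at all (a standard user holds no SeLoadDriverPrivilege; an elevated administrator does), which is the exact boundary wat0114 relies on. The second enumerates running kernel drivers and flags ones that are not validly signed or do not live in the normal driver directory, since a VirtualBox-style NDIS filter, or malware doing the same thing, has to register as a driver to sit below the firewall. Two caveats: a rootkit that hides its own service entry will not appear, and on Windows 7-era PowerShell catalog-signed inbox drivers report NotSigned, so treat the output as a review list rather than a verdict.

```powershell
# Added example (not from the thread). Runs with standard-user rights;
# nothing here needs elevation, which is the point of the first check.

# 1. Does this token hold SeLoadDriverPrivilege? 'whoami /priv' lists every
#    privilege in the token; a state of Disabled still means the token holds
#    it and a process can enable it. A standard user's token lacks it entirely.
function Test-CanLoadDriver {
    $privs = whoami /priv
    [bool]($privs | Select-String -Pattern 'SeLoadDriverPrivilege' -Quiet)
}

# 2. Running kernel drivers with their image path and Authenticode status.
#    Win32_SystemDriver.PathName may be absolute, '\??\'-prefixed,
#    '\SystemRoot'-relative or bare 'system32\drivers\x.sys', so normalise it.
function Get-SuspectDrivers {
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    Get-WmiObject Win32_SystemDriver -Filter "State='Running'" |
        ForEach-Object {
            $path = $_.PathName
            if ($path) {
                $path = $path -replace '^\\\?\?\\', ''                  # \??\C:\... -> C:\...
                $path = $path -replace '^\\SystemRoot', $env:SystemRoot  # \SystemRoot\... -> C:\Windows\...
                if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
            }
            $sig = if ($path -and (Test-Path $path)) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }
            $inDriverDir = ($path -ne $null) -and ($path -like "$driverDir\*")
            New-Object PSObject -Property @{
                Name      = $_.Name
                Path      = $path
                StartMode = $_.StartMode
                Signature = $sig
                # Flag anything not validly signed or living outside the driver directory.
                Suspect   = ($sig -ne 'Valid') -or (-not $inDriverDir)
            }
        } | Where-Object { $_.Suspect }
}

"Token can load drivers: $(Test-CanLoadDriver)"
Get-SuspectDrivers | Format-Table Name, StartMode, Signature, Path -AutoSize
```

If the first check prints False, the "install a driver" route discussed above is closed to anything running as you until it finds a separate privilege escalation; if it prints True, the second list is what you would have to audit to notice a stealthy network filter, and a per-application firewall popup will never tell you it is there.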
     