Bugbear Firewall Strategy ???

Bugbear Firewall Strategy

Had an expierence recently with the new variant of Bugbear...

It had managed to successfully drop my firewall

I read in the virus breakdown documentation on the Sophos Website that the virus trys to shutdown various flavours of Anti-Virus software and Firewalls.

As a consequence of this minor incident I am seeking feedback / suggestions regarding the renaming of the executable that runs my firewall.

For example, bugbear-B tries to shutdown PFW's by calls to - persfw.exe, zonealarm.exe, outpost.exe, blackice.exe etc... Would renaming the FW exectable and also modifying the appropriate registry entries for the PFW services reduce the risk of any virus being able to do this in the future.

It seemed like a good idea at the time

 

Good question......

I wouldn't know what to answer to that one, has the so called file might be calling other process and registry entries wich are listed under it's own. On the other if it is possible then that might be a solution on the short term.

It would also be a good idea for these kind of product to have a failsafe system wich would enable them not to be force to shutdown or killed without users permision.

 

Would password protecting your firewall & AV be able to do that? Could it really be that easy? I know I can't manually shutdown Kerio 2.1.5 or avast! 4 without my passwords.

 

I would highly doubt that.

You can download a small app of the web that can Kill running process...
If the file has that ability it would require something to stop it from doing so or having a SSM.....

 

Hi

i already thought to this, never tested, but i think that it could works (rename firewall executable).
Of course, like said FluxGFX a better codded trojan (which read the registry) would defeat that.
In this case, the last trick would be to code ourself an executable (in Visual Basic ou C++) which will be launched at start and which launch itself the real firewall executable (056lijzd.exe for instance ^^), so, no way for the malicious trojan to know which process is a firewall.

We have to found a tester or a trojan itself to test this trick.

regards,

gkweb.

EDIT : may be the trojan do a CRC check on the process ?? i don't think because an update can change the executable.

 

gkweb,

if the trojan does a CRC check then we would have to find a way to inject the file into the firewall and make it look like another process with a different CRC ? ( Would that be possible, I'll look for something like that on my side )

 

I said i don't think that trojan which kill firewall process do it on a CRC check, because even a minor update (like norton does) can change the executable, so, the CRC.
A trojan in the wild with a CRC check woudn't be efficient longer...

But as usual, i'm for the best solution, and even in the one hand build small executable that will launch our firewall is easy, modify CRC process is on the other hand more difficult...

But a good question would be : is it possible to check process CRC ?
if not there is no pb

regards,

gkweb.

EDIT : whatever the task is difficult, i'm really interested to find strong solution and after make a small program easy to use to launch other and hide their identities (especially our firewall...).
Easy to do in Visual Basic, but need setup.... I don't know C++ as good as VB, but we can try

 

Rename firewall seems make it function unproperly, i don't know why, may be a protection

regards,

gkweb.

 

I think that depends on the firewall - with Kerio 2 for example, it seems to work.
On the other hand, not every firewall completely stops working when its process is shut down, because the driver is still running - so some FWs are well protected against the majority of FW-killing malware.

 

I changed the name of the main executable for Kerio 2.15... If you are going to do this then you must ensure that you pick up any corresponding registry entries that will call this executable.

The main requirements are for the entries that run Kerio as a service...

ie HKLM\...App Paths; HKLM\...services

The assumption of course is that the virus attempts to shutdown the process using a direct call to the default executable name rather than quering the registry to find out the real name.

Depends on how cluey/ambitous the virus programmer wants to be...

I will try to create another executable to call the firewall and thus insulate myself from the simple premise that he won't query the registry.

I am taking the approach of car/house security, if you make it difficult enough then the intruder will just move on looking for an easier target?!
More details will be forthcoming.