Outbound Monitoring: catching an exploit

Discussion in 'other firewalls' started by Rmus, Feb 20, 2011.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst (Joined: Mar 16, 2005; Posts: 4,020; Location: California)

    Usually outbound connections are made after a malware executable infects.

    But here is an exploit that uses the malicious code in the web page itself to call back out before the malware executable is downloaded.

    I was looking earlier for exploits that would work on IE8 and found one that made four outbound connections, after which the malware executable was downloaded and attempted to execute. I ran it a few times to watch what happens.

    Here are the four firewall alerts. I permitted each one:

    [​IMG]

    kerio_2.jpg

    kerio_3.jpg

    kerio_4.jpg

    And the security alert for the malware executable:

    ie_1.gif

    Then I reloaded the page and permitted the first Java Web Start Launcher connection, then denied the next three alerts, after which this error message appeared:

    ie8_2.jpg

    So, it was a Jar file that triggered the malware executable as a .dat file. Without it, no malware.

    I assume one or more of the last three outbound connections was necessary for the exploit to succeed, and that without outbound monitoring, it would have succeeded.

    (That is, the malware executable would download. Whether or not it would execute/infect would depend on other security in place.)

    I've not seen these types of firewall alerts before the malware is downloaded.

    Has anyone else?


    ----
    rich
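
An added example, not part of any post in this thread: a detection sketch for the sequence described above, where a browser-launched Java process makes outbound connections and then writes an executable under a non-executable extension such as .dat. The event schema, file paths, addresses and sample bytes are constructed assumptions; only the process names javaws.exe, java.exe, iexplore.exe and firefox.exe are real.

```python
import struct

BROWSERS = {"iexplore.exe", "firefox.exe"}   # browsers named in the thread
JAVA_PROCS = {"javaws.exe", "java.exe"}      # Java Web Start Launcher and the JVM
EXEC_EXTS = (".exe", ".dll", ".scr")

def is_pe(head: bytes) -> bool:
    """True if head has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_chains(events, window=120):
    """Return (connect_times, path) for each disguised PE written by a
    browser-launched Java process within `window` seconds of its connections."""
    hits, conns = [], []
    for e in sorted(events, key=lambda x: x["t"]):
        if e["proc"] not in JAVA_PROCS or e["parent"] not in BROWSERS:
            continue
        if e["type"] == "connect":
            conns.append(e["t"])
        elif e["type"] == "write":
            prior = [t for t in conns if 0 <= e["t"] - t <= window]
            disguised = not e["path"].lower().endswith(EXEC_EXTS)
            if prior and disguised and is_pe(e["head"]):
                hits.append((prior, e["path"]))
    return hits

# Constructed sample data: a minimal PE stub, a ZIP/JAR header, and an event log.
PE_STUB = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
JAR_HEAD = b"PK\x03\x04" + b"\0" * 60

def mk(t, kind, **kw):
    """Build one hypothetical event for javaws.exe started by iexplore.exe."""
    return {"t": t, "type": kind, "proc": "javaws.exe", "parent": "iexplore.exe", **kw}

SAMPLE_EVENTS = [
    mk(0, "connect", remote="192.0.2.10:80"),
    mk(2, "connect", remote="192.0.2.10:80"),
    mk(3, "connect", remote="192.0.2.11:80"),
    mk(4, "connect", remote="192.0.2.11:80"),
    mk(5, "write", path=r"C:\Temp\applet.jar", head=JAR_HEAD),
    mk(6, "write", path=r"C:\Temp\sample.dat", head=PE_STUB),
]

if __name__ == "__main__":
    for times, path in find_chains(SAMPLE_EVENTS):
        print(f"{len(times)} outbound connections preceded disguised executable {path}")
```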
     
  2. LODBROK

    LODBROK Guest

    Yes. It's becoming not too uncommon. I don't have the logs anymore, but here are a couple of entries from Malware Defender that I posted up here a little while ago in the "Is there a huge need for a software FW?" thread:
    c:\program files\mozilla firefox3\firefox.exe Access network TCP [Local host : 1109 (kpop)] -> [127.0.0.1 : 1108]
    c:\program files\mozilla firefox3\firefox.exe Send message to another process c:\windows\system32\csrss.exe


    Continuing on with a few more "allow" permissions began the install of a particularly nasty trojan wherein Java was heavily involved. Not interested in continuing any further, I finally whacked it via the real-time component of my AV suite. But the damage was so bad I ended up restoring my test system from an image.

    This confirms there is no need, huge or otherwise, for a software FW. :rolleyes:
     
  3. safeguy

    safeguy Registered Member (Joined: Jun 14, 2010; Posts: 1,797)

    You may want to take a look here to see both sides of the coin;)
     
  4. Syobon

    Syobon Registered Member (Joined: Dec 27, 2009; Posts: 469)