Bugbear Firewall Strategy ???

Discussion in 'other firewalls' started by Spyke, Jun 24, 2003.

Thread Status:
Not open for further replies.
  1. Spyke

    Spyke Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    2
    Bugbear Firewall Strategy o_O

    Had an experience recently with the new variant of Bugbear...

    It had managed to successfully drop my firewall o_O

    I read in the virus breakdown documentation on the Sophos Website that the virus tries to shut down various flavours of Anti-Virus software and Firewalls.

    As a consequence of this minor incident I am seeking feedback / suggestions regarding the renaming of the executable that runs my firewall.

    For example, Bugbear-B tries to shut down PFWs by calls to persfw.exe, zonealarm.exe, outpost.exe, blackice.exe etc... Would renaming the FW executable and also modifying the appropriate registry entries for the PFW services reduce the risk of any virus being able to do this in the future?

    It seemed like a good idea at the time o_O o_O
     
  2. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Good question......

    I wouldn't know what to answer to that one, as the so-called file might be calling other processes and registry entries which are listed under its own. On the other hand, if it is possible then that might be a solution in the short term.

    It would also be a good idea for these kinds of products to have a failsafe system which would ensure they cannot be forced to shut down or killed without the user's permission.
     
  3. Amerk_5

    Amerk_5 Registered Member

    Joined:
    May 22, 2003
    Posts:
    78
    Location:
    Dansville, NY
    Would password protecting your firewall & AV be able to do that? Could it really be that easy? I know I can't manually shut down Kerio 2.1.5 or avast! 4 without my passwords.
     
  4. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    I would highly doubt that.

    You can download a small app off the web that can kill running processes...
    If the file has that ability it would require something to stop it from doing so, or having an SSM.....
     
  5. gkweb

    gkweb Guest

    Hi

    I already thought of this, never tested it, but I think that it could work (renaming the firewall executable).
    Of course, as FluxGFX said, a better coded trojan (which reads the registry) would defeat that.
    In this case, the last trick would be to code ourselves an executable (in Visual Basic or C++) which will be launched at startup and which itself launches the real firewall executable (056lijzd.exe for instance ^^), so there is no way for the malicious trojan to know which process is a firewall.

    We have to find a tester or a trojan itself to test this trick.

    regards,

    gkweb.

    EDIT : maybe the trojan does a CRC check?? I don't think so, because an update can change the executable.
     
  6. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    gkweb,

    If the trojan does a CRC check then we would have to find a way to inject the file into the firewall and make it look like another process with a different CRC? (Would that be possible? I'll look for something like that on my side)
     
  7. gkweb

    gkweb Guest

    I said I don't think that trojans which kill firewall processes do it with a CRC check, because even a minor update (like Norton does) can change the executable, and so the CRC.
    A trojan in the wild with a CRC check wouldn't be efficient for long...

    But as usual, I'm for the best solution, and even if on the one hand building a small executable that will launch our firewall is easy, modifying the process CRC is on the other hand more difficult...

    But a good question would be: is it possible to check a process's CRC?
    If not, there is no problem :D

    regards,

    gkweb.

    EDIT : however difficult the task is, I'm really interested in finding a strong solution and afterwards making a small, easy-to-use program to launch others and hide their identities (especially our firewall...).
    Easy to do in Visual Basic, but it needs setup.... I don't know C++ as well as VB, but we can try ;)
     
  8. gkweb

    gkweb Guest

    Renaming the firewall seems to make it function improperly, I don't know why, maybe a protection :'(

    regards,

    gkweb.
     
  9. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    I think that depends on the firewall - with Kerio 2 for example, it seems to work.
    On the other hand, not every firewall completely stops working when its process is shut down, because the driver is still running - so some FWs are well protected against the majority of FW-killing malware. :)
     
  10. Spyke

    Spyke Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    2
    I changed the name of the main executable for Kerio 2.15... If you are going to do this then you must ensure that you pick up any corresponding registry entries that will call this executable.

    The main requirements are for the entries that run Kerio as a service...

    i.e. HKLM\...App Paths; HKLM\...services

    The assumption of course is that the virus attempts to shut down the process using a direct call to the default executable name rather than querying the registry to find out the real name.

    Depends on how cluey/ambitious the virus programmer wants to be...

    I will try to create another executable to call the firewall and thus insulate myself from the simple premise that he won't query the registry.

    I am taking the approach of car/house security: if you make it difficult enough then the intruder will just move on looking for an easier target?!
    More details will be forthcoming.
    ;)
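The failsafe FluxGFX asks for in post 2 and the launcher gkweb sketches in posts 5 and 7 can be combined into one supervising parent process that starts the firewall from its configured path, notices when the child is terminated, logs the event and restarts it with a bounded retry count. This is an added example written for this thread, not code from any poster or from Kerio; FIREWALL_CMD is a constructed stand-in (a sleeping Python child) so it runs offline, whereas a real deployment would point it at the path recorded under the App Paths / services registry keys Spyke mentions.

```python
"""Supervising launcher: start the firewall, detect an unexpected
termination, record it and restart (with a restart limit).
Added example for this thread; not Kerio's or any poster's code."""
import subprocess
import sys
import time
from datetime import datetime, timezone

# Constructed stand-in for the real firewall executable (e.g. persfw.exe).
# A real deployment reads the path from the App Paths / services keys.
FIREWALL_CMD = [sys.executable, "-c", "import time; time.sleep(2)"]


class FirewallSupervisor:
    def __init__(self, cmd, max_restarts=3, backoff=0.2):
        self.cmd = cmd
        self.max_restarts = max_restarts
        self.backoff = backoff        # seconds, grows linearly per restart
        self.restarts = 0
        self.events = []              # audit trail of unexpected exits
        self.proc = None

    def start(self):
        """Launch the firewall child and return its pid."""
        self.proc = subprocess.Popen(self.cmd)
        return self.proc.pid

    def check(self):
        """Poll once; returns 'running', 'restarted' or 'gave_up'."""
        if self.proc.poll() is None:
            return "running"
        # Child is gone: record when, which pid and its exit code.
        self.events.append({"time": datetime.now(timezone.utc).isoformat(),
                            "pid": self.proc.pid,
                            "returncode": self.proc.returncode})
        if self.restarts >= self.max_restarts:
            return "gave_up"           # stop looping; the user must look
        self.restarts += 1
        time.sleep(self.backoff * self.restarts)
        self.start()
        return "restarted"

    def stop(self):
        """Orderly shutdown requested by the user, not an external kill."""
        if self.proc and self.proc.poll() is None:
            self.proc.terminate()
            self.proc.wait()


def supervise_once(cmd):
    """Start, lose the child to an external kill, detect, restart."""
    sup = FirewallSupervisor(cmd)
    sup.start()
    sup.proc.kill()                    # stands in for the external kill
    sup.proc.wait()
    outcome = sup.check()              # should detect and restart
    alive_again = sup.proc.poll() is None
    sup.stop()
    return outcome, alive_again, len(sup.events)
```

In a long-running deployment `check()` would be called from a loop with a sleep between polls; the `events` list is what you would forward to a log or alert so that a silently killed firewall is noticed rather than assumed to be running.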
     