Can malware run outside of itself?

Discussion in 'other firewalls' started by TheMozart, Jun 12, 2011.

Thread Status:
Not open for further replies.
  1. TheMozart

    TheMozart Former Poster

    Joined:
    Jan 6, 2010
    Posts:
    1,486
    Let's say for example I download and install a program.exe...and I then use something like Windows 7 firewall control to deny all outgoing access for the program.exe, can that program still "phone home" and send personal and sensitive data to the program author through another file or program besides the program.exe?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    Of course, it is only a matter of programming
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    It can create another file, modify your existing files, etc.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, it's pretty common, I will say. It can modify another process in memory, create a remote thread in it or inject a DLL into it, and this way it can leak out past the firewall.

    There are many FW leak tests about this. You can search and read about firewall leak tests.
     
  5. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    It can inject itself into other processes. You denied program.exe, which is packed. It will make use of a DLL to further its cause.
     
  6. datarishik

    datarishik Registered Member

    Joined:
    May 11, 2010
    Posts:
    182
    This is an interesting read. Any examples...?
     
  7. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    Malware that falls into the file infector category. Sality?
     
  8. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen

    It's rootkits' work.
     
  9. ekerazha

    ekerazha Registered Member

    Joined:
    Jul 22, 2004
    Posts:
    28
    Yes... i.e. through DLL injection.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The PCaudit2 leaktest is a good demonstration of just what you're talking about. It creates a randomly named DLL, which it hooks into your system. It will then attempt to connect out using every running process on your system. There are 3 ways the test can be defeated:
    1, Block the original process.
    2, Block the DLL injection.
    3, Block the local/loopback connections it makes to the running processes on your system.

    Present day malware doesn't necessarily use the last 2 items listed or is able to defeat security-ware that protects against these. In some cases, the only way to defeat such malware is to not allow it to execute to begin with.
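    The two behaviours in that post (one DLL turning up inside many processes, and many processes all connecting to the same local port) are also the things a defender can look for on a live machine. The script below is an added example, not part of the thread and not part of the PCaudit2 test; it assumes an elevated Windows PowerShell 3.0 or later session (so other users' processes can be inspected), that `netstat -ano` is available, and the `-MinProcesses` thresholds are arbitrary starting points, not values from the post.

```powershell
# Added example (not from the thread): two detection heuristics for the
# behaviour the PCaudit2 post describes. Assumes an elevated Windows PowerShell
# 3.0+ session; the $MinProcesses thresholds are arbitrary starting points.

# Directories a normal user can write to. A DLL loaded from one of these by
# several unrelated processes deserves a second look.
$UserWritableRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
                       (Join-Path $env:SystemDrive 'Users\Public')) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Find-SharedModulesFromWritablePaths {
    param([int]$MinProcesses = 3)
    $ErrorActionPreference = 'Stop'     # makes "access denied" on .Modules catchable
    $loaders = @{}                      # module path -> set of "name:pid" that loaded it
    foreach ($p in Get-Process) {
        try { $modules = @($p.Modules) } catch { continue }   # protected or other-bitness process
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $inWritable = $false
            foreach ($root in $UserWritableRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inWritable = $true; break
                }
            }
            if (-not $inWritable) { continue }
            if (-not $loaders.ContainsKey($path)) {
                $loaders[$path] = New-Object 'System.Collections.Generic.HashSet[string]'
            }
            [void]$loaders[$path].Add("$($p.ProcessName):$($p.Id)")
        }
    }
    foreach ($path in $loaders.Keys) {
        if ($loaders[$path].Count -lt $MinProcesses) { continue }
        [pscustomobject]@{
            Module    = $path
            Processes = $loaders[$path].Count
            Signature = (Get-AuthenticodeSignature -FilePath $path).Status
            Loaders   = ($loaders[$path] | Sort-Object) -join ', '
        }
    }
}

function Find-LoopbackFanIn {
    param([int]$MinProcesses = 3)
    $byPort = @{}                       # local TCP port -> set of PIDs connected to it
    foreach ($line in (netstat -ano)) {
        # Constructed example of the netstat -ano line shape this parser expects:
        #   TCP    127.0.0.1:52011    127.0.0.1:8080    ESTABLISHED    4120
        $f = $line.Trim() -split '\s+'
        if ($f.Length -ne 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'ESTABLISHED') { continue }
        if ($f[2] -notmatch '^127\.0\.0\.1:(\d+)$') { continue }   # IPv4 loopback only
        $port  = [int]$Matches[1]
        $owner = [int]$f[4]
        if (-not $byPort.ContainsKey($port)) {
            $byPort[$port] = New-Object 'System.Collections.Generic.HashSet[int]'
        }
        [void]$byPort[$port].Add($owner)
    }
    foreach ($port in $byPort.Keys) {
        if ($byPort[$port].Count -lt $MinProcesses) { continue }
        $names = foreach ($id in $byPort[$port]) {
            $proc = Get-Process -Id $id -ErrorAction SilentlyContinue
            if ($proc) { "$($proc.ProcessName):$id" } else { "exited:$id" }
        }
        [pscustomobject]@{
            LocalPort = $port
            Processes = $byPort[$port].Count
            Clients   = ($names | Sort-Object) -join ', '
        }
    }
}

Find-SharedModulesFromWritablePaths -MinProcesses 3 | Format-Table -AutoSize
Find-LoopbackFanIn -MinProcesses 3 | Format-List
```

    Both functions only surface candidates. Per-user installs (browsers, updaters) legitimately load their own DLLs from %LOCALAPPDATA% in several of their own processes, and local proxies or AV filters legitimately attract loopback connections from many programs, so the Signature column and whether the loaders or clients are unrelated programs are what separate noise from a hit.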
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  12. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    So Windows firewall and third-party firewalls are bypassed easily, no?
    LnS and HIPS firewalls are the only solutions against DLLs?
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Windows FW has no outbound control at all so it is not even applicable here.
     
  14. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Even if I block outbound connections?
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Outbound for what? For all? By what?
     
  16. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    I'm asking if Windows firewall can protect the PC against the malware described in previous posts,
    if outbound connections are configured to be blocked and just some software is allowed.
    Will it help or not?
     
  17. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Windows 7 and Vista have an outbound firewall,

    but it has to be configured properly :-*

    Anyway, I trust a third-party firewall vendor more than I trust Windows firewall.

    P.S.: Why doesn't Microsoft make a more advanced firewall control GUI and add it to MSE as a feature? o_O
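    One way to do the "configured properly" part on Windows 7 and later is to switch the built-in firewall from its default of allowing all outbound traffic to blocking outbound by default and allowing only named programs. The script below is an added example, not from the thread and not a Microsoft script: it uses the `netsh advfirewall` commands that ship with Windows 7 and later, has to run from an elevated PowerShell prompt, and the browser path in `$Allowed` is a placeholder to replace with the program you actually want online.

```powershell
# Added example (not from the thread): default-deny outbound with a small
# allow-list, using the netsh advfirewall interface that ships with Windows 7
# and later. Run from an elevated PowerShell prompt. $Allowed is a placeholder
# list; replace the paths with the programs you actually want online.

$Allowed = @{
    'Allow browser out' = 'C:\Program Files\Mozilla Firefox\firefox.exe'   # placeholder path
}

# 1. Default policy for every profile: block unsolicited inbound (already the
#    default) and block outbound unless an allow rule matches. The built-in
#    "Core Networking" allow rules stay enabled, so DNS and DHCP keep working.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Per-program outbound allow rules. The rule matches on the executable path
#    of the process that owns the socket, which is exactly why code running
#    inside an allowed process (an injected DLL, a hooked browser) inherits it.
foreach ($name in $Allowed.Keys) {
    netsh advfirewall firewall add rule name="$name" dir=out action=allow program="$($Allowed[$name])" enable=yes
}

# 3. Log dropped connections, so an unexpected program trying to get out
#    leaves a trace even though it was stopped.
$log = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$log"

# 4. Review the resulting policy and the outbound rules that are now in force.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=out | Select-String 'Rule Name:|Program:'
```

    Expect to add allow rules for anything else that legitimately needs the network (Windows Update runs inside svchost.exe, for example), and read the dropped-connection log for a few days before trusting the list. This controls which executable may open a socket and nothing more: it does not address the other two techniques in this thread, injection into an already-allowed process and traffic over the loopback interface, which the Windows firewall does not filter.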
     
  18. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    Check out GRC leaktest. My Windows 7 firewall always fails.

    SourMilk out
     
  19. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    Good idea :)
     
  20. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Not necessarily. In the link posted by Aigle, you'll see how several firewalls did against specific tests. What those tests don't tell you is just how much the results can change with changes in the rules. Several of those tests exploit Internet Explorer; at least, they worked on IE6 when they were released. If you use another browser, a firewall rule blocking Internet Explorer will defeat those specific tests. Using leaktests to rate firewalls is largely a marketing gimmick, comparing completely different products. Firewalls with built-in HIPS always do better on leaktests, but that doesn't mean that firewalls with HIPS can control traffic as well as a conventional rule-based firewall. There's also no reason that a firewall and HIPS have to be combined into a single security app.

    Depending on the specific malware involved, the results are going to be extremely variable. Firewalls work better against some. HIPS are better against others. Some malware, if allowed to execute, can disable both. I've always favored separate firewalls and HIPS for several reasons, but topping that list is one simple fact. When they're separate, each can be configured to defend and/or restart the other. A successful attack against a combined product kills both. When separate, a HIPS can protect attack surface apps, which includes the firewall. When they're combined, the HIPS becomes part of the attack surface.
     
  21. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Wise choice

    I will add some stuff to my build. Thanks for this idea :-*
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    To protect fully you will need a HIPS type firewall.
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Adding to an existing setup is not always a good idea. Ideally, you build a system that's based around the security policy that serves your needs. It's seldom possible to plug gaps in your security by installing security apps. You'll get the best results by first formulating your security policy, then selecting user and security apps that best fill them. A security app that's ideal for enforcing one policy may be almost worthless with a different one. With firewalls for instance, there are pros and cons to both separate apps and integrated packages. When someone asks me what's the best, I usually tell them the best choices are the one(s) that:
    1, are compatible with your system and installed software.
    2, best match the security policy you're implementing.
    3, match your ability to configure them and use them to their full potential.

    There is no perfect answer, and it's rarely the same for more than one individual. A rule based firewall is of little value to a user who doesn't understand the basics of internet protocol. A HIPS that allows you to set specific parent-child dependencies for individual applications is a bad choice for a user who doesn't know what that is or doesn't know how to determine what a specific application needs to function.

    There's more to a security policy than a term or a name. A good security policy should cover your daily activities and address the common situations that are part of normal usage. Some of the common things a security policy should cover are how different types of files are handled. What will be used to open each type? Will this be done from another application (like opening a PDF in the browser) or only by its own application (saved to disc, then opened directly)? It should outline a policy for handling unknown files, like being automatically scanned by your AV or being uploaded to VirusTotal. It should cover how installing and updating is handled (leaving security apps running throughout the process, testing in a virtual system first, monitoring the install process, making system backups first, etc). Some of those are inconvenient, though not nearly as bad as removing malware disguised as an app you wanted or one that proves to be incompatible with apps you already have. You have to choose what's right for you based on how much you install balanced against the inconvenience of the extra steps. It takes a while to analyze your daily usage and detail how the different common scenarios will be handled, but doing so allows you to select and configure your OS, user apps, and security package so that they're in complete agreement with each other and with your needs. Detailing your security policy and selecting/configuring apps to match gives you much more complete coverage with little overlap and few if any gaps. Choosing security apps first almost always results in a piecemeal approach with duplicated coverage in some areas and others missed entirely.

    If you decide to try building a system based on your needs and secured by a policy of your making, treat it as a work in progress. It doesn't have to be perfect on the first or 2nd try. If you separate your OS and your data to separate partitions and make backup images of the OS partition, you can work with one when you feel like it and switch to the other when you don't. You can also experiment with building your own on a virtual system.
     
  24. EboO

    EboO Registered Member

    Joined:
    Mar 12, 2011
    Posts:
    287
    LnS isn't enough ?
     
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Not really, if the malware hooks onto a whitelisted process.
     