Look 'n' Stop, Thermite and AWFT.

Discussion in 'LnS English Forum' started by Frederic, Mar 1, 2003.

Thread Status:
Not open for further replies.
  1. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi All,

    Recently a new leaktest has been released: Thermite. It demonstrates the use of the CreateRemoteThread Windows function to bypass firewalls.

    You can find some information about Thermite here:
    http://www.securityfocus.com/archive/1/312783/2003-02-20/2003-02-26/1

    And there is a discussion here:
    http://www.dslreports.com/forum/remark,6071614~root=security,1~mode=flat

    Thermite can be downloaded from here:
    http://www3.sympatico.ca/oliver.lavery/za-hole.zip

    So, the Lnsfw1 driver has been updated to detect this kind of trojans.
    You can retrieve it from here:
    http://looknstop.soft4ever.com/Beta/Thermite/LNSFW1.SYS

    This is an experimental version, so please do the following:
    - rename c:\windows\system32\drivers\lnsfw1.sys to lnsfw1.old
    - copy the new driver to c:\windows\system32\drivers
    - reboot

    In case of bluescreen, you will have to come back to the lnsfw1.old driver and send me (at looknstop@soft4ever.com) the minidump file that will be created (in c:\windows\minidump folder).
    In case of the new driver not working against Thermite, please send me the driver logs (open the Console Window and press the driver logs button).

    And that's not all, it seems that with this new driver Look 'n' Stop is also able to pass most (all?) of the AWFT (http://www.atelierweb.com/awft/index.htm) tests.

    Please post your feedback here.

    Thanks,

    Frederic.
     
  2. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Hey Frederic,

    Is the download location the right one? The downloaded file says version 2.0.0.3.

    Ruben
     
  3. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Frederic, you are just too good. I just began evaluating LNS today, and I find this kind of thing (read: commitment) very encouraging. [Sorry, I know this wasn't any sort of contribution to this thread, but I wanted to give credit where it was due.]
     
  4. Ph33r

    Ph33r Guest

    Atelier’s Leak-tester AWFT v1-3.0 is inferior to pcAudit v3.0.0.3, and I believe that’s proven, since pcAudit v3.0.0.3 is still capable of bypassing Look ‘n’ Stop’s Application Filtering Layer and AWFT v1-3.0 isn’t capable one bit of bypassing Look ‘n’ Stop’s Application Filtering Layer…

    And I’m referring to the method used to bypass Software Firewalls ;). AWFT is quite useful in a non-spyware-related way to assist in showing users the lack of security in the Application Filtering Layer of their Software Firewalls, whereas pcAudit sends a lot of privacy informatics about users and their machines to the pcAudit server for storage.
     
  5. lurker1

    lurker1 Guest

    Hi everybody,

    no doubt that LnS is much more successful than most other firewalls in answering challenges to most leaktest programs available to the public.

    But this is only one problem why firewall makers are scratching their heads. There are known attacks on the actual configuration settings. Some firewall vendors have, as I read, already reacted with some success to this threat.

    Now..., when I had LnS installed for testing, I noticed several things. Everything seemed to me rather "open", and I wondered how easy it would be, even for an inexperienced person, to insert a diskette in a few seconds, when the PC is unattended, overwriting the rulesets and lns.reg and executing it. Even if the stored checksums for the applications in the lns.reg had been created by a one-way hash, which they obviously are not, it would be no problem to overwrite it with another one and execute it. The same attack could theoretically also be done by a trojan. As the applications in the applications window are not even identified by their name/version number/build number, it could take some time for the user to notice the changes.

    I don't know if I am right with my thoughts, but I am sure that the discerning user will spend a few moments thinking about it.

    cheers
     
  6. Ph33r

    Ph33r Guest

    Hmmm, intelligent response. However, any attempts made to modify Look ‘n’ Stop’s Registry Entries while Look ‘n’ Stop is currently running will not work out as planned, because Look ‘n’ Stop fetches all its Registry Informatics upon its execution while shielding any modifications throughout its current session and re-applying them quickly upon abnormal attempts as soon as something changes…

    Have you tried fully terminating Look ‘n’ Stop’s process? Anybody or anything must do its work when Look ‘n’ Stop isn’t running in the background… And from this aspect there is quite a risk: the Start-up methods Look ‘n’ Stop gives by default don’t provide a fast enough start-up boost, so something could possibly make modifications automatically before Look ‘n’ Stop even becomes loaded… I use the Windows Shell Start-up Group to ensure Look ‘n’ Stop always becomes loaded after Explorer.exe.

    Maybe Frederic might consider providing better Start-up methods, like in the Service area or the Windows Shell Start-up Group… ;)
     
  7. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Yes, it is the right one. The version has not been changed yet because the driver is not included in an official setup package.
    However, by requesting the driver logs in the console you should see the following specific string, "Driver Entry Win2k OT2.", which identifies this special driver.

    Frederic
     
  8. Ph33r

    Ph33r Guest

    The informatics given to me is only:

    FW:
    Driver Entry Win2k/XP

    Even though I’m using the given new Look ‘n’ Stop Application Filtering Driver, and passing AWFT 10 without making any abnormal System changes proves that… :)
     
  9. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    FW:
    Driver Entry Win2k/XP

    refers to lnsfw.sys, the packet filter.

    Just below, you should have:
    FW1:
    Driver Entry Win2k OT2.

    for application filtering (lnsfw1.sys).

    Frederic.
     
  10. Ph33r

    Ph33r Guest

    Actually I don't see it; it must require a fresh re-boot to see that informatics...
     
  11. tosbsas

    tosbsas Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    789
    Location:
    Lima, Peru
    Thanks Frederic

    Ruben
     
  12. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi lurker1,

    Here are some comments.

    As mentioned by Ph33r, Look 'n' Stop writes back the contents of its internal settings to the registry (and to lns.reg) when it exits. So this method is not so "open".

    If you overwrite that information, Look 'n' Stop will detect the application as a new one or with a signature that has changed.

    I don't understand why the version number/build number should be useful for the user.
    The only thing asked of the firewall is the detection of the exe content change (whatever the method used).
    So, you are talking about trojans that will attack firewalls directly (by replacing/removing files or registry entries, automating firewall actions, ...).
    Yes, we should talk about that, but this is at the frontier between anti-virus, IDS and firewall roles.

    Assuming the following steps are under control:
    - step 1: basic application connection detection
    - step 2: masquerading detection (leaktest from grc)
    - step 3: application starting another one which connects (tooleaky, firehole)
    - step 4: applications executing in the context of another allowed process (firehole, PCAudit, BackStealth, AWFT, Thermite)

    Perhaps this is now the only remaining possibility to defeat firewalls ?

    To be complete, there was another step under Win9X/Me, with applications using their own protocol bypassing MSTCP (Outbound).

    Frederic
     
  13. lurker1

    lurker1 Guest

    Hi Frederic,

    sorry to keep on nagging.:-}

    If the malicious lns.reg contents relating to apps and sigs were created, say on another PC, by LnS itself, the sigs would always be legal for the corresponding malicious app, even without knowing the method or algorithm. Or not?
    And the application could also have a name that is somehow familiar to the user. Version and build number would only be an additional mark for the user to identify it more precisely.

    cheers
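    As an added illustration of the signature discussion in the two posts above (Frederic's point that the firewall only needs to detect a change of exe content, and lurker1's point that a table of signatures created by the firewall on another PC would be "legal" for the malicious application), here is a small Python sketch. It is not Look 'n' Stop's code and says nothing about what LnS actually stores in lns.reg; the functions file_signature, build_manifest, manifest_is_authentic and check_application, the per-installation key and the sample "executables" are all assumptions constructed for the example. What it shows: a content hash catches a replaced executable under a familiar name, but a table of hashes copied from another machine or edited by hand verifies just as well unless the table itself is bound to the local installation, here with an HMAC under a key that never leaves that PC.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Hypothetical helper names; an illustration, not Look 'n' Stop's mechanism.


def file_signature(path: str) -> str:
    """Return the SHA-256 hex digest of a file's full contents (the 'exe content')."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, install_key: bytes) -> dict:
    """One entry per application (path -> content hash), sealed with an HMAC under a
    per-installation key so a manifest made elsewhere or edited by hand won't verify."""
    apps = {p: file_signature(p) for p in paths}
    body = json.dumps(apps, sort_keys=True).encode()
    return {"apps": apps, "mac": hmac.new(install_key, body, "sha256").hexdigest()}


def manifest_is_authentic(manifest: dict, install_key: bytes) -> bool:
    """True only if the table was sealed with this installation's key."""
    body = json.dumps(manifest["apps"], sort_keys=True).encode()
    expected = hmac.new(install_key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def check_application(manifest: dict, path: str) -> str:
    """Classify an application about to connect: 'allowed', 'changed' or 'new'."""
    stored = manifest["apps"].get(path)
    if stored is None:
        return "new"
    return "allowed" if file_signature(path) == stored else "changed"


def demo() -> dict:
    """Walk through the cases discussed in the thread on constructed sample files."""
    d = tempfile.mkdtemp()
    browser = os.path.join(d, "browser.exe")   # constructed stand-in for a real binary
    mailer = os.path.join(d, "mailer.exe")     # constructed stand-in for a real binary
    with open(browser, "wb") as f:
        f.write(b"MZ good program v1")
    with open(mailer, "wb") as f:
        f.write(b"MZ mailer")
    key_this_pc = os.urandom(32)   # this installation's secret
    key_other_pc = os.urandom(32)  # the attacker's own PC

    manifest = build_manifest([browser], key_this_pc)
    results = {
        "authentic": manifest_is_authentic(manifest, key_this_pc),
        "allowed": check_application(manifest, browser),
        "new": check_application(manifest, mailer),
    }
    # The familiar name is kept but the content is replaced: the hash no longer matches.
    with open(browser, "wb") as f:
        f.write(b"MZ replaced")
    results["changed"] = check_application(manifest, browser)
    # A manifest built on another PC vouches for the replaced file, but carries the wrong MAC.
    foreign = build_manifest([browser], key_other_pc)
    results["foreign_authentic"] = manifest_is_authentic(foreign, key_this_pc)
    # Hand-editing the local entry to the new hash without the key also fails to verify.
    tampered = {"apps": {browser: file_signature(browser)}, "mac": manifest["mac"]}
    results["tampered_authentic"] = manifest_is_authentic(tampered, key_this_pc)
    return results


if __name__ == "__main__":
    print(demo())
```

    The split matters in practice: the per-file hash answers "did this exe change?", the seal answers "is this table mine?", and the key must be stored where the unprivileged user and a trojan cannot read it, otherwise a tampered table can simply be re-sealed.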
     
  14. Ph33r

    Ph33r Guest

    Good point, I agree that it’s very easy gathering valid informatics from the .reg file or the registry to use when making malicious modifications to one’s installed Look ‘n’ Stop. But back to the part where Look ‘n’ Stop would have to be fully closed when making these changes, otherwise Look ‘n’ Stop will shield its registry entries and reapply them upon abnormal modification attempts.

    That’s actually not quite a bad suggestion: since Look ‘n’ Stop does its comparison by Signatures and nothing more, it’d be interesting to be able to retrieve File Informatics to determine if it had been updated, like double-clicking an entry in the Look ‘n’ Stop Application Filtering List to bring up a dialog with File Properties… Even though it’s not really a necessary feature, as it won’t enhance anything in reference to security as far as I can see…
     
  15. lurker1

    lurker1 Guest

    Hi Ph33r,

    first of all, sorry... I am aware that I have opened up an off-topic thread. That's why only a quick answer on closing LnS: I don't have LnS installed right now, so I can not fiddle around with it. But if the "person carrying the diskette" knew that there are programs on the PC which can close a running process, like some Trojan scanners (at least mine), it would take two clicks: execute the .reg and reload LnS. If it can be done in this way, a trojan could have a function like that in the program. However, possibly the idea is too far-fetched, anyway. :-}

    cheers
     
  16. Ph33r

    Ph33r Guest

    Process Termination Protection. ;)
     