vulnerability

Discussion in 'ProcessGuard' started by Feivel, Jul 7, 2004.

Thread Status:
Not open for further replies.
  1. Feivel

    Feivel Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    100
    Location:
    Baytown, TX
  2. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
hmmm.... dunno if it only applies to *free* as I thought in free it protected ONE file only, and the rest of the program operated like normal.

    Could be wrong o_O?

    I saw that myself earlier on tonight, [bbr-dsl] but will wait until one of the guys can comment further.

    TAS
     
  3. i'llbebach

    i'llbebach Guest

Just goes to show that no security app is unbeatable. They all have their flaws, and many are yet to be discovered. Anyone who believes otherwise is only fooling themselves. Let's just hope the manufacturers find out about the flaws before the hackers do.
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
Yes, the discoverer of this vulnerability (Tan Chew Keong - first name being Chew) has notified us and we are working on a fix, and we commend him for taking the responsible route of vulnerability disclosure, contacting the vendor before making his findings public. This is an extremely complex vulnerability which means 1) fixing it won't be an overnight process (but rest assured it will be fixed), and also 2) due to the complexity of the vulnerability it is very unlikely that many programmers will be able to exploit it, even after reading Tan's informative description - even fellow kernel-mode device driver developers will have a lot of trouble exploiting this one, so there isn't actually much to worry about from an end-user point-of-view, especially as the vulnerability will soon be rendered useless in a very short period of time when we release the fix.

    Best regards,
    Wayne
     
  5. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Thanks Wayne for the info. :)

    Cheers, TAS
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Reading the blurb it is a proof of concept and could cause a system crash.
    As it stands you would have to download STDrestore.exe and run it before PG could be stopped. Hence their warning not to run unknown programs as an Admin. Process Guard's checksum list would also alert you.
    Not sure what version it works against; we will have to await DCS's response as they do know about it already and have said it will be corrected in the next version.
     
  7. Feivel

    Feivel Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    100
    Location:
    Baytown, TX
    Proof of concept for now but I can see someone hell bent on being malicious attacking that vulnerability.
     
  8. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
Feivel, I can't - programmers who are skilled enough to make use of any of Chew's advanced work typically have more productive and rewarding things to do with their time than try to attack people's computers ... :). Another thing to remember is that Process Guard is a unique and relatively new program that doesn't exist on many computers around the world yet as we haven't done much marketing for it yet. If an attacker is trying to get into your system, there's only a very small chance that Process Guard will exist - there's a much better chance that they'll encounter other defences like anti-viruses, firewalls etc, so spending a lot of time developing an exploit for a program that isn't likely to even exist on the target's system is very counterproductive for the attacker, especially considering the exploit will be rendered useless very soon with the release of a new version which fixes the problem. In regards to popularity, mIRC is a good example - there are a lot of worms that target IRC, but the vast majority of them only target the mIRC client because of its popularity. Microsoft's Internet Explorer is another good example - there are many web browsers available, but because there's a good chance of IE being on the target's computer the hacker is much more likely to spend their time attacking that than any other browsers such as Firefox or Opera. Chew's proof-of-concept isn't easily turned into a working exploit that can be used by attackers, so I'd be very surprised if we saw or heard anything more about this ever again, especially after we release a fix shortly. If anyone does try to make a working exploit we can all laugh at them together for wasting their time :)

    Cheers,
    Wayne
     
  9. Feivel

    Feivel Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    100
    Location:
    Baytown, TX
    Wayne,

I suppose you're right about anybody talented enough to use Chew's idea would be doing something more, shall we say, productive with their time. As you say it will be fixed in the next version anyway. Is this only exploitable in the free version (like Chew says) or does this affect the registered version also (Chew couldn't test I think)? Also (I ask a lot of questions) is the next version of PG a free upgrade to your extremely security conscious and smart for choosing DiamondCS customers?
     
  10. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    The full version is also vulnerable as both the free and full versions use the same SDT kernel hooking techniques.

    Absolutely. Since we started releasing software to the public in the early-mid 90s we've always given free upgrades to subsequent releases of our programs, including brand new versions written from the ground up. In our personal opinions, if you pay for a program once you should never have to pay for it again. We have many TDS-2 customers who only ever purchased TDS-2 once, back in the mid-late 90s, then received a free license to TDS-3 and will soon receive a free license to TDS-4. There is just one exception to this rule which I'm sure you'll understand, with our upcoming TDS4 program which will require a subscription to get database updates simply because that requires us to spend so much time every day finding, analysing and adding detection for new trojans which costs us a lot of time and money, but that's only in regards to the database (not the program), and I'm sure you can understand why a subscription is required for daily database updates (virtually all anti-virus vendors are also forced to require subscriptions), which up until now we've been able to provide for free also, but to do the job properly and thoroughly is simply costing too much time and money to provide free daily database updates.

    However, all our other shareware programs such as Process Guard, Port Explorer, etc, don't require such daily work from us, and consequently we're able to offer free upgrades for life to all licensed customers so you'll only ever have to purchase one license (and that in turn grants you access to the Members Area, where you can then purchase our other programs at Members-discounted rates). :)

    Cheers,
    Wayne
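The point in the post above, that both editions rely on the same SDT (System Service Descriptor Table) hooking and that the proof-of-concept works by restoring the table, is easier to see in code. The following is an added example written for this page, not Process Guard's code nor Chew Keong's proof-of-concept: a portable user-mode C model of a syscall table, a protector that hooks the process-termination service, an attacker that writes the pristine table back, and an integrity check that detects the restore and re-hooks. The two services, the table layout, the status codes and the protected PID 1234 are all constructed for the example; a real SDT lives in kernel memory and would be rebuilt by the restore tool from ntoskrnl.exe on disk.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy System Service Descriptor Table: function pointers indexed by syscall
 * number. Constructed for this example; the real table is in ntoskrnl. */
typedef int (*service_fn)(int pid);

enum { SYS_TERMINATE_PROCESS = 0, SYS_COUNT = 2 };

#define STATUS_SUCCESS        0
#define STATUS_ACCESS_DENIED (-1)

static int last_terminated_pid = -1;   /* what the real service last did   */
static int protected_pid = 1234;        /* assumed: PID of the guarded process */

/* The kernel's own services, i.e. what the pristine table points at. */
static int nt_terminate_process(int pid) { last_terminated_pid = pid; return STATUS_SUCCESS; }
static int nt_noop(int pid) { (void)pid; return STATUS_SUCCESS; }

/* Pristine table as laid out in the kernel image. An SDT-restore tool rebuilds
 * exactly this from the on-disk kernel and copies it over the live table. */
static const service_fn image_sdt[SYS_COUNT] = { nt_terminate_process, nt_noop };

/* Live table the dispatcher indexes; both protector and attacker write here. */
static service_fn live_sdt[SYS_COUNT];

/* Protector's record of how the table should look after its hooks went in. */
static service_fn expected_sdt[SYS_COUNT];

/* Protector's hook: refuse termination of the guarded process, otherwise pass
 * through to the original service. */
static int hooked_terminate_process(int pid) {
    if (pid == protected_pid)
        return STATUS_ACCESS_DENIED;
    return image_sdt[SYS_TERMINATE_PROCESS](pid);
}

void kernel_boot(void) {
    memcpy(live_sdt, image_sdt, sizeof live_sdt);
    last_terminated_pid = -1;
}

/* Install the hook and snapshot the table for later integrity checks. */
void protector_install(void) {
    live_sdt[SYS_TERMINATE_PROCESS] = hooked_terminate_process;
    memcpy(expected_sdt, live_sdt, sizeof expected_sdt);
}

/* The attack: whoever can write kernel memory (an admin loading a driver)
 * copies the pristine entries back, silently unhooking the protector. */
void sdt_restore(void) {
    memcpy(live_sdt, image_sdt, sizeof live_sdt);
}

/* What the syscall dispatcher does on every system call. */
int dispatch_syscall(int number, int pid) {
    if (number < 0 || number >= SYS_COUNT)
        return STATUS_ACCESS_DENIED;
    return live_sdt[number](pid);
}

/* Mitigation: compare the live table against the snapshot and re-hook.
 * Returns true when tampering was found (and repaired). */
bool protector_verify_and_repair(void) {
    if (memcmp(live_sdt, expected_sdt, sizeof live_sdt) == 0)
        return false;
    memcpy(live_sdt, expected_sdt, sizeof live_sdt);
    return true;
}

/* Status the guarded process gets from a kill request before any attack. */
int guarded_kill_before_attack(void) {
    kernel_boot();
    protector_install();
    return dispatch_syscall(SYS_TERMINATE_PROCESS, protected_pid);
}

/* Status the guarded process gets from a kill request after the attacker's
 * restore; 'repair' decides whether the protector's integrity check ran first. */
int guarded_kill_after_restore(bool repair) {
    kernel_boot();
    protector_install();
    sdt_restore();
    if (repair)
        protector_verify_and_repair();
    return dispatch_syscall(SYS_TERMINATE_PROCESS, protected_pid);
}

int main(void) {
    printf("before attack:            %d\n", guarded_kill_before_attack());
    printf("after restore, no check:  %d\n", guarded_kill_after_restore(false));
    printf("after restore, with check:%d\n", guarded_kill_after_restore(true));
    return 0;
}
```

The model shows why the severity depends on who can write to the table rather than on the protector's logic: once the hook pointer is gone the dispatcher has nothing to consult, so the only defences left are denying kernel write access in the first place (not running unknown code as Administrator, as the thread already notes) and having the protector verify its own hooks instead of assuming they stay in place.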
     
  11. Feivel

    Feivel Registered Member

    Joined:
    Nov 7, 2002
    Posts:
    100
    Location:
    Baytown, TX
    Thanks for the answer, just too bad we can't add ntoskrnl.exe to the protection list (or could we?).


    For your sake, I hope you have this in a macro :)

    Perfectly understandable. i have read and replied in the thread about this.

    I think I'm in love :)
     
  12. i'llbebach

    i'llbebach Guest

If there are no skilled programmers working on these things, then who is making all the viruses, worms, trojans, keyloggers, spyware, rootkits, and other assorted malware (shitware) that is crawling all over the internet? Are you saying the people who make this crap aren't skilled enough? Come on, let's be realistic here, there are probably hackers working on it right now.
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Feivel, The update will be free to licenced users.
     
  14. 0--0

    0--0 Guest

  15. joeblow99

    joeblow99 Guest


    I have always assumed that the people to be afraid of are the government agencies, especially US government agencies, who, I'm guessing, create and place trojans on thousands of computers in the hope of getting information about 'terrorism', or about anybody they have taken a dislike to.

    I feel reasonably secure against common thieves - I think the anti-trojan vendors work against them; but I have the feeling they ignore trojans put out by their governments.

    A well-known vendor of anti-trojan software said, in another forum, that he was visited by the police because he had added a particular anti-trojan definition to his product's database. He said that when he showed them that he had seen the trojan 'in the wild' they went away.

    That told me volumes about the relationship of the anti-trojan vendors to their governments.
     
  16. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Wayne DiamondCS

    "(Tan Chew Keong - first name being Chew)"

Minor correction here. Tan is the surname or family name. Chew Keong is the name.

    Hope that helps.

    :)
     
  17. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Ah, correct - I was just a bit confused as this was said in the email ...
    Chew Keong it is then ... :)
     
    Last edited: Jul 7, 2004
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
You would be surprised how easy it is to make trojans, worms, and especially adware. A lot of the time previous source code is re-used, often because the malware "writer" simply isn't skilled enough to completely write such a project. Most trojans are very simple - a RAT (Remote Access Trojan) for instance is a simple Client - Server program and often the hardest thing about creating one is for the writer to learn Winsock. If you don't believe me, go and investigate yourself :)

    In contrast to a simple user-mode trojan, it is very difficult to create a stable, kernel-mode driver which works on multiple operating systems.
     
  19. whoopsie

    whoopsie Guest


    he shoots
    he scores
    the crowd goes
    SILENT
     
  20. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hello there anonymous guest.

    Uhm... governments putting out trojans? If you're aware of this, why is nobody else? ;) If any government ever did release a trojan, I don't think there'd be a single anti-virus or anti-trojan vendor out there who wouldn't add it to their detection database. Why wouldn't they? Obviously I can only speak about the Australian government (although I'm assuming things are very similar in the US), but the government can't just roll up in white vans, hand over a cheque to the vendor and say "don't tell anybody about this illegal piece of software we made and don't add detection for it". They'd need to change laws, and this means the government vs. the opposition, in public, and you would read about it in the news because it would be nothing short of bizarre and a lot of people would be rallying to prevent such a law from being made as it's unconstitutional. (I can't see it ever happening).

    And can you provide us with a URL to that statement they made?

It tells the rest of us absolutely nothing. You didn't even state what country they were living in - ie. which government. (There's a big difference between how a communist government such as North Korea would react compared to a government such as Australia). We have effectively no relationship with our government, and I'd be very surprised if any other anti-trojan vendors have any 'relationships' with their governments either. Let's say the US govt was actually using trojans for whatever reason, if we obtained that trojan we'd add detection for it, it's that simple. A trojan is a trojan, we don't care who actually writes or releases it, we'll add detection for it.

    For the record, the Australian government has never visited us in regards to trojans or anything related to them, such as our anti-trojan software, and we've been a registered business since December 1986. The only time we were ever visited was when two analysts from Australia's Defence Signals Directorate, Information Security Group (http://www.dsd.gov.au/infosec/) came over about a year ago, but that was just in regards to us releasing our Cryptosuite program, as here in Australia (and most other countries) you must obtain government authorisation before exporting a program that uses strong cryptographic algorithms, but even then it was just more of an informal chat rather than a formal interview, so even when it comes to cryptography we have no relationship with our government - just formal approval to export our software, but that's required by all crypto software vendors, and not just here in Australia.

    Regards,
    Wayne
     
  21. sarment

    sarment Registered Member

    Joined:
    Jul 11, 2004
    Posts:
    27
  22. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Hi Sarment, Yes, the possible vulnerability will be closed; in a couple of weeks a new version will be released. The possible vulnerability was a proof of concept which has been discussed between DCS and the vulnerability designer.
    No such distributed malware exists at the moment and would require extensive development at a very high level to be effective before being released into the wild.

    HTH Pilli
     
  23. joeblow101

    joeblow101 Registered Member

    Joined:
    Jul 29, 2004
    Posts:
    2
The developer said he was visited by the police after adding a 'definition' for a particular trojan. When he showed them that it was already 'in the wild' they went away.

    The message was, that trojans (or viruses or worms or keyloggers - whatever they should be called) are used by law enforcement. This was in the US, by the way.

    Aside from that bit of evidence, I am assuming that US snooping agencies use trojans as a way to mine information from computers of people they suspect of 'terrorism' or whatever; they don't have the resources to install physical keyloggers on every pc in the world, so sneaking in software keyloggers (or whatever software it takes to do the job) is a good compromise.

After the trojan has done its job on the targeted computers, the next step would probably be to release it into 'the wild', where it would quickly be found by the anti-trojan vendors and neutralized. If a target found he had a trojan, he wouldn't be suspicious, since a million other computers would be infected with the same snooping software.

    But I'm an ignorant user and will be happy to be instructed by the experts: if you want to mine passwords or other information from the computers of suspected terrorists, drug dealers, etc., and you have many thousands of possible targets - hell, you may have the entire internet population in mind, is planting snooping software on their computers a good way to do it?

    Are there methods of getting the software planted, and the information sent back to Agent X at headquarters, assuming you have a lot of money and people to spend on the project, that can get by existing anti-snooping software?

    One of the reasons I bought Process Guard was that the descriptions of the 'rootkits' and other methods of planting software on a computer were completely new to me; I had naively thought that the AV and Anti-Trojan scanners I was using had made me pretty safe - I'm not a terrorist or a drug dealer, but, on general principles, I don't like the idea that some sonofabitch can get into my computer, for whatever high-minded reasons.


    No, I don't want to denigrate somebody who just wants to keep out of legal trouble. I'm sure readers more knowledgeable than I am can confirm, or deny, that that is how it works in the US.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
Good Grief. I live in the US, and I don't for one minute believe this nonsense. With virus/trojan developers world wide, how on earth could anyone begin to enforce this. Also we have a lot of wondrous things in the US, but keeping secrets doesn't seem to be one of them. If this was done, surely the whistle would have sounded.

    Go to the Diligizer fraud boards and read about all the people who insist that the US Federal Reserve and Treasury Dept. run a secret financial market to make the wealthy richer.

    It is Nonsense.

    Proof, Proof, proof, or silence.
     
  25. joeblow101

    joeblow101 Registered Member

    Joined:
    Jul 29, 2004
    Posts:
    2
    What do you think of my supposition that the US snoops are manufacturing trojans and dropping them en masse into the computers of suspected terrorists, or whatever, collecting what they can for analysis by Agent X, and then releasing the trojan into 'the wild' where it will be spotted by the trojan vendors?

    If anti-trojan programs rely on a database of definitions, rather than some kind of heuristic analysis, then that might be a good way for the US snoops to get a lead on whoever it is they are looking for.

    The US has legislation in place that allows for electronic gathering of information from computers, with a warrant, without specifying an individual; in other words, there is no legal reason they can't drop trojans on a million computers, if they want to and are able to do it. Given the hysteria in the US, I assume the US government snoops will use any means in their power to spy indiscriminately on as many people as they can.

    What I don't know is whether or not 1. it is practical, and 2. what is the best way to do it without alerting the targets that they are being spied on by the government, as opposed to a bunch of criminals.

    My scenario is an attempt at answering 2.
     