What exactly does a FW stop going "out"?

Discussion in 'other firewalls' started by tonyseeking, Apr 18, 2009.

Thread Status:
Not open for further replies.
  1. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406

    Invisible background downloads? While I'm surfing using Firefox, there can be invisible background downloads? How?
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    tonyseeking, I would suggest you find some time to spend with a search engine, and read up on these topics and more. There are many great white papers as well as sites devoted to each of these issues.

    My opinion is that while you can certainly learn a lot here from the barrel of geeks that haunt Wilders, you might get a better foundation to better understand the answers you are receiving.

    Sul.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Here are some examples.

    Current PDF exploit in the wild.

    The malicious file loads in Acrobat Reader, and its code attempts to make an outbound connection to download a trojan. Since Acrobat is not an authorized application in my Firewall rules, an alert pops up:


    [IMG]

    If successful, the trojan installs as an information stealer. It would set up a Shell to send out passwords and other information it searches for on your hard drive, to the attacker's server.

    Two ways PDF files infect:

    • By Remote Code Execution (drive-by download), where just connecting to the site will trigger the action by means of code in the Web Page. Successful against IE, Firefox, Opera, unless JavaScript is disabled and PDF files are configured to download, rather than run from the web site.

    • Opening a PDF file sent by email. Prevention here is obvious (I hope!).

    Sober worm

    Old email exploit. If the victim is tricked into opening the document, the worm copies itself as Services.exe (here on Win2k; Svchost.exe on WinXP, Vista). It attempts an outbound connection, but since the Firewall maintains a Hash List of permitted applications to connect out, this bogus application is blocked:


    [Image: sober-kerio_2a.gif]


    Some Sober variants were spyware and information stealers.


    Codec, Flash Update Tricks

    User is tricked into installing a Codec that is infected. Here, the exploit attempts to use Windows Explorer to connect out to download more malware.

    Not an unusual action, since Explorer will often search across network drives. A block rule prevents this.

    [Image: codec.gif]

    Netsky Worm

    One of the most successful of email exploits; uses the double extension trick. The victim thinks it is a data file, when .scr is really an executable file extension.

    [Image: netsk.gif]

    Many similar examples would show how a firewall can alert to unauthorized outbound connections.

    However, note Kerodo's comment about sophisticated malware that can bypass firewalls. The recent Conficker worm had some tricks like that:

    SRI International Technical Report
    http://mtc.sri.com/Conficker/addendumC/

    How this performs against the Vista firewall has not been reported.

    Although not specific to your topic, yet relevant, you mention that you use Firefox. Certainly you are aware that properly configured, it is immune from all in-the-wild web-based malware attacks (so-called Drive-by Download).

    That leaves exploits that can bypass your common sense.

    Cover those two bases and there is nothing left to intrude and infect, hence, nothing malicious to connect outbound.

    Or so it seems to me...


    ----
    rich
     
    Last edited: Apr 21, 2009
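
The outcomes described in the post above (an alert for an application with no rule, a block for a bogus Services.exe whose hash is not on the permitted list, a block by explicit rule for Explorer) as a simplified model. This is an added example, not code from the thread or from any firewall product; `OutboundPolicy`, its methods, the file names and contents are constructed for illustration, and SHA-256 stands in for whatever hash the firewall actually uses.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash the file's bytes; a file name alone proves nothing."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class OutboundPolicy:  # hypothetical model, not any product's actual logic
    def __init__(self):
        self.permitted = {}  # hash -> file name recorded at approval time
        self.denied = set()  # hashes covered by an explicit block rule

    def permit(self, path):
        self.permitted[sha256_of(path)] = os.path.basename(path).lower()

    def decide(self, path):
        digest, name = sha256_of(path), os.path.basename(path).lower()
        if digest in self.denied:
            return "block"  # explicit block rule
        if digest in self.permitted:
            return "allow"  # hash is on the permitted list
        if name in self.permitted.values():
            return "block"  # approved name, unapproved hash
        return "ask"  # no rule yet: alert the user


def demo():
    samples = {  # label -> (relative path, constructed stand-in contents)
        "service": ("system/services.exe", b"genuine service bytes"),
        "shell": ("system/explorer.exe", b"shell bytes"),
        "bogus": ("temp/services.exe", b"dropped copy, different bytes"),
        "reader": ("apps/reader.exe", b"pdf reader bytes"),
    }
    with tempfile.TemporaryDirectory() as root:
        paths = {}
        for label, (rel, data) in samples.items():
            paths[label] = os.path.join(root, rel)
            os.makedirs(os.path.dirname(paths[label]), exist_ok=True)
            with open(paths[label], "wb") as f:
                f.write(data)
        policy = OutboundPolicy()
        policy.permit(paths["service"])
        policy.denied.add(sha256_of(paths["shell"]))
        return {label: policy.decide(p) for label, p in paths.items()}
```

The decision is made on the file's contents, so a copy that only borrows a trusted name is refused, while an application the user never approved produces a prompt instead of a silent connection.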