dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
11023

Vampirefo
Premium Member
join:2000-12-11
Huntington, WV

Vampirefo

Premium Member

Very odd site Claims they can disable ZA

I don't use ZA, and I don't know anything about this site, Please read and let me know what you guy's think.Again I don't know Jake about this site so, read with caution, You can read it with no problems, but don't click the link at the site, that link has some kind of code, that is suppose to disable ZA.

I posted it here, because their are a lot of ZA user here, and many experienced pc users, here, That can determine if this is real, or a fake. If this is real, it needs to be reported to ZA, ASAP, if a fake, then disregard.

»www.angelfire.com/on3/vx ··· ack.html

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

R2

MVM

I tried it -- yes, I know -- but this is my work computer!

It did NOT shut down my Zone Alarm. The zap.exe file was "Copyright (C) 1996-1999 Laszlo Molnar & Markus Oberhumer" -- so perhaps this does not work on newer version of ZA???

I thought this section was a little strange:

KERNEL32.DLL
ADVAPI32.DLL
GDI32.DLL
OLEAUT.DLL
USER32.DLL
WSOCK32.DLL

Why are those files mentioned in this .exe file?

Vampirefo
Premium Member
join:2000-12-11
Huntington, WV

Vampirefo

Premium Member

Click for full size
I just tried it and it did shutdown ZAP, I got it from a friend just now, I had to try it, It killed the version 1.0.64, this is the only version i could find on short notice.
[text was edited by author 2001-07-02 21:37:38]

gameboyrom
Premium Member
join:2000-11-27

gameboyrom to Vampirefo

Premium Member

to Vampirefo
It only had "Close Key" in ADVAPI32.dll - This is odd
It also only had Bind in Wsock32.dll - odd again.
It was packed with an early version of UPX - I can't unpack it. It's probably not a virus taking into account it's small size. It has the some characteristics of a trojan(bind in wsock32.dll, it's packed), but once again it's too small. It most likely is just a hoax or an old web page

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve to Vampirefo

to Vampirefo
Don't know ZoneAlarm at all, but this looks like a very promising approach to doing what they claim. Simply be creating the Mutex object that ZoneAlarm apparently depends on they can prevent ZA from starting, and I've seen this kind of thing happen (by accident) in other places.

My gut says this does exactly what they claim. Remember, if you can disable your firewall, so can something else. I've always wondered when this would happen.

Steve
Nick8
Premium Member
join:2001-03-17
UK

Nick8

Premium Member

This mutex flaw was discussed at great length quite a while ago. I don't use ZA either but I know that the latest versions of ZA / ZAP (2.6.x I think) are not vulnerable. Also there is a patch available for the old versions which was not produced by Zone Labs, I think DCS were responsible for the patch (aswell as the discovery of the vulnerability).

[text was edited by author 2001-07-02 21:46:18]

Vampirefo
Premium Member
join:2000-12-11
Huntington, WV

Vampirefo

Premium Member

Click for full size
I just downloaded the latest version from ZAP, and this test killed it just as fast.

enabl3D
Wtf Is God???
join:2000-07-04
West Palm Beach, FL

enabl3D to Nick8

Member

to Nick8
well I'm using the latest version of ZAP(2.6.214) and that little program was able to shut it down.
oh boy, oh boy!!!!!
Nick8
Premium Member
join:2001-03-17
UK

Nick8 to Vampirefo

Premium Member

to Vampirefo
Most of the discussion about this issue it too old to find, but I found this thread which is more recent. It seems the new version will still get shut down, but will cut the net connection dead (that's what they mean by "fixed"!). DCS's patch will prevent ZA getting shut down in the first place, its is suggested that the patch can be applied to any version of ZA.

Vampirefo
Premium Member
join:2000-12-11
Huntington, WV

Vampirefo to enabl3D

Premium Member

to enabl3D
So two confirmed, kills on the latest version of ZAP, seems like we got us a problem guy's.This test is real who wants to tell Zone labs? anyone else with ZAP care to try?
Vampirefo

Vampirefo to Nick8

Premium Member

to Nick8
The internet connection was not shutdown, only ZAP, I was still able to surf the internet.The information in that thread is not correct, the only thing that dies is ZAP, not the internet connection.
[text was edited by author 2001-07-02 22:01:50]

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

R2 to Vampirefo

MVM

to Vampirefo
Now I am paranoid, why wasn't I shut down???
Nick8
Premium Member
join:2001-03-17
UK

Nick8 to Vampirefo

Premium Member

to Vampirefo
I can tell you for sure that they are fully aware of the issue . They were hounded several months back when the issue was made public by DCS. Their answer to it is to have ZA take the internet connection with it if it dies (in versions 2.6.x) - effective if not elegant. DCS's patch actually prevents the code from shutting down ZA.

R2
R Not
MVM
join:2000-09-18
Long Beach, CA

R2 to Vampirefo

MVM

to Vampirefo
This is different than BioNet -- BioNet kills zonealarm.exe, but this seems to Terminate vsmon.exe and minilog.exe -- correct?
Nick8
Premium Member
join:2001-03-17
UK

Nick8 to Vampirefo

Premium Member

to Vampirefo
Can you confirm that port 7 is open and reachable?

This program is DCS's own tester! It was released many months ago - I am surprised that no-one has reported the new ZA's failure to deal with it correctly yet.
[text was edited by author 2001-07-02 22:09:15]

damonlab
Premium Member
join:2001-05-02
Detroit, MI

damonlab to Vampirefo

Premium Member

to Vampirefo
I have ZA 2.6.88 and am running win2k. My question is the same as R2, why wasn't I shut down?

enabl3D
Wtf Is God???
join:2000-07-04
West Palm Beach, FL

enabl3D to Nick8

Member

to Nick8
Click for full size
well my internet did get shut down
heres a screenshot of netstat right after running the program:

bzar1
join:2001-05-15
Tucson, AZ

bzar1 to Vampirefo

Member

to Vampirefo
zaf 2.6.88 no effect
Nick8
Premium Member
join:2001-03-17
UK

Nick8 to enabl3D

Premium Member

to enabl3D
said by EmiGrante:
well my internet did get shut down
This is what I expected - if ZA gets shut down, listener is active but internet connection is dead and therefore listener is unreachable.

[text was edited by author 2001-07-02 22:17:15]

Vampirefo
Premium Member
join:2000-12-11
Huntington, WV

Vampirefo to bzar1

Premium Member

to bzar1
Download the program to your desktop, and then run it, I am not running like they want, I have it on my desktop. Then I run it and it kills ZAP fast, TPF is preventing port 7 from opening.
Vampirefo

Vampirefo to Nick8

Premium Member

to Nick8
I am on cable and my connection is not being shutdown, ZAP is failing the test on my pc.

bzar1
join:2001-05-15
Tucson, AZ

bzar1 to Vampirefo

Member

to Vampirefo
so far both that were effected were 2.6.214 huh,maybe?

ok running from the desktop does take za down but the internet connection is also lost as they claim.probably not the best solution but its effective.
[text was edited by author 2001-07-02 22:29:08]
dave
Premium Member
join:2000-05-04
not in ohio

dave to R2

Premium Member

to R2
said by R2:
I thought this section was a little strange:

KERNEL32.DLL
ADVAPI32.DLL
GDI32.DLL
OLEAUT.DLL
USER32.DLL
WSOCK32.DLL

Why are those files mentioned in this .exe file?
That list is a standard import list--i.e., which DLLs this .EXE refers to. Tells the image activator (or whatever the hell they call it in this OS!) what DLLs to merge into the address space. Practically every .EXE has one.
[text was edited by author 2001-07-02 22:48:31]
Nick8
Premium Member
join:2001-03-17
UK

Nick8 to Vampirefo

Premium Member

to Vampirefo
I'm guessing but depending on how ZA kill's the net connection, TPF could be responsible for ZA's inability to do so. Tiny statically installs a low-level driver - you would have to un-install Tiny to test this I'm afraid.....

bzar1
join:2001-05-15
Tucson, AZ

bzar1 to Vampirefo

Member

to Vampirefo
yeah running from the desktop does take za down but as they claim the internet connection is locked also.

damonlab
Premium Member
join:2001-05-02
Detroit, MI

damonlab to Vampirefo

Premium Member

to Vampirefo
Running from my desktop didn't take ZA down. Now I am getting paranoid.

Vampirefo
Premium Member
join:2000-12-11
Huntington, WV

Vampirefo to Nick8

Premium Member

to Nick8
Drop TPF UMMM not, LOL. I won't run naked, I like to at least have my pants on.
Nick8
Premium Member
join:2001-03-17
UK

Nick8

Premium Member

Well if you have ZA installed and I'm right, you will be protected / disconnected. What's wrong? Don't you trust me??

Seriously - ZA will protect you until you run the mutex test and then if you can still browse, reboot immediately and re-install Tiny. Worst case unprotected time: As long as it takes you to open your browser and hit Alt-F4 and enter . You can save your Tiny config if you decide to do this .

[text was edited by author 2001-07-02 22:37:17]
dave
Premium Member
join:2000-05-04
not in ohio

dave to Vampirefo

Premium Member

to Vampirefo

More info needed...

Anyone know what the mutex is actually for? Is it just to enforce a single executing instance? If so, it seems a bit tacky for the 2nd instance (in this case, the real Zone Alarm) to wait indefintely rather than exit shouting that it's already running.

On the side of Zone Alarm, I note that the exploit seems to require SeDebugPrivilege. This is not a privilege to be handed out lightly. By default in Win2000, it's assigned to admins only. Therefore you apparently need to be running the exploiter as an admin. Well, whoopee, anything you run as an admin has thousands of ways to breach the system, right?

If by chance the priv was only needed to terminate the existing instances of Zone Alarm programs, then the exploiter can only generally work if it can run before Zone Alarm. The fix, of having ZA make a fuss if it can't immediately acquire the mutex, seems sufficient.

damonlab
Premium Member
join:2001-05-02
Detroit, MI

damonlab to Vampirefo

Premium Member

to Vampirefo

Re: Very odd site Claims they can disable ZA

I am running as admin in win2k and it didn't do anything to my ZA, saved onto my desktop or ran from its current location. ZA still blocks all pings when I try to do a port scan, so I figure it is still working alright.