Vampirefo Premium Member join:2000-12-11 Huntington, WV |
Very odd site: claims they can disable ZA
I don't use ZA, and I don't know anything about this site. Please read and let me know what you guys think. Again, I don't know Jack about this site, so read with caution. You can read it with no problems, but don't click the link at the site; that link has some kind of code that is supposed to disable ZA. I posted it here because there are a lot of ZA users here, and many experienced PC users here, who can determine if this is real or a fake. If this is real, it needs to be reported to ZA ASAP; if a fake, then disregard. » www.angelfire.com/on3/vx ··· ack.html |
|
R2 R Not MVM join:2000-09-18 Long Beach, CA | MVM | 2001-Jul-2 9:23 pm
I tried it -- yes, I know -- but this is my work computer!
It did NOT shut down my Zone Alarm. The zap.exe file was "Copyright (C) 1996-1999 Laszlo Molnar & Markus Oberhumer" -- so perhaps this does not work on newer versions of ZA???
I thought this section was a little strange:
KERNEL32.DLL ADVAPI32.DLL GDI32.DLL OLEAUT.DLL USER32.DLL WSOCK32.DLL
Why are those files mentioned in this .exe file? |
|
Vampirefo Premium Member join:2000-12-11 Huntington, WV |
I just tried it and it did shut down ZAP. I got it from a friend just now; I had to try it. It killed version 1.0.64, which is the only version I could find on short notice. [text was edited by author 2001-07-02 21:37:38] |
|
|
to Vampirefo
It only had "Close Key" in ADVAPI32.dll - this is odd. It also only had Bind in Wsock32.dll - odd again. It was packed with an early version of UPX - I can't unpack it. It's probably not a virus, taking into account its small size. It has some of the characteristics of a trojan (bind in wsock32.dll, it's packed), but once again it's too small. It most likely is just a hoax or an old web page. |
|
Steve I know your IP address join:2001-03-10 Tustin, CA |
to Vampirefo
Don't know ZoneAlarm at all, but this looks like a very promising approach to doing what they claim. Simply by creating the Mutex object that ZoneAlarm apparently depends on, they can prevent ZA from starting, and I've seen this kind of thing happen (by accident) in other places.
My gut says this does exactly what they claim. Remember, if you can disable your firewall, so can something else. I've always wondered when this would happen.
Steve |
|
Nick8 Premium Member join:2001-03-17 UK | 2001-Jul-2 9:44 pm
This mutex flaw was discussed at great length quite a while ago. I don't use ZA either, but I know that the latest versions of ZA / ZAP (2.6.x I think) are not vulnerable. Also, there is a patch available for the old versions which was not produced by Zone Labs; I think DCS were responsible for the patch (as well as the discovery of the vulnerability).
[text was edited by author 2001-07-02 21:46:18] |
|
|
Vampirefo Premium Member join:2000-12-11 Huntington, WV |
I just downloaded the latest version from ZAP, and this test killed it just as fast. |
|
enabl3D Wtf Is God??? join:2000-07-04 West Palm Beach, FL |
to Nick8
Well, I'm using the latest version of ZAP (2.6.214) and that little program was able to shut it down. Oh boy, oh boy!!!!! |
|
Nick8 Premium Member join:2001-03-17 UK |
to Vampirefo
Most of the discussion about this issue is too old to find, but I found this thread, which is more recent. It seems the new version will still get shut down, but will cut the net connection dead (that's what they mean by "fixed"!). DCS's patch will prevent ZA getting shut down in the first place; it is suggested that the patch can be applied to any version of ZA. |
|
Vampirefo Premium Member join:2000-12-11 Huntington, WV |
to enabl3D
So two confirmed kills on the latest version of ZAP; seems like we got us a problem, guys. This test is real. Who wants to tell Zone Labs? Anyone else with ZAP care to try? |
|
Vampirefo |
to Nick8
The internet connection was not shut down, only ZAP; I was still able to surf the internet. The information in that thread is not correct: the only thing that dies is ZAP, not the internet connection. [text was edited by author 2001-07-02 22:01:50] |
|
R2R Not MVM join:2000-09-18 Long Beach, CA |
to Vampirefo
Now I am paranoid; why wasn't I shut down??? |
|
Nick8 Premium Member join:2001-03-17 UK |
to Vampirefo
I can tell you for sure that they are fully aware of the issue. They were hounded several months back when the issue was made public by DCS. Their answer to it is to have ZA take the internet connection with it if it dies (in versions 2.6.x) - effective if not elegant. DCS's patch actually prevents the code from shutting down ZA. |
|
R2R Not MVM join:2000-09-18 Long Beach, CA |
to Vampirefo
This is different than BioNet -- BioNet kills zonealarm.exe, but this seems to terminate vsmon.exe and minilog.exe -- correct? |
|
Nick8 Premium Member join:2001-03-17 UK |
to Vampirefo
Can you confirm that port 7 is open and reachable?
This program is DCS's own tester! It was released many months ago - I am surprised that no one has reported the new ZA's failure to deal with it correctly yet. [text was edited by author 2001-07-02 22:09:15] |
|
damonlab Premium Member join:2001-05-02 Detroit, MI |
to Vampirefo
I have ZA 2.6.88 and am running Win2k. My question is the same as R2's: why wasn't I shut down? |
|
enabl3D Wtf Is God??? join:2000-07-04 West Palm Beach, FL |
to Nick8
Well, my internet did get shut down. Here's a screenshot of netstat right after running the program: |
|
bzar1 join:2001-05-15 Tucson, AZ |
to Vampirefo
ZAF 2.6.88: no effect |
|
Nick8 Premium Member join:2001-03-17 UK |
to enabl3D
said by EmiGrante: well my internet did get shut down
This is what I expected - if ZA gets shut down, the listener is active but the internet connection is dead, and therefore the listener is unreachable. [text was edited by author 2001-07-02 22:17:15] |
|
Vampirefo Premium Member join:2000-12-11 Huntington, WV |
to bzar1
Download the program to your desktop, and then run it. I am not running it like they want; I have it on my desktop. Then I run it and it kills ZAP fast. TPF is preventing port 7 from opening. |
|
Vampirefo |
to Nick8
I am on cable and my connection is not being shut down; ZAP is failing the test on my PC. |
|
bzar1 join:2001-05-15 Tucson, AZ |
to Vampirefo
So far both that were affected were 2.6.214, huh? Maybe?
OK, running from the desktop does take ZA down, but the internet connection is also lost, as they claim. Probably not the best solution, but it's effective. [text was edited by author 2001-07-02 22:29:08] |
|
dave Premium Member join:2000-05-04 not in ohio | 2001-Jul-2 10:22 pm
to R2
said by R2: I thought this section was a little strange:
KERNEL32.DLL ADVAPI32.DLL GDI32.DLL OLEAUT.DLL USER32.DLL WSOCK32.DLL
Why are those files mentioned in this .exe file?
That list is a standard import list -- i.e., which DLLs this .EXE refers to. It tells the image activator (or whatever the hell they call it in this OS!) what DLLs to merge into the address space. Practically every .EXE has one. [text was edited by author 2001-07-02 22:48:31] |
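The import list dave describes lives in the PE import directory: a table of IMAGE_IMPORT_DESCRIPTOR entries, each pointing at a DLL name string, which is why those names show up in a strings dump of any .EXE. The reader below is an added example, not code from the thread, from Zone Labs or from DCS. It walks the DOS header, PE signature, optional header data directory and section table to translate RVAs into file offsets, then lists the DLLs in table order. Because nothing in the thread can be downloaded here, `build_sample_pe` constructs a minimal PE32 image in memory carrying only an import directory; that image is a test fixture, not a loadable program.

```python
"""Added example: list the DLLs named in a PE file's import directory.
Layout constants follow the PE/COFF specification; the sample image is
constructed for the demo and is not a real executable."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def _rva_to_offset(sections, rva):
    """Translate a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, offset):
    end = data.index(b"\0", offset)
    return data[offset:end].decode("ascii", errors="replace")


def imported_dlls(data):
    """Return the DLL names from the import directory, in table order."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        datadir_off = opt_off + 96       # PE32: data directories start at +96
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        datadir_off = opt_off + 112      # PE32+: start at +112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    import_rva, _import_size = struct.unpack_from(
        "<II", data, datadir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    if import_rva == 0:
        return []                        # no import directory at all
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        (_name, vsize, va, raw_size, raw_ptr, *_rest) = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    dlls = []
    desc_off = _rva_to_offset(sections, import_rva)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp,
        # ForwarderChain, Name, FirstThunk; an all-zero entry ends the table
        fields = struct.unpack_from("<IIIII", data, desc_off)
        if not any(fields):
            break
        dlls.append(_cstring(data, _rva_to_offset(sections, fields[3])))
        desc_off += 20
    return dlls


def build_sample_pe(dll_names):
    """Constructed fixture: a minimal PE32 whose single section holds only an
    import directory naming dll_names. Not loadable, just parseable."""
    section_va, raw_ptr = 0x1000, 0x200
    desc_size = 20 * (len(dll_names) + 1)            # descriptors + terminator
    names, name_rvas, cursor = b"", [], desc_size
    for dll in dll_names:
        name_rvas.append(section_va + cursor)
        encoded = dll.encode("ascii") + b"\0"
        names += encoded
        cursor += len(encoded)
    descriptors = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas)
    section = descriptors + bytes(20) + names
    section += bytes(-len(section) % 0x200)           # pad to file alignment
    dos = bytearray(64)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, section_va, desc_size)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(section), section_va,
                          len(section), raw_ptr, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt) + sec_hdr
    return headers + bytes(raw_ptr - len(headers)) + section


if __name__ == "__main__":
    sample = build_sample_pe(["KERNEL32.DLL", "ADVAPI32.DLL", "GDI32.DLL",
                              "OLEAUT.DLL", "USER32.DLL", "WSOCK32.DLL"])
    print(imported_dlls(sample))
```

Point it at a real file with `imported_dlls(open(path, "rb").read())`. One caveat for the file in the thread: a packer such as UPX rewrites this table to a reduced one that keeps the loader mapping each DLL while the stub resolves the real function imports at run time, which is consistent with seeing only one function per DLL (the "only Close Key", "only Bind" observation) and is not evidence about what the unpacked code does.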
|
Nick8 Premium Member join:2001-03-17 UK |
to Vampirefo
I'm guessing, but depending on how ZA kills the net connection, TPF could be responsible for ZA's inability to do so. Tiny statically installs a low-level driver - you would have to uninstall Tiny to test this, I'm afraid..... |
|
bzar1 join:2001-05-15 Tucson, AZ |
to Vampirefo
Yeah, running from the desktop does take ZA down, but as they claim, the internet connection is locked also. |
|
damonlab Premium Member join:2001-05-02 Detroit, MI |
to Vampirefo
Running from my desktop didn't take ZA down. Now I am getting paranoid. |
|
Vampirefo Premium Member join:2000-12-11 Huntington, WV |
to Nick8
Drop TPF? UMMM, not. LOL. I won't run naked; I like to at least have my pants on. |
|
Nick8 Premium Member join:2001-03-17 UK | 2001-Jul-2 10:33 pm
Well, if you have ZA installed and I'm right, you will be protected / disconnected. What's wrong? Don't you trust me?? Seriously - ZA will protect you until you run the mutex test, and then, if you can still browse, reboot immediately and re-install Tiny. Worst case unprotected time: as long as it takes you to open your browser and hit Alt-F4 and Enter. You can save your Tiny config if you decide to do this. [text was edited by author 2001-07-02 22:37:17] |
|
dave Premium Member join:2000-05-04 not in ohio |
to Vampirefo
More info needed... Anyone know what the mutex is actually for? Is it just to enforce a single executing instance? If so, it seems a bit tacky for the 2nd instance (in this case, the real Zone Alarm) to wait indefinitely rather than exit shouting that it's already running.
On the side of Zone Alarm, I note that the exploit seems to require SeDebugPrivilege. This is not a privilege to be handed out lightly. By default in Win2000, it's assigned to admins only. Therefore you apparently need to be running the exploiter as an admin. Well, whoopee, anything you run as an admin has thousands of ways to breach the system, right?
If by chance the priv was only needed to terminate the existing instances of Zone Alarm programs, then the exploiter can generally only work if it can run before Zone Alarm. The fix, of having ZA make a fuss if it can't immediately acquire the mutex, seems sufficient. |
|
damonlab Premium Member join:2001-05-02 Detroit, MI |
to Vampirefo
Re: Very odd site: claims they can disable ZA
I am running as admin in Win2k and it didn't do anything to my ZA, saved onto my desktop or run from its current location. ZA still blocks all pings when I try to do a port scan, so I figure it is still working alright. |
|