Broadband Tech > Security > Security > Very odd site Claims they can disable ZA

Very odd site Claims they can disable ZA

I tried it -- yes, I know -- but this is my work computer!

It did NOT shut down my Zone Alarm. The zap.exe file was "Copyright (C) 1996-1999 Laszlo Molnar & Markus Oberhumer" -- so perhaps this does not work on newer version of ZA???

I thought this section was a little strange:

KERNEL32.DLL
ADVAPI32.DLL
GDI32.DLL
OLEAUT.DLL
USER32.DLL
WSOCK32.DLL

Why are those files mentioned in this .exe file?

reply to Vampirefo
It only had "Close Key" in ADVAPI32.dll - This is odd
It also only had Bind in Wsock32.dll - odd again.
It was packed with an early version of UPX - I can't unpack it. It's probably not a virus taking into account it's small size. It has the some characteristics of a trojan(bind in wsock32.dll, it's packed), but once again it's too small. It most likely is just a hoax or an old web page

reply to Vampirefo
Don't know ZoneAlarm at all, but this looks like a very promising approach to doing what they claim. Simply be creating the Mutex object that ZoneAlarm apparently depends on they can prevent ZA from starting, and I've seen this kind of thing happen (by accident) in other places.

My gut says this does exactly what they claim. Remember, if you can disable your firewall, so can something else. I've always wondered when this would happen.

Steve
--
Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net

This mutex flaw was discussed at great length quite a while ago. I don't use ZA either but I know that the latest versions of ZA / ZAP (2.6.x I think) are not vulnerable. Also there is a patch available for the old versions which was not produced by Zone Labs, I think DCS were responsible for the patch (aswell as the discovery of the vulnerability).

[text was edited by author 2001-07-02 21:46:18]

reply to Nick8
well I'm using the latest version of ZAP(2.6.214) and that little program was able to shut it down.
oh boy, oh boy!!!!!
--
si no te gusta que te miren... ponte un cartucho en la cabeza

reply to Vampirefo
Most of the discussion about this issue it too old to find, but I found this thread which is more recent. It seems the new version will still get shut down, but will cut the net connection dead (that's what they mean by "fixed"!). DCS's patch will prevent ZA getting shut down in the first place, its is suggested that the patch can be applied to any version of ZA.

reply to enabl3D
So two confirmed, kills on the latest version of ZAP, seems like we got us a problem guy's.This test is real who wants to tell Zone labs? anyone else with ZAP care to try?

reply to Nick8
The internet connection was not shutdown, only ZAP, I was still able to surf the internet.The information in that thread is not correct, the only thing that dies is ZAP, not the internet connection.
[text was edited by author 2001-07-02 22:01:50]

reply to Vampirefo
Now I am paranoid, why wasn't I shut down???

reply to Vampirefo
I can tell you for sure that they are fully aware of the issue . They were hounded several months back when the issue was made public by DCS. Their answer to it is to have ZA take the internet connection with it if it dies (in versions 2.6.x) - effective if not elegant. DCS's patch actually prevents the code from shutting down ZA.

reply to Vampirefo
This is different than BioNet -- BioNet kills zonealarm.exe, but this seems to Terminate vsmon.exe and minilog.exe -- correct?

reply to Vampirefo
Can you confirm that port 7 is open and reachable?

This program is DCS's own tester! It was released many months ago - I am surprised that no-one has reported the new ZA's failure to deal with it correctly yet.
[text was edited by author 2001-07-02 22:09:15]

reply to Vampirefo
I have ZA 2.6.88 and am running win2k. My question is the same as R2, why wasn't I shut down?
--
It only takes one person to change the world. I am not that person.

reply to Nick8

reply to Vampirefo
zaf 2.6.88 no effect

reply to enabl3D

said by EmiGrante:

---

well my internet did get shut down

---

reply to bzar1
Download the program to your desktop, and then run it, I am not running like they want, I have it on my desktop. Then I run it and it kills ZAP fast, TPF is preventing port 7 from opening.