
A Backdoor in XP's Firewall?.....and MS Antispyware allowing it!

Discussion in 'Security and Privacy' started by noahdfear, 2005/03/23.

Thread Status:
Not open for further replies.
  1. 2005/03/23
    noahdfear

    noahdfear Inactive Thread Starter

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
  2. 2005/03/23
    loonychoons Lifetime Subscription

    loonychoons Inactive

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    Will that be fixed?

    Will MS AntiSpyware repair this? Are they waiting for reports like this on their Beta release, so that they can close potential loopholes that users find? Will my ZoneAlarm protect my system for now? P.S. I could not find rk.exe in my Registry. I used RegSeeker! loonychoons
     
    Last edited: 2005/03/23


  4. 2005/03/23
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
    I liked the part where he doesn't mention if AntiSpyware detected the malware. I mean, if you're gonna bash the tool on a web page, at least give full disclosure of what the tool does and doesn't do. :rolleyes: I also enjoyed the part where he explained how he, being a great discoverer of security holes, managed to get a malware exe running on his box. Hey look ma, I'm a big man on Bugtraq! I found a hole, er.. I mean an exploit, err I mean a backdoor.. I mean a by-design feature request from ISVs... oh never mind, I'll just publish it. :D

    This is why security is always going to be a struggle. You build a firewall to block bad stuff. This interferes with legitimate software, the ISVs complain you are breaking their apps. So, you build and document a way for them to add themselves as an exception. Malware vendors start adding themselves to the exception list. You can't trust the users, because 99% of them would click 'no', and hork up their newly installed software.. So what's left, some digital signing whizbang applet that requires you to buy a $500 cert to sign your software to grant trust to add an exception. But then 90% of folks disable CRL checking because it's slow, so then even if you revoke a malware cert, it still works fine for years. It's a never-ending cycle of cat and mouse. This will not be different until Longhorn is the de facto desktop OS.

    If you are running as administrator, and I can trick/exploit/trojan you into running my code, I will own you. You cannot stop it. If I were a blackhat, I would have every one of your PayPal and Amazon credit cards and all the juicy emails, and then I would bluescreen your machine every time you went to a web page with the letter R in the URL, just for amusement's sake. It's not an exploit that you were bozo enough to click on something you shouldn't have.

    How hard do you really think it would be for someone who can read asm like it's English to figure out how a software firewall works and detour around it? 10 hours, tops. Look at Mark's RootkitRevealer. It took them less than 2 weeks to release new versions of the rootkits that detour it. You cannot win, no amount of smart code will fix a fundamental problem of having too many permissions on your desktop. If you want to cry havoc from the rooftops, that's the only cause worth fighting, everything else is futile.

    I don't normally rant about security, because it's a little too close to my day job, but I will say that most of the people I work with don't run virus scanners, or spyware busters on our home machines, because we don't have to. A firewall, high security defaults on internet browsing (or even using a stream filter, like Proxomitron), and don't click on unsafe code from untrusted sources. I've been on the net since it was a bunch of gopher sites, and I've never gotten a virus, or had my homepage hijacked. Security is 80% PBCAK, 10% current software and 10% boundary fortification to protect against the 0day stuff.

    One of these days I'll do an essay showing infection rates of some of the old big name viruses like Slammer or Code Red, before and after a security patch was released to fix them. It will make you cry.
     
  5. 2005/03/24
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    OK. I am lazy and have not studied noahdfear's link in depth.
    However, after all the discussion on Windows Firewall not being the sharpest spoon in the drawer, why would anyone rely on it as their firewall?
    Forgetting the Firewall, are those articles saying that the MS Spyware program, itself, has a problem?
    P.S. I use MS Spyware along with Ad-Aware, since, as we all know, no one spyware detector does the whole job. (In fact, Giant did more than most other programs according to Eric Howes.)
     
  6. 2005/03/24
    loonychoons Lifetime Subscription

    loonychoons Inactive

    Joined:
    2004/12/30
    Messages:
    249
    Likes Received:
    0
    And that is that!

    Every day that goes by, I am learning that I know more and more of what I do not know. P.S. or even knew existed? KUDOS for JoeHobart!!! loonychoons
     
    Last edited: 2005/03/24
  7. 2005/03/25
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Yeah, it is sneaky, wonder how many realize there is an Exceptions tab.

    By default, MSN Messenger is blocked, you have to tick it - go figure.

    The issue is not its competence as a firewall, it's a hole put there.

    Regards - Charles
     
    Last edited: 2005/03/25
  8. 2005/03/25
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    That's what works for me too. You've been a bit longer on the 'Net, I've been on-line since it became available to the public in Malta at the start of '96, and like you have never been infected and/or hijacked (besides purposely infecting a VPC on occasion).
     
    Arie,
    #7
  9. 2005/03/25
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    charlesvar--My earlier post was sloppily written. What I should have said is "Why would anyone use Windows Firewall?" Unless it is running and another firewall is being used, I presume the "hole" problem does not exist.
    And I am still curious whether the problem with MS Antispyware occurs only when Windows Firewall is also running.
     
  10. 2005/03/25
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Why wouldn't they? The fact is that prior to Windows XP SP2 millions of users were not running any firewall at all, at least those are now running a firewall...

    I'm not sure what problem you are referring to, but if you mean that Windows AntiSpyware should monitor & alert you if a program adds itself to the Windows Firewall exceptions list, I agree, it should.
     
    Arie,
    #9
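    Arie's point, that something should watch the exceptions list, can be done by hand today. The following script is an added example written for this thread, not code from the original post, from Microsoft or from Windows AntiSpyware. Windows Firewall on XP SP2 keeps per-program exceptions as string values under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (and a DomainProfile twin), each in the form <path>:<scope>:<Enabled|Disabled>:<display name>. The script parses a `reg export` of that key, diffs it against an earlier export kept as a baseline, and flags entries that were added, switched from Disabled to Enabled, widened to any address, or point at an executable in a user-writable directory. The two exports embedded below are constructed sample data; the program names and paths are hypothetical (rk.exe is the name mentioned earlier in the thread, placed in a temp directory only to exercise the check).

```python
r"""Audit the Windows XP SP2 firewall exceptions list between two .reg exports.

Added example, not code from the thread.  Produce the exports with
  reg export "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" fw.reg
(reg export writes UTF-16, so read the file with encoding='utf-16'), keep one
as a baseline and run audit() against a later one.  Sample data is constructed.
"""
import re

# one "name"="data" line in a .reg export; both sides use \\ and \" escapes
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# path:scope:mode:name -- the path itself contains a colon, so it is matched
# non-greedily and the scope field (which never contains one) anchors it
ENTRY_RE = re.compile(
    r'^(?P<path>.*?):(?P<scope>[^:]*):(?P<mode>Enabled|Disabled):(?P<name>.*)$',
    re.IGNORECASE)
# heuristic (assumption of this example): directories an ordinary user, or
# malware running as that user, can write to; an enabled exception there is odd
USER_WRITABLE = ('\\temp\\', '\\tmp\\', '\\recycler\\', '\\local settings\\')


def _unescape(s):
    # undo .reg escaping: a backslash protects the following backslash or quote
    return re.sub(r'\\(.)', r'\1', s)


def parse_exceptions(reg_text):
    """Return {lowercased value name: entry dict} for every exception in an export."""
    entries = {}
    for line in reg_text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if not m:
            continue                      # header, key name or blank line
        value_name, data = _unescape(m.group(1)), _unescape(m.group(2))
        e = ENTRY_RE.match(data)
        if not e:
            continue                      # not in path:scope:mode:name form
        entries[value_name.lower()] = {
            'path': e.group('path'),
            'scope': e.group('scope'),
            'mode': e.group('mode').capitalize(),
            'name': e.group('name'),
        }
    return entries


def audit(baseline_text, current_text):
    """Diff two exports; return a list of entries (with reasons) worth a look."""
    before = parse_exceptions(baseline_text)
    after = parse_exceptions(current_text)
    findings = []
    for key, e in after.items():
        reasons = []
        if key not in before:
            reasons.append('added since baseline')
        else:
            old = before[key]
            if old['mode'] == 'Disabled' and e['mode'] == 'Enabled':
                reasons.append('changed from Disabled to Enabled')
            if old['scope'] != '*' and e['scope'] == '*':
                reasons.append('scope widened from %s to any address' % old['scope'])
        if e['mode'] == 'Enabled' and any(d in e['path'].lower() for d in USER_WRITABLE):
            reasons.append('enabled exception for an executable in a user-writable directory')
        if reasons:
            findings.append(dict(e, reasons=reasons))
    for key in before.keys() - after.keys():
        findings.append(dict(before[key], reasons=['removed since baseline']))
    return findings


# constructed sample exports; the programs and paths are hypothetical
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"C:\\Program Files\\Example Chat\\chat.exe"="C:\\Program Files\\Example Chat\\chat.exe:LocalSubNet:Enabled:Example Chat"
'''

CURRENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Example Chat\\chat.exe"="C:\\Program Files\\Example Chat\\chat.exe:LocalSubNet:Enabled:Example Chat"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\rk.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\rk.exe:*:Enabled:Windows Update Helper"
'''

if __name__ == '__main__':
    for f in audit(BASELINE_REG, CURRENT_REG):
        print('%s (%s, scope %s, %s): %s' % (
            f['path'], f['name'], f['scope'], f['mode'], '; '.join(f['reasons'])))
```

    Run against the samples it reports two things: msmsgs.exe flipped from Disabled to Enabled (the tick charlesvar describes, or something doing it for you), and a brand-new, enabled, any-address exception for an executable in a temp folder. The live list can also be viewed on XP SP2 with `netsh firewall show allowedprogram`, but an export you can keep and diff is what turns "there is an Exceptions tab" into an actual check. The user-writable-directory test is a heuristic of this example, not a rule Windows applies.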
  11. 2005/03/25
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    Arie--
    Yes, that is what I meant, whether AntiSpyware would overlook alerting when a program adds itself to another, third party firewall's exception list.
     
  12. 2005/03/25
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
    As Ben said in another post, be sure to post your concerns to the spyware beta newsgroups if you have an idea for AntiSpyware.
     
  13. 2005/03/25
    mazaprin

    mazaprin Inactive

    Joined:
    2003/11/14
    Messages:
    99
    Likes Received:
    0
    Hi folks, I want to pinpoint the REAL reason why noahdfear got that spyware on his Backdoor: You are using Microsoft Firewall which almost 100% of technicians and knowledgeable people (including the famous Fred Langa) have alerted everybody NOT TO USE. If you had not been using this "one way only" firewall you shouldn't have had this problem in the first place.

    Do yourselves a favor and instead of wearing out your brains looking for a reason Microsoft Firewall has a Backdoor and blaming Microsoft AntiSpyware for not fixing it, buy a good professional third party Firewall and problem SOLVED. Period. Case closed. Go on with your life.

    I personally use Trend Micro Internet Security 2005 (Antivirus plus Firewall) and before that I used the 2004 version last year and Never (and I really mean NEVER) got anything past it. I also run Ad-Aware SE, Microsoft AntiSpyware, SpywareBlaster, Spybot Search&Destroy, X-Cleaner (free version) and I don't have spyware or adware on my PC.

    So... buy yourself a good Firewall, a good antivirus and some antispyware tools and end of discussion. KAPUT!!
     
  14. 2005/03/25
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
    You are using Microsoft Firewall which almost 100% of technicians and knowledgeable people (including the famous Fred Langa) have alerted everybody NOT TO USE.

    This is silly advice, and you are a bozo for making these unsubstantiated claims. Cite your references for this 100% number or get off the stage. You find me 5 people who work professionally in the IT industry who advocate that you should turn off and go open, rather than use the basic firewall provided in XP. The point you are trying to make with nonsensical made up statistics is that you are very happy with the extra features you get from your trend micro product, and report good success with its usage.


    I want to pinpoint the REAL reason why noahdfear got that spyware on his Backdoor.If you had not been using this "one way only" firewall you shouldn't have had this problem in the first place.
    This demonstrates you did not read noah's post, my reply, or the referenced article. Please do explain to us internet bumpkins how a "one way only" firewall doesn't prevent things from coming IN. I think the point you were trying, but failed, to make was that some vendors have software that can notify you of outgoing network traffic. Do you know how many 'major outbreaks' of client-PC-targeted network-replicating viruses wouldn't have made the news if everyone was running a "one way only" firewall.. I do.. go look it up.


    So... buy yourself a good Firewall, a good antivirus and some antispyware tools
    That is the first thing you've said I'll buy into. The discussion about this is the capabilities of the *free* firewall and antispyware Microsoft is offering.. for *free*. Noting that this *free* "one way only" firewall would have prevented every single one of the last 5 years' worth of network-replicating viruses (see, now you don't have to look it up), I for one was glad to see the firewall (that's been there since ship) be enabled by default in SP2. It certainly can't compete with commercial purpose-built software, but how much do you really need to be 'safe' from most things?
     
    Last edited: 2005/03/25
  15. 2005/03/25
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Ok mazaprin, got my goodnight chuckle, thanks.

    Regards - Charles
     
  16. 2005/03/26
    prschoef

    prschoef Inactive

    Joined:
    2003/02/21
    Messages:
    28
    Likes Received:
    0
    Use of Anti-Spyware Tools

    Following much of this BBS's advice, I run Spybot and Ad-Aware. A number of posters on this thread have mentioned their desirability. These highly recommended tools may be great for the frequent posters on this site, who are REALLY experienced and knowledgeable, but for me, a person most hesitant to mess with the Registry and basically a user with little understanding of OSs, the messages these tools give are largely useless. For example, Ad-Aware will alert to a registry change and show a string of entries I have no way to evaluate. The link to further info appears under a pop-up that obscures its message, and the message is from a third-party company that denies any connection to Ad-Aware or the responsibility for any results of taking corrective action. How is a user like me to become competent to operate these programs?

    If this should have been posted on another thread, I apologize
     
  17. 2005/03/26
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello prschoef,

    For example, AdAware will alert to a registry change and show a string of entries I have no way to evaluate.

    How is a user like me to become competent to operate these programs?


    One option is to ask here, as you say, lots of knowledgeable people here. But above all, both the OS (if XP) and Ad-Aware as well as Spybot have ways of reversing changes. Knowing how to do that is more important than knowing in detail about whatever gets flagged. If you have confidence that you can backtrack, then learning what the individual items are will come from experience.

    And Lavasoft and Spybot each have their own forums as well.

    Regards - Charles
     
  18. 2005/03/26
    prschoef

    prschoef Inactive

    Joined:
    2003/02/21
    Messages:
    28
    Likes Received:
    0
    Anti-Spyware Advice

    Thanks, I'll search those forums.
     
  19. 2005/03/26
    Welshjim

    Welshjim Inactive

    Joined:
    2002/01/07
    Messages:
    5,643
    Likes Received:
    0
    prschoef--
    That would suggest that you do have some spyware/malware on your PC, which perhaps is caused by the registry change (or it could be some other spyware).
    In any event, based on my experience with Ad-Aware (I do not run Spybot S&D), I have found it completely safe to quarantine anything that Ad-Aware tells me is not desirable. First of all, you can always restore it within Ad-Aware, if you find making the change causes problems. (I believe Spybot S&D functions similarly). And, as charlesvar has said, there also are ways of restoring your system within Windows itself.
    I certainly would advise against using that third-party program. Can you determine what its name is?
    And, instead of going to another forum, you could follow the advice here
    http://www.windowsbbs.com/showthread.php?t=37074
     
  20. 2005/03/26
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Pete,

    Start your own thread and give us the particulars and we'll see if we can help.

    Regards - Charles
     