Personal Firewalls

brett · 2002/04/11

There's quite an interesting thread in the groups at GRC relating to the ability of certain malware to "kill" any running PF. Here's a copy of a post by Kevin McAleavey (one of the developers of BOClean):-

I should perhaps been a bit more specific on ZA 2.6.xxx - please forgive me folks, I never did believe in software firewalls and don't use any of them. What I *should* have said was early versions of ZA 2.6.xxx (the freebie - we've played with it to test compatibility of our own products) and they go byebye with ease. After ZA's changes, and those of other manufacturers including ourselves, you have to now go after a Ring0 device driver to kill the security product, but YES, they ALL DIE if you know what to do. The DIRT demonstration doesn't know how to do this and I am
*NOT* going to mention any specifics as to how.

Let's fire up the wayback machine to March 22, 2001 when we posted a report on our site regarding a specific trojan that exploited the TerminateProcess() function on EVERY major antivirus and firewall in existence ... please note in particular the THIRD paragraph down:

http://www.nsclean.com/psc-bion.html (Bionet 3.13)

and then the list beneath that of what it took out. You could also add to the list if you knew the specific programs to target. VSMON would get yanked first, then the ZA GUI. Same for "watchdogs" employed by other software to protect the main program.

Since BioNet, hundreds of other trojans incorporated this "ability" to take out all sorts of programs, most notably "MoSucker" which went beyond the original "one-shot" of BioNet and would keep nailing the various programs every second. Whereas with BioNet, you could restart the programs
affected (if they weren't rendered corrupt) and hopefully nail them. MoSucker and a number of others however would keep whacking the security software and take it out before it even had a chance to get started, much less get to work. Fortunately, most of the hundreds of trojans designed to take out security software are VERY poorly written and don't work. However this OLD NEWS issue was what forced us to redesign BOClean 4.07 into
BOClean 4.08 last year in order to do as much as possible to prevent it since our previous separate "watchdog" program was just as exposed as BOClean itself was at the time.

What the DIRT thing shows is old news. Nailing security programs with TerminateProcess actually goes back a couple of years now but BioNet actually made it push button easy which is why we made note of it in the report last year.

The REAL PROBLEM however isn't in the security programs, the problem is Microsoft's DELIBERATE DESIGN. THERE IS NO SOLUTION FOR TERMINATEPROCESS other than having Microsoft put up a "Kill? Y/N" box before the kernel's TerminateProcess() function pulls the rug out. Nobody but Microsoft can fix this and they have consistently, irrevocably REFUSED to do so. We've
been after them for years about this ourselves as have been many others to no avail.

=========================

From the WindowsAPI documentation:

The TerminateProcess function terminates the specified process and all of its threads.

<snipped>
========================

What's going on is a truly bad design and while the discussion has centered on blaming the various security companies for the problem when it's really Microsoft's fault (although all of us have done our utmost to circumvent this as best as we can) there IS NO SOLUTION until Microsoft is made to deal with this. I'd encourage folks to make the point to Microsoft personally here.

And actually, the situation is worse than the DIRT demo has pointed out. While many vendors have moved from Ring3 (the API layer of Windows) to put schemes to protect their products into Ring0 (the forbidden bunker of Billyland) the TerminateProcess() call also calls into Ring0 where it actually resides.

I need to be very careful about saying anything more detailed here as it would only aid and abet malcontents. But they've already gone there. There are a number of undocumented Windows calls that can get you FROM Ring3 TO Ring0 without the need to write VXD's or SYS files. Some of the recent trojans have done this. Microsoft needs to patch the TerminateProcess
function in RING ZERO itself to put that signage up ... simply moving the "not responding? Kill?" box from TASK manager to the TerminateProcess() call would be sufficient.

If Microsoft could be encouraged to do this, you could STILL hit YES on a hung program to kill it, but more importantly if malware decided to kill your firewall, you could let the box sit there while you determined WHY the box appeared and then decide Yes or No to the box ... but in the ongoing debate here, this whole point fo where the ACTUAL fault lies has been completely ignored.

Needless to say, I've been getting squatola done on my end here with all the questions pertaining to this dirtbag parlor trick. Real trojans today have that capability and they have had it for well over two years now. Anyone want to get Microsoft interested in fixing THIS hole? It's not like it's not been noticed or is a new one.
Click to expand...

The full thread can be found in the grc.secuirty.softare group (article ID 3CB348C3.7EC44E73@cybrsolutions.com).

The above, when coupled with the results of the results of the "Firewalls -v- Leak Tests" study at PCFlank, rather makes you wonder as to whether there is a great deal of benefit to be had from a PF.

Was Steve Atkins right all along?

DoctorDoom · 2002/04/12

This is another excellent example of why relying on a firewall or IDS to compensate for user incaution is inviting grief.

The cold fact of computer security life is this: the overwhelming majority of cases of malware on a computer are the result of incaution, or unfamiliarity with the dangers, when opening email or newsgroup attachments; files received via ICQ, KaZaa and other file-sharing apps; pirated programs downloaded from "warez" sites or obtained on floppies or CDs; etcetera, etcetera.

Viruses don't miraculously appear on a computer. They must be installed there, and in 99.999% of the cases it's done by the user through ignorance of or indifference to basic security precautions.
[hr][/hr]
Re the "leak test " programs, here are the results based on my installation this evening of BlackICE PC Protection, version 3.5.cbq, a major upgrade over BI Defender.

The new BI has an "application protection" function that instantly flags any program on the machine that wants to launch or to connect to a network, but is not on its approved list. Because of that:

Outbound: it wouldn't run because the system has no PACKET.DLL file, and the source the OB website recommended wasn't responding.

GRC's Leaktest: BI PCP caught it.

Firehole: BI PCP caught it.

TooLeaky: BI PCP caught it.

Yalta: BI PCP never let it get to the classic/advanced screen.

All of these resulted in an "unknown application" alert. In order to let them actually try to get to the net, I'd first have to give them permission to run at all. And, protecting one's computer is predicated on being told when an unknown application is attempting to run, let alone get out and phone home.

Out of curiosity, I did approve FireHole. As soon as I clicked Start, the old reliable 95-era Cybermedia Guard Dog flagged it and said it was trying to launch Opera.

To my mind, the new power of BI is going to make it a lot harder for malware to escape detection.

brett · 2002/04/13

BI PCP sounds to be quite interesting; it's quite a few years since I last dabbled with BID and, at that time, was not overly impressed with the product. Time maybe to take another look.

Log in or Sign up

Personal Firewalls

brett Inactive Alumni Thread Starter

DoctorDoom Inactive

brett Inactive Alumni Thread Starter

Share This Page

Log in or Sign up

Personal Firewalls

brett Inactive Alumni Thread Starter

DoctorDoom Inactive

brett Inactive Alumni Thread Starter

Share This Page

Useful Searches