Windows - Malwares best friend

Guest
Archived from groups: comp.security.firewalls

Subject: Flawed outbound packet filtering in various
personal firewalls
=====================================================

Issue: Outbound filtering in personal firewalls does
not block packets that are generated by protocol stacks
other than the default Microsoft stack.

At least two personal firewalls don't "see" the TCP packets
that this "non-standard" protocol adapter generates.

It was found that the "Lock" or "Block All" settings of
firewalls were also ineffective against TCP packets from
non-standard protocol adapters.

Known vulnerable firewalls: ZoneAlarm and ZoneAlarm Pro as
of their current revisions and Tiny Personal Firewall. All
versions prior to the current ones are also vulnerable.

Note: Other personal firewalls may be susceptible to this
same problem.

Also troubling is the fact that, in both cases, specially
crafted packets can be sent *to* a machine which an application
can sniff off the wire. These packets are ignored by the personal
firewalls and there is no warning to the end user. This makes
two-way communication possible with a machine, even when its
firewall is set to "Lock" or "Block All" network traffic.

(courtesy Tom Liston, BugTraq.)

Note: this is an extract (wilders.org security)
 
Guest

On Fri, 25 Jun 2004 18:34:39, "news" <geerge@yahoo.com> wrote:

> Subject: Flawed outbound packet filtering in various personal firewalls
> =====================================================
>
> Issue: Outbound filtering in personal firewalls does
> not block packets that are generated by protocol stacks
> other than the default Microsoft stack.

Issue: You're fishing this newsgroup, aren't you?

Non-issue: Unless a computer-cracker "owns" your system,
the only TCP/IP stack that is installed is the default stack, from
Microsoft.

So, keep your anti-virus software updated, run a firewall (software or
hardware),
and never use Internet Explorer nor Outlook nor Outlook Express,
and don't allow strangers to physically access your computer,
and you will never have to worry about non-default stacks ever
appearing on your computer.

QED
 

user

news wrote:

> Subject: Flawed outbound packet filtering in various
> personal firewalls

How is this news? It has been long known that a driver can be made to
talk to adapters directly, and bypass the stack (and the firewall
software watching it) completely. It points to a long-known axiom: Let
malware run on your system, and it isn't your system anymore.
 

user

Bart Bailey wrote:

> In Message-ID:<edkDsTLBzWmk-pn2-WRpFPo6o6e9V@localhost> posted on Sat,
> 26 Jun 2004 21:24:44 GMT, Melvin Klassen wrote: Begin:
>
>> So, keep your anti-virus software updated, run a firewall (software
>> or hardware),
>> and never use Internet Explorer nor Outlook nor Outlook Express,
>> and don't allow strangers to physically access your computer,
>> and you will never have to worry about non-default stacks ever
>> appearing on your computer.
>
> Worth quoting!
> Very well said, and cuts to the heart of much of the hysteria that
> some folk enjoy promoting, either for commercial financial gain, or
> just personal amusement.

Yeah, because ALL trojans can be detected with anti-virus software.

And what about not installing questionable software? Oops, forgot that
one, but it's more important than not using OE, if you're simply using
it for NNTP.
 

user

· wrote:

> Bart Bailey wrote:
>
>> In Message-ID:<edkDsTLBzWmk-pn2-WRpFPo6o6e9V@localhost> posted on
>> Sat, 26 Jun 2004 21:24:44 GMT, Melvin Klassen wrote: Begin:
>>
>>> So, keep your anti-virus software updated, run a firewall (software
>>> or hardware),
>>> and never use Internet Explorer nor Outlook nor Outlook Express,
>>> and don't allow strangers to physically access your computer,
>>> and you will never have to worry about non-default stacks ever
>>> appearing on your computer.
>>
>> Worth quoting!
>> Very well said, and cuts to the heart of much of the hysteria that
>> some folk enjoy promoting, either for commercial financial gain, or
>> just personal amusement.
>
> Yeah, because ALL trojans can be detected with anti-virus software.

I realized after posting the above sentence that some people might not
realize that it is intensely SARCASTIC.
 
Guest

>I realized after posting the above sentence that some people might not
>realize that it is intensely SARCASTIC.

I figured it was either really sarcastic or really stupid, and gave you the
benefit of the doubt. :)
--
Dave "Crash" Dummy - A weapon of mass destruction
crash@gpick.com?subject=Techtalk (Do not alter!)
http://lists.gpick.com
 
Guest

Melvin Klassen wrote:

> On Fri, 25 Jun 2004 18:34:39, "news" <geerge@yahoo.com> wrote:
>
>
>>Subject: Flawed outbound packet filtering in various personal firewalls
>>=====================================================
>>
>>Issue: Outbound filtering in personal firewalls does
>>not block packets that are generated by protocol stacks
>>other than the default Microsoft stack.
>
>
> Issue: You're fishing this newsgroup, aren't you?
>
> Non-issue: Unless a computer-cracker "owns" your system,
> the only TCP/IP stack that is installed is the default stack, from
> Microsoft.

Not always true: one example is the newdotnet LSP hijacker (basically
adds a layer to WSOCK2) that comes bundled with early versions of Kazaa
and iMesh, among other things. It *can* easily happen, even if it starts
with something relatively innocuous like the Google toolbar, Kodak
camera updater software or any of the Wildtangent games and other stuff
(that comes preloaded) on many HP home-model machines. Updates which
pull in progressively worse malware can lead to this.
Unfortunately I've seen this happen many times. Google toolbar has
hotwetteens.exe pron dialler.
>
> So, keep your anti-virus software updated, run a firewall (software or
> hardware),
And take the other *very*, unbelievably simple action of searching on
[program you want to install] +spyware and see what is returned.

> and never use Internet Explorer nor Outlook nor Outlook Express,
This threat can be mitigated to a certain extent by running a software
firewall that you can lock down by both port and destination. Many SW
firewalls basically allow everything, everywhere if the app is allowed.
Case in point is ZA allowing HTTP from email clients.

> and don't allow strangers to physically access your computer,
> and you will never have to worry about non-default stacks ever
> appearing on your computer.
> QED

*groan* Set up a remote access VPN between 5 sites the other day. Locked
it down with a bastardly nasty ruleset and multiple layers of pretty
much everything.
Owner of biz was extremely worried about people jumping on PC (PCs are
in a very public business with high traffic) so set lock times low and
advised staff training on walk-away = lock PC. Owner then writes down
password and post-it notes it to the screen. Bang Head Here.
E.

So is anybody gonna use MS's antivirus when it comes out? I hear the
tag-name for it is not Whistler or Longhorn but...... Woody.
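As an added example, not from any poster in this thread: the original BugTraq item describes outbound filtering that only watches the default stack, and the later reply names the newdotnet Winsock LSP as a real-world way a non-default layer gets installed. The script below parses a Winsock catalog dump in the block layout of `netsh winsock show catalog` and flags layered chains and provider DLLs that are not Microsoft's; the sample dump, its "EXAMPLE-LSP" entry and the allowlist of Microsoft DLLs are all constructed assumptions.

```python
"""Audit a Winsock catalog dump for layered or non-Microsoft providers.
SAMPLE_CATALOG is a constructed dump modelled on `netsh winsock show catalog`."""
import re

SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        EXAMPLE-LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\\Program Files\\ExampleLSP\\examplelsp.dll
Catalog Entry ID:                   1020
Protocol Chain Length:              2
"""

KNOWN_MS_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "wshtcpip.dll"}  # assumed allowlist

def parse_catalog(text):
    """Split the dump into one dict of 'Field: value' pairs per provider entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"([A-Za-z ]+):\s+(.*)$", line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Provider Path" in fields:
            entries.append(fields)
    return entries

def suspicious_providers(text):
    """Return (entry id, description, path) for entries worth a closer look:
    any layered chain, or any provider DLL outside system32 or the allowlist."""
    flagged = []
    for e in parse_catalog(text):
        path = e["Provider Path"].lower()
        dll = path.rsplit("\\", 1)[-1]
        chained = int(e.get("Protocol Chain Length", "1")) > 1
        if chained or "\\system32\\" not in path or dll not in KNOWN_MS_DLLS:
            flagged.append((e["Catalog Entry ID"], e["Description"], e["Provider Path"]))
    return flagged
```

A flagged entry is a candidate for review, not proof of malware, since legitimate security products also install LSPs. The audit covers only the Winsock layer; a protocol driver bound directly to the NDIS adapter, the case the BugTraq post describes, never appears in this catalog and needs a driver inventory instead.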