Full Disclosure mailing list archives

How to easily bypass a firewall...


From: "Sir Humpsalot" <sirhumpsalot97 () hotmail com>
Date: Mon, 28 Jul 2003 15:49:49 +0200

Whenever a program first tries to access the Internet, most/all personal firewalls display a dialog box asking the user if he/she wants to allow program "This is a Trojan.exe" to access the Internet. If the user wants "This is a Trojan.exe" to access the Internet, he/she clicks "Remember my answer" and then "OK". "This is a Trojan.exe" can now access the Internet.

Now, if you can't figure out how to bypass the firewall, read on. Otherwise, delete this email and celebrate. You've mastered "101 Programming a Trojan"!

"This is a Trojan.exe" is a smarter program, and it knows that it's smarter than the firewall. Since it already knows that the user will press OK, it will save the user from pressing enter, and will send the required commands to the firewall itself. Right before it tries to connect to some Internet site and send all passwords, credit card numbers, and porn pictures of the user's wife, it will start a new thread. This thread's only goal in life is to check every new window to see whether it is the firewall's and, whenever it finds the firewall's dialog box, send the required commands to give "This is a Trojan.exe" full Internet access.

Possible solutions:

1. Firewall forces the user to wait e.g. 2 secs before he/she can press OK.
Analysis: User is angry, uses another firewall. Or, "This is a Trojan.exe" gets an upgraded brain, and tries to connect to the Internet when the user isn't using the computer (e.g. at night, or when the user's in the bathroom).

2. Firewall uses some random title string so "This is a Trojan.exe" can't find its window.
Analysis: There are other means of detecting the firewall dialog box than just using the title string. E.g., it could check if the dialog has buttons with certain strings, etc.

3. Firewall stops "This is a Trojan.exe" and all its threads right before displaying the dialog box.
Analysis: "This is a Trojan.exe" could launch a separate process that can do the same thing as the thread. And it doesn't need to launch the process itself; it could let Windows launch it at startup so that it wouldn't be possible for the firewall to also stop all processes launched by "This is a Trojan.exe".

4. Firewall doesn't allow programs to send commands to its dialog box
Analysis: Not possible due to Windows' messaging architecture. Any window can send any command to any other window, and the destination window has no way of knowing if the key press was sent by a program or if it actually was the user pressing enter.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
