Vulnerability Development mailing list archives

RE: Bug in Norton FireWall 2003


From: "Kayne Ian (Softlab)" <Ian.Kayne () softlab co uk>
Date: Tue, 12 Aug 2003 09:24:47 +0100


From: nowak.a () pg com [mailto:nowak.a () pg com] 
Sent: Monday, August 11, 2003 5:15 PM


I suppose a simple defense for "personal firewall" vendors against this sort of thing would be to use hard-to-guess window titles for their popups...

This simple defense may not be enough, as there are ways to find out the names of all "child" windows belonging to a specific process.

You'd have to change all the window classes too. It wouldn't be too
difficult, depending on how the app works. You could just generate a random
string to pre/post-fix.


to require that the window be visible when the event is received, and have been visible for some minimum time (even on the order of a few seconds), which would allow an alert user to see the trojan in action, anyway.

Another way could be to track mouse movements, or keypresses. The problem
is, there is just no way to prevent another app from "spoofing" user input
directly into the message pump (unless you use GetAsyncKeyState() etc, but
that's a very unreliable way to check for input in a win32 app). Also,
consider the case of TweakUI, where you can configure it to pop the mouse to
the OK (default) button of any messagebox. Just trying to force the prompt
to be visible leaves a whole bunch of other possibilities out too - resize it
to 1 pixel, move it offscreen etc...


Is there a reliable mechanism in Windows for distinguishing between real and spoofed events? I've never looked into the subject, as I avoid GUI-mode programming like the plague (which is an apt description, in my book).

As I said above, no, not reliably. You can throw whatever you want into a
process' message pump.

One way may be to totally randomise the more important messageboxes.
Randomly generate a title and string for the buttons, and alter the tab
order and default button (similar to how the unregistered version of Winzip
swaps its buttons around). That would probably double the frustration for
the user, but would make it harder for the prompt to be automatically
dismissed.

I can think of another possibility too. Instead of automatically dismissing
the messagebox, the malicious app could just rewrite the caption text in the
prompt. "Spyware detected, allow access?" could become "Would you like some
ice cream?". Now who could say no to that....

Ian Kayne
Technical Specialist - IT Solutions
Softlab Ltd - A BMW Company






******************************************************************** 
This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom 
they are addressed. 

If you are not the intended recipient or the person responsible for 
delivering to the intended recipient, be advised that you have received 
this email in error and that any use of the information contained within 
this email or attachments is strictly prohibited. 

Internet communications are not secure and Softlab does not accept 
any legal responsibility for the content of this message. Any opinions 
expressed in the email are those of the individual and not necessarily 
those of the Company. 

If you have received this email in error, or if you are concerned with 
the content of this email please notify the IT helpdesk by telephone 
on +44 (0)121 788 5480. 

********************************************************************
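The visibility-time check proposed in the thread, together with the bypasses raised against it (prompt shrunk to a pixel, moved off-screen), as an added example that is not part of the original thread or of any vendor's product: a constructed C model of the decision a firewall prompt could make before honouring a button event. It does not call the Win32 API (no windows.h), and the struct fields, thresholds and screen size are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a firewall prompt window; in a real app these
 * values would come from IsWindowVisible(), GetWindowRect() and the
 * tick count recorded on WM_SHOWWINDOW. */
typedef struct {
    bool     visible;
    uint64_t shown_at_ms;   /* when the prompt last became visible */
    int      x, y, w, h;    /* rectangle in screen coordinates */
} PromptWindow;

typedef struct { int w, h; } Screen;

enum { MIN_VISIBLE_MS = 2000, MIN_SIDE_PX = 100 };  /* assumed thresholds */

typedef enum { PROMPT_ACCEPT, PROMPT_REJECT_HIDDEN, PROMPT_REJECT_TOO_SOON,
               PROMPT_REJECT_TOO_SMALL, PROMPT_REJECT_OFFSCREEN } Verdict;

/* Record the moment the prompt is shown (WM_SHOWWINDOW in a real app). */
void prompt_shown(PromptWindow *p, uint64_t now_ms) {
    p->visible = true;
    p->shown_at_ms = now_ms;
}

/* Decide whether a button event arriving at now_ms should be honoured.
 * Each rejection matches a bypass from the thread: hidden prompt, click
 * before a human could read it, window shrunk to a pixel, window moved
 * off-screen. A synthesized click on a prompt that passes every check is
 * still accepted, so this only raises the bar, as the thread concludes. */
Verdict gate_button_event(const PromptWindow *p, const Screen *s, uint64_t now_ms) {
    if (!p->visible)
        return PROMPT_REJECT_HIDDEN;
    if (now_ms - p->shown_at_ms < MIN_VISIBLE_MS)
        return PROMPT_REJECT_TOO_SOON;
    if (p->w < MIN_SIDE_PX || p->h < MIN_SIDE_PX)
        return PROMPT_REJECT_TOO_SMALL;
    if (p->x < 0 || p->y < 0 || p->x + p->w > s->w || p->y + p->h > s->h)
        return PROMPT_REJECT_OFFSCREEN;   /* whole rectangle must be on screen */
    return PROMPT_ACCEPT;
}

int main(void) {
    Screen scr = { 1024, 768 };                       /* constructed screen */
    PromptWindow p = { false, 0, 300, 200, 400, 150 }; /* constructed prompt */
    prompt_shown(&p, 10000);
    printf("click at +50ms:   %d\n", gate_button_event(&p, &scr, 10050));
    printf("click at +3000ms: %d\n", gate_button_event(&p, &scr, 13000));
    return 0;
}
```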