Computer Security - Terrifying results from online test
#1

I did this test, which simulates an unknown Trojan attack on a windoze computer. The program successfully bypasses my beloved (and well configured) Kerio firewall. It also evades my university's hardware firewall, which is configured very well (the admins are the block all apart from port 80 type).

Check out PCAudit from http://www.pcinternetpatrol.com/page/view/49

The program works by causing applications that have the privileges to connect to the internet to upload data to their server.

I thought I would be safe because I configure Kerio so it only permits outbound connections to IP addresses of the resources that I connect to, for example smtpserver:25, nntpserver:119, pop3server:110 and proxy:8080.

PCAudit appears to scan its way out. Even when I click deny it gets through!

The company behind PCAudit have publicised a vulnerability that affects almost all firewalls. Their PCAudit program could easily be reverse engineered by crackers, and then a real and more malicious Trojan could be produced that bypasses almost all firewalls.

What do you guys think of this? Did you pass the test (without unplugging your internet wire/blocking all traffic Lol)?

spamme2@mailinator.com

#2

wrote:
> I did this test, which simulates an unknown Trojan attack on a windoze computer. The program successfully bypasses my beloved (and well configured) Kerio firewall. It also evades my university's hardware firewall, which is configured very well (the admins are the block all apart from port 80 type).
>
> Check out PCAudit from http://www.pcinternetpatrol.com/page/view/49
>
> The program works by causing applications that have the privileges to connect to the internet to upload data to their server.
>
> I thought I would be safe because I configure Kerio so it only permits outbound connections to IP addresses of the resources that I connect to, for example smtpserver:25, nntpserver:119, pop3server:110 and proxy:8080.
>
> PCAudit appears to scan its way out. Even when I click deny it gets through!
>
> The company behind PCAudit have publicised a vulnerability that affects almost all firewalls. Their PCAudit program could easily be reverse engineered by crackers, and then a real and more malicious Trojan could be produced that bypasses almost all firewalls.
>
> What do you guys think of this? Did you pass the test (without unplugging your internet wire/blocking all traffic Lol)?

Yes I passed the test(s) (my computer would not (it refused) allow the software to run not have to disconnect. Any inappropriate software allowed to run inside "can" compromise security often invisible to the user. One can "hide" processes and files on a computer that are not easy to discern.

One can attach files to other legitimate processes or programs using alternate data streams that can really make life an adventure. The key is keeping crap out. If one runs inside a VM it is an easy matter to identify what, where, who, and how and throttle/kill the offending processes.

The code you allow to run inside is only as trustworthy as the individual who wrote the code, and the security of the code.

If you are using IE as your default browser you have many more issues to worry about. My current count is 5 known unpatched vulnerabilities in IE where the system can run code of the attacker's choice at varying permission levels. One should constrain where IE is allowed to talk (Microsoft was right you break things when you remove it) as well as how it can communicate.

The default browser should not be "allowed" to run with system level permissions. The browser should not be run as an administrator of a system, nor even permissions of a standard user but only with restricted permissions required to meet the user requirement securely.

Winged

winged

#3

> What do you guys think of this? Did you pass the test (without unplugging your internet wire/blocking all traffic Lol)?

I passed the test by not downloading and running the program. That is the only effective defense against a Trojan.

--
Dave "Crash" Dummy - A weapon of mass destruction
?subject=Techtalk (Do not alter!)
http://lists.gpick.com

\Crash\ Dummy

#4

winged wrote:
> wrote:
>> I did this test, which simulates an unknown Trojan attack on a windoze computer. The program successfully bypasses my beloved (and well configured) Kerio firewall. It also evades my university's hardware firewall, which is configured very well (the admins are the block all apart from port 80 type).
>>
>> Check out PCAudit from http://www.pcinternetpatrol.com/page/view/49
>>
>> The program works by causing applications that have the privileges to connect to the internet to upload data to their server.
>>
>> I thought I would be safe because I configure Kerio so it only permits outbound connections to IP addresses of the resources that I connect to, for example smtpserver:25, nntpserver:119, pop3server:110 and proxy:8080.
>>
>> PCAudit appears to scan its way out. Even when I click deny it gets through!
>>
>> The company behind PCAudit have publicised a vulnerability that affects almost all firewalls. Their PCAudit program could easily be reverse engineered by crackers, and then a real and more malicious Trojan could be produced that bypasses almost all firewalls.
>>
>> What do you guys think of this? Did you pass the test (without unplugging your internet wire/blocking all traffic Lol)?
>
> Yes I passed the test(s) (my computer would not (it refused) allow the software to run not have to disconnect. Any inappropriate software allowed to run inside "can" compromise security often invisible to the user. One can "hide" processes and files on a computer that are not easy to discern.
>
> One can attach files to other legitimate processes or programs using alternate data streams that can really make life an adventure. The key is keeping crap out. If one runs inside a VM it is an easy matter to identify what, where, who, and how and throttle/kill the offending processes.
>
> The code you allow to run inside is only as trustworthy as the individual who wrote the code, and the security of the code.
>
> If you are using IE as your default browser you have many more issues to worry about. My current count is 5 known unpatched vulnerabilities in IE where the system can run code of the attacker's choice at varying permission levels. One should constrain where IE is allowed to talk (Microsoft was right you break things when you remove it) as well as how it can communicate.
>
> The default browser should not be "allowed" to run with system level permissions. The browser should not be run as an administrator of a system, nor even permissions of a standard user but only with restricted permissions required to meet the user requirement securely.
>
> Winged

If there are people reading this who are new to security, re-read the last paragraph. Then re-read it again.....

As a general rule, su to root when needed then exit (translated for Windoze users, you should not login as administrator unless you are installing something, etc).

Michael J. Pelletier

#5

Symantec reports the program as spyware;
http://securityresponse.symantec.com...e.pcaudit.html

--
Ken Russell
Remove yourhat to reply by e-mail
..

<> wrote in message news: ups.com...
> I did this test, which simulates an unknown Trojan attack on a windoze computer. The program successfully bypasses my beloved (and well configured) Kerio firewall. It also evades my university's hardware firewall, which is configured very well (the admins are the block all apart from port 80 type).
>
> Check out PCAudit from http://www.pcinternetpatrol.com/page/view/49
>
> The program works by causing applications that have the privileges to connect to the internet to upload data to their server.
>
> I thought I would be safe because I configure Kerio so it only permits outbound connections to IP addresses of the resources that I connect to, for example smtpserver:25, nntpserver:119, pop3server:110 and proxy:8080.
>
> PCAudit appears to scan its way out. Even when I click deny it gets through!
>
> The company behind PCAudit have publicised a vulnerability that affects almost all firewalls. Their PCAudit program could easily be reverse engineered by crackers, and then a real and more malicious Trojan could be produced that bypasses almost all firewalls.
>
> What do you guys think of this? Did you pass the test (without unplugging your internet wire/blocking all traffic Lol)?

Ken Russell

#6

Got my IP address wrong!

Joe

#7

On 9 Dec 2004 18:15:16 -0800, wrote:
> I did this test, which simulates an unknown Trojan attack on a windoze computer. The program successfully bypasses my beloved (and well configured) Kerio firewall. It also evades my university's hardware firewall, which is configured very well (the admins are the block all apart from port 80 type).
>
> Check out PCAudit from http://[deliberately munged]pcinternetpatrol.com/page/view/49
>
> The program works by causing applications that have the privileges to connect to the internet to upload data to their server.
>
> I thought I would be safe because I configure Kerio so it only permits outbound connections to IP addresses of the resources that I connect to, for example smtpserver:25, nntpserver:119, pop3server:110 and proxy:8080.
>
> PCAudit appears to scan its way out. Even when I click deny it gets through!
>
> The company behind PCAudit have publicised a vulnerability that affects almost all firewalls. Their PCAudit program could easily be reverse engineered by crackers, and then a real and more malicious Trojan could be produced that bypasses almost all firewalls.
>
> What do you guys think of this? Did you pass the test (without unplugging your internet wire/blocking all traffic Lol)?

It's called a dll injection attack. It's nothing new or a big secret.

http://securityresponse.symantec.com...e.pcaudit.html
http://www.pestpatrol.com/pestinfo/p/pcaudit.asp
http://www.zonelabs.com/store/conten...echNote_10.jsp
http://www.google.com/search?hl=en&l...on&btnG=Search

It sounds like an ugly bit of salesmanship. After reading the above there's no way I would load that thing onto my machine.

The only important question here is: after you loaded this thing on your machine and gave it permission to do pretty much as it pleased--did it *really* connect out without your permission or did it just "appear" to connect out?

TB

Technobarbarian
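
Post #7 names the technique as DLL injection: code loaded into a program the firewall already trusts inherits that program's outbound permission. The PowerShell below is an added example, not part of the original thread; it lists modules loaded in firewall-permitted processes that are unsigned or sit outside the usual install directories. The process names and trusted directories are assumptions to adjust for your own machine.

```powershell
# Added example, not from the thread.
# Assumption: these are the programs your firewall lets make outbound connections.
$allowedApps = @('iexplore', 'firefox', 'outlook')

# Assumption: modules of those programs normally live under these directories.
$trustedRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Test-UnderTrustedRoot {
    param([string]$Path, [string[]]$Roots)
    foreach ($root in $Roots) {
        $prefix = $root.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$sigCache = @{}   # module path -> signature status, so each file is checked once

$findings = foreach ($proc in Get-Process -Name $allowedApps -ErrorAction SilentlyContinue) {
    # Reading the module list can fail (access denied, process already exited).
    try { $modules = $proc.Modules } catch { continue }
    foreach ($m in $modules) {
        if (-not $m.FileName) { continue }
        if (-not $sigCache.ContainsKey($m.FileName)) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            $sigCache[$m.FileName] = if ($sig) { [string]$sig.Status } else { 'Unknown' }
        }
        $status    = $sigCache[$m.FileName]
        $inTrusted = Test-UnderTrustedRoot -Path $m.FileName -Roots $trustedRoots
        # Report anything without a valid signature or loaded from an unusual place.
        if ($status -ne 'Valid' -or -not $inTrusted) {
            [pscustomobject]@{
                Process     = $proc.ProcessName
                PID         = $proc.Id
                Module      = $m.FileName
                Signature   = $status
                TrustedPath = $inTrusted
            }
        }
    }
}

$findings | Sort-Object Process, Module | Format-Table -AutoSize
```

A row in the output is a lead to review, not proof of injection; browser add-ons and older catalog-signed system files can show up as well. The script only sees modules backed by a file on disk that the calling session is permitted to enumerate.
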
#8

>> The default browser should not be "allowed" to run with system level permissions. The browser should not be run as an administrator of a system, nor even permissions of a standard user but only with restricted permissions required to meet the user requirement securely.
>>
>> Winged
>
> If there are people reading this who are new to security, re-read the last paragraph. Then re-read it again.....
>
> As a general rule, su to root when needed then exit (translated for Windoze users, you should not login as administrator unless you are installing something, etc).

Hello Michael,

Thanks for the advice. I have changed my default login to a "user" rather than an "administrator". Do you know how to configure groups? For instance, if I want to create a group with certain privileges, how would I do this?

Thanks
Stuart

Stuart M

#9

wrote:
> I did this test, which simulates an unknown Trojan attack on a windoze computer. The program successfully bypasses my beloved (and well configured) Kerio firewall. It also evades my university's hardware firewall, which is configured very well (the admins are the block all apart from port 80 type).
>
> Check out PCAudit from http://www.pcinternetpatrol.com/page/view/49
>
> The program works by causing applications that have the privileges to connect to the internet to upload data to their server.
>
> I thought I would be safe because I configure Kerio so it only permits outbound connections to IP addresses of the resources that I connect to, for example smtpserver:25, nntpserver:119, pop3server:110 and proxy:8080.
>
> PCAudit appears to scan its way out. Even when I click deny it gets through!
>
> The company behind PCAudit have publicised a vulnerability that affects almost all firewalls. Their PCAudit program could easily be reverse engineered by crackers, and then a real and more malicious Trojan could be produced that bypasses almost all firewalls.
>
> What do you guys think of this? Did you pass the test (without unplugging your internet wire/blocking all traffic Lol)?

THIS PRODUCT INSTALLS SPYWARE!!!!!!!!!!!! DO NOT USE!!!!!!!!!

Michael J. Pelletier