Right, first thing... Get a comfy chair, this is going to be a long post, it's also 6am, and I've been working all night, so, don't expect this to be perfect, I've probably left huge chunks out... BAH
...
First, a slight note, I've been asked by a lot of people why they need a firewall if they own a router with NAT. Well, this post, and the tool I supply with it, should explain it. But, as a quick explanation, NAT only prevents incoming connections, not outgoing.
Now, onto the main topic, firewalls...
I'm not going to be talking much about a firewalls ability to keep 'hackers' out (although the scare tactics used by some which count port scans as 'Attacks' do annoy me), rather, the ability (or lack) of the firewall to stop a program connecting to the Internet. Why is this so important? Well, every time you download an exe, the first thing it could do is to collect data about you (very easy) and then send it back to a server. That process would take less than a second normally, meaning you have no way to stop it unless you have a firewall...
So, let's extend on that and use it as an example;
0.You have downloaded a small application, thinking it was a game
1. Because it is relatively new/unknown, it is not picked up by your anti virus
2. It brings up a game to distract you
3. It checks the windows registry, browser logs, etc for data
4/5. It creates a connection to it's owners server
4/5. It sends the data
Starting at 0, there is little you can do, if it's advertised as a game, it looks innocent.
Then, moving onto 1 we see the first major myth: Most viruses are picked up by scanners. This is simply wrong, a scanner can only detect known threats and use basic heuristics meaning that if someone where to make a virus today, not one anti virus would detect it. It is essential that you keep your anti virus updated, and that you are using a service which is updated in the first place.
2. A simple tactic, while you watch/play, it delivers it's payload (3, 4 and 5)...
3. These checks won't be detected by any registry 'protection' software, as it does not write to the registry, only read. As mentioned, this step will take less than a second to complete if the code is optimised.
4. This is the first (and ONLY) chance your firewall gets to stop the application. If you do not have a firewall, or it fails to detect this stage it will go straight to 5, otherwise you will be prompted as to the action you want to take, this is the main function I will be talking about.
5. If a connection is made, then, in literally no time, the data is sent, and whatever information the attacker wanted, is theirs.
Now, at step 4, a lot of things happen, and there are a lot of ways those things can happen.
The overall idea of step 4 is to connect to, and send (as part of step 5) the requested information, the simplest way is for the application to try and connect directly and send the data directly too, but, of course, this is picked up by firewalls, and promptly rejected (Assuming the user does not think the program needs to access the internet (Which comes under 'rules' which I will discuss later)). However, there are several other ways for the program to get it's 'message' sent. It could launch your favorite browser, and send the data like that (Again, that will be covered in rules), or, it could launch any application on your computer and use that to send the data, all of this can be done silently too.
Now, rules, they are designed to make your life easier, but, I personally despise them. For example, you allow Firefox.exe access to the internet so it doesn't bug you every time you browse to a page. Well, what if the attacker programmed the application to run Firefox to send the data back? Then, you have a problem, one that, as far as I am aware, is not solvable... You could ask your firewall to ask every time Firefox connects to anyhere, for EVERY connection, but, no one has that much patients. How about allowing Firefox only until you close the browser? That's fine unless you have Firefox open when you run the application, which if you had just downloaded it, you probably would have.
So, you see, ONE rule, for ONE application, especially a browser, is a huge security risk.
I have made a small application, using the Microsoft .NET 2 Framework (
http://www.microsoft...5&DisplayLang=en ) which is designed to test what I call 'Water Bombing', the act of making your firewall, useless to an extent by using multiple methods. It's worth noting that this application is only 113 lines of code, and it does not affect your system in ANY way... If this were a real 'phone home' device, it would have functions to kill firewalls/anti viruses etc... It will attempt to connect a page on my server using normal methods for tests 1 and 2, but 3, 4 and 5 use browsers, to show the potential problem. Finally, 6, the 'Water Bomb' attack uses a combination of all the above techniques to try to connect. If your firewall fails just one of those tests, you need to think seriously about the implications...
http://tanyvska.co.uk/Water%20Bomb (You only need the exe, the txt is the file the program tries to get to (check the source))
Please do post your results of the application, and the firewall you use.
On a side note, the XP SP2 firewall, yay or nay? NAY... Here is a simple code snippet in C++ which would render the XP firewall useless (but NOT disable it, so, no warning messages)
for(int i=1; i<65536; i++) {
system("netsh firewall add portopening ALL " + i + " Windows");
}
There, 3 lines of code, and your beloved XP SP2 firewall is rendered _totally_ useless...
Back on to 'Water Bombing', I asked mouser to test this program first, and, using traditional methods, it would have failed on 3, 4 and 5... However, mouser is a clever little devil, and used his BrowserTraySwitch application to defeat it from loading a real browser and I assume he had otherwise disabled IE. However, when the 'Water Bomb' test was run, it managed to get through, in his own words:
"first firewall leak test to beat me in fact"
This is not an issue to be taken lightly, the attacker does not need to know a huge ammount of a language to make an application that uses these techniques.
As for a solution to 'Water Bombing', well, I don't see one... But, rest assured, the first firewall to protect a user against these tactics without huge amounts of configuration/hassle will be getting a nice little review.
Relying on a firewall is dangerous, I hope this has made people see that.
Whew! All done, Thank you for your time, I hope I've given you something to think about, and, who knows, if mouser doesn't mind me spamming his forum ever week or so, I might do something like this every now and then.
Oh, and here is the source to the 'Water Bomb' testing program...
#include "stdafx.h"
using namespace System;
using namespace System::Diagnostics;
using namespace System::Net::Sockets;
int main(array<System::String ^> ^args)
{
Console::Title = "Water Bomb [1.00] by PhilKC";
String^ mainMenu = "Water Bomb firewall tester, created by PhilKC [1.00]\n\nModes of operation:\n\n0: Info\n1: Try to access the internet directly using a TCPClient\n2: Try to access the internet directly using a WebClient\n3: Try to access the internet via the default browser\n4: Try to access the internet via IE\n5: Try to access the internet via IE being launched via CMD\n6: 'Water Bomb' test (Methods 1, 2 and a special browser call)\n\nA malicious program trying to 'Phone home'\nwould probably be best replicated using 6\n\nPlease select your choice: ";
String^ checkURL = "http://tanyvska.co.uk/Water%20Bomb/Data.txt";
Start:
Console::Clear();
Console::Write(mainMenu);
String^ method = Console::ReadLine();
if (method == "0") {
Console::Clear();
Console::WriteLine("This application is designed to dispel myths that firewalls or routers\ngive 'enough' protection...\n\nIf this application can produce the word 'FAILED', just once,\nthen it consider this:\n\nNO information is sent from your PC (only requests for pages on my server),\nhowever, the data that is sent (As part of the requests), could have\nbeen passwords, credit cards, anything...\n\nIf you do find a firewall which protects you against the level 6 'Water Bomb'\nplease E-mail me:
[email protected] as I'm always interested\nto know which firewalls do the best...");
Console::WriteLine("\nPress Enter to continue");
Console::ReadLine();
goto Start;
}
else if (method == "1") {
String^ method1Text;
TcpClient^ Client = gcnew TcpClient();
try {
Client->Connect("tanyvska.co.uk", 80);
method1Text = "Data transmitted and recieved (FAILED)";
}
catch (SocketException^ Ex) {
method1Text = "No data retrevied (PASS) Full error:\n" + Ex->ToString();
}
Console::WriteLine("\n" + method1Text + "\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
} else if (method == "2") {
Net::WebClient^ method2 = gcnew Net::WebClient();
method2->Headers->Add("user-agent", "Water Bomb (Method 1)");
String^ method2Text;
try {
method2Text = Text::Encoding::ASCII->GetString(method2->DownloadData(checkURL));
}
catch (Net::WebException^ Ex) {
method2Text = "No data retrevied (PASS) Full error:\n" + Ex->ToString();
}
Console::WriteLine("\n" + method2Text + "\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
} else if (method == "3") {
Process^ method3 = gcnew Process();
method3->StartInfo->FileName = checkURL;
Console::WriteLine("\nNow launching...");
method3->Start();
Console::WriteLine("\nIf a browser did not open with \"Data transmitted and recieved (FAILED)\" then consider it a PASS\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
} else if (method == "4") {
Process^ method4 = gcnew Process();
Microsoft::Win32::RegistryKey^ rk = Microsoft::Win32::Registry::LocalMachine->OpenSubKey("SOFTWARE\\Clients\\StartMenuInternet\\iexplore.exe\\shell\\open\\command");
method4->StartInfo->FileName = rk->GetValue("")->ToString();
method4->StartInfo->Arguments = checkURL;
method4->Start();
Console::WriteLine("\nIf a browser did not open with \"Data transmitted and recieved (FAILED)\" then consider it a PASS\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
} else if (method == "5") {
Process^ method5 = gcnew Process();
method5->StartInfo->FileName = "CMD";
method5->StartInfo->Arguments = "/c \"\"%ProgramFiles%\\Internet Explorer\\iexplore.exe\" http://tanyvska.co.uk/Water Bomb/Data.txt\"";
method5->Start();
Console::WriteLine("\nIf a browser did not open with \"Data transmitted and recieved (FAILED)\" then consider it a PASS\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
} else if (method == "6") {
TcpClient^ Client = gcnew TcpClient();
try {
Client->Connect("tanyvska.co.uk", 80);
Console::WriteLine("\nMethod 0: Data transmitted and recieved (FAILED)\n");
}
catch (SocketException^ Ex) {
Console::WriteLine("\nMethod 0: No data retrevied (PASS) Full error:\n" + Ex->ToString() + "\n");
}
Net::WebClient^ method61 = gcnew Net::WebClient();
method61->Headers->Add("user-agent", "Water Bomb (Method 1)");
try {
Console::WriteLine("Method 1: " + Text::Encoding::ASCII->GetString(method61->DownloadData(checkURL)) + "\n");
}
catch (Net::WebException^ Ex) {
Console::WriteLine("Method 1: No data retrevied (PASS) Full error:\n" + Ex->ToString() + "\n");
}
Microsoft::Win32::RegistryKey^ rk = Microsoft::Win32::Registry::LocalMachine->OpenSubKey("SOFTWARE\\Clients\\StartMenuInternet");
System::Collections::ArrayList keyList = gcnew System::Collections::ArrayList;
for each(String^ subkey in rk->GetSubKeyNames()) {
keyList.Add(subkey);
}
for(int i=0; i<keyList.Count; i++) {
rk = Microsoft::Win32::Registry::LocalMachine->OpenSubKey("SOFTWARE\\Clients\\StartMenuInternet\\" + keyList[i] + "\\shell\\open\\command");
Process^ method5 = gcnew Process();
method5->StartInfo->FileName = rk->GetValue("")->ToString();
method5->StartInfo->Arguments = checkURL;
method5->Start();
}
Console::WriteLine("If browsers did not open with \"Data transmitted and recieved (FAILED)\" then consider it a PASS\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
}
else {
Console::WriteLine("\nInvalid selection" + "\n\nPress Enter to continue");
Console::ReadLine();
goto Start;
}
return 0;
}
PhilKC
Show Posts