Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation. Last Updated: May 04, 2013 at 18:21
How to Use Version 1.x
If you know anything about me, it's probably that I love technology and that I'm easily annoyed by "marketing bozos in suits". I have been involved with Internet security since long before it became the fashionable "big business" it is today, and I've been saddened to see so much confusing junk suddenly appearing on the market. It has all apparently been created by marketeers rather than technologists. Most of it is just a pretty pile of flash and glitter leaving much to be desired in the way of providing anything like true security.
to know how their firewalls perform so that they can make a well-informed decision. It has also become painfully clear that unless we all bring some pressure to bear on the vendors of these bad firewalls, poor products will continue to sell and be used (due to their marketing, NOT their technology). People will be purchasing inferior products without understanding how they compare and that most of them are just no good.
What's Wrong With Some Firewalls?
When LeakTest v1.0 was first released, all but ONE firewall on the market was much too easy to fool and bypass. Trojan horses, viruses, and spyware are rapidly becoming "firewall aware" and are beginning to circumvent the weaker firewall defenses. But first, let's back up a bit:
External Intrusion versus Internal Extrusion
Introducing LeakTest:
To download LeakTest, click on the image above or the link below. https://www.grc.com/files/LeakTest.exe
LeakTest is a safe and small (27k bytes), completely benign "chameleon utility" which can be used to simulate the presence and effect of Trojan horses, viruses, and adware/spyware running in your computer. It simply and quickly tells you whether it has been able to slip out past your firewall's outbound Trojan/Virus/Spyware protections and establish a standard TCP connection with our NanoProbe server.
dedicated to the discussion of this important topic.
LeakTest pretends to be an FTP client application which attempts to connect to port 21 (FTP) of one of our servers within the grc.com domain. It verifies the connection by receiving a short string of 13 random characters, then it immediately disconnects. The server it connects to is not a true FTP server; it is simply a custom-built component of our forthcoming NanoProbe technology. NO DATA OF ANY SORT IS EVER SENT TO US, AND NO RECORD OF ANY SORT IS MADE OR RETAINED OF YOUR USE OF THE PROGRAM. We have no ulterior motive of any sort. As with ShieldsUP!, this is a pure public service.
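The exchange just described (connect, receive a 13-character token, disconnect), reproduced as an added loopback simulation so the wire behaviour can be seen locally. This is example code, not GRC's LeakTest or NanoProbe; the server side is a constructed stand-in on 127.0.0.1 and an ephemeral port rather than port 21 on grc.com.

```python
import random
import socket
import string
import threading

# Constructed loopback stand-in for the NanoProbe endpoint described above
# (not GRC's code): accept one connection, send 13 random characters, close.
def serve_once(srv):
    conn, _ = srv.accept()
    token = "".join(random.choices(string.ascii_letters + string.digits, k=13))
    conn.sendall(token.encode())
    conn.close()
    srv.close()

def leak_test(host, port, timeout=5.0):
    """Client side of the exchange: connect, read until the server closes,
    disconnect, and report whether anything got through."""
    result = {"connected": False, "token": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["connected"] = True
            chunks = []
            while True:
                data = s.recv(64)
                if not data:        # server hung up after sending the token
                    break
                chunks.append(data)
            result["token"] = b"".join(chunks).decode()
    except OSError:
        pass                        # refused or blocked: nothing leaked
    return result

def run_local_leak_test():
    """Stand up the local server on an ephemeral port and run the client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # loopback, not port 21 on grc.com
    srv.listen(1)
    t = threading.Thread(target=serve_once, args=(srv,), daemon=True)
    t.start()
    result = leak_test("127.0.0.1", srv.getsockname()[1])
    t.join()
    return result

if __name__ == "__main__":
    print(run_local_leak_test())
```

A firewall that controls outbound connections per application should prompt or block at the `create_connection` call; a "connected" result with a 13-character token means the test traffic got out.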
Using LeakTest With Popular Firewalls
LeakTest v1.x is used by RENAMING it from LeakTest.exe to some other program filename to simulate the behavior of malware which could easily alter its own name in order to masquerade as a valid and permitted application. I have not invested more time in automating and further polishing this process because this vulnerability is so serious that I expect every firewall vendor to quickly close this gaping hole. Many have indicated that they will do so promptly. Here are a few of the typical ways LeakTest can be used to test the security of popular personal firewalls:
Perform a LeakTest:
intended to permit to access the Internet. That is NOT secure. Note: Some firewalls, like Symantec/Norton and AtGuard, restrict which ports their permitted programs may use. Since LeakTest uses remote port 21 (pretending to be an FTP client) you should rename LeakTest to the name of another permitted program which has FTP access. I have learned that ZoneAlarm (and optionally the Tiny Personal Firewall) goes the extra mile of generating a "Cryptographic Signature" for every permitted program. This signature is then regenerated and compared before any program of that name is again allowed access. This completely prevents this simple form of trusted program impersonation, but NO OTHER FIREWALLS OFFER THIS CAPABILITY.
When it is installed, Symantec places a database of presumably "approved" applications under the \WINDOWS\APPLICATION DATA directory. My copy contains entries for 878 individual programs. But what's even more frightening is that the first version of Symantec's firewall database contained entries to permit the Aureate/Radiate adware/spyware to secretly access the Internet. The CURRENT version contains an entry to permit the "AllAdvantage" spyware browser viewbar to pass right through the firewall without even asking or notifying its user! So not only has Symantec done nothing to prevent Trojans, viruses, and spyware from pretending to be any one of 878 "pre-approved" programs, but they also decide for the user what those programs are, even if they are the sorts of controversial adware and spyware which the user may have purchased a firewall to control.
firewalls are among the least secure of all firewalls in the industry.
Perform a LeakTest:
Since the Symantec firewalls regulate the remote ports that applications may use, and since LeakTest pretends to be an FTP client connecting to port 21 on our server, you'll need to rename LeakTest to one of the pre-approved programs which uses port 21. A search through Symantec's database files for the string "ftp.alc:FTP" turned up 152 matches, thus you can rename LeakTest to any one of those 152 programs. My favorite was VAMPIRE.EXE, which seemed quite fitting under the circumstances, though you'll want to be sure your Symantec database contains an entry for that. Some of my other favorites from the database are: BYTECATCHER.EXE, CUTEFTP32.EXE, DOWN.EXE, DREAMWEAVER.EXE, EXCEL.EXE, EXPLORER.EXE, FRONTPG.EXE, FTP.EXE, GAME.EXE, GETRIGHT.EXE, GO.EXE, LYNX.EXE, MOSIAC.EXE, MSACCESS.EXE, NETSCAPE.EXE, OPERA.EXE, PAGER.EXE, PICTURE.EXE, POWERPNT.EXE, REALDOWNLOAD.EXE, SETUP.EXE, SPLASH.EXE, VFTP.EXE, WAOL.EXE, WEBZIP.EXE, WINWORD.EXE, WUPDATE.EXE... or any of the other 125 programs whose definitions contain the ftp rule string.
The point is, it's obviously quite possible for a Trojan, virus, or spy to hide inside your computer, using any of those names, while the Symantec firewall gives it free rein. Once LeakTest has been renamed, simply run it. If your copy of the Symantec/Norton firewall has "Automatic Rule Creation" enabled, as it will be for, perhaps, everyone, the renamed LeakTest will simply connect to our servers without your "firewall" raising the smallest dialog box. If you then go into the advanced settings and examine the firewall rule-set, you will discover LeakTest's icon now among the rules, since the firewall has been easily fooled and has automatically created rules for your "spoofed" application. If you are a current or prospective Symantec customer, please be sure to see their response to this on the Firewall Vendor Responses page!
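The three behaviours contrasted above (name-only trust of a pre-approved program, the ZoneAlarm-style "Cryptographic Signature" that pins the binary's contents, and Symantec's "Automatic Rule Creation") as an added model in Python. This is example code, not any vendor's or GRC's implementation; the rule table, file contents and directory layout are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a personal firewall's table of permitted programs.
# A rule maps an upper-cased file name to None (name-only trust, as in the
# Symantec database described above) or to a SHA-256 of the binary seen when
# the rule was made (the "cryptographic signature" the text credits to ZoneAlarm).
def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def add_rule(rules, path, with_signature):
    """Permit a program; with_signature=True also pins its hash."""
    rules[os.path.basename(path).upper()] = sha256_of(path) if with_signature else None

def is_permitted(rules, path, auto_create=False):
    """Would this program be allowed out? auto_create=True models
    "Automatic Rule Creation": unknown programs are silently added and allowed."""
    name = os.path.basename(path).upper()
    if name not in rules:
        if auto_create:
            add_rule(rules, path, with_signature=False)
            return True
        return False
    pinned = rules[name]
    return pinned is None or pinned == sha256_of(path)

def demo():
    """Constructed scenario: an impostor renamed to FTP.EXE asks for access."""
    d = tempfile.mkdtemp()
    real_ftp = os.path.join(d, "FTP.EXE")
    with open(real_ftp, "wb") as f:
        f.write(b"constructed: legitimate ftp client bytes")
    name_only, signed = {}, {}
    add_rule(name_only, real_ftp, with_signature=False)
    add_rule(signed, real_ftp, with_signature=True)
    impostor = os.path.join(d, "spoof", "FTP.EXE")   # same name, other bytes
    os.makedirs(os.path.dirname(impostor))
    with open(impostor, "wb") as f:
        f.write(b"constructed: LeakTest-style program renamed to FTP.EXE")
    return {
        "name_only_lets_impostor_out": is_permitted(name_only, impostor),
        "signature_blocks_impostor": not is_permitted(signed, impostor),
        "signature_keeps_real_ftp_working": is_permitted(signed, real_ftp),
        "auto_rule_creation_lets_unknown_out": is_permitted({}, impostor, auto_create=True),
    }
```

Only the hash-pinned table distinguishes the renamed impostor from the genuine FTP.EXE; the name-only table and the auto-create path both let it through without a prompt.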
all firewalls are created equal. But some are particularly poor choices...
Perform a LeakTest:
No matter how you choose to do it, if you initiate a stealth mode LeakTest while your system is being "protected" by one of these vulnerable firewalls, LeakTest will immediately connect to our servers, effortlessly bypassing the firewall.
How is this done? What is LeakTest's "stealth mode"? You probably know that I would love to tell you. But since I have no wish to help Trojan horse, virus, and spyware authors increase the power of their own firewall-penetrating technology, I cannot provide details. Suffice it to say, however, that some firewalls are so poorly written that they can be easily and completely circumvented with just a few simple lines of code, regardless of the name of the penetrating program.
trick, ALL USERS OF VULNERABLE FIREWALLS will be COMPLETELY unprotected.
Other Firewalls?
The preceding examples were designed to provide some clear foundation and understanding to empower you to employ version 1.x of our firewall LeakTester in your own situation. As you have seen, the Symantec/Norton firewalls stand out due to their indefensible and incredibly insecure default "Automatic Rule Creation" feature. Other firewalls stand out due to their poor network-level design that renders them trivial to circumvent. And other firewalls such as BlackICE Defender, Conseal PC Firewall, and Lockdown 2000 were not even mentioned here because they offer NO PROTECTION and control against the very real threat represented by outbound Trojan, virus, and spyware communications. (LeakTest merrily communicates out through these firewalls without any trouble.) The "Personal Firewall Scoreboard" (see next page) compares this crucial aspect of firewall behavior for all presently tested firewalls. Don't forget to check in with our online LeakTest Internet discussion newsgroup! I have a feeling it's going to be an active and "happening" place! Simply click on the "Discussion" icon below to learn how to configure your system's built-in newsreader to access our public discussions, or you may access the "grc.leaktest" group through our web browser based interface!
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.