Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation
Last Updated: May 04, 2013 at 18:21

How to Use Version 1.x

!!!  VERY IMPORTANT  !!!

In our grc.leaktest newsgroup several very vocal, self-proclaimed gurus, have been loudly criticizing the "simplicity" of these first versions 1.x of LeakTest. So that YOU are not confused if you should read their postings, I would like to explain that they are completely correct, but that they have apparently missed the whole point.

This first release of LeakTest IS ridiculously
simple — and that IS the whole point:

This first versions 1.x of Leaktest simply demonstrate how any TRIVIAL malicious program can easily bypass any current software firewall! The only exception to this is ZoneLabs' free ZoneAlarm, because ZoneAlarm is the only firewall to cryptographically certify the identity of executable programs.

Therefore, version 1.x of LeakTest is only meant to quickly and convincingly demonstrate an alarming flaw that currently exists in the vast majority of personal computer software firewalls. Because this is a serious problem, EVERY firewall manufacturer (except ZoneLabs) is currently working to correct this glaring deficiency.

I will certainly post a note to the GRC Corporate News Blog as soon as the next, far more comprehensive, version 2.0 of LeakTest is first available. You are invited to subscribe to the GRC Corporate News Blog (which you can easily leave at any time.)

Question:When is a firewall NOT a firewall?
Answer:When it DOESN'T DO ITS JOB.

If you know anything about me, it's probably that I love technology and that I'm easily annoyed by "marketing bozos in suits". I have been involved with Internet security since long before it became the fashionable "big business" it is today, and I've been saddened to see so much confusing junk suddenly appearing on the market. It has all apparently been created by marketeers rather than technologists. Most of it is just a pretty pile of flash and glitter leaving much to be desired in the way of providing anything like true security.

Because I strongly prefer to not say anything bad about anyone, I have waited for more than a year for the marketing-driven firewall vendors to fix their products and clean up their acts. But it's getting rapidly worse, not better. My next-generation "NanoProbe" Internet security testing technology will go a long way toward exposing these bad firewalls, but I don't want to rush the development of that technology and the current problem really can't wait.

So I have written a new firewall testing program called: LeakTest.

Readers of this page have a need and a right
to know how their firewalls perform so that
they can make a well-informed decision.

It has also become painfully clear that unless we all bring some pressure to bear on the vendors of these bad firewalls, poor products will continue to sell and be used (due to their marketing, NOT their technology). People will be purchasing inferior products without understanding how they compare and that most of them are just no good.



What's Wrong With Some Firewalls?

When LeakTest v1.0 was first released, all but ONE firewall on the market was much too easy to fool and bypass. Trojan horses, viruses, and spyware are rapidly becoming "firewall aware" and are beginning to circumvent the weaker firewall defenses. But first, let's back up a bit:

External Intrusion versus Internal Extrusion
It is great to have a firewall protecting your system from external intrusion, but the fact is, if you are not actively offering public access services and if you have closed the major Windows file sharing security holes, there's really not much an outsider can do to you. However, Windows is so insecure and shabby, with new vulnerabilities being created and discovered every day, that erecting a wall to keep outsiders out is certainly worthwhile.

However, in my opinion the typical Internet user is under much greater threat from the malicious intent of programs which are inadvertently loaded into their machines. Trojan horses, eMail viruses, and Adware/Spyware are flying across the Internet with ever-increasing frequency and they are becoming much more clever. And, predictably, the latest ones have now become "firewall aware" and are using some simple tricks to penetrate personal firewalls! Therefore, any truly useful firewall must be able to not only block external intrusion, but also internal extrusion.

All but one firewall which purports to prevent outbound leakage does such a laughably poor job that I created LeakTest so that you could see it for yourself.



Introducing LeakTest:

(8,017,158 copies downloaded so far)

Click to download LeakTest (27k)

To download LeakTest click on image above or the link below.


https://www.grc.com/files/LeakTest.exe

NEXT VERSION — LEAKTEST v2.0

Version 1.0 of LeakTest is just the start and I guarantee you
will not want to miss the second version of LeakTest! This first
version does not expire, so it's up to you to check back and
pickup an updated copy of LeakTest. Please do!

I will send a short note to the subscribers of our GRC Corporate
News Blog
when the next version is first available. You are
invited to subscribe to the GRC Corporate News Blog (which
you can easily leave at any time.)

LeakTest is a safe and small (27k bytes), completely benign "chameleon utility" which can be used to simulate the presence and effect of Trojan horses, viruses, and adware/spyware running in your computer. It simply and quickly tells you whether it has been able to slip out past your firewall's outbound Trojan/Virus/Spyware protections and establish a standard TCP connection with our NanoProbe server.

LeakTest can also operate in "stealth mode" by holding down either Shift key when testing, or adding the word "stealth" to the command line, to render it further invisible to some firewalls.

LeakTest is non-expiring freeware which I wrote, as I explained above, in order to empower you with the ability to test your own outbound Internet firewall defenses. You are invited to download it, play with it, and share it with your friends. I also hope you'll consider joining in our online discussion about LeakTest and the firewall leakage problem. Please see our "Discussions" page for details about our online newsgroups.

We have a special grc.leaktest newsgroup
dedicated to the discussion of this important topic.

LeakTest pretends to be an FTP client application which attempts to connect to port 21 (FTP) of one of our servers within the grc.com domain. It verifies the connection by receiving a short string of 13 random characters, then it immediately disconnects. The server connected is not a true FTP server, it is simply a custom-built component of our forthcoming NanoProbe technology.

NO DATA OF ANY SORT IS EVER SENT TO US, AND NO RECORD OF ANY SORT IS MADE OR RETAINED OF YOUR USE OF THE PROGRAM. We have no ulterior motive of any sort. As with ShieldsUP!, this is a pure public service.



Using LeakTest With Popular Firewalls

LeakTest v1.x is used by RENAMING it — from LeakTest.exe to some other program filename — to simulate the behavior of malware which could easily alter its own name in order to masquerade as a valid and permitted application.

I have not invested more time in automating and further polishing this process because this vulnerability is so serious that I expect every firewall vendor to quickly close this gaping hole. Many have indicated that they will do so promptly.

Here are a few of the typical ways LeakTest can be used to test the security of popular personal firewalls:



Masquerading as a Trusted Program
Most personal firewalls provide such weak "pseudo protection" that malicious software is beginning to take advantage of their users' false sense of security. For example, any Trojan, virus, or spyware can easily determine the name of your system's registered Internet browser or eMail program. It simply looks in the system registry to see which program handles URL and eMail links for the system. Then that malicious program simply needs to name itself the same as a trusted program to fool the firewall and gain unrestricted Internet access.

It's just THAT SIMPLE to fool most firewalls!

"Norton Personal Firewall 2001 can't distinguish between the real version of a program like Microsoft Internet Explorer and a renamed Trojan, such as the infamous Back Orifice 2000", says Tom Powledge, Symantec's senior product manager for consumer products.— Security Crusader Punches Holes in Firewalls, Sean Captain, PC World Magazine

Perform a LeakTest:
Look through your firewall's permissions for the filename of any program that is granted access through the firewall. Then simply rename LeakTest to that name (just as a Trojan, virus, and spyware would) and run it. EVERY SINGLE FIREWALL I've tested — with the sole exception of ZoneAlarm — will be fooled and allow LeakTest to connect to and receive a bit of data from the NanoProbe server! (The Tiny Personal Firewall from Tiny Software has an option for catching this, but it is currently disabled by default.)

Your firewall does NOT know that this was NOT the program you
intended to permit to access the Internet. That is NOT secure.

Note: Some firewalls, like Symantec/Norton and AtGuard, restrict which ports their permitted programs may use. Since LeakTest uses remote port 21 (pretending to be an FTP client) you should rename LeakTest to the name of another permitted program which has FTP access.

I have learned that ZoneAlarm (and optionally the Tiny Personal Firewall) goes the extra mile of generating a "Cryptographic Signature" for every permitted program. This signature is then regenerated and compared before any program of that name is again allowed access. This completely prevents this simple form of trusted program impersonation, but NO OTHER FIREWALLS OFFER THIS CAPABILITY.



Masquerading as a "Standard" Program.
After Symantec purchased the AtGuard firewall from WRQ, they made it more "user friendly" by adding automatic rule generation for standard applications and enabled this feature by default. In doing so they reduced the excellent AtGuard firewall to a nearly useless — and very dangerous — toy. By default, any malicious program named the same as any one of the 878 "standard" programs in the Symantec database may gain immediate access to the Internet!

By no stretch of the term can this be called a secure firewall.

When it is installed, Symantec places a database of presumably "approved" applications under the \WINDOWS\APPLICATION DATA directory. My copy contains entries for 878 individual programs. But what's even more frightening is that the first version of Symantec's firewall database contained entries to permit the Aureate/Radiate adware/spyware to secretly access the Internet. The CURRENT version contains an entry to permit the "AllAdvantage" spyware browser viewbar to pass right through the firewall without even asking or notifying its user! So not only has Symantec done nothing to prevent Trojans, viruses, and spyware from pretending to be any one of 878 "pre-approved" programs, but they also decide for the user what those programs are — even if they are the sorts of controversial adware and spyware which the user may have purchased a firewall to control.

LeakTest easily demonstrates that the various Symantec/Norton
firewalls are among the least secure of all firewalls in the industry.

Perform a LeakTest:
Since the Symantec firewalls regulate the remote ports that applications may use, and since LeakTest pretends to be an FTP client connecting to port 21 on our server, you'll need to rename LeakTest to one of the pre-approved programs which uses port 21. A search through Symantec's database files for the string "ftp.alc:FTP" turned up 152 matches, thus you can rename LeakTest to any one of those 152 programs. My favorite was VAMPIRE.EXE, which seemed quite fitting under the circumstances, though you'll want to be sure your Symantec database contains an entry for that.

Some of my other favorites from the database are: BYTECATCHER.EXE, CUTEFTP32.EXE, DOWN.EXE, DREAMWEAVER.EXE, EXCEL.EXE, EXPLORER.EXE, FRONTPG.EXE, FTP.EXE, GAME.EXE, GETRIGHT.EXE, GO.EXE, LYNX.EXE, MOSIAC.EXE, MSACCESS.EXE, NETSCAPE.EXE, OPERA.EXE, PAGER.EXE, PICTURE.EXE, POWERPNT.EXE, REALDOWNLOAD.EXE, SETUP.EXE, SPLASH.EXE, VFTP.EXE, WAOL.EXE, WEBZIP.EXE, WINWORD.EXE, WUPDATE.EXE  . . . or any of the other 125 programs whose definitions contain the ftp rule string. The point is, it's obviously quite possible for a Trojan, virus, or spy to hide inside your computer, using any of those names, while the Symantec firewall gives it free reign.

Once LeakTest has been renamed, simply run it. If your copy of the Symantec/Norton firewall has "Automatic Rule Creation" enabled — as it will be for, perhaps, everyone — the renamed LeakTest will simply connect to our servers without your "firewall" raising the smallest dialog box. If you then go into the advanced settings and examine the firewall rule-set you will discover LeakTest's icon now among the rules since the firewall has been easily fooled and automatically created rules for your "spoofed" application.

If you are a current or prospective Symantec customer, please be sure to see their response to this on the Firewall Vendor Responses page!

It should be clear by now that not
all firewalls are created equal.

But some are particularly poor choices...



Slipping Right Under a Firewall
A number of first-generation personal firewalls can be easily bypassed through a simple manipulation for the Windows "sockets" networking interface. Leaktest incorporates a test for this disturbing exploit so that you can verify that your firewall doesn't (or does!) suffer from this well known vulnerability.

Dec. 14, 2000 — eSafe Desktop is every bit as insecure!

In response to many questions about Aladdin's eSafe Desktop, I made time to check it out. It joins the Symantec firewall in being among the LEAST safe of any. LeakTest's "Stealth Mode" passes right through the e-UN-Safe Desktop like it wasn't there — eSafe Desktop doesn't even know it has happened — and it is also completely vulnerable to application masquerading.

Perform a LeakTest:
LeakTest can be named anything you like while testing for this vulnerability. Rename it Dracula, or just leave it named LeakTest. For this test, you must depress and hold either of your keyboard's "Shift" keys when you click on and release the "Test" button. The LeakTest window title will immediately change to confirm that it has recognized your request for "stealth mode" operation.

Note: LeakTest also recognizes the optional command-line term "stealth". You can provide this by starting LeakTest from a DOS Prompt Window, from the "Run..." option of the Windows Start menu, or by creating a program shortcut and adding the term "stealth" after "LeakTest.exe". (Using a shortcut lets you easily and always use LeakTest in stealth mode.)

Winsock 1.x versus 2.x:
LeakTest's stealth mode requires the use of Microsoft Windows Sockets (WINSOCK) version 2.0 or later. This has been "standard equipment" on all versions of Windows AFTER Windows 95. Because Winsock 1.x is literally riddled with significant and widely known Internet security holes, and is absolutely unsafe to use, Microsoft offers a FREE UPGRADE to all Windows 95 users:

FREE Microsoft Winsock 2.0 Upgrade for Win95

If you attempt to use LeakTest's stealth mode on a system using Windows Sockets version 1.x you'll receive a polite explanation of this requirement and a link to upgrade to version 2. You should do so IMMEDIATELY!

No matter how you choose to do it, if you initiate a stealth mode LeakTest while your system is being "protected" by one of these vulnerable firewalls, LeakTest will immediately connect to our servers, effortlessly bypassing the firewall.

The firewall doesn't even know it happened.   Whoops!

How is this done?  What is LeakTest's "stealth mode" ? You probably know that I would love to tell you. But since I have no wish to help Trojan horse, virus, and spyware authors increase the power of their own firewall-penetrating technology, I can not provide details. Suffice to say, however, that some firewalls are so poorly written that they can be easily and completely circumvented with just a few simple lines of code — regardless of the name of the penetrating program.

Once Trojans, viruses, and spyware pick up on this
trick, ALL USERS OF VULNERABLE FIREWALLS
will be COMPLETELY unprotected.



Other Firewalls?

The preceding examples were designed to provide some clear foundation and understanding to empower you to employ version 1.x of our firewall LeakTester in your own situation.

As you have seen, the Symantec/Norton firewalls stand out due to their indefensible and incredibly insecure default "Automatic Rule Creation" feature. Other firewalls stand out due to their poor network-level design that renders them trivial to circumvent. And other firewalls such as BlackICE Defender, Conseal PC Firewall, and Lockdown 2000 were not even mentioned here because they offer NO PROTECTION and control against the very real threat represented by outbound Trojan, virus, and spyware communications. (LeakTest merrily communicates out through these firewalls without any trouble.)

The "Personal Firewall Scoreboard" (see next page) compares this crucial aspect of firewall behavior for all presently tested firewalls.

Don't forget to check in with our online LeakTest Internet discussion newsgroup! I have a feeling it's going to be an active and "happening" place! Simply click on the "Discussion" icon below to learn how to configure your system's built-in newsreader to access our public discussions, or you may access the "grc.leaktest" group through our web browser based interface!

To continue, please see: Personal Firewall Scoreboard

You are invited to browse these LeakTest pages:

LeakTest
How to Use LeakTest 1.x

Personal Firewall Scoreboard

Firewall Vendor Responses

Vulnerability Disclosure Policy
Hardware Firewalls/NAT Routers

Tracking Firewall Updates

Frequently Asked Questions

LeakTest News & History

Jump to top of page
Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2016 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.
Jump to top of page

Last Edit: May 04, 2013 at 18:21 (1,417.96 days ago)Viewed 54 times per day