Leaktest information

Website: http://www.firewallleaktester.com
Author: myself (Guillaume Kaddouch)
Date: July 2004 (v1.1)
Categories: launcher, timing attack
Download: Ghost.exe (View EULA)
MD5: E2C81855695E3D3A25BE0484F6DF5FDD
SHA-160: DF3328F9944867C3C5E147EACDE42F504F2E8C73
Operating System: Windows 9x/Millennium/NT4/2000/XP

Leaktest description

Generally, when an application accesses the Internet, a firewall uses the Windows API to retrieve the parent PID and name (the executable which launched the trusted application). Once it has them, it freezes (suspends) it and asks you what to do (allow/deny).
To avoid being seen, Ghost, once it has given the default browser the information to send, changes its PID by shutting itself down and restarting itself to continue sending data.
Ghost just tries to reach one page, sending a string to it.

Meaning

If the test is a success, this means that your firewall's "parent/child network access monitoring" is checking too late that an executable is launching another one to access the Internet.
If Ghost.exe is seen and apparently frozen but the first page is still reached, this means that your firewall's "parent/child network access monitoring" is close to being good, but it is still checking too late.
A page reached could, in theory, be your credit card number being sent.
If no information can be sent, no page is reached at all, and Ghost.exe is seen by the firewall, you have strong "parent/child network access monitoring".
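
The "checking too late" problem described above, as a small model added here (not code from the original page and not Ghost.exe itself): it replays a constructed event trace and compares a monitor that resolves the launcher only when the connection is seen with one that records the launcher when the child process is created. The PIDs, timings, `browser.exe` and the function name `attribute_connections` are assumptions for illustration.

```python
# Constructed process/network trace modelled on the behaviour described above.
# It is not a capture of Ghost.exe; PIDs, times and browser.exe are made up.
# Fields: (time_ms, kind, pid, parent_pid, image)
EVENTS = [
    (0,  "start",   1200, 0,    "explorer.exe"),
    (10, "start",   3100, 1200, "ghost.exe"),
    (20, "start",   3200, 3100, "browser.exe"),  # launcher hands data to the browser
    (22, "start",   3300, 3100, "ghost.exe"),    # launcher restarts itself: new PID
    (25, "exit",    3100, None, None),           # original PID is gone
    (40, "connect", 3200, None, None),           # browser reaches the page
    (50, "start",   3400, 3300, "browser.exe"),
    (52, "start",   3500, 3300, "ghost.exe"),
    (55, "exit",    3300, None, None),
    (70, "connect", 3400, None, None),
]


def attribute_connections(events, snapshot_at_start):
    """Return [(connecting image, launcher image or None)] for each connect.

    snapshot_at_start=False: resolve the launcher when the connection is seen,
    from the table of processes that are still running (the late check).
    snapshot_at_start=True: record the launcher when the child is created.
    PID reuse is ignored in this model.
    """
    live = {}      # pid -> (image, parent_pid) for running processes
    launcher = {}  # pid -> launcher image recorded at creation time
    results = []
    for _time, kind, pid, ppid, image in events:
        if kind == "start":
            live[pid] = (image, ppid)
            launcher[pid] = live[ppid][0] if ppid in live else None
        elif kind == "exit":
            live.pop(pid, None)
        elif kind == "connect":
            conn_image, parent = live[pid]
            if snapshot_at_start:
                who = launcher[pid]
            else:
                who = live[parent][0] if parent in live else None
            results.append((conn_image, who))
    return results


if __name__ == "__main__":
    print("late lookup   :", attribute_connections(EVENTS, False))
    print("early snapshot:", attribute_connections(EVENTS, True))
```

With the late lookup, both connections are attributed to the browser alone because the launching PID has already exited; with the creation-time record, both are tied back to `ghost.exe`.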