From Matousec.com: The Coat leak test rewrites its own memory and then tries to establish an Internet connection. It rewrites its image base, image name, command line, window title, etc., and also changes the entry for its main module in the module list. All of these data reside in the address space of its own process, and all of them are changed to match the image of the default browser. Only then does it try to establish the Internet connection.
Firewalls that cannot handle this trick suffer from a serious design bug: they trust ring 3 data of malicious processes. They keep no internal list of running programs and instead obtain this information only at the moment it is needed. This gives a malicious process enough time to modify these data before it executes privileged actions. Such firewalls (as well as many other programs, e.g. Process Explorer from Sysinternals) then see the malicious process as something else, e.g. the default browser, and allow the execution of privileged actions without any questions.
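The design difference described above, as an added model that is not part of the original page: a firewall that reads identity from the process's own (ring 3) memory at connect time is fooled by the rewrite, while one that records a kernel-sourced path when the process starts is not. All class and path names are constructed for the example; on Windows the kernel-sourced path would come from a process-creation callback or QueryFullProcessImageName rather than from the PEB.

```python
# Added example (not the leak test's or any firewall's code): models why
# on-demand lookup of ring-3 process data is spoofable and how a creation-time
# record of kernel-sourced identity defeats the Coat trick.
from dataclasses import dataclass, field

BROWSER = r"C:\Program Files\Browser\browser.exe"   # constructed path
COAT = r"C:\leaktests\coat.exe"                       # constructed path


@dataclass
class Peb:
    """Ring-3 data a process can overwrite in its own address space."""
    image_path: str
    command_line: str
    window_title: str
    ldr_main_module: str


@dataclass
class Process:
    pid: int
    peb: Peb
    kernel_image_path: str   # backed by the kernel's file object, not writable from ring 3


@dataclass
class OnDemandFirewall:
    """Vulnerable design: asks the process's own memory who it is at connect time."""
    trusted: set = field(default_factory=lambda: {BROWSER})

    def allow_connect(self, proc: Process) -> bool:
        return proc.peb.image_path in self.trusted


@dataclass
class SnapshotFirewall:
    """Hardened design: records kernel-sourced identity when the process starts."""
    trusted: set = field(default_factory=lambda: {BROWSER})
    table: dict = field(default_factory=dict)

    def on_process_create(self, proc: Process) -> None:
        self.table[proc.pid] = proc.kernel_image_path

    def allow_connect(self, proc: Process) -> bool:
        recorded = self.table.get(proc.pid)
        if recorded is None or recorded != proc.peb.image_path:
            return False           # unknown process or PEB disagrees with kernel: deny
        return recorded in self.trusted


def run_leaktest(fw) -> bool:
    """Replays Coat: start as coat.exe, rewrite own PEB to look like the browser, connect."""
    proc = Process(4242, Peb(COAT, COAT, "Coat", COAT), COAT)
    if hasattr(fw, "on_process_create"):
        fw.on_process_create(proc)
    proc.peb = Peb(BROWSER, f'"{BROWSER}"', "Browser", BROWSER)   # the rewrite
    return fw.allow_connect(proc)


def run_real_browser(fw) -> bool:
    """Control case: the genuine browser must still be allowed by both designs."""
    proc = Process(1337, Peb(BROWSER, f'"{BROWSER}"', "Browser", BROWSER), BROWSER)
    if hasattr(fw, "on_process_create"):
        fw.on_process_create(proc)
    return fw.allow_connect(proc)
```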