Often, after reading the content of this website, the reader wonders: "are these various leaktest tricks actually used by the malware in the wild?"
Although the leaktests work and are effectively able to bypass some personal firewalls, it is legitimate to wonder whether they are really used and whether they are as efficient as they appear to be.
One important point is that most of the leaktests were designed as theoretical/practical demonstrations: they were written from scratch with the sole purpose of demonstrating some weaknesses in personal firewalls, and they were never meant to be a convenient and easy way to build a real trojan or to be added to an existing one.
Because there is nothing to guess from the leaktests, let's let the facts and reality speak for themselves. Below is a quick list I made of real malware using firewall bypass methods demonstrated by the leaktests:
SUBSTITUTION
  leaktests: LeakTest
  malwares: W32.Welchia.Worm, The Beast

LAUNCHER
  leaktests: Tooleaky, FireHole, WallBreaker, Ghost, Surfer
  malwares: W32.Vivael@MM

HIDDEN RULES
  leaktests: Yalta
  malwares: none I know of

DIRECT NETWORK INTERFACE USE
  leaktests: Outbound, Yalta (advanced test), MBtest
  malwares: none I know of

DLL INJECTION
  leaktests: PCAudit, FireHole, PCAudit v2
  malwares: The Beast, Proxy-Thunker, W32/Bobax.worm.a

PROCESS INJECTION
  leaktests: Thermite, CopyCat
  malwares: Flux trojan

TIMING ATTACK
  leaktests: Ghost
  malwares: none I know of

RECURSIVE REQUEST
  leaktests: DNStester
  malwares: none I know of
As you can see, at least 4 of the 8 categories are implemented in real malware, at least according to a quick search on Google and various antivirus websites.
However, this malware does not represent the majority: usually worms just terminate security software and connect directly to the outside.
In fact, I do not believe that tomorrow will see an explosion of leaktest exploits used in ITW malware, because why try to do something rather hard when almost all of the computers on the Internet are running with Administrator privileges, and often do not have any personal firewall?
For those who have one, the method used by ITW worms is rather simple, even if brutal: they just kill your firewall process by calling TerminateProcess() on it.
There are so many easier ways for now to leak data out that the leaktest exploits do not seem to be, for now, a premium choice for malware writers.
However, even if the possibility of being attacked with such an exploit is rather slim, these exploits still exist and are fully functional and working.
No later than last week, I was myself playing with DLL injection against a firewall which is on my test page (I will not disclose which one, because this article is not meant to bash any product), and I was still astonished at how easy it was to bypass a firewall using this method. You just need to write your own DLL, then you can inject it by using CreateRemoteThread() into the mail client or the browser, or even into system processes, and the firewall I was testing didn't raise any alarm while I was sending data out this way.
So it's really up to you whether to take that possibility into account in your security or not.
Personally, I think it's better to be safe than sorry, and that outbound protection is essential to any security setup.
Adding security layers on top of your firewall will give you a good security margin.
If you didn't read the whole website before reading this page, you will find many ways to protect yourself against all of the leaktests on the following pages:
http://www.firewallleaktester.com/advices.htm
http://www.firewallleaktester.com/software.htm
http://www.firewallleaktester.com/faq.htm
The personal firewall is important, but it is just one brick of the security wall.