In The Wild malwares
Often, after having read the content of this website, the reader wonders: "are the various leaktest tricks actually used by malware in the wild?"


Although the leaktests work and are effectively able to bypass some personal firewalls, it is legitimate to wonder whether they are really used, and whether they are as efficient in practice as they appear to be.

One important point is that most of the leaktests were designed as theoretical/practical demonstrations: they were written from scratch with the sole purpose of demonstrating weaknesses in personal firewalls, never to be a convenient and easy way to build a real trojan or to be bolted onto an existing one.

Rather than guessing from the leaktests themselves, let the facts speak for themselves. Below is a quick list I made of real malware using firewall bypass methods demonstrated by the leaktests:

SUBSTITUTION :
leaktests : LeakTest
malware : W32.Welchia.Worm, The Beast

LAUNCHER :
leaktests : Tooleaky, FireHole, WallBreaker, Ghost, Surfer
malware : W32.Vivael@MM

HIDDEN RULES :
leaktests : Yalta
malware : none I know of

DIRECT NETWORK INTERFACE USE :
leaktests : Outbound, Yalta (advanced test), MBtest
malware : none I know of

DLL INJECTION :
leaktests : PCAudit, FireHole, PCAudit v2
malware : The Beast, Proxy-Thunker, W32/Bobax.worm.a

PROCESS INJECTION :
leaktests : Thermite, CopyCat
malware : Flux trojan

TIMING ATTACK :
leaktests : Ghost
malware : none I know of

RECURSIVE REQUEST :
leaktests : DNStester
malware : none I know of

As you can see, at least 4 of the 8 categories are implemented in real malware, at least according to a quick search on Google and various antivirus websites.

However, this malware does not represent the majority: usually worms simply terminate the security software and connect directly to the outside.

In fact, I do not believe that tomorrow will see an explosion of leaktest exploits in ITW malware, because why try to do something rather hard when almost all computers on the Internet run with Administrator privileges, and often have no personal firewall at all?
For those that do have one, the method used by ITW worms is rather simple, if brutal: they just kill your firewall process by calling TerminateProcess() on it.

There are so many easier ways to leak data out for now that the leaktest exploits do not seem to be a premium choice for malware writers.

However, even if the possibility of being attacked with such an exploit is rather slim, these exploits still exist and are fully functional and working.

No further back than last week, I was myself playing with DLL injection against a firewall which is on my test page (I will not disclose which one, because this article is not meant to bash any product), and I was still astonished at how easy it was to bypass a firewall using this method. You just need to write your own DLL, then inject it using CreateRemoteThread() into the mail client or the browser, or even into system processes, and the firewall I was testing did not raise any alarm while I was sending data out this way.

So it is really up to you whether to take that possibility into account in your security or not.
Personally I think it is better to be safe than sorry, and that outbound protection is essential to any security setup.
Adding security layers on top of your firewall will give you a good security margin.

If you did not read the whole website before reading this page, you will find many ways to protect yourself against all of the leaktests on the following pages:
http://www.firewallleaktester.com/advices.htm
http://www.firewallleaktester.com/software.htm
http://www.firewallleaktester.com/faq.htm

The personal firewall is important, but it is just one brick in the security wall.

