Below are some penetration techniques I recently came across in the agnitum firewall guide. I thought I would share it with all who are doing some sort of tests of their firewall or just FYI.
1. Components injection
Windows operating system by design enables installing system interceptors (hooks) through which foreign code can be injected into other processes. Usually this technique is used to perform common, legitimate actions, for example, switching the keyboard layout or launching a PDF file within the web browser window. However, it can be likewise used by malicious programs to embed malicious code and thus hijack the host application. An example of leak test using such technique to stage a simulated attack is a PC Audit program (http://www.pcinternetpatrol.com/).
Outpost Firewall Pro controls the installation of a hook interceptor in a process’s address space. This is implemented via the interception of functions that are typically used by malicious processes (Trojans, spyware, viruses, worms etc.) to implant their code into legitimate processes (i.e. Internet Explorer or Firefox). The behavior of a DLL file invoking such functions is considered suspicious and triggers legitimacy verification.
2. Control over another application
DDE technology is used to control applications. Most famous browsers are DDE servers and can be used by malicious programs to transfer private information into the network. One example of this technique is Surfer leak test (http://www.firewallleaktester.com/leaktest15.htm). ZABypass is another example of a leak test using this method.
With Outpost Firewall Pro, every attempt to use the DDE intercommunication is monitored with no exclusion, whether the process is open or not. DDE inter process communication control enables Outpost Firewall Pro to control the methods used by applications to get control over the legitimate processes. It prevents malware from hijacking the legitimate program and checks whether such DDE-level interactivity is allowed to be performed upon the network-enabled applications. In case such attempt is detected, it triggers legitimacy verification.
Leave a Reply