Personal Firewalls vs. Leak Tests: Part II: "Leak Tests Win Again!"

August 7, 2003

Leak test descriptions

LeakTest by Steve Gibson
http://www.grc.com/lt/leaktest.htm

The grandpa of all leak tests, created by Steve Gibson, the owner of GRC.com.

While the majority of firewalls rely on application trust levels set by the user, it was shown that simply replacing a trusted application with a malicious agent of the same name would often make a firewall allow the malicious program's outbound traffic with all the privileges granted to the real application.

Recent versions of most firewalls have this bug fixed by performing checksums on the trusted applications and warning the user if a dissimilar copy of the application is identified.
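
The checksum check described above, as an added example (not code from the article or from any firewall product): a rule store pins each trusted program's SHA-256 when trust is granted and re-hashes the file before honouring the rule. The names TrustStore, trust, decide and demo, and the sample file contents, are hypothetical.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

class TrustStore:
    """Hypothetical outbound-rule store: path -> checksum recorded when the user granted trust."""
    def __init__(self):
        self._rules = {}

    @staticmethod
    def _key(path):
        # Windows paths are case-insensitive; normcase keeps the lookup key stable.
        return os.path.normcase(os.path.abspath(path))

    def trust(self, path):
        self._rules[self._key(path)] = sha256_of(path)

    def decide(self, path):
        """Return 'ask' (no rule), 'allow' (checksum matches) or 'warn-modified' (it does not)."""
        pinned = self._rules.get(self._key(path))
        if pinned is None:
            return "ask"
        try:
            current = sha256_of(path)
        except OSError:
            return "warn-modified"  # missing or unreadable binary: fail closed
        return "allow" if current == pinned else "warn-modified"

def demo():
    """Constructed scenario: a trusted program is overwritten by a different file of the same name."""
    with tempfile.TemporaryDirectory() as d:
        app = os.path.join(d, "browser.exe")
        with open(app, "wb") as f:
            f.write(b"original trusted program (constructed sample bytes)")
        store = TrustStore()
        before_rule = store.decide(app)   # no rule exists yet
        store.trust(app)                  # user grants trust; checksum is pinned
        trusted = store.decide(app)       # unchanged file
        with open(app, "wb") as f:
            f.write(b"different program, same file name (constructed sample bytes)")
        return before_rule, trusted, store.decide(app)
```

Calling demo() returns the three decisions in order. The check covers only the executable file on disk, so it addresses the same-name substitution described for LeakTest, not code that runs inside an unmodified trusted process.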

TooLeaky by Bob Sundling
http://www.tooleaky.zensoft.com

This is another veteran test that uses a more advanced technique than Gibson’s test.

It uses the system's web browser to transmit information without the knowledge of the user. The tool opens your default web browser with the following command line:

iexplore.exe http://grc.com/lt/leaktest.htm?PersonalInfoGoesHere

The browser window is hidden so the user doesn’t notice it. If the firewall allows the web browser to access port 80, then any personal data can be transmitted to the remote address (GRC.com in this case). This information can be anything, including the user's passwords, credit card information and much more.

FireHole by Robin Keir
http://www.keir.net/firehole.html

FireHole (created by Robin Keir, the lead network security programmer of Foundstone) uses the default web browser to transmit data to a remote host, but its technique is much more sophisticated than TooLeaky’s.

"FireHole" installs a DLL file (containing an intercept function) on the user's computer. This DLL is loaded along with any program started afterwards and is treated as being in the same process space as that program. As a result, "FireHole" uses the process space of the system's default browser and is almost certainly trusted by the firewall.

Yalta by Soft4Ever
http://www.soft4ever.com/security_test/En/index.htm

Yalta was created by the developers of Look'n'Stop firewall. Yalta acts as a Trojan trying to send a message to a remote address, bypassing all firewall filters.

Yalta consists of two tests: the Classical Leak Test and the Enhanced Leak Test. We tested all firewalls with Yalta's Classical Leak Test.

pcAudit by Internet Security Alliance
http://www.pcinternetpatrol.com/

This is a relatively new tool that uses a DLL injection technique to hide its presence from a firewall. pcAudit injects its code into a DLL of a trusted application and then attempts to call back to a remote computer. Some firewalls allow all communications from trusted applications and do not spot a malicious DLL.

Atelier Web Firewall Tester (AWFT) 3.0
http://www.atelierweb.com/awft/

AWFT consists of six tests, each giving points to a firewall if it passes. The maximum number of points you can get is 10.

AWFT's tests are similar to the other leak tests: “DLL injection”, “address space injection” and “hidden browser window” are all used.

Thermite by Oliver Lavery
Download link: http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/leaks/thermite.exe
Author email: oliverlavery@hotmail.com

Thermite is a tiny but very tricky tool that does not use DLL injection. Instead, it injects itself into the address space of a trusted process (application). Most firewalls cannot detect it, as this technique makes malicious code almost totally invisible to the firewall! Undetected, Thermite can send out any information from your PC.

CopyCat
Download link: http://mc.webm.ru/copycat.exe

CopyCat, like Thermite, also injects itself into the address space of a trusted process. However, CopyCat enables the user to select the application that CopyCat is to be injected into.

© 2006 PC Flank Ltd. All rights reserved.