Unexpected rescue... :D

In November last year, the guys from Matousec analyzed and compared the techniques used in their (leak) test with the techniques used by real malware: Proactive Security Challenge vs. real malware (2010/11/01 09:00)
Their conclusion: "If a security product is able to block techniques of our tests, it can also block most of the real malware's behavior."
Well, you don't really need to buy any HIPS products to pass those tests. Let's assume that you don't have an anti-executable or a sandbox, and both your anti-executable + sandbox are bypassed.

Most of the tests consist of "autorun" tricks; if autorun is safely disabled, you pass them. The rest (but one), you can block by:
1) working in a limited account
2) making IE your default browser and block it in a rule-based firewall (no HIPS required), additionally setting limited allow rules for a limited number of programs to a limited number of remote ports. DNS service disabled, so that each application has to make the DNS request itself.

Now I had an interesting experience with one test called "Firehole" by Robin Keir. Even though I set IE as the default system browser (for all users), Firehole was still able to get out; it determined somehow that the browser I really use is Firefox, even when it is not launched and it is not the default browser (!)

[sidenote]I've always experimented with removing default stuff. I am especially interested in disabling "automagical" behavior based on file extensions. For example: I removed the mailto-protocol from my computer (effectively disables automatic mail client behavior), my system also doesn't know how to automatically open .pdf documents, and so on.[/sidenote]

Then an idea occurred to me and I checked the file extensions for browser-related protocols (.htm, .html and .shtml) and saw that they were marked as "Firefox HTML". Browsers tend to do that, probably not so much for user convenience, but to apply their business-models. If you have Opera installed, those extensions will be marked "Opera HTML", if you have Chrome installed - "Chrome HTML" etc.

I decided to remove those file associations from the registry (doing a search starting from "Classes" to the last specific user ID - Software - Classes and delete .htm, .html and .shtml) so that the system would not know how to open such formats. I then rebooted the computer and lo! Here's what I got:


Folder open. Executable firehole.exe allowed in Parental Controls


This is what you get when you double-click the executable.


We can also see that the double-click generates an additional .dll file that is not blocked, although it was not white-listed.

Now, when I click "start", I get this:


Surpise, surprise! Firehole can't find my default browser and can't send my data to its creator. I get this message even when Firefox is already on-line...

This measure does not influence browsing. The only side-effect is that you can no longer launch the default browser when you click on a link in another application. You have to copy the link and paste it into the address bar (+Enter).

Am I good now, or do keyloggers have any other ways of sending your passwords and other data to their creators?
P.S.: Unless they kill my Default Deny firewall (which will not be easy from a limited user account), they can't send mail, they can't send FTP, and they can't open connections themselves. Windows Vista (Win7) in-built firewall with Advanced Security doesn't alert for changes in permissions, and its settings can't be changed from a limited account if you don't know the admin password.

Paul

p2u wrote:Am I good now, or do keyloggers have any other ways of sending your passwords and other data to their creators?

Correct me if I'm wrong, but they don't have to use HTTP to send data. A TCP connection isn't mandatory a connection via HTTP. They can establish a Socket connection for example.

Ruhe wrote:

p2u wrote:Am I good now, or do keyloggers have any other ways of sending your passwords and other data to their creators?

Correct me if I'm wrong, but they don't have to use HTTP to send data. A TCP connection isn't mandatory a connection via HTTP. They can establish a Socket connection for example.

Here are my firewall rules:
svhost DHCP - (remote UDP port 67 from local UDP port 68) allowed
Explorer - DNS - (remote UDP port 53) allowed (only to my provider's addresses)
System - L2TP - UDP over port 1701 (VPN)
Firefox - DNS - (remote UDP port 53) allowed (only to my provider's addresses)
Firefox - HTTP/HTTPS (remote TCP 80/443) allowed
The rest is blocked dead. I've experimented extensively, also with sockets, but nothing can get out. Vista SP2, limited user, pretending he doesn't know the admin password.
P.S.: Flash and Java not supported (removed).

Paul

It seems you have a hacker & keylogger unfriendly system

Do I understand correctly that if I disable the DNS service, then svchost.exe will not legitimately use DNS (remote UDP port 53)?

If I do this, what other common applications will fail to access DNS instead of accessing DNS using their own executable? I use Firefox and Thunderbird.

Binky wrote:Do I understand correctly that if I disable the DNS service, then svchost.exe will not legitimately use DNS (remote UDP port 53)?

Not exactly.
If the DNS Client service is ENabled, then (as a rule) the firewall will allow svchost to do the query for all other applications. This is called a Global DNS rule. The risk that a Trojan gets out in such a situation is significantly greater because svchost is... Trusted, while it should never be trusted at all.

If you DISable the DNS Client service, then each program makes that DNS query itself. This is called a per-application DNS rule. Svchost will make the query only for itself [for example if you have Automatic Updates enabled]. This is actually the key to passing most leaktests without HIPS, especially if it is combined with hash checking.

Binky wrote:If I do this, what other common applications will fail to access DNS instead of accessing DNS using their own executable? I use Firefox and Thunderbird.

Firefox and Thunderbird will have to ask the firewall for permission to make that query themselves. The Vista and Win7 firewall with Advanced Security won't ask you anything; you'll have to add that rule per application. It goes like this:

Code:

Application: (Name of the application)
Protocol: UDP
Local Port: ANY
Remote Port 53
Direction: Outgoing (In Jetico firewall you have to set separate out and in rules for DNS as far as I remember)
Local address: ANY
Remote addresses: Your ISP's DNS server addresses or the addresses of the DNS service you use.

Then you set the other rules. Without DNS your programs can't go anywhere.
P.S.: I also log ALL outgoing traffic. Even if your firewall can't stop something, it will most likely log the traffic anyway, even traffic for unknown processes. This may be useful for diagnostics when you suspect unwanted traffic. Even if you can't work with those logs yourself, any pro will be very happy if you have them.

For firewall rules with different programs you can find a good guideline here:
A Guide to Producing a Secure Configuration for Outpost

Paul

I like the idea of each application doing DNS queries itself. Previously, I had firewall rules to allow all DNS queries to OpenDNS server addresses only for svchost.exe, Firefox and Thunderbird. Now, I am trying Paul's idea of disabling the DNS Client service and blocking svchost.exe DNS queries on my 32-bit Win7 PC to see what happens.

I see about four blocked DNS attempts by svchost.exe every minute. This is with Internet Time server synchronization disabled. Under \Event Viewer\Windows Logs\System, I see time-out warnings for access to teredo.ipv6.microsoft.com and www.msftncsi.com. This link explains how to disable the accesses to www.msftncsi.com
www.msftncsi.com-keeps-showing-up-in-firewall-logs-with-Vista-and-why-it-can-cause-problems-with-internet-captive-portals-and-WiFi-hot-spots.html" target="_blank" rel="nofollow">http://blog.tiensivu.com/aaron/archives/1509-Why-www.msftncsi.com-keeps-showing-up-in-firewall-logs-with-Vista-and-why-it-can-cause-problems-with-internet-captive-portals-and-WiFi-hot-spots.html

The queries to teredo.ipv6.microsoft.com occur even though I disabled IPv6 for my network adapter. Here is info on this issue, including how to disable the queries:
https://secure.wikimedia.org/wikipedia/en/wiki/Teredo_tunneling
http://technet.microsoft.com/en-us/library/cc722030%28WS.10%29.aspx

In \Control Panel\Windows Update\Change Settings\, I selected "Never check for updates". Thus, I only manually check for updates. The big problem for me with blocking DNS queries by svchost.exe is that Windows Update is broken. How do other people work around this problem?

Binky wrote:In \Control Panel\Windows Update\Change Settings\, I selected "Never check for updates". Thus, I only manually check for updates. The big problem for me with blocking DNS queries by svchost.exe is that Windows Update is broken. How do other people work around this problem?

In the in-built firewall with Advanced Security (Vista/Win7) you can give svchost access for Automatic Updates only and all the other services won't be able to go online. If you have XP or if you have another firewall and you still want to use Automatic Updates, then you have no choice but to allow DNS for svchost (it's all or nothing).
P.S.: You could try limiting TCP (80/443) for svchost to MS addresses only. The problem is that there are quite a few + MS also uses Amakai servers. Another option is to download your updates from the technet site manually, one by one and install them manually (my approach).
P.S.2: Maybe I haven't made myself clear, but THERE IS NO REASON FOR YOU TO REJECT Open DNS; it is not related to the DNS Client service. Your system may still use these addresses and all the benefits of that remote service. The only difference is that your firewall will force every application to ask first before allowing DNS queries or will block without asking if your settings are like mine.

Paul

p2u wrote:
P.S.: You could try limiting TCP (80/443) for svchost to MS addresses only. The problem is that there are quite a few + MS also uses Amakai servers.

It's not too bad after several have been noted, then it's a matter of figuring out CIDR or subnet masks for them to simplify things, providing a network/host range of common MS update server ip addresses.

When I did a Windows Update today, my firewall log shows a TCP out to 63.110.246.41 on port 80. I wonder if this address is not in wat0114's list because I am in the US. We could start a topic to create and update a list of addresses for Microsoft update servers (with CIDR and subnet masks).

My goals for a firewall strategy include:
1. No pop-ups or blocked functionality for my non-technical spouse
2. On a LUA with SRP, nothing is allowed out that malware could hijack (after Sandboxie deletes Firefox's sandbox)
3. Same solution for my WinXP and Win7 PCs (for ease of maintenance)

With Paul's tips on disabling the DNS client, I have a solution that seems to be working. Using the links from my earlier post in this topic, my PC boots a little faster, and svchost.exe no longer accesses DNS during normal PC usage (for my spouse). I now have two firewall rules for svchost.exe's normal PC usage:
a. Allow UDP out from port 68 to 255.255.255.255 port 67 (DHCP)
b. Block UDP out to 224.0.0.252 port 5355 (what Windows setting disables this?)

I use the Comodo firewall because, among other reasons, it works the same on WinXP and Win7. I have it set to ask me what to do for an internet access attempt not covered by the firewall rules. It has default deny if the user doesn't answer in time. When I manually check for Windows Updates once every weekend, Comodo Firewall throws 2 pop-ups for DNS accesses and 3 pop-ups for TCP accesses by svchost.exe. I answer Allow but Don't Remember to the pop-ups. I need no list of TCP addresses for Windows Update servers because I know by the context of doing Windows Updates that it is OK to allow them.

One of the advantages of this strategy is that I get a pop-up when malware tries to access the internet, either directly or under svchost.exe. I can then take immediate action to disinfect the PC. If I used silent firewall blocking and logging instead, malware could do other damage before I discovered it.

I may try downloading Windows Updates manually from technet.microsoft.com. What is the exact web page for finding them? How do I know which updates apply to my PC? This may not be simple since I have installed "Compatibility Pack for the 2007 Office System" and "Office File Converter Pack".

Binky wrote:When I did a Windows Update today, my firewall log shows a TCP out to 63.110.246.41 on port 80. I wonder if this address is not in wat0114's list because I am in the US. We could start a topic to create and update a list of addresses for Microsoft update servers (with CIDR and subnet masks).

Yes, I think it depends entirely on the region a person's located in, as to which ip address/masks can be used reliably. MS must have hundreds, probably thousands of available ip's worldwide. A topic might be okay, but obviously what works for one, may not work for others.

On a related note, this may seem extreme, even absurd, but I've managed, with a little time and patience, heh, heh...to restrict my main browser to all my favorites, and then some...

Binky wrote:When I did a Windows Update today, my firewall log shows a TCP out to 63.110.246.41 on port 80. I wonder if this address is not in wat0114's list because I am in the US. We could start a topic to create and update a list of addresses for Microsoft update servers (with CIDR and subnet masks).

Does Comodo understand this notation?
http://*.update.microsoft.com/
https://*.update.microsoft.com/
http://download.windowsupdate.com/

Binky wrote:I answer Allow but Don't Remember to the pop-ups.

You could allow and remember just those addresses, and not allow ANY.

I may try downloading Windows Updates manually from technet.microsoft.com. What is the exact web page for finding them? How do I know which updates apply to my PC? This may not be simple since I have installed "Compatibility Pack for the 2007 Office System" and "Office File Converter Pack".

In your case, it will be more convenient to leave Automatic Updates on.

Paul

Ruhe wrote:I shake my head about all this security fanaticism. The best all these maniacs should do, they should shutdown the PC and keep it off. This "Uhhh, all are watching me, all out there is bad" is sick and paranoia. And later they cry or wonder why the system or application X isn't working correctly anymore. Of course, it's malware, hrhr. That they configured their system to dead doesn't come into their mind.

This is actually corporate practice, Ruhe. You yourself may not understand the use of a strict default deny egress filtering policy, but that doesn't give you the right to apply such remarks to people who try what they think is best. I could give you hundreds of examples where this kind of rules actually help when all your other protection systems have failed. When an exploit succeeds (the malware is not yet on the computer), the first thing you'll see is an attempt to download nasties throug a trusted process, and one of the favorite applications to abuse for that purpose is svchost. That's why you would want to limit it to MS sites only.

Paul

Yep, I do this sort of thing purely out of interest, as a hobby, not because because I'm paranoid or a maniac. Fact is, I surf some 15-20 the majority of the time, so I really see nothing wrong with this approach. Paul has kindly and correctly pointed out some facts, as well. My logic, right or wrong, is an approach that mitigates (realizing it does not necessarily eliminate) the possibility of re-directs to rogue ip addresses.

I don't think Ruhe means to get personal, but I think he's trying to suggest that "paranoia" is relative (as is practically everything in life). Am I "paranoid" about my computer security relative to the average computer user? I would say yes. Of course, the term "paranoia" has such stigma to it, hence why we get sensitive about it etc. Anyway, enough of that in this particular thread. Please feel free to use this thread instead haha:
https://ssj100.forumotion.com/t6-discuss-security-setups-and-approaches-here

Nothing personal taken, only trying to understand the intent of the comment at the time, but it doesn't matter You are right, ssj, most of us in this and similar forums could be perceived as paranoid compared to the general pc user. In reality, we're (most of us) really not that paranoid, just interested in securing our machines in usually a non-conventional, and in most cases, a more effective and efficient manner (minimizing 3rd party apps, utilizing what's already built-in to the O/S, disabling unneeded services, etc...) than what's typically recommended and used by the average pc user. My limited ip/CIDR mask is simply a customized and personalized approach in the firewall. BTW, I'll take a longer look at the thread you linked to. Looks interesting

I think keeping a secure PC is pretty important and interesting, especially since I have become computer experienced. But I have to disagree with domain name blacklisting and all that. This is way too much to keep track of and even if you do, it doesn't make sense when even visiting a legit site with poisoned ads is still enough to hose your system.

So my advice is to not look for technologies that restrict the internet or what sites you visit but implement a secure mechnism on your host that will deal with everything and anything that comes on to your system. That way you can enjoy your experience and remain headache free at the same time.
Hint: Use Sandboxie! just like me, Ruhe and SSJ

Rico wrote: But I have to disagree with domain name blacklisting and all that. This is way too much to keep track of and even if you do, it doesn't make sense when even visiting a legit site with poisoned ads is still enough to hose your system.

Right, so I use a whitelist. It's far easier to maintain for my mostly tightly defined surfing habits. BTW, I realize I don't even need to go this far, and it's far from conventional, for sure. It's just experimental, to see if, for my purposes, it's practical.

Binky wrote:I may try downloading Windows Updates manually from technet.microsoft.com. What is the exact web page for finding them? How do I know which updates apply to my PC? This may not be simple since I have installed "Compatibility Pack for the 2007 Office System" and "Office File Converter Pack".

Any help on this? I have been looking around Microsoft's site, and I haven't found the right page. If folks outside the US give me the link for their country, I can replace the region with "en-us" in the link.

Binky wrote:
Any help on this? I have been looking around Microsoft's site, and I haven't found the right page. If folks outside the US give me the link for their country, I can replace the region with "en-us" in the link.

I'm not sure about a technet downloads page, but here's one for security updates:

-http://www.microsoft.com/downloads/en/resultsForCategory.aspx?displaylang=en&categoryId=7&stype=n_dc

They can be sorted by release date or popularity. Hope this helps.

wat0114 wrote:I'm not sure about a technet downloads page, but here's one for security updates:

-http://www.microsoft.com/downloads/en/resultsForCategory.aspx?displaylang=en&categoryId=7&stype=n_dc

They can be sorted by release date or popularity. Hope this helps.

Perfect. Thanks!

For technet manual downloads you go here:
http://technet.microsoft.com/en-us/security/default
Just as an example: The Security Advisory for January 2011 is here:
http://www.microsoft.com/technet/security/bulletin/ms11-jan.mspx
There you can click on the MS11 downloads that may apply to you:
http://www.microsoft.com/technet/security/bulletin/MS11-001.mspx
http://www.microsoft.com/technet/security/bulletin/MS11-002.mspx
There you pick your operating system and you get a link to download (just click download).
P.S.: I always do this with Firefox and scripts disabled. If you have scripts enabled, you may be redirected. If you want to download something manually and you are presented with a choice, ALWAYS choose the links "for professionals", not "for home users". Hope this helps.

Paul

Thanks Paul. I found your info helpful too.