matousec.com (site map)

Poll

Is leak(test) protection important?

  Yes, of course! (82.36%)

  I think so. (4.92%)

  I do not know. (3.04%)

  I do not think so. (1.94%)

  No, not at all! (7.77%)

more

results

Articles

Introduction to Firewall Leak-testing

by Carsten Fischer - Director of Product Marketing, Comodo
& David Matoušek – Analyst, DIFINEX LTD

Published: 2006/11/25

This article covers the basics of Firewall Leak-testing. If you do not know what leak-tests are, or why your firewall should be able to stop them, we recommend you to read this article. More skilled readers may be interested in the information about leak-testing techniques and/or in the list of currently available leak-testing software with download links.

Contents:


Back to contents

What is a Firewall?

Broadly speaking, a computer firewall is a software program that prevents unauthorized access to or from a private network. Firewalls are tools that can be used to enhance the security of computers connected to a network, such as a LAN or the Internet. They are an integral part of a comprehensive security framework.

Personal Firewalls are intended to isolate your computer from the Internet by inspecting each individual packet of data as it arrives at either side of the firewall - inbound to or outbound from your computer - to determine whether it should be allowed to pass or be blocked.

Firewalls have the ability to further enhance security by enabling granular control over what types of system functions and processes have access to networking resources. These firewalls can use various types of signatures and host conditions to allow or deny traffic. Although they sound complex, firewalls are relatively easy to install, setup and operate.


Back to contents

Why does a user need a firewall?

When your network is connected to a public network, it is potentially exposed to a number of threats including hackers, spyware and Trojan horse programs. The increasing ubiquity of always on broadband Internet connections means users need to be increasingly vigilant of security issues, as network traffic coming into the computer can cause damage to files and programs even when the user is away from the computer and the computer is idle. In a system that is not protected with any security measures, malicious code such as viruses can infect the system and cause damage that may be difficult to repair. The loss of financial records, e-mail, customer files, can be devastating to a business or to an individual. It can cause them to lose their identity.

Unfortunately, many of these malicious programs employ very advanced techniques to conceal their activities in an attempt to bypass the standard protection mechanism provided by most personal firewalls. These techniques are commonly known as leak techniques.


Back to contents

What is a firewall leak-test?

Leak tests are small, non-destructive, programs designed by security experts that deliberately attempt to bypass a firewall's outgoing security measures. The rationale behind them is painfully simple: "If this test can get past your computer's security defenses, then so can a hacker." Explicitly designed to help identify a firewall's security flaws, leak tests provide the invaluable function of informing the user whether or not their firewall is providing adequate protection. The tests pose no real threat to the security of a computer as they are harmless simulations of the attack techniques typically used by spyware and Trojan horse programs. There are many leak-testing programs available - each one designed to exploit a particular flaw and each using a particular attack technique to break a firewall's standard protection mechanisms.


Back to contents

Techniques employed by leak-testing software

There are many techniques that leak tests employ to break personal firewalls' standard protection mechanisms.

Credits for this section: The broad format used to identify 'Trojans that use this technique' and 'Leak Tests that emulate this technique' was inspired by information previously available at Firewall Leak Tester website. The naming convention for all leak test techniques, apart from 'Unhooking', was also inspired by this website. The malware listed as examples of a particular technique, apart from 'Unhooking', are also quoted from this website.

Substitution

This technique tries to present itself as a trusted application. There are a few different possibilities how to achieve this. For example the application can try to rename itself to a commonly known, safe application name such as iexplore.exe. As a result, firewalls that do not verify application signatures or verify too late fail to detect such attempts.

Trojans that use this technique: W32.Welchia.Worm, The Beast
Leak Tests that emulate this technique: LeakTest, Coat, Runner

Launching (Parent Substitution)

With this technique, a program launches a trusted program by modifying its startup parameters such as command line parameters, to access the Internet. This type of penetration bypasses the firewalls that do not apply parent process checking before granting the Internet access.

Trojans that use this technique: W32.Vivael@MM
Leak Tests that emulate this technique: TooLeaky, FireHole, WallBreaker, Ghost, Jumper, Surfer, CPIL, CPILSuite1, CPILSuite2, CPILSuite3

DLL Injection

Being one of the most commonly used techniques by Trojans, this method tries to load a DLL file into the process space of a trusted application. When a DLL is loaded into a trusted process, it acts as the part of that process and consequently gains the same access rights from the firewall as the trusted process itself. Firewalls that do not have an application component monitoring feature fail to detect such attacks.

Trojans that use this technique: The Beast, Proxy-Thunker, W32/Bobax.worm.a
Leak Tests that emulate this technique: pcAudit, pcAudit2, FireHole, Jumper, CPILSuite3, AWFT

Process Injection

This technique is the most advanced and difficult to detect penetration case that many personal firewalls still fail to detect although it is used by Trojans in the wild. The attacker program injects its code into process space of a trusted application and becomes a part of it. No DLL or similar component is loaded.

Trojans that use this technique: Flux trojan
Leak Tests that emulate this technique: Thermite, CopyCat, CPIL, DNStest, AWFT

Default Rules

Certain personal firewalls try to allow full Internet access rights to vital specific traffic such as DHCP, DNS and netbios. Doing so blindly may cause malicious programs to exploit these rules to access the Internet.

Trojans that use this technique: Unknown
Leak Tests that emulate this technique: YALTA

Race Conditions

While filtering the Internet access requests per application, personal firewalls need the process identifier (pid) of a process to perform its internal calculations. Attacker programs may try to exploit this fact by changing their process identifiers before personal firewalls detect them. A robust personal firewall should detect such attempts and behave accordingly.

Trojans that use this technique: Unknown
Leak Tests that emulate this technique: Ghost

Own Protocol Driver

All network traffic in Windows operating systems is generated by TCP/IP protocol driver and its services. But some Trojans can make use of their own protocol drivers to bypass the packet filtering mechanism provided by personal firewalls.

Trojans that use this technique: Unknown
Leak Tests that emulate this technique: None

Recursive Requests

Some system services provide interfaces to applications for common networking operations such as DNS, Netbios etc. Since using these interfaces is a legitimate behavior, a Trojan can exploit such opportunities to connect to the Internet.

Trojans that use this technique: Unknown
Leak Tests that emulate this technique: DNStester, BITStester

Windows Messages

Windows operating system provides inter process communication mechanism through window handles. By specially creating a window message, a Trojan can manipulate an application's behavior to connect to the Internet.

Trojans that use this technique: Unknown
Leak Tests that emulate this technique: Breakout

OLE Automation, DDE

Windows operating system also provides inter process communication mechanism through COM interfaces. By using a COM interface hosted by a server application, a Trojan can hijack the application to connect to the Internet. Another similar mechanism for inter process communication is Direct Data Exchange (DDE).

Trojans that use this technique: Unknown
Leak Tests that emulate this technique: PCFlank, OSfwbypass, Breakout2, Surfer, ZAbypass

Unhooking

Personal firewalls commonly use so-called hooks to implement their protection mechanisms. There exist two major types of hooks - kernel mode hooks and user mode hooks. If the self-protection mechanisms are not implemented well by the firewall it may be possible to unhook its hooks. As a result, some or all protection mechanisms of the firewall are disabled.

Trojans that use this technique: Unknown
Leak Tests that emulate this technique: FPR


Back to contents

Description of leak-test software

The list of currently available leak-tests follows. You can download the archive, which contains all the below mentioned leaktests.

Atelier Web Firewall Tester 3.2 (AWFT)

Author: José Pascoa
Category: Process Injection, Parent Substitution, DLL Injection
Website: http://www.atelierweb.com/awft/
Download: AWFT.zip (evaluation version)

Atelier Web Firewall Tester contains 6 very effective leak tests each of which is used to calculate a grade over 10, for the personal firewall tested.

BITStester

Author: Tim Fish
Category: Recursive Requests
Website: -
Download: BITStester.zip

Since XP version there have been Background Intelligent Transfer Service (BITS) installed in the Windows OS by default. Using a tool called BITSadmin from the Microsoft Windows XP Service Pack 2 Support Tools it is possible to control this service and order it to connect to a specific URL and download a file from the Internet. BITStester is a batch script that performs necessary steps to download a file.

The first version of BITS_tester, which is available at Firewall Leak Tester website, is the result of Tim Fish's discovery and Guillaume Kaddouch's implementation. Our BITStester package contains a simple batch script that performs necessary steps to download a file using BITS.

Breakout

Author: Volker Birk
Category: Windows Messages
Website: http://www.dingens.org/
Download: Breakout.zip (source code included)

Breakout uses Windows Messages to control the Internet browser. It has two implementations, one for Internet Explorer and one for Mozilla or Firefox browsers. Using messages it is able to redirect the browser to the given location.

Breakout2

Author: Volker Birk
Category: OLE Automation
Website: http://www.dingens.org/
Download: Breakout2.zip (source code included)

Breakout2 creates HTML page on the local disk that points to the Internet server. Then, it enables Windows Active Desktop and set that HTML page to be the desktop wallpaper. As a result, Windows Explorer connects to the given URL.

Coat

Author: www.matousec.com
Category: Substitution
Website: http://www.matousec.com/
Download: Coat.zip (source code included)

The Coat leak-test rewrites its own memory and tries to establish an Internet connection. It rewrites its image base, image name, command line, Windows title etc. and it also changes the information of the main module in the module list. All these data reside in the address space of its process. All the data are changed to match the image of the default browser. Then, it tries to establish the Internet connection.

Firewalls that are not able to handle this trick suffer from a serious design bug because they trust ring 3 data of malicious processes. They do not have their internal list of running programs and obtain this information when it is needed. This gives malicious processes enough time to modify these data before they execute privileged actions. Such firewalls (as well as many other programs - e.g. Process Explorer from Sysinternals) then see the malicious process as something else - e.g. the default browser - and allow the execution of privileged actions without any questions.

CopyCat

Author: bugsbunny [at] e-mail.ru
Category: Process Injection
Website: http://syssafety.com/
Download: CopyCat.zip

CopyCat uses Windows API SetThreadContext to take control over the thread of a trusted process. This technique was invisible to personal firewalls for a long time and even today many firewalls are not able to handle it.

CPIL

Author: Comodo
Category: DLL Injection
Website: http://personalfirewall.comodo.com/cpiltest.html
Download: CPIL.zip

CPIL test locates the executable file called explorer.exe and patches its memory loading its own DLL. Then, it tries to use the default browser to transfer the data from your computer to the Internet server.

CPIL Test Suite (CPILSuite)

Author: Comodo
Category: Process Injection
Website: http://personalfirewall.comodo.com/cpiltest.html
Download: CPILSuite.zip

The CPIL suite contains three separate tests especially developed by Comodo engineers to test a firewall's protection against parent injection leak attacks. Each of the three tests involves the user typing some random text into a text box which CPIL will attempt to transmit to the Comodo servers.

DNStest

Author: Jarkko Turkulainen
Category: Process injection
Website: http://www.klake.org/~jt/dnshell/
Download: DNStest.zip (source code included)

DNStest attempts to launch and then infect svchost.exe that is usually a trusted application that can connect to the Internet because the default Windows DNS client service resides in svchost.exe.

DNStester

Author: Jarkko Turkulainen
Category: Recursive Request
Website: http://www.klake.org/~jt/dnshell/
Download: DNStester.zip (source code included)

DNStester uses Windows DNS API functions to make a recursive DNS query to the Internet server. DNS packets can be used to transfer extra data and this is why they should be controlled by firewalls as any other packets.

FireHole

Author: Robin Keir
Category: Launcher, DLL Injection
Website: http://keir.net/firehole.html
Download: FireHole.zip

FireHole attempts to launch the default browser and then it uses Windows API SetWindowsHookEx to inject its own DLL into the browser's process. From inside of the browser it then establishes the Internet connection.

Fake Protection Revealer (FPR)

Author: www.matousec.com
Category: Unhooking
Website: http://www.matousec.com/
Download: FPR.zip (source code included)

The Fake Protection Revealer is implemented to reveal fake anti-leak protection. For this purpose we define the fake protection as the protection which is implemented only to pass leaktests instead of fixing the real causation. FPR is implemented to reveal fake protection which is based on ring 3 hooks.

Firewalls that are not able to handle leaktests run by FPR are cheating on leaktests! This means not only that they do not protect their users properly but they try to cover their impotency and generally do offer a fake sense of security to their users. You can recognize the fake protection revealed by FPR easily. If you have a leaktest that was not able to bypass the tested firewall and you run it using FPR, then the tested firewall implements fake ring 3 protection if the leaktests succeed. Succeeding or failing leaktests run by FPR that are able to bypass the tested firewall without FPR means nothing at all!

FPR is implemented to be used with other leaktests. This means you have to obtain another software to be able to test your firewall against FPR. FPR loads the given leaktest in its memory, unhooks all ring 3 hooks and then executes the code of the given leaktest.

Ghost

Author: Guillaume Kaddouch
Category: Parent Substitution, Race Conditions
Website: http://www.firewallleaktester.com/
Download: Ghost.zip

Ghost tries to confuse firewalls by shutting down its own process and restarting itself. The reason for this is to change its Process Identifier (PID) so that the firewall is not able to identify its new process correctly. Then, it sends the information via the default browser to the Internet server.

Jumper

Author: Guillaume Kaddouch
Category: DLL Injection, Launcher
Website: http://www.firewallleaktester.com/
Download: Jumper.zip

Jumper attemps to infect Windows Explorer with its own DLL. At first, it tries to modify the registry value AppInit_DLLs and then it terminates Windows Explorer. When the Windows Explorer is run again it loads DLLs specified in AppInit_DLLs to its process. Jumper's DLL running from the Windows Explorer process launches Internet Explorer and controls its behaviour to connect to the Internet server.

LeakTest

Author: Steve Gibson (Gibson Research Corporation)
Category: Substitution
Website: http://grc.com/lt/leaktest.htm
Download: LeakTest.zip

LeakTest is the oldest leak test program implemented to bypass stone-age firewalls that rely only on the name of the executable module when identifying applications.

OSfwbypass-demo (OSfwbypass)

Author: Debasis Mohanty (a.k.a. Tr0y)
Category: OLE Automation
Website: http://www.hackingspirits.com/
Download: OSfwbypass.zip

Using OLE automation, OSfwbypass tries to load HTML page with Javascript into Internet Explorer. Javascript simply redirects Internet Explorer to the Internet server.

pcAudit

Author: Internet Security Alliance
Category: DLL Injection
Website: -
Download: pcAudit.zip

pcAudit implements typical DLL injection technique. It tries to load library into trusted process to be able to establish the Internet connection without any alerts from the firewall.

pcAudit 6.3 (pcAudit2)

Author: Internet Security Alliance
Category: DLL Injection
Website: http://www.pcinternetpatrol.com/pcaudit/
Download: pcAudit2.zip

Like pcAudit, its newer version called pcAudit2 attempts to load its own DLL to other processes to bypass the protection of firewalls from the trusted process.

PCFlank

Author: PCFlank
Category: OLE Automation
Website: http://www.pcflank.com/
Download: PCFlank.zip

PCFlank attempts to control a running instance of Internet Explorer using OLE automation to transfer information to the Internet server.

Runner

Author: www.matousec.com
Category: Substitution
Website: http://www.matousec.com/
Download: Runner.zip (source code included)

The Runner finds the default browser's executable and renames it. Then it copies itself to the file of the original default browser's executable. It runs this copy, renames it, copies the original executable of the default browser back and then it tries to establish an Internet connection.

Firewalls that are not able to handle this trick either do not verify the integrity of the default browser, or their verification occurs when the privileged action is executed instead of the moment of the fake executable execution.

Surfer

Author: Jarkko Turkulainen
Category: DDE, Launcher
Website: -
Download: Surfer.zip (source code included)

Surfer creates a hidden desktop and runs Internet Explorer on it, then it uses Direct Data Exchange (DDE) to control its behaviour and transfer data to the Internet server.

Thermite

Author: Oliver Lavery
Category: Process Injection
Website: -
Download: Thermite.zip (source code included)

Thermite attempts to find a running instance of Internet Explorer, inject tiny infection code and create a remote thread in it. From the Internet Explorer process it then tries to establish socket connections and transfer information to the Internet server.

TooLeaky

Author: Bob Sundling
Category: Parent Substitution
Website: http://tooleaky.zensoft.com/
Download: TooLeaky.zip (source code included)

TooLeaky attempts to launch a hidden instance of Internet Explorer with the URL in the command line parameter. Personal data may be transfered in the URL to the Internet server.

WallBreaker

Author: Guillaume Kaddouch
Category: Parent Substitution
Website: http://www.firewallleaktester.com/
Download: Wallbreaker.zip

The WallBreaker contains 4 separate tests.

YALTA

Author: Soft4ever
Category: Default Rules, Own Protocol Driver
Website: http://www.soft4ever.com/security_test/En/
Download: YALTA.zip

YALTA attempts to send a UDP packet to a specific IP address and port. Some firewalls may not control connections to ports of specific services like DNS and trust the connections that use these ports.

ZAbypass

Author: Debasis Mohanty (a.k.a. Tr0y)
Category: DDE
Website: http://www.hackingspirits.com/
Download: ZAbypass.zip

ZAbypass was implemented to bypass old versions of ZoneAlarm PRO but it works against many other firewalls today. It uses Direct Data Exchange (DDE) to communicate with Internet Explorer and transfer data between its process and the Internet server. Back to contents