Spyware allows penetration beyond Zonealarm

Printable View

June 19th, 2004, 11:45 AM
pooh sun tzu

Spyware allows penetration beyond Zonealarm

It would seem that a certain form of spyware new to the scene is able to force zonealarm (free and pro) to accept it's outgoing connection. I have always spoken against using Zone Alarm due to not only it's limited ability without payment (or piracy, shame on you) but it's childishly simple ways of getting around the inbound filtersHere is yet another case in point.. While it is already in spybot, I wanted to bring this to the forfront attention because of how incredibly hard it is to get rid of, prevent, and detect.

Quote:

From spybot description notification
Product: ClientMan
Threat: Malware/Possibly spyware

Functionality
Unknown

Description
Unknown how it gets onto a computer, or what the exact damage it does is, but it is surely bad, as it automatically forces ZoneAlarm to accept it's connect, without giving the user a choice.

Quote:

From symatec
Spyware.ClientMan is a spyware application that submits various Internet usage information to a server, including email and instant messaging details. It also submits personal information, such as IP address, browser used, and user details retrieved from other installed applications on the system.

---------
For the sake of network security, get rid of zonealarm and migrate to different firewall. I personally recommend kerio because of the amount of indepth functionality it has (and a built in IDS, come on.. beat that) while others recommend symatec.

More information on the spyware:
http://www.doxdesk.com/parasite/ClientMan.html
http://securityresponse.symantec.com...clientman.html
http://www.pestpatrol.com/PestInfo/c/clientman.asp
http://www.spysweeper.com/removing-clientman.html
June 19th, 2004, 12:38 PM
TidaLphasE23

pooh sun tzu, I am using Norton Internet Security Professional 2004 and
Sygate Personal Firewall. Do you think that this is adequate protection from
this threat? Does it only affect Zonealarm? What signs/ traces does this leave
behind to determine if you have been affected?

Thanks TidaL.....
June 19th, 2004, 12:46 PM
pooh sun tzu

I've seen many reports across google of it being allowed past the Norton Firewall, but sygate seems to pick up on the threat and notify you. Sygate should be safe, but keep an eye on that Norton program, lest it get infected.

To see what files to keep an eye out for, read the links provided above :)
June 19th, 2004, 03:00 PM
valhallen

pooh sun tzu : bowing down to your more complete knowledge of this area than me ;) would you recomned that I migrate then from using Outpost (free edition) to the same free personnal edition of kerio?

v_Ln
June 19th, 2004, 03:08 PM
pooh sun tzu

Quote:

bowing down to your more complete knowledge of this area than me

That is incorrect. And the first peice of advice I can give is for you to never do that again. I am like you, still learning and will continue learning. I am like everyone else here, a student. I value your insight and advice as much as the next person, so I ask you to please never put yourself below anyone here :)

On other news, I say give kerio free edition a shot. It may seem difficult to use at first but it's like the difference between windows and linux. Just a different way of thinking about it. If you end up enjoying it and finding that extra power/control to your liking, then so be it. If not, you will at least have experienced a new firewall.
June 19th, 2004, 03:41 PM
Spyder32

I just recently downloaded Outpost Agnitium and so far I'm pretty impressed. A wee bit different than most firewall's to me and it sorta puzzled me at first, but it's working quite well.
June 19th, 2004, 04:47 PM
moxnix

I have or am in the process of trying most all of the free firewalls. Of the ones I have tried, I believe that kerio is the best so far, although I am just starting to try out the outpost one, and it seems (so far) to be a very good one.
I think that the IDS function of kerio does give it a slight edge though.
June 19th, 2004, 05:03 PM
Soda_Popinsky

I am currently using NIS because it came with a free subsciption with my mobo. When it comes to free firewalls, kerio is outstanding. Although I am 0/2 with successful installations of it. Both times Kerio interfered with more than it should have. It gave me horrible program startup problems on a ME and XP machine, even when it was disabled. But when it would work, everything about kerio's configurability rocked, and I wish I could use it.

Does IPtables exist for windows?
June 19th, 2004, 05:07 PM
valhallen

Quote:

That is incorrect. And the first peice of advice I can give is for you to never do that again. I am like you, still learning and will continue learning. I am like everyone else here, a student. I value your insight and advice as much as the next person, so I ask you to please never put yourself below anyone here

am not putting myself below anyone - just saying that you have more experience in this area than me - which i feel to be quite accurate....now if we were taling webdesign (esp flash) things may be different - i think anyways ;)

v_Ln
June 19th, 2004, 05:23 PM
Negative

I have Outpost Pro installed on my laptop, and Kerio on our desktop.
The problem with Outpost (although it's not really a problem) is that the free version is still at Version 1.0. while the Pro version is at Version 2.1. I've been using Outpost since the very first beta was released, and it's always been my choice since then. The free version is limited, and if you really want to compare Kerio with Outpost, you should compare both the paying versions.
Comparing the fully-functional version of Kerio (Kerio is fully functional for the first 30 days, after that you'll loose the content filtering capabilites) with Outpost Free version isn't really fair :)
Note that the Pro version of Outpost is free for 30 days as well.

BTW: Agnitum is making the same unfair comparison by comparing their Pro version to the Kerio personal (limited) version here. It's still a good chart, though.
June 19th, 2004, 11:14 PM
pooh sun tzu

Quote:

BTW: Agnitum is making the same unfair comparison by comparing their Pro version to the Kerio personal (limited) version here. It's still a good chart, though.

Agreed, but I do think Kerio holds it's own even against the Pro one in quite a few areas :) Now, with both purchased and full version of the software, I'm sure they would stand toe to toe if not beyond (in kerio's name). I may just be biased though.

edit:

Let me also say how much I hate firewalls that preform web filtering, popup blocking, active x fixing, and other non-firewall related things. I enjoy having a firewall without it taking the incoming HTML (which slows it down) and recoding it (view the source, especially on zone alarm, it comments changes) to remove things. If I want to get rid of ads I will use the appropriate browser rather than extend the firewall to more aspects (thus a higher memory footprint) in terms of bloat and more features to find exploitable (ie zone alarm and older sygates for html ad parsing)
June 20th, 2004, 03:46 AM
Soda_Popinsky

PST-

If I remember correctly, kerio comments changes as well? It's either that or sygate, but I'm pretty sure kerio does it.

Another thing- to get by the ZA firewall, does it exploit the software? You say there are reports of it getting past the NIS firewall as well. Would this be a specific attack by the adware against ZA and NIS, or a technique in general that allows it to slip past all software firewalls?

It sounds like the mythical jpeg virus that infects all picture viewers, which is "impossible". It would have to cater to all forms of software that open it, making it unrealistic. Does this spyware target ZA, and possibly NIS, or use a method that sneaks past the concept of a firewall?
June 20th, 2004, 04:45 AM
pooh sun tzu

Quote:

If I remember correctly, kerio comments changes as well? It's either that or sygate, but I'm pretty sure kerio does it.

Not kerio, because kerio doesn't filter or touch incoming HTML data since it doesn't bother with pop up or ad blocking (thankfully)

Quote:

Another thing- to get by the ZA firewall, does it exploit the software? You say there are reports of it getting past the NIS firewall as well. Would this be a specific attack by the adware against ZA and NIS, or a technique in general that allows it to slip past all software firewalls?

Using API call checking (AFAIK) it knows when the designated popup window for ZA and NIS comes up to ask for permission of the software to connect to the internet. Upon seeing that it is up, it clicks the button and changes so quickly the user hardly notices.

source:

Quote:

from http://www.spywareguide.com/product_show.php?id=517
First reported as suspicious, it became clear soon that it will pass the ZoneAlarm firewall without user consent. When it tries to connect to the Internet, and ZoneAlarm displays it's dialog whether the program should be allowed to connect or not, ClientMan will auto-click the 'Yes' button after checking the 'Always' checkbox. This way, it grants itself Internet Access without the user even noticing more than a short flash of the ZA dialog.

It bypasses norton is a similar manner, by automagically allowing itself to the "allow list" by directly editing the list. (source- http://www.spysweeper.com/removing-clientman.html)

For an even more indepth article on this particular peice of spyware:
http://www.pestpatrol.com/PestInfo/c/clientman.asp

Quote:

It sounds like the mythical jpeg virus that infects all picture viewers, which is "impossible". It would have to cater to all forms of software that open it, making it unrealistic. Does this spyware target ZA, and possibly NIS, or use a method that sneaks past the concept of a firewall?

Just like how debuggers of C and C++ use window tools to gather than names of loaded windows along with currently loaded strings, the creator of this must have done the same. By gather the window names according to the program as well as the proper strings, they could detect when those "allow program outbound, and remember" popups occured from the firewalls. That's ZA specific, but the way it got around NIS was by merely adding itself to the list which was vunerable to direct manipulation. No myth here :( It can't breach sygate or kerio AFAIK
June 20th, 2004, 05:00 AM
Soda_Popinsky

I'm about to look for the allow list that clientman edits in NIS. I have NIS password protected, and I have always expected that it would encrypt the allow list somehow with it. If it doesn't, then I see no point to passwording my firewall or AV if all it takes is a text edit to manipulate it.

Sygate and Kerio have window program alerts AFAIK, I don't see why the next generation clientman will manipulate them too. A quick fix would be to password protect the windows (password required) and pass encrypt the files the blocks are stored in.
June 20th, 2004, 05:14 AM
pooh sun tzu

Quote:

Sygate and Kerio have window program alerts AFAIK

They do, but either have not been targeted yet or there is something in the way they were coded as to not allow a hijack attempt. The exact method of hijacking is of course just speculation, as the programming of the spyware certainly isn't willing to talk.

edit In your post above mine you said "comments" and I wonder if you meant commits? kerio doesn't do HTML comments because it does not filter html. but it does have the ability to commit files to the allow list, if that is what you meant?