[60608] in North American Network Operators' Group
Re: Microsoft to ship new versions with firewall enabled
daemon@ATHENA.MIT.EDU (Omachonu Ogali)
Thu Aug 14 15:40:51 2003
Date: Thu, 14 Aug 2003 15:41:29 -0400
From: Omachonu Ogali <nanog@missnglnk.com>
To: Richard Cox <Richard@mandarin.com>
Cc: nanog@merit.edu
In-Reply-To: <20030814172555.0879.RICHARD@mandarin.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Thu, Aug 14, 2003 at 05:37:44PM +0100, Richard Cox wrote:
> What I do like in the latest release of Zone Alarm Pro is that it will
> stop ANY program from connecting outbound on Port 25 unless that program
> has been specifically authorised to send mail. It was quite informative
> to see which programs were trying to mail information back to their base!
Zone Alarm Pro is very stupid as well. When a machine makes an outbound
connection attempt, yes, you'll see a dialog that pops up asking you
whether to allow that SINGLE connection or not, I guess this is what
you mean...
BUT on every single occasion I get that dialog box, it's telling me
that the program is trying to access my ISP's DNS servers, which is
correct, I click yes to allow that SINGLE connection, and it lets
the program go ahead and connect to port 22 (putty is the application
in this instance), instead of asking me about port 22 next.
Reasons why this is bad?
A) Semi-savvy user sees 'DNS' and their ISP's nameservers and clicks
yes not knowing it's a trojan trying to resolve the hostname for
trojan base.
B) Trojanned program operates semi-normally, makes the initial
connection to the proper host, you ok it with ZoneAlarm because it
looks legit, but ZoneAlarm goes ahead and lets the program connect
to whatever it wants after the inital OK, (example scenario: buffer
overflow), so the trojan connections are concealed.
C) It's bothersome. Ask the user every time they fire up the program
whether they want to let it connect to something, and they're going
to click the "please don't ask me about this crappy program ever
again" checkbox, and be done with it, again, concealing trojan
connections in the event the program gets modified later down the
road.
