Using Firewalls As Weapons

[herme3]

Within the past year, my computers have been attacked by multiple viruses and trojans that appear to hijack my ZoneAlarm Pro firewall and us it as a weapon against my computer. They all seem to break into my computer and download themselves, they don't appear to come from any web sites or e-mails I access. The firewall's main control panel application will not work, but the core application will be running and active. The core will start protecting the virus, and performing other functions for the virus.

 

When you think about it, it makes sense why the creators of viruses might do this. ZoneAlarm Pro's core application is very difficult to terminate. If you try to terminate it using the Windows task manager or similar programs, you will get an "Access Denied" error message. The firewall also has the capability of blocking Internet access to any program except for the virus. Therefore, it will be impossible to access the Internet and download a patch, but the virus will still be trying to send itself to other computers. The firewall's core also seems to have a lot of other power, such as locking access to certain files on your computer.

 

The question is, why are the firewalls so easy to hijack? ZoneLabs is always releasing security updates for their products, but wouldn't the ability to hijack the program be one hole somewhere? I don't know anything about ZoneAlarm Pro's programming, but wouldn't it be fairly simple to find this hole and patch it so only the firewall's control panel will have access to the core application?

 

I've e-mailed ZoneLabs about this, and they informed me that it was my AntiVirus program's responsibility to prevent this, not theirs. They said the firewall is designed to protect against hackers, not viruses and trojans. I have Symantec AntiVirus, and I have its automatic updates feature enabled. I'm not really sure what else I can do.

[Cap'n Refsmmat]

Within the past year, my computers have been attacked by multiple viruses and trojans that appear to hijack my ZoneAlarm Pro firewall and us it as a weapon against my computer. They all seem to break into my computer and download themselves, they don't appear to come from any web sites or e-mails I access. The firewall's main control panel application will not work, but the core application will be running and active. The core will start protecting the virus, and performing other functions for the virus.

I'd caution you against saying they "download themselves." It is very likely it comes from websites exploiting Internet Explorer, or perhaps one virus that has been dormant on your computer and has not been completely removed yet.

 

The question is, why are the firewalls so easy to hijack? ZoneLabs is always releasing security updates for their products, but wouldn't the ability to hijack the program be one hole somewhere? I don't know anything about ZoneAlarm Pro's programming, but wouldn't it be fairly simple to find this hole and patch it so only the firewall's control panel will have access to the core application?

I've had a Norton installation completely destroyed, and I still haven't figured out what caused the problem.

 

I've e-mailed ZoneLabs about this, and they informed me that it was my AntiVirus program's responsibility to prevent this, not theirs. They said the firewall is designed to protect against hackers, not viruses and trojans. I have Symantec AntiVirus, and I have its automatic updates feature enabled. I'm not really sure what else I can do.

ZoneLabs is right. You need to restart in safe mode and run a complete scan for viruses, set on the deepest, most thorough mode Symantec will do. Hopefully you'll get whatever is hijacking Zone Alarm.

[encipher]

Ok, first off, symantec products aren't all that good. If you want a real good anti-virus, go with Kaspersky. Secondly, it sounds like the trojan hooked into the windows LSP chain and has debug privleges. What I would do is boot into safe mode, load the services (start -> run, then type "services.msc") and disable all services you don't recognize. Then you need to remove the application from the LSP chain. How you do that is up to you. I would also kill the executable and delete it at this point (or send it to me and i can take a look at it). If you still cant kill it.. i would boot up a windows installation CD and choose repair mode. You will get a command prompt (After selecting that option) rename the exe and restart your pc.. and boot it up. I'd suggest you try some good anti-spyware / adware programs like Spybot Search & Destroy. Before you do any of this make sure you are completely aware of what you are doing sine messing with LSP chains can seriously mess up your system. Same goes with services. Good luck!

 

Edit: Oh, and about why firewalls are so easy to hijack. Software based firewalls are fairly easy to, thats because once you get the trojan / virus onto your comptuer and its running on ring 0 / kernel level.. it has control over everything and can "take over" (system wide API hooks) anything it wants to. It's fairly common in the more advanced viruses and trojans these days. You have Microsoft to thank for this, windows is very unsecure. Oh and if you use internet explorer, stop and switch over to Firefox or Opera, even if you dont like either one of them. This is because IE is intergrated into the windows shell, which in itself is a VERY BIG security issue. (this is aside from the fact that IE is loaded with bugs and security holes). I'm not saying that firefox or Opera are bug free, they arent.. but there are much more secure than IE will ever be.

[Dak]

Have you got haxdoor again herme?

 

It's not so much that firewalls are so easy to tinker with as -- in the case of haxdoor, your previouse two infections -- that haxdoor is a very well constructed piece of shit.

 

hmm... haxdoor can infect either IE or the windows explorer-shell (forget which), and i remember that you dropped out of the thread on the first instance that you had haxdoor before it was certain, to my mind, that you had completely cleared it from your pc.

 

If it's the same pc, i'd have to condier the possibility that you've had haxdoor once, and it's never been properly shifted.

 

for the record: symantec are amongst the best AVs in lab tests. The reason they're oftern slated is cos of their high resorse profile.

 

And herme: Do not delete anything from your LSP stack as encypher suggested without also modifying the stack in the registry, otherwise you will not be able to access the internet.

 

I've never had to do it, but i hear that fixing the registry entries for the winsock LSP is very difficult.

 

ZoneLabs is right. You need to restart in safe mode and run a complete scan for viruses, set on the deepest, most thorough mode Symantec will do. Hopefully you'll get whatever is hijacking Zone Alarm.

 

If it's haxdoor -- which seems to be herme's favorite -- it wont, 'cos haxdoor hides itself with a root-kit.

[concrete_hed]

Another way to check if any unwanted programs are executed on startup is to check the registry folder HKEY_Local_Machine (or HKEY_CURRENT_USER)\Microsoft\Windows\Current Version\Run. If you see any programs you shouldnt see then i sugest you remove the key. Playing with the registry can be dangerous if you dont know what your doing but no matter what you delete in the RUN folder it wont screw up your computer, the worst thing that could happen is your sound card or graphics card drivers wont load up, if you delete something, write it down so you can restore it if needed. Also check the startup folder in the startmenu for programs also

[olifhar]

Another way to check if any unwanted programs are executed on startup is to check the registry folder HKEY_Local_Machine (or HKEY_CURRENT_USER)\Microsoft\Windows\Current Version\Run. If you see any programs you shouldnt see then i sugest you remove the key. Playing with the registry can be dangerous if you dont know what your doing but no matter what you delete in the RUN folder it wont screw up your computer, the worst thing that could happen is your sound card or grlook aphics card drivers wont load up, if you delete something, write it down so you can restore it if needed. Also check the startup folder in the startmenu for programs also

 

I think the "Advanced" mode of SpyBot S&D allows you to see that part of the registry as a checklist, and thus removing the unwanted programs is as simple as deselecting the line in the list (unchecking the box.)

[herme3]

Ok, I've looked at my computer more and it doesn't appear to be Haxdoor. Unlike what I thought, it doesn't appear that my firewall has been hijacked again. I don't seem to have a virus or trojan that I can find.

 

I found out that many of my system services were disabled. This included many of the Windows services required to connect to the Internet, and also my firewall. I started all of the services that were supposed to be running, and my computer started working normally again. I ran several Anti-Virus and Anti-Spyware programs, and none of them could find anything.

 

I also looked through my running processes and the system folders on my hard drive. Unlike when my computer was infected with other viruses, I couldn't find anything that looked unusual. None of the Windows files had been modified recently.

 

Now, my computer will start normally but I will get an error message that says "Generic Host Process" crashed. My start menu and the top title bars on each window will look different. It almost looks like I'm using the Windows classic theme, when I actually have the Windows XP theme enabled. Does anyone have any suggestions?

[Klaynos]

The only way to make a system secure after it has been infected, is to reformat and reinstall, I have stated this opinion before, and feel this is a good time to state it again... BTW that could just mean that you've got a clever virus this time that knows how to hide itself...

[herme3]

The only way to make a system secure after it has been infected, is to reformat and reinstall, I have stated this opinion before, and feel this is a good time to state it again...

 

I never reformatted my other computer when it was infected with Haxdoor, and I haven't had any problems with it.

 

BTW that could just mean that you've got a clever virus this time that knows how to hide itself...

 

Yes, but even Haxdoor was visible when I enabled all the hidden files and looked in the System32 folder. How can I find this new virus if it does exist?

[Klaynos]

I never reformatted my other computer when it was infected with Haxdoor' date=' and I haven't had any problems with it.

[/quote']

 

In my mind that is not a trusted box anymore...

 

Yes' date=' but even Haxdoor was visible when I enabled all the hidden files and looked in the System32 folder. How can I find this new virus if it does exist?

[/quote']

 

tbh, I don't know. It was just speculation...

[ydoaPs]

herme3, try this.

[Cap'n Refsmmat]

YDOAPS, this thread is for helping him fix his current problem, not advertising your favorite Linux distribution.

[ydoaPs]

Doesn't it fix his current problem?

[Cap'n Refsmmat]

No, it just bypasses it.

[herme3]

Doesn't it fix his current problem?

 

No, it just creates more problems. I already have another version of Linux that I sometimes use, but I need Windows XP for this computer. I created a program that I need for my online advertising, and it won't install on Linux.

 

Try downloading my program at http://www.surftabs.com and tell me how I can make it work with Linux.

[Cap'n Refsmmat]

What language is SurfTabs written in? If it's .NET, Mono should let you run it on Linux.

[1veedo]

I'd format the hard drive. Just back up anying you want before hand.

 

Your case just sounds like windows has been crapping out for a while. It's always like this, and we dont ask questions. Like the sun and the tides: reboots and formats.

 

The more you add to Windows and the longer you use it, the worse it gets. There's probably no viruses or anythign of that sort. Windows is just stupid like that. It goes through a similar cycle when you freshly boot. Windows just gets slower and slower and slower until finally it crashes. After you reboot things run a lot faster.

 

My windows computer gets formated about once every 3 months cause it gets all slow. I even have a list of apps I install every time. You never realize how slow it gets until you have a clean install again.

 

 

Too bad you couldn't like freeze your computer in a purpetual state. That way when things get slow and crappy, like what's happening with herme3, you'd just have to reboot into a nice shinny Windows. Tto save Windows from it's own stupid self, a special folder could be mounted w/ the equivilent of unionfs to C:/. Eevery time you reboot it would get removed. Of course you'd have a folder that the user has write access to so you could save documents and the like.

 

I dont know, maybe even make a special user that had write access to the disk. That way if you felt like installing a program, you'd just sudo as that user and modify the system.

[herme3]

What language is SurfTabs written in? If it's .NET, Mono should let you run it on Linux.

 

Yes, I think it is written in .NET because I created it with VisualStudio. What is Mono?

 

Your case just sounds like windows has been crapping out for a while. It's always like this' date=' and we dont ask questions. Like the sun and the tides: reboots and formats.

 

The more you add to Windows and the longer you use it, the worse it gets. There's probably no viruses or anythign of that sort. Windows is just stupid like that. It goes through a similar cycle when you freshly boot. Windows just gets slower and slower and slower until finally it crashes. After you reboot things run a lot faster.

 

My windows computer gets formated about once every 3 months cause it gets all slow. I even have a list of apps I install every time. You never realize how slow it gets until you have a clean install again.[/quote']

 

This is something that just started happening. It was working fine, then suddenly half of the services started getting disabled each time I start my computer.

 

I have noticed that Windows gets slower when you don't reformat after a while. However, I heard that Windows XP can only be installed about 5 times then it won't let you install it again. Is this true?

[Cap'n Refsmmat]

Yes, I think it is written in .NET because I created it with VisualStudio. What is Mono?

It's an implementation of .NET for Linux. With a few changes (if any) to your program, it would work easily on Linux.

[Klaynos]

herme3, does your prog require the IE rendering engine?

[herme3]

herme3, does your prog require the IE rendering engine?

 

Yes, that is another reason why I think the program will require Linux. However, it only requires the rendering engine, not the iexplore.exe file. In fact, my program will delete iexplore.exe while my program is running. When you close my program, it will copy iexplore.exe back to your computer. I discovered that deleting iexplore.exe will block pop-ups better than any pop-up blocker, and it also solves some other security issues.

[Dak]

The only way to make a system secure after it has been infected, is to reformat and reinstall, I have stated this opinion before, and feel this is a good time to state it again... BTW that could just mean that you've got a clever virus this time that knows how to hide itself...

 

I dont see the point in most cases. It's easy enough to unregister and delete a BHO or a toolbar, which accounts for a large percentage of infections. Even viruses, worms, and trojans aren't that difficult to be pretty sure that you've gotton rid of, unless they're particularly bitching/new.

 

Although: if this is a busness PC, that kinda changes things.