Firewall Leak Test Techniques

Master Head

Will my security software prevent my confidential data from being transmitted to a hacker?

Will my security software stop a virus from corrupting or destroying my important documents?

TEST YOUR SECURITY SOFTWARE & find an answer to these questions right here. Learn more.

Let your voice be heard!!

Test your security software and publish your results on this website.

By purposeful design, leak test programs are coded to conceal their simulated malicious activities so that they bypass your security software. This page is a short overview of the main techniques used by these tests (and the malware they simulate) to avoid detection and make an outbound connection.

Unhooking

Firewalls commonly use hooks to implement their protection mechanisms. There are two major types of hooks - kernel mode hooks and user mode hooks. If the self-protection mechanisms are not implemented well by the Firewall it may be possible to unhook its hooks. As a result, some or all protection mechanisms of the firewall may be disabled.

Leak Tests that emulate this technique: FPR

Substitution

This technique tries to present itself as a trusted application by renaming itself to a commonly known, safe application such as iexplore.exe. As a result, firewalls that do not verify application signatures fail to detect such attempts.

Leak Tests that emulate this technique: LeakTest 1.2

Launching (Parent Substitution)

With this technique, a program launches a trusted program by modifying its startup parameters such as command line parameters, to access the Internet. This type of penetration bypasses firewalls that do not apply parent process checking before granting internet access.

Leak Tests that emulate this technique: Tooleaky, FireHole, WallBreaker, Ghost, Surfer, Jumper, CPIL, CPIL Suite Tests 2 and 3

DLL Injection

One of the most commonly used techniques by Trojans, this method tries to load a DLL file into the process space of a trusted application. When a DLL is loaded into a trusted process, it acts as part of that process and consequently gains the same access rights from the firewall as the trusted process itself. Firewalls that do not have an application component monitoring feature fail to detect such attacks.

Leak Tests that emulate this technique: PCAudit, FireHole, PCAudit 2, Jumper, CPIL Suite Test 3

Process Injection

This technique is the most advanced and difficult to detect. In fact, many personal firewalls still fail to detect and prevent process injection although it is used by Trojans in the wild. Process injection attacks work by having the attacker program injects its code into the process space of a trusted application and become a part of it. No DLL or similar component is loaded.

Leak Tests that emulate this technique: Thermite, CopyCat, CPIL

Default Rules

Certain firewalls try to allow full access internet access rights to specific traffic considered vital to normal operation such as DHCP, DNS and netbios. Blind allowance may cause malicious programs to exploit these rules and gain access to the Internet.

Leak Tests that emulate this technique: Yalta

Race Conditions

When filtering Internet access requests from an application, firewalls need the process identifier (pid) of the process to perform internal calculations. Attacker programs may try to exploit this fact by changing their process identifiers before the firewall detects them. A robust firewall should detect such attempts and behave accordingly.

Leak Tests that emulate this technique: Ghost

Own Protocol Driver

All network traffic in the Windows operating systems is generated by the TCP/IP protocol driver and its services. Some Trojans can make use of their own protocol drivers to bypass the packet filtering mechanism provided by firewalls.

Leak Tests that emulate this technique: Outbound, Yalta

Recursive Requests

Some system services provide interfaces to applications for common networking operations such as DNS, Netbios, etc. Since using these interfaces is a legitimate behavior, a Trojan can exploit such opportunities to connect to the Internet.

Leak Tests that emulate this technique: DNSTester, BITSTester

Windows Messages

The Windows operating system provides inter process communication mechanisms through window handles. By specially creating a window message, a Trojan can manipulate an application's behavior and connect to the Internet.

Leak Tests that emulate this technique: ZAbypass

OLE Automation

The Windows operating system also provides an inter process communication mechanism through COM interfaces. By using a COM interface hosted by a server application, a Trojan can hijack the application to connect to the Internet.

Leak Tests that emulate this technique: PCFlank, Osfwbypass

Credits for this section: The broad format used to identify 'Leak Tests that emulate this technique' is inspired by that used at http://www.firewallleaktester.com/malwares.htm . The naming convention for all leak test techniques, apart from 'Unhooking', is that used on Firewall Leak Tester (http://www.firewallleaktester.com/categories.htm). Credit for 'Unhooking' as a name; for development as a leak-testing technique and the named 'Leak Tests that emulate this technique' goes to Matousec. Transparent Security. (www.matousec.com)

How well protected is your PC?

Test My PC Security has a wide range of downloadable firewall leak and HIPS tests so you can find out just how good your security software is.

Download All Tests (zip file)          See the full list of tests