If you're going to get someone to run the mytrojan.exe file, why not just
have it add itself to the exception list for you?

I've said it a million times, and here is a million-and-one: When a
statement starts off with "If I get someone to run X on their system, I
can," then it doesn't matter how it ends.

t

On 3/24/06 2:34 AM, "edubp2002@xxxxxxxxxxx" <edubp2002@xxxxxxxxxxx> wrote:

> Windows XP firewall had improvements after SP2 and it displays alerts about
> programs trying to listen on a port (acting as a 'server') to the users. It
> doesn't display the path for the file nor the last extension, instead, it only
> displays its description or name without the final extension.
>
> if u place a trojan with 'no name' in some dir, windows firewall will
> mistakenly alert about a 'folder name\', this can be misused to trick people
> into giving access to a malicious application thinking it is a legitimate one.
> example below will make people think Internet Explorer is asking for access,
> when actually, it is not! :
>
> ==============example============================
> in a cmd prompt:
> copy mytrojan.exe "\program files\Internet Explorer\.exe"
> cd \program files\internet explorer
> start .exe
> =================================================
> An alert will show up saying 'Internet Explorer\' has been blocked and will
> ask if you want to unblock it when it should alert about '.exe'. This could trick
> most people into thinking the firewall alerted about a well known legitimate
> application.
>
> another issue with the firewall is using NTFS alternate data streams. if u
> execute a file that is 'forked' to another one, no alerts will show up, not at
> all, but I don't think this is a security issue since on the computers I tested
> I wasn't able to direct connect.
> example:
>
> ===============================================
> in a cmd prompt:
> type c:\mytrojan c:\windows\notepad.exe:mytrojan.exe
> start c:\windows\notepad.exe:mytrojan.exe
> ===============================================
> no alerts ;)
>
> ps: every exploit code or details about a vulnerability here in Securityfocus
> are not found.
> when you click in the exploit menu of any vulnerability and there is some kind
> of exploit code attached it will return an error such as 'the document you are
> looking for cannot be found' ... just like a broken link. and this issue is
> happening for some weeks. is this an error?... waiting feedback on this
> issue.
> cheers,
> Edu
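
A defender-side check for the two launch patterns described in the quoted post, as an added example that is not part of the original thread: it flags process image paths whose file name is empty before the extension (the case the alert would show as the folder name) and paths that run from an NTFS alternate data stream. The sample paths are constructed and the function names are hypothetical; feed it image paths from whatever process-creation logging you already collect.

```python
import ntpath

# Constructed sample image paths, standing in for process-creation log entries.
SAMPLE_IMAGES = [
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Program Files\Internet Explorer\.exe",
    r"C:\WINDOWS\notepad.exe:mytrojan.exe",
    r"C:\WINDOWS\system32\svchost.exe",
]


def classify_image(path):
    """Return a list of findings for one executable image path."""
    findings = []
    _drive, rest = ntpath.splitdrive(path)      # drop "C:" so its colon is ignored
    leaf = ntpath.basename(rest)                # last path component
    parent = ntpath.basename(ntpath.dirname(rest))

    # A colon left in the last component means host_file:stream_name (NTFS ADS).
    if ":" in leaf:
        host, _, stream = leaf.partition(":")
        findings.append(f"ads-stream host={host} stream={stream}")
        leaf = host

    # Strip only the final extension, the way the post says the alert does.
    # (ntpath.splitext treats ".exe" as a dotfile, so split by hand.)
    stem = leaf.rsplit(".", 1)[0] if "." in leaf else leaf
    if stem.strip() == "":
        # Nothing remains of the file name, so the prompt shows the folder.
        findings.append(f"empty-name shown-as={parent}\\")
    return findings


def scan(images):
    """Map each suspicious image path to its findings; clean paths are omitted."""
    results = {}
    for image in images:
        findings = classify_image(image)
        if findings:
            results[image] = findings
    return results


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_IMAGES).items():
        print(image, "->", "; ".join(findings))
```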