04-17-2004, 12:57 AM
|
#11 (permalink)
|
|
Senior Member
Join Date: Mar 2004
Posts: 400
|
Actually, if you read the security advisory, firewalls won't block it. It's a "feature" of IE for cross domain operation which is built in. Firewalls prevent stuff from coming in generally that you don't request. This stuff comes through a normal webpage, using regular W3C HTML tags (htmlinner and the like) and makes your computer do legitimate requests from within itself. Basically it operates everything as being in the "My Computer" domain, which basically gives full access to everything and its dog. Interesting thing is it can force your computer to run Java and ActiveX scripts even if you have them disabled because it essentially makes it like the local computer is requesting it to be run rather than the webpage. So not even firewalls will stop it.
And actually the whole reason I ran across this is because at work we suddenly ran into a problem with a rash of systems suddenly not running their login script. The Kix script box would pop up but just hang. We were trying to figure out what was doing it, and it turned out that somehow ad software was getting installed on these stations regardless of the fact that their Java, ActiveX and various "zones" were set to maximum restrictions and our firewall completely locked down except for the HTML and secure ports and those had limited access (banks require heavy filtering due to Federal regulations). Turned out this was how it was happening, and once we removed the software and made the registry change the problem went away. Gotta love the interweb....
|
|
|
04-17-2004, 06:30 AM
|
#12 (permalink)
|
|
Toot_Yes_Shower_No: Admin
Join Date: Mar 2004
Location: PA
Posts: 797
|
(banks require heavy filtering due to Federal regulations)
How do you guys handle rule17a4?
|
|
|
04-17-2004, 09:36 AM
|
#13 (permalink)
|
|
Senior Member
Join Date: Apr 2004
Location: South Florida
Posts: 331
|
Quote:
|
Originally Posted by Meltdown
It's a "feature" of IE for cross domain operation which is built in. Firewalls prevent stuff from coming in generally that you don't request.
|
That's true. If it's coming in through http traffic on port 80, you can't block it on the firewall or router without blocking all http traffic.
Quote:
|
Originally Posted by toetag
I know just about every trojan, malware, spyware, and monitoring software made and know this kind of crap.
|
You wouldn't happen to know what "i-stream" is would you? Someone was asking me the other day because their ZoneAlarm keeps popping up with the message that "i-stream is attemping to connect to the Internet". I've never heard of i-stream and wasn't able to find much on the Internet.
|
|
|
04-17-2004, 10:30 AM
|
#14 (permalink)
|
|
Toot_Yes_Shower_No: Admin
Join Date: Mar 2004
Location: PA
Posts: 797
|
I have read that it's written in the executable file itself. If you open the executable in a hex editor and have it display ASCII equivalents, you may see it in there somewhere.
And
http://www.bugnet.com/analysis/0203/sftakebackxp.html
Has a mention to it.
If I were to guess, it's embedded in ZAP to keep track of the license.
A lot of companies now have embedded programs to check in with a licensing server in order to keep piracy down some. It can even go as far as remotely disabling the software if it is outside of the licensing agreement.
The sucky part is that nobody knows what port it sends and even though you close all of your ports, it still gets thru because it sends the info over port 80 most of the time. Unless you are on a proxy or something port 80 is almost always open.
The I do not think he could search for the file name because it is embedded in the code of ZAP.
Last edited by toetag : 04-17-2004 at 10:50 AM.
|
|
|
04-17-2004, 12:00 PM
|
#15 (permalink)
|
|
Senior Member
Join Date: Mar 2004
Posts: 706
|
Quote:
|
Originally Posted by Meltdown
Actually, if you read the security advisory, firewalls won't block it. It's a "feature" of IE for cross domain operation which is built in. Firewalls prevent stuff from coming in generally that you don't request. This stuff comes through a normal webpage, using regular W3C HTML tags (htmlinner and the like) and makes your computer do legitimate requests from within itself. Basically it operates everything as being in the "My Computer" domain, which basically gives full access to everything and its dog. Interesting thing is it can force your computer to run Java and ActiveX scripts even if you have them disabled because it essentially makes it like the local computer is requesting it to be run rather than the webpage. So not even firewalls will stop it.
|
That's my point. Unless you know exactly what you are filtering and why, it's going to be more hassle than it's worth. Bring in a little basic security thought - i.e. 'why is this whole porn site free' or 'wow, why would someone spend so much money inventing an app that makes a girl dance on my screen for FREEE?'
Pay attention here:
Does this make you vulnerable? Maybe. Most spyware writers these days are using the above IE trickery - If I have you pull a file that replaces mplayer.exe, then trigger mms:// that then talks on port 80, or 53/udp, how will you ever know?
__________________
"Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching on magic pills and listening to repetitive electronic music."
-- Kristian Wilson, Nintendo, Inc. 1989
|
|
|
04-17-2004, 12:10 PM
|
#16 (permalink)
|
|
Senior Member
Join Date: Mar 2004
Posts: 400
|
Yup Packet, and again nothing a swift kick in the balls of the people that do it wouldn't fix....
And Toe I wouldn't know though I could check with that portion of network services, I'm in technical services which handles planning and integration, handles scripting, server installation/configuration/maintenance, email, etc. Network services handles the backups, laying of lines, telecomm equipment maintenance, and data center. I'll check Monday with the head manager over the data center and find out for you though.
Last edited by Meltdown : 04-17-2004 at 12:59 PM.
|
|
|
04-17-2004, 12:22 PM
|
#17 (permalink)
|
|
Senior Member
Join Date: Mar 2004
Posts: 706
|
I'd have to ask our 'MIS/IT' guys - Apparently my division doesn't cover workstations anymore - Just the nearest layer 3 device
We're just making a huge move on Macs - nice and secure
|
|
|