Slashdot Mirror


Zone Alarm Vs 180 Solutions: Zango hooks?

Sub-Seven writes "Found at Vitalsecurity.org, they detail how a Microsoft MVP pulled the Zango file to pieces, and discovered some interesting facts about exactly what a "simple" fun and games application does to a machine that it's running on. Hooking into Windows OneCare and Microsoft Antispyware? What's that all about?"

18 of 166 comments

  1. First Time I've ever seen that... by dtolman · · Score: 4, Informative

    Is it just me, or has the friggin Slashdot summary got more information than the linked article?

    That's gotta be a first...

    1. Re:First Time I've ever seen that... by Bob_Villa · · Score: 5, Informative

      On the blog, just click the link that says "Very thorough runthrough", which links to the following url: http://mvps.org/winhelp2002/temp/zango.htm

      I think this link is actually pretty good. I agree, the blog wasn't the most clear.

  2. Removing spyware in applications by dada21 · · Score: 4, Informative

    It wouldn't surprise me if 30% of my IT company's income came from user stupidity combined with software such as the XCP, spywared games, and other fun entertainment products. Yet this is just the market at work. Loopholes are found, usually because of click-through-licensing. Companies will always attempt to build their markets and consumers will always find the bad seeds.

    It is very important to realize that as long as end users continue to install these programs, marketing companies will feed their needs. You could argue for laws against these backdoor programs, but it wouldn't solve anything and in fact might make the problem worse as companies find sneakier ways to get into your desktop.

    The only way to make a smart consumer is to inform them of the bad things. This means getting the word out, telling others to be careful, and even offering training for groups. My company makes a good profit on spyware, but we offer completely free training days for companies that want to save money by training their employees in safe web browsing. I don't think the answer is "Install Linux and Firefox and the problem will go away!" If Linux/Firefox occupied 90% of desktops, the marketing companies would find a way to take advantage of that platform.

    Smart users are informed users are users who won't continue making the same mistakes. Finding band-aids through legislation or discrete installation of anti-spyware software isn't going to solve the problem.

    As a sidenote -- the reason for training my customers in smart browsing techniques is a selfish one. As we reduce a company's cost of doing business, our referral rate skyrockets. The less we work/bill, the more work we have to bill. If you're a consultant and you're not seeing a decent increase in your customer base every year, you're not doing a good enough job. There is more work in the U.S. than is being tapped, and it is usually because companies aren't seeing things getting better.

  3. Re:Software firewalls?! by Anonymous Coward · · Score: 2, Informative

    That's a pretty arrogant statement. Software firewalls have a legit use in controlling internet access at the application level regardless of what ports the application uses.

    Just because you don't have a use for them doesn't mean they don't serve a purpose.

  4. Re:Software firewalls?! by sirwired · · Score: 4, Informative

    Um...not sure what's going on here...but I think software firewalls have to be one of the silliest 'security products' out there. I still can't believe cable companies don't distribute modem/routers to users and remotely configure them to block the commonly exploited ports and protocols.

    Errr... because quality software firewalls (like ZoneAlarm) and home hardware firewalls/routers protect against two entirely different problems?

    Home Routers/Firewalls protect your machine against INBOUND, unsolicited connection requests. This makes you immune to attempts to exploit server-type services, like file-sharing, IIS holes, etc. This lets me run VNC, Apache, whatever on my home machine and not have to worry about keeping patches up to date (or even setting a password, for that matter.)

    Software firewalls protect you against OUTBOUND connections you did not authorize. Port-blocking does nothing to stop this because a nefarious software vendor can't be stopped from sending an outbound request on port 80 by an external firewall.

    I can't count how many programs (even legit ones) that shouldn't be talking to the internet keep requesting outbound connections. (This is all caught by ZoneAlarm.)

    SirWired

  5. related info by rd4tech · · Score: 3, Informative
  6. Why the blog? by imroy · · Score: 4, Informative

    Why link to some guy's blog with inane comments, when you can link to the page he refers to? Lots more information there.

    What is it with blog pages that link to another blog, which links to another blog, and so on? If this is how things are done in the blogosphere, then my already low opinion of bloggers just slipped a little. Just provide a link to the original f**king information!</rant>

  7. Here is the background by bytemonger · · Score: 3, Informative

    Hi, I think this text sheds some light: http://blog.180solutions.com/PermaLink,guid,5795b85d-feea-4656-93e1-d788a01f760a.aspx Poor people @180solutions that suddenly found their spy-ware being detected by Zone-lab's Zonealarm. Zonealarm is obviously a great piece of software. So when 180Solutions became aware of this, they saw their business-model go the way of the dinosaurs.

  8. What's the hook being used for? by kawika · · Score: 5, Informative

    180 is suing ZoneLabs for a very specific and narrow statement as far as I can tell. ZoneLabs says 180 is monitoring key and mouse info, 180 says it is not.
    The analysis linked from TFA explains that he found evidence of setting a windows hook. The question is, does Zango use that hook to collect mouse and key info, even for a short time, or are they using the hook for other purposes? What would those purposes be?

  9. Nothing wrong with software firewalls... by StupidKatz · · Score: 3, Informative

    [...] unless you can figure out a way to block ports on my modem.

    Done and done. Other types of "dial-up routers" exist, but this is the one I re-found first. Again, nothing wrong with software firewalls, as I like knowing when programs try to use the network, but they aren't a magic bullet.

  10. Re:Software firewalls?! by 99BottlesOfBeerInMyF · · Score: 2, Informative

    I can't count how many programs (even legit ones) that shouldn't be talking to the internet keep requesting outbound connections. (This is all caught by ZoneAlarm.)

    For OS X users, try Little Snitch (http://www.obdev.at/products/littlesnitch/index.html) for the same functionality. Some of the outbound connections Adobe software attempts to make (weird out of country IP addresses) are scary.

  11. Re:Oh my - A Microsoft MVP! by Westley · · Score: 2, Informative

    Um, you certainly don't need to give pro-Microsoft answers to become an MVP. I've given plenty of answers berating .NET or Visual Studio in comparison with Java or Eclipse (where appropriate) but have still been awarded as a C# MVP three times.

    You're right that it's a participation award, however - it's definitely people who are helpful to the community rather than *necessarily* the brightest stars. You don't necessarily have to be a genius to help a lot of people. That doesn't mean there aren't plenty of extremely bright people in the programme though.

  12. Are you kidding? by FatSean · · Score: 2, Informative

    Software Firewalls are useless! I can configure my cheap-ass 5 year old netgear router/hub to deny outgoing connections on specific ports just as I can control incoming.

    If your PC is compromised enough that you have un-wanted programs sending data to third parties...you've got much bigger problems. If that malicious code is already running on your machine, your 'software firewall' is just as vulnerable as any other program.

    --
    Blar.
  13. Re:Software firewalls?! by harrkev · · Score: 3, Informative

    You are picking nits...

    A NAT box does indeed protect from incoming connections (provided that you do not use DMZ and port forwarding). This may indeed be considered to be a side-effect, but that does not mean that it does not work. How well these routers work for gaming is another matter entirely. And as far as gaming goes, I am certainly not an expert as I am not into on-line games, but each game should specify which ports it uses so that you can open those ports in your NAT box. Having to use DMZ for a game is silly and dangerous.

    What the GP post said is correct. Software firewalls offer outbound protections. You are right that their first purpose is to protect from inbound threats, but if you have a NAT, you have NO inbound threats (except perhaps for those ports used for games when your game software is not running). Filtering outbound connections is the only reason that I use a software firewall. In fact, my software firewall has NEVER had to block an incoming connection since I built my present computer over a year ago, thanks to my NAT box.

    --
    "-1 Troll" is apparently the same as "-1 I disagree with you."
  14. Re:It's not just you by Pollardito · · Score: 2, Informative
    just to show that it wasn't a one-time thing, here's a quote from his entry describing his blog :
    If you want a full on, voice of God raging from a thunderstorm malware apocalypse complete with stupid pictures, pressure cranked up to 11 and the now obligatory sound and vision link, keep it tuned to Vitalsecurity.org.
  15. Re:It's not just you by ergo98 · · Score: 2, Informative

    The shot about MVPs is unwarranted, in my opinion.

    I didn't intend to make a shot at MVPs (and I'm sure there are a lot of kick-ass, very talented people with the designation. Usually it's one of their many designations). All I was doing was questioning whether it really gives any additional weight to the submission (most of the people who are linked have a BSc - how many times do submissions say "BSc holder John Topley says that...". A BSc is a much greater accomplishment than a MVP).

    There are any number of accomplishments that people in this field have achieved, but unless they are pertinent they really don't usually get mentioned in a Slashdot submission. In this case the "Microsoft MVP" thing just looked ridiculous (especially outside of a Microsoft only forum).

  16. Re:Software firewalls?! by Budfrogs · · Score: 2, Informative

    The disadvantage of using a router for outbound filtering/blocking/security is that the Application data is not available. While a software firewall can determine which application is trying to make/receive the connection. Many software firewalls check to see if the program accessing the net has changed and lets you decide if you want the new version to have access.
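
Added example (not part of any comment in this thread, and not how ZoneAlarm or Little Snitch are actually implemented): the per-application outbound filtering described above, modelled in Python, with a re-prompt when the program's binary changes. It goes a little beyond this comment by also covering the rule scopes and lifetimes the thread describes for Little Snitch (any server, one port, or one server and port; session or permanent). All class names, paths and hosts are hypothetical.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    app: str                    # program the rule applies to
    host: Optional[str] = None  # None means any server
    port: Optional[int] = None  # None means any port
    permanent: bool = False     # False: dropped when the session ends

    def matches(self, app, host, port):
        return (self.app == app and self.host in (None, host)
                and self.port in (None, port))

class OutboundPolicy:
    def __init__(self):
        self.rules = []
        self.approved = {}  # app path -> SHA-256 of the binary the user approved

    def approve(self, app, binary, host=None, port=None, permanent=False):
        self.approved[app] = hashlib.sha256(binary).hexdigest()
        self.rules.append(Rule(app, host, port, permanent))

    def decide(self, app, binary, host, port):
        digest = hashlib.sha256(binary).hexdigest()
        # A changed binary invalidates earlier approval until the user re-approves.
        if app in self.approved and self.approved[app] != digest:
            return "prompt: binary changed"
        if any(r.matches(app, host, port) for r in self.rules):
            return "allow"
        return "prompt: no rule"

    def end_session(self):
        self.rules = [r for r in self.rules if r.permanent]

def demo():
    # Constructed sample data: paths, hosts and binary contents are made up.
    policy = OutboundPolicy()
    browser, editor = "/apps/browser", "/apps/editor"
    policy.approve(browser, b"browser-v1", permanent=True)  # any server, any port
    policy.approve(editor, b"editor-v1", "updates.example.com", 443)  # session only
    return policy, [
        policy.decide(browser, b"browser-v1", "news.example.org", 80),
        policy.decide(editor, b"editor-v1", "updates.example.com", 443),
        policy.decide(editor, b"editor-v1", "198.51.100.7", 443),
        policy.decide(editor, b"editor-v2", "updates.example.com", 443),
    ]
```

A port-only filter on a router sees none of the inputs `decide` uses except the destination, which is the distinction this comment draws.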

  17. Re:Software firewalls?! by Kadin2048 · · Score: 2, Informative

    I concur. Little Snitch is a great product -- it's actually one of the few pieces of OS X shareware that I think is absolutely worth the money for anyone with a Mac (PithHelmet is the other easy choice).

    I think it's actually superior to ZoneAlarm on the PC, because it provides more flexible options for blocking outbound connections. When an application that's not on the whitelist tries to initiate a connection, you get the option of allowing it to connect to any server on any port, any server but only on one port, or only to a specific server and on a specific port. Plus you can have that setting remembered either only for a single session, or permanently. Although the interface is pretty simple, over time you can build up a pretty complicated scheme of custom preferences. Personally I err on the strict side; unless I can think of a good reason why an application needs to connect to 'any server' (e.g., it's a browsing app of some sort), I always set it to "only this server and port" and then approve every server that it's trying to connect to.

    And you're absolutely right, Adobe software has struck me recently as being extremely creepy in both how often it tries to call home, and where it calls "home."

    The one downside to Little Snitch is that it's so well known on the Mac that some rootkits actually go out of their way to check and see if it's installed and disable it. It's therefore not a replacement for caution and good use practices, however it does make users a lot more aware about what software does stuff without them giving it permission.

    Frankly, I think it's ridiculous that something like this isn't built into the OS kernel. Maybe there are technical barriers to doing it that I'm not aware of, but for a consumer OS these days, it seems borderline irresponsible to allow any program to initiate any network connection to any server and to any port that it wants, without any checking of user intent.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."