
 




Zone Alarm Vs 180 Solutions: Zango hooks?

Sub-Seven writes "Found at Vitalsecurity.org, they detail how a Microsoft MVP pulled the Zango file to pieces, and discovered some interesting facts about exactly what a "simple" fun and games application does to a machine that it's running on. Hooking into Windows OneCare and Microsoft Antispyware? What's that all about? "


  • Software firewalls?! (Score:4, Interesting)

    by FatSean ( 18753 ) on Monday December 05, 2005 @11:17AM (#14184913) Homepage Journal
    Um...not sure what's going on here...but I think software firewalls have to be one of the silliest 'security products' out there. I still can't believe cable companies don't distribute modem/routers to users and remotely configure them to block the commonly exploited ports and protocols.

    My conspiracy theory is that they have big investments in the software firewall companies...and in existing non-router cablemodems.

    SO we suffer.

  • Re:Wow first post? (Score:0, Interesting)

    by Anonymous Coward on Monday December 05, 2005 @11:22AM (#14184946)
    Basically, after RTFA it seems to me that 180 and friends are trying to deny what the app actually does. It was interesting to see the M$ explanation of the procedure call.

    TBH 180 and all those other search / tool bar(ish) things are spyware to improve your popups and help slow your PC to a crawl.

  • by HexaByte ( 817350 ) on Monday December 05, 2005 @11:23AM (#14184948)
    From the article:

    180Solutions was complaining that "ZoneAlarm was advising that our 180search Assistant "is trying to monitor your mouse movements and keyboard strokes" well let's see after reading the above ... that description looks right to me.

    This is worse than spyware. This could be used to transmit your account codes and PINs, passwords, etc.

    Sounds like stealware(TM) to me!

  • by dada21 ( 163177 ) * <adam.dada@gmail.com> on Monday December 05, 2005 @11:55AM (#14185224) Homepage Journal
    I've found this applies to whatever business you're in. I've started, grown, and sold 4 different companies, in completely unrelated industries. The more we were able to make ourselves unnecessary, the more work we got.

    Succinctly put. What you just said is about 1/3rd the reason I became a libertarian and then became an anarchocapitalist. I realized that businesses that exist to grow and tread new markets are what makes this world wonderful. I saw how some corporations (not businesses) fought to stay the same, and wanted to make a law to enforce the status quo. I've been a businessman since I was 13/14, and I never really thought about "What is legal?" I thought "What is moral?" I didn't need the law to tell me what my customers wanted and what I could provide. I didn't need the law to tell me when a product I made was harmful to my customers. I just knew. As I left my teens, I realized that almost all my businesses were just stepping stones to new ones. I'm always focusing on what will replace me, and then seeing what will replace other industries. Those are the businesses to be in before the masses start investing in IPOs -- which are already too late to the scene.
  • by Ytsejam-03 ( 720340 ) on Monday December 05, 2005 @12:12PM (#14185345)
    The question is, does Zango use that hook to collect mouse and key info, even for a short time, or are they using the hook for other purposes? What would those purposes be?
    Yes, my thoughts exactly. The longer 180 fails to disclose this information, the more it looks like they are doing something nasty.

    That said, I see no evidence that Zango is specifically targeting Windows OneCare or Microsoft Antispyware as TFA implies. The fact that zangohook.dll is being loaded into these processes is *NOT* evidence of this. Zango is setting a system-wide hook, which means that their hook DLL (zangohook.dll) will be automatically loaded into every process in the system that generates one of the events they are trying to hook.

    There are legitimate uses for system-wide hooks. Many Single Sign-On products use them, for instance. The real question is, why exactly does Zango need to set a system-wide hook in the first place? I can't think of any legitimate reasons.
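    The comment above makes a point a defender can check directly: a system-wide hook causes the hook DLL to be mapped into every process that generates the hooked events, so finding it inside OneCare or Antispyware says nothing by itself; what matters is whether the DLL is in a couple of chosen processes or in nearly everything. The snippet below is an added example, not from the article or the poster. It enumerates loaded modules across all processes using `Get-Process` and the standard .NET `Process.Modules` collection; `zangohook.dll` is the file name discussed in the thread and is used here only as the search string.

```powershell
function Find-LoadedModule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ModuleName
    )

    $hits = @()
    foreach ($proc in Get-Process) {
        try {
            # Modules lists every DLL mapped into the process. Enumeration can
            # fail for protected or higher-privileged processes, and for a
            # 32-bit/64-bit mismatch between this shell and the target.
            $modules = $proc.Modules
        } catch {
            Write-Verbose ("Cannot enumerate modules of {0} (PID {1}): {2}" -f `
                $proc.ProcessName, $proc.Id, $_.Exception.Message)
            continue
        }
        if ($null -eq $modules) { continue }

        foreach ($m in $modules) {
            if ($m.ModuleName -ieq $ModuleName) {
                $hits += [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    PID         = $proc.Id
                    ModulePath  = $m.FileName
                }
            }
        }
    }
    return $hits
}

# Example use: list every process that currently has the hook DLL mapped.
$found = @(Find-LoadedModule -ModuleName 'zangohook.dll' -Verbose)
if ($found.Count -eq 0) {
    "No running process has zangohook.dll loaded."
} else {
    "$($found.Count) process(es) have zangohook.dll loaded:"
    $found | Sort-Object ProcessName | Format-Table -AutoSize
}
```

    Run it from an elevated session, and from a shell whose bitness matches the processes you care about, otherwise the `-Verbose` output will show many processes skipped. A DLL planted by a system-wide hook shows up in a long list of unrelated processes (anything with a window or input queue), which is exactly the pattern that distinguishes "loaded everywhere by the hook mechanism" from "injected into a specific target".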
  • Re:It's not just you (Score:1, Interesting)

    by Anonymous Coward on Monday December 05, 2005 @12:16PM (#14185377)
    The shot about MVPs is unwarranted, in my opinion. At least for C++, I thought they did a reasonable job of vetting them -- all of my experience with the other C++ MVPs showed them to be very knowledgeable about the language. Certainly, the standard was higher than merely "high school graduate." And Microsoft had an obvious incentive for that to be so, both because they spent money on the program, and because the MVPs were sort of a proxy support group for MS and their quality reflected back on the company.

    Personal bias -- I was a VC MVP for two years, and I earned that status by providing a lot of good, free advice on C++ programming with VC in the newsgroups. My status lapsed after I had a significant downturn in involvement in the groups.
  • by value_added ( 719364 ) on Monday December 05, 2005 @12:18PM (#14185390)
    For anyone who doesn't know, you become a Microsoft MVP largely by being an unemployed loser - the more time you can waste away providing pro-Microsoft answers on Microsoft's message boards ...

    The MCSE jokes on /. are admittedly funny at times, but this is as unfunny as it is unfair. First, only web weenies would refer to newsgroups as message boards. Second, those groups are an invaluable resource; being freely available, active, and representing a wide cross section of experience, they're one of the few places where you can find honest and up-to-date information. And third, while Microsoft does offer a pseudo subscription-based pricing for "guaranteed responses" (from the MVPs, among others), most posts are the result of volunteer efforts.

    Perhaps the next time you send a question off to debian-users, for example, hoping for an answer from one of the "regulars", you avoid suggesting that any of them must be an unemployed loser for bothering to respond. Unless playing the part of a troll is somehow more rewarding.

    If it sounds like I'm pissed off, yeah, I am. Having to defend something Microsoft related on /. is annoying enough without being forced to justify the efforts of those trying to help others, irrespective of the venue or their individual capacity.

    As for anyone else who uses Windows and is unfamiliar with usenet, I'd suggest exploring the ms.public hierarchy with whatever news client you have available, and getting into the habit of reading a few of them before applying the latest patch or service pack, or when otherwise trying to resolve an issue or trying to learn something. The top posting is murder, but the information is free and unlikely to be available to the same extent anywhere else.
  • by arkanes ( 521690 ) <arkanes@NoSPam.gmail.com> on Monday December 05, 2005 @12:18PM (#14185397) Homepage
    There are a number of things you might install a CBT hook for, even legitimate ones, but with the hook installed it absolutely is "monitoring" all keypresses and mouse moves. This is going to hinge on the definition of monitoring - Windows is calling a hook within the Zango code and notifying it of all the events it registered the hook for (which looks like system wide mouse and key events), however, Zango is quite likely ignoring everything except very specific events. Personally, I'd still call that monitoring.
  • Re:Impossible (Score:3, Interesting)

    by hal9000(jr) ( 316943 ) on Monday December 05, 2005 @01:07PM (#14185884)
    What you are suggesting is not just difficult - it is impossible (for well designed malware).

    Huh? Sure it is possible. Application proxies have been around for a long, long time. Secure Computing has one, as does Cyberguard, and Symantec. Now in their cases, "application level" enforces the layer 7 and downward protocols for some services, not all. For example, they all have HTTP, FTP, SMTP, IMAP, and POP3 application level proxies. Some support Oracle's SQL*Net V1 or V2. Others support H.323 but not SIP. Anyway, service level attacks such as trying to overflow a buffer generally will not work through application level proxies, because service level attacks tend to violate the protocol specification (binary data where RFC-822 data should be) or violate sane behavior of the protocol, like an HTTP/1.1 Host: header longer than 100 characters.

    So you're wondering about SSL? How about using an HTTP/SSL proxy and forcing all outbound connections through the proxy and examining the underlying protocols prior to exiting a perimeter firewall? Let's face it, the way SSL is used today doesn't provide that much protection anyway (hint: how do you know the certificate from amazon.com is valid? Because you have the public signing certificate from Verisign that was used to sign the certificate from amazon.com? How did you get the Verisign certificate and how do you know *it* is valid? More importantly, how do you know a malicious signing certificate hasn't been inserted into your supposedly trusted certificate store? Sorry, that isn't the hint, it's the answer) so you really don't lose much by using an SSL proxy.

    What is more difficult is application level firewalls that protect web applications (instantiated within the HTML, XML, etc. flying back and forth) from malicious use like SQL injection, cookie and field tampering, and yes, buffer overflows. But it can be done.
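    The two concrete rejection rules the comment above gives for an application-level proxy (binary bytes where text headers belong, and an HTTP/1.1 Host header longer than 100 characters) are easy to express as a check on the raw request head before it is forwarded. The function below is an added example written for this thread, not code from any of the products the poster names; the limits, the accepted method list and the sample requests are constructed for illustration.

```powershell
function Test-HttpRequestHead {
    # Returns Allowed = $true only when the request head passes every check;
    # Reasons lists each violation found, so a proxy can log why it dropped it.
    param(
        [Parameter(Mandatory = $true)]
        [byte[]]$RawHead,
        [int]$MaxHostLength   = 100,    # constructed limit, as in the comment
        [int]$MaxHeaderLength = 8192    # constructed per-line limit
    )

    $reasons = @()

    # Rule 1: a header block is ASCII text. Any byte outside printable ASCII
    # (other than CR, LF and TAB) is "binary data where text should be".
    foreach ($b in $RawHead) {
        if (($b -lt 0x20 -or $b -gt 0x7E) -and ($b -notin 0x0D, 0x0A, 0x09)) {
            $reasons += ("non-text byte 0x{0:X2} inside header block" -f $b)
            break
        }
    }

    $text  = [System.Text.Encoding]::ASCII.GetString($RawHead)
    $lines = $text -split "`r`n"

    # Rule 2: the request line must be METHOD SP target SP HTTP/1.x.
    if ($lines[0] -notmatch '^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]$') {
        $reasons += "malformed request line: '$($lines[0])'"
    }

    # Rule 3: every header line is Name: value, within sane length limits,
    # and an HTTP/1.1 request carries exactly one Host header.
    $hostCount = 0
    if ($lines.Count -gt 1) {
        foreach ($line in $lines[1..($lines.Count - 1)]) {
            if ($line -eq '') { break }             # blank line ends the head
            if ($line.Length -gt $MaxHeaderLength) {
                $reasons += "header line exceeds $MaxHeaderLength bytes"
                continue
            }
            if ($line -notmatch '^([A-Za-z0-9-]+):\s*(.*)$') {
                $reasons += "malformed header line: '$line'"
                continue
            }
            $name = $Matches[1]; $value = $Matches[2]
            if ($name -ieq 'Host') {
                $hostCount++
                if ($value.Length -gt $MaxHostLength) {
                    $reasons += "Host header is $($value.Length) chars (limit $MaxHostLength)"
                }
            }
        }
    }
    if ($lines[0] -match 'HTTP/1\.1$' -and $hostCount -ne 1) {
        $reasons += "HTTP/1.1 request must carry exactly one Host header (found $hostCount)"
    }

    [pscustomobject]@{ Allowed = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Constructed sample requests: one well-formed, one with an oversized Host
# header, one with non-text bytes where a header name should be.
$ascii = [System.Text.Encoding]::ASCII
$good  = $ascii.GetBytes("GET /index.html HTTP/1.1`r`nHost: www.example.com`r`nUser-Agent: demo`r`n`r`n")
$long  = $ascii.GetBytes("GET / HTTP/1.1`r`nHost: " + ('a' * 300) + "`r`n`r`n")
$bin   = $ascii.GetBytes("GET / HTTP/1.1`r`nHost: www.example.com`r`n") + [byte[]](0x90, 0x90, 0xCC) + $ascii.GetBytes("`r`n`r`n")

foreach ($sample in @($good, $long, $bin)) {
    $verdict = Test-HttpRequestHead -RawHead $sample
    if ($verdict.Allowed) { "ALLOW" } else { "DROP: " + ($verdict.Reasons -join '; ') }
}
```

    The bytes are inspected before the text is decoded, because decoding first would silently turn the interesting bytes into replacement characters. A real proxy would also bound the total head size and the number of headers, but these three rules already reject both of the violations the comment describes.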

  • Re:We need a hybrid (Score:3, Interesting)

    by Rich0 ( 548339 ) on Monday December 05, 2005 @01:14PM (#14185942) Homepage
    Somebody should design a server that listens on a privileged port. This server can be connected to by a remote server, and interrogated for the username associated with any outgoing connections to that remote server.

    Oh wait, we just described identd... :)
  • by giafly ( 926567 ) on Monday December 05, 2005 @01:41PM (#14186202)
    1. Provide one set of servers where players can compete if they submit to anti-cheat scanning.
    2. And different server(s) for the libertarians, script kiddies and cheaters.
  • by Rob the Bold ( 788862 ) on Monday December 05, 2005 @01:44PM (#14186231)
    Ed Foster's Gripe Log is following the Zone Alarm v. 180 story, and he has a much more readable summary at his site: http://www.gripe2ed.com/scoop/story/2005/12/5/82555/7508
  • False-positives (Score:3, Interesting)

    by Smallest ( 26153 ) on Monday December 05, 2005 @02:41PM (#14186716)
    We just discovered (last Friday, at 4:00pm of course) that "SpySweeper" is labelling one of our components (a general-purpose image processing library) as spyware. After a little digging, it turns out that a program called TrueActive Activity Monitor installs a file with the same name as our component.

    But, we can't tell if it actually *is* our component or if they just have a file with the same name (not very likely) - because our anti-virus and anti-spyware apps freak out when we open the TrueActive installer to see what their version of the file actually is. Either way, SpySweeper says our component is an "activity monitor" and this is freaking out both our customers and our customers' customers.

    We're talking with the people who write SpySweeper, to get this fixed, and they've been helpful so far. So hopefully, this will be resolved soon.
  • How does it keep you from modifying the local database and replacing the "legitimate" hashes with the hashes for the compromised (cheater) software? It would seem that in order to be secure, the comparison has to be run on a trusted machine, which by definition the machine you're scanning for cheats shouldn't be.

    I suppose they can send back a hash of the database to the server or something, but it just seems to me that if what you're describing really is the system, then it's inherently possible to compromise without a decryption-based (or dehashing-based) attack.
  • by Anonymous Coward on Monday December 05, 2005 @06:20PM (#14188929)
    That's funny. I manufacture HVAC systems. For years I used to joke about our product being "Just good enough to move air", until one day I saw some of our competitor's units dismantled in one of our training areas.

    When I saw what the competition was selling, I was like "woah, no wonder we cost the most, and no wonder we do so much business."

    It's all relative. I'm something of a perfectionist, too. But having seen how good our "crap" is compared to theirs, I realized, I'm just anal.

    Apparently my co-workers are right. It just has to work. :/

    Posting AC for obvious reasons.
  • by bill_kress ( 99356 ) on Monday December 05, 2005 @06:24PM (#14188981)
    I'm starting to wonder how it's physically possible that an OS would allow ANY app to install a hook into something as important as a keyboard driver or monitor without catching it and asking the user (at least).

    Perhaps we could, hmm, motivate MS by publishing this ability as a vulnerability in the OS.

    In fact, maybe we should stop allowing the OS Manufacturers to specify what a vulnerability is and come out with a list of requirements/standards that we can validate consistently against all OSes to qualify and rate their security against each other.

    Not that everyone wants to be bothered with every little app, but we should be able to turn off the ability to install dangerous hooks just like we can turn off the ability to set cookies.

    Either that or just make M$ financially responsible for every time a keylogger steals a bank password.

