
Thread: ZoneAlarm users

  1. #1
    Fizban
    Guest

    Question ZoneAlarm users

    Well it looks like that post was deleted from grc's board. It was just a message pasted there from comp.security.firewalls. Here it is. Comments?

    I have been very interested in the suggestion tonight by Ed Starry in
    comp.security.firewalls that Zone Alarm may be a trojan disguised as a
    firewall. That's a bold suggestion, but maybe the guy's got a point. The
    posts have been brief, and not too focussed, but it got my curiosity up. So
    I've been checking it out. I here report my preliminary findings.

    Let us learn from the Aureate affair. The Aureate "spyware" was essentially
    the advertising plugin advert.dll (there were apparently others, but this is
    the only one that slipped onto my system unannounced and without an
    uninstall program). So tonight I have looked to see what DLLs the process
    known as Zone Alarm actually uses. It's too early to say that Zone Alarm
    *is* a trojan....er... sorry..... "media plugin"....disguising itself as a
    firewall, but I for one have found out enough tonight to concern me
    considerably. I have taken the precaution of improving my Conseal ruleset
    and have got rid of Zone Alarm altogether.

    At the end of this post I include a complete list of the DLLs used by Zone
    Alarm on my own system.

    Preliminary thoughts: VSMONAPI.DLL is described as "TrueVector Client
    Interface"; VSUTIL.DLL is "TrueVector Service"

    The technology used by Zone Alarm, made by Zone Labs, is "TrueVector". Now,
    according to their own very telling webpage at the Zone Labs site: http://www.zonelabs.com/presspatent.htm
    "Licensees of TrueVector include Media Metrix, Inc. (NASDAQ: MMXI), the
    pioneer and leader in Internet and Digital Media Measurement, as well as
    Tibco Software, Inc."

    I've just visited the Media Metrix website: http://www.mediametrix.com/About/Aboutwwx.html
    Quote from the above webpage: "Media Metrix will provide the ability to
    gauge Internet audience behavior on a worldwide scale - a critical tool for
    effective advertising and marketing planning for any global company today."

    Now look at this, another direct quote: "The company utilizes its patented
    metering methodology to measure actual Internet and digital media audience
    user behavior in real-time - click-by-click, page-by-page,
    second-by-second."

    How would they manage that then? Hmmmmm..........

    More about Media Metrix: "Over 600 clients - advertising agencies, media
    organizations, marketers, technology providers and financiers - use Media
    Metrix data regularly to plan, buy and sell new media advertising; develop
    advertising, marketing and e-commerce strategies; understand consumer
    behavior; gain competitive market intelligence; and for investment
    decisions."

    They sound like our friends don't they, hmmmmmm...........

    According to the page at Zone Labs: "We chose to incorporate TrueVector into
    our product because its technology was capable of telling our program when
    another Internet application is in the foreground," said Mark L. Lambert,
    Senior Architect, TIBCO Software, Inc. "This allows us to improve our user
    experience by pushing data down to the client only when the user isn't
    actively browsing the Web."

    pushing data down to the client.....? hmmmm.......

    Gregor Freund, President of Zone Labs, says: "TrueVector is the first
    client/server platform to meet these demands as it offers the most flexible
    and effective method of building Internet intelligence into applications."

    Building Internet intelligence into applications??? What exactly does that
    mean?

    Apparently it means:
    "Built with a focus on time-to-market and ease of integration, TrueVector
    provides its advanced Internet sensing and traffic monitoring features in a
    modular fashion, which can be adapted to a variety of specific customer
    needs. Using TrueVector lets developers focus their efforts on building
    innovative new solutions, rather than on the mechanics of monitoring
    Internet activity."

    hmmmm.... not looking good so far

    now Ed Starry pointed out the Iamdb.rdb file to be found under
    Windows/Internet Logs, that swells and swells for no apparent reason (seeing
    as Zone Alarm 2 [not the new beta] does not have a logging function in the
    sense that we would understand of a traditional firewall). My iamdb.rdb file
    is already 487KB and is full of encoded data about ALL of the applications
    running on my PC, even those that don't have any internet activity. Some
    may say, well it needs info on all applications, it's a firewall--but does
    it, Conseal doesn't have such an interest in all the applications on my PC.
    To repeat, according to TIBCO, TrueVector technology "was capable of telling
    our program when another Internet application is in the foreground". But why
    should that be important to them? Take another look: "This allows us to
    improve our user experience by pushing data down to the client only when the
    user isn't actively browsing the Web." Remember, Zone Alarm is geared at
    those who have their internet connections open all the time. So they are
    monitoring when you are actively browsing the web, waiting for a time when
    you are not--READ: so they can do something when you aren't looking. So, to
    Tibco, TrueVector technology is of great interest to them simply because it
    tells them this. And what was that the President of Zone Labs said:
    "....advanced Internet sensing and traffic monitoring features...." Is that
    a firewall he's talking about d'you think? A firewall monitors for US, but I
    get the impression Zone Alarm is monitoring for THEM, with an idiot's
    firewall thrown in to make you want to use it.

    From the Zone Labs URL given above: "TrueVector provides a flexible and
    scalable method to conduct real-time monitoring of all Internet data
    exchanges on a personal computer. Due to the granularity of information
    collected and the fine-grained level of control that TrueVector allows...."

    HANG ON! STOP THERE!!!

    *the granularity of information collected*....... ?? So it collects
    information? Let me see if I've got this, they give out a free firewall to
    protect us from attacks by hackers and malicious trojans, and, in return,
    because there is no such thing as a free lunch, TrueVector collects
    information....presumably via the two DLL "media plugins" mentioned above.
    Have I got that right.... and the firewall stops Trojans right? So.... am I
    getting this, it collects information, but there's no way for Media Metrix
    or Tibco to get their hands on it because.... we've got a firewall
    right....? Clever! And, as Steve Gibson points out, if we have Zone Alarm we
    don't need any *other* firewall because ZA is fully stealthed, he in fact
    uses it on its own he's so impressed. We can see how good it is for
    ourselves by doing a Shields Up! and Ports Probe test at his website. How
    much is he worth these days? The Zone Alarm site has a link to Gibson's
    site. Not that I'm suggesting..... far be it from me to say.....

    Starry says: "I installed ZA v2.1.1 yesterday and the <Iamdb.rdb> file
    already exceeds 155 KB. After installing and configuring ZA this file was
    only 54 KB. What is this extra 100 KB being used for, it surely isn't needed
    for configuring because that's already been done."

    He should think himself lucky, I have over 400KB of extra data and didn't
    even know about the Iamdb.rdb file until tonight. Perhaps someone would care
    to decrypt their Iamdb.rdb and let us all know what it says. Oh, and does
    Iamdb stand for "I am database"? Just a thought.......

    Let's go and visit Tibco Software Inc. Oh, the CEO's written a book: http://www.powerofnow.com/
    Ranadive authored "The Power of Now: How Winning Technologies Sense and
    Respond to Change Using Real-Time Technology."

    And he's been interviewed: "In the infrastructure space, there's a whole
    stack of software you need if you're selling goods and services online," he
    says. "We've greased the whole value chain. Our technology, for instance,
    slides right into an Oracle database. It's being embedded right into Cisco's
    routers and hubs."
    http://cbs.marketwatch.com/archive/20000128/news/current/stwatch.htx?source=htx/http2_mw

    So, basically, our friendly firewall Zone Alarm is in bed with Tibco (who
    like greasing the whole value chain and embedding real-time technology) and
    Media Metrix (who want to know you on a click-by-click basis). As for Steve
    Gibson, well...........


    [This message has been edited by Fizban (edited 03-16-2000).]

  2. #2
    downhill
    Guest


    Dang,
    Looks like you did a lot of research, Fizban.

    An @home bill of rights? Looks more like we need a net privacy bill of rights. What's next?


  3. #3
    GeneticDrift
    Guest

    Interesting indeed. Let me know what that says once you decrypt/decipher that baby.

  4. #4
    TonyT
    Guest

    Interesting. I have Zone Alarm installed but only ran it a couple of times, been using BID instead, and don't run the msclient. The Iamdb.rdb file in c:/windows/internet logs is about 57 KB, but only 3 lines of sparse text!

    Is it possible that zone labs is just using a part of that overall technology that they developed & call "true vector" to enable the product to "sense" which apps are running & to prompt the user for permissions? And if it really is a sort of trojan then which app sends the data upstream when we are not looking? Zone Alarm? Then try adding zone alarm to the list of apps that do not have permission to send/receive data via tcp/ip.
    Or run another firewall product to have it detect transfers from ZA.

    The ZA press release re TrueVector is just that! A press release. A PR statement. Not a technical statement.

    "We chose to incorporate TrueVector into our product because its technology was capable of telling our program when another Internet application is in the foreground," said Mark L. Lambert, Senior Architect, TIBCO Software, Inc. This allows us to improve our user experience by pushing data down to the client only when the user isn't actively browsing the Web."

    http://www.tibco.com

    The above is the site where Mark L. Lambert is from. Seems they are not in the advertising business but offer products related to networking apps on WANs & LANs. And by "pushing data" I think they are referring to clients running specific apps & network protocols.

    Zone Alarm's big money seems to be coming from companies like that. As well as advertising companies. How much do you think TIBCO pays for licensing? I would bet it's phenomenal! TrueVector is the heart of ZoneLabs' business.

    But I sure hope it's not foul & gets developed into an unwelcome product. And I would think that a few crackers out there would have picked it apart by now, reverse engineering the program, looking for ways to beat it. Maybe you should send your findings to L0pht Heavy Industries & see what they have to say.
    ------------------

    Coming soon to a desktop near you!

  5. #5
    ExarKun (Criminal Master Mind)
    Join Date: Dec 1999
    Location: Under The Police Station
    Posts: 1,118

    After reading this post, I took most of last night to completely rip ZoneAlarm down to the bare code.
    I haven't found anything yet that seems questionable to me; the only thing that is kind of weird is when you register it (tries) to pull info from any saved msinfo32.exe system information files, but it can't if you have never saved one in the first place.
    That's About it, Thanks For The Original Post


    ------------------
    You Do Not Know The True Power Of The DarkSide
    "Quoted By ExarKun From Dark Lords Of The Sith " 4000 Years Before Vader Said It
