Radsoft

Zone Labs: Anatomy of a Coverup

How angels stay clean and scandals stay silent.

Part Sixteen - Beta Update

Gregor now sent a beta update of Zone Alarm Pro to Tom Liston. It indeed stopped outbound traffic when the Internet Lock was on - in fact it crashed computers.

Tom was able to identify the 'bug fix' as well. With or without low-level filtering, Zone Alarm had previously assumed that all TCP traffic would originate in the Microsoft Winsock (Application) layer. The 'bug fix' was simply a hook which looked for unidentified traffic with protocol 6 (TCP) attempting to leave the local machine.

Zone Alarm was already checking other protocols fairly well - but it had assumed that TCP could only originate with Winsock - which as we all know, thanks mainly to Steverino Gibson, is no longer true, as Windows XP now allows 'raw sockets'!

Yet these programs that had got through were doing so on a variety of Windows platforms - anything but XP. Zone Alarm had offered its users no basic protection against illicit traffic of this nature all these years - and it was only discovered by accident - 'innocence personified'.

Liston immediately tested this theory by changing the protocol of the programs to 51 and then running them again. Although they could be shut down by Zone Alarm's Internet Lock, there were no more system crashes. Freund had implemented a simple 'hack' to put Liston off the scent.
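The filtering gap described above, as an added example that is not Zone Alarm's code or part of the original article: a simplified model of an outbound filter that presumes TCP can only come from Winsock, next to a lock rule that ignores the protocol number. The function names and the `from_winsock` flag are assumptions, and the sample headers are constructed.

```python
import struct

IPPROTO_TCP = 6  # IANA protocol number for TCP, as cited in the article

def build_ipv4_header(proto: int) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def ip_protocol(packet: bytes) -> int:
    """Read the protocol field (header byte 9) after basic sanity checks."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    return packet[9]

def legacy_verdict(packet: bytes, from_winsock: bool, lock_on: bool) -> str:
    """Model of the assumption in the article: TCP can only come from Winsock."""
    if from_winsock:
        return "drop" if lock_on else "allow"
    if ip_protocol(packet) == IPPROTO_TCP:
        return "allow"  # never inspected: unattributed TCP was presumed impossible
    return "drop"       # other protocols were already being checked

def lock_verdict(packet: bytes, from_winsock: bool, lock_on: bool) -> str:
    """Protocol-agnostic rule: the decision never depends on the protocol number."""
    try:
        ip_protocol(packet)  # parse only to reject malformed headers
    except ValueError:
        return "drop"
    if lock_on or not from_winsock:
        return "drop"
    return "allow"

if __name__ == "__main__":
    for proto in (6, 51):  # the two protocol numbers mentioned in the article
        pkt = build_ipv4_header(proto)
        print(proto, legacy_verdict(pkt, False, True), lock_verdict(pkt, False, True))
```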

Copyright © Radsoft. All rights reserved.