NIS Wackiness: Only One Type Of Trojan Can Attack?

Giganews Newsgroups
Subject: NIS Wackiness: Only One Type Of Trojan Can Attack?
Posted by:  Harold (harold…
Date: 14 Jan 2004

I have Norton Internet Security 2004.  It comes with default firewall
rules for Trojans, which you can change.

I changed the default rules for what NIS calls Backdoor/Subseven so
that instead of checking for TCP attacks solely on the pre-selected,
"usual" ports, it will alert of a Subseven probe on *any* port.  The
result?  Suddenly, NIS is telling me that ALL Trojan probes on my
machine are from Subseven...averaging about 2-3 an hour.  They are
directed at both the known ports and just about any others you can
think of.

So after a few days of this, I also change the default rule for Netbus
to allow alerts for TCP probes on ANY port.  And what happens?  NIS
immediately switches over to telling me that every single Trojan probe
on my machine -- still about 2-3 an hour -- is from Netbus.  And ONLY
Netbus.  A few of these are coming from the expected Netbus ports, but
most aren't.

So a day later I put the three pre-selected ports back into the rules
for Netbus, and -- you guessed it -- NIS promptly goes back to telling
me the machine is being probed by Subseven, and ONLY Subseven, about
2-3 times an hour.

NIS seems to be protecting my system well, based on tests such as
ShieldsUp and Symantec's own web test page.  But the NIS behavior I
describe seems very weird to me.  If it's just a reporting quirk of
the program, I don't know why I can't find any similar experiences
posted online.

Does anyone have any idea what might be going on?  I would note that
Netbus is listed higher up in NIS's rules hierarchy than Subseven, so
perhaps that relates to why NIS chooses Netbus as the Trojan that
"wins" 100% of the (supposed) Trojan-intrusion "credit" after I allow
any-port detections for both Netbus and Subseven.  But I still don't
comprehend why it is behaving as I described.  It just doesn't seem to
make any sense.

This, plus some other oddities (one of which I posted about
previously), has got me on the verge of trying a different brand of
software firewall and/or buying a router.

TIA for any thoughts.