New Stealth Attack Found Against Personal Firewall

Discussion in 'other firewalls' started by Zhen-Xjell, Apr 29, 2002.

Thread Status:
Not open for further replies.
  1. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    A new technique for defeating personal firewall software has been discovered. But at least one firewall vendor said the trick poses little risk to computer users.

    Backstealth is a tool which bypasses outbound restrictions of personal firewalls by embedding a http client in a dll. Bypasses Kerio Personal Firewall, McAfee Personal Firewall, Norton Internet Security 2002, Sygate Personal Firewall Pro, and Tiny Personal Firewall.  

    Zone Alarm is not vulnerable.

    http://piorio.supereva.it/backstealth.htm?p
    http://www.newsbytes.com/news/02/176213.html
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Re: New Stealth Attack Found Against Personal Fire

    Quite so, Zhen,

    A quick test in regard to Kerio PF, Sygate PF and Tiny PF confirms the above. BlackICE v3.5 seems to stand the test.

    Worrysome indeed  :mad:

    regards.

    paul  
     
  3. FanJ

    FanJ Guest

    Re: New Stealth Attack Found Against Personal Fire

    I wonder which version of Zone Alarm.
    ZA Free and/or ZA Pro?
    And which version number of ZA Free and/or ZA Pro?
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: New Stealth Attack Found Against Personal Fire

    Anybody test LnS? Pete
     
  5. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    Re: New Stealth Attack Found Against Personal Fire

    spy1.....i tried it on my system and it won't execute if it can't find one of the 'supported' firewalls.

    Frankly, I wonder about the validity of 'tests' that make you first execute the thing, then click 'ok' on check boxes that say something like 'i'm going to attempt to do something malicious, is that ok with you?'.

    That said, I tried it on my configuration running both LnS and Tiny Trojan Trap and TTT caught it upon execution and allowed me to place it in a 'high restricted' category.  I would be quite surprised if after that it did anything other than spin its wheels and time out.  I was then going to test with LnS enabled and TTT disabled, but that ain't going to happen.

    Note:  I just did some further testing, and by placing backstealth into TTT's 'dangerous' category when it tried to execute, it could not load properly to even check for firewalls, and simply errored out.  Same thing happens to Firehole, and Tooleaky just disappears as if it was never loaded and does nothing.

    My respect for the sandbox concept is growing daily.
     
  6. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    Re: New Stealth Attack Found Against Personal Fire

    I would guess they are referring to ZA Pro 3.0, which has the "component" detection feature (which detects dlls trying to access the internet through other programs).

    Just a word of warning: As far as I know, ZA Pro 3.0's "component" feature will not block this test UNLESS you take it out of "learning mode" (and had not already run the test - because learning mode will automatically add the injected dll to the "allowed" list).

    -javacool
     
  7. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    Re: New Stealth Attack Found Against Personal Fire

    Now that is interesting indeed.  I finally ugpraded one of my systems to ZAP 3 today.
     
  8. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    Re: New Stealth Attack Found Against Personal Fire

    I would highly recommend, then, that you either take component control out of learning mode immediately (but I do warn that you will get LOTS of pop ups almost every time a program tries to access the internet to do a new thing - especially with MS programs), or you can let it stay in learning mode for a bit, run ALL your normal programs (including Windows explorer search if you have Windows XP - it needs many dlls to be placed on the "allowed list) and then change component control off of learning mode.

    You probably shouldn't run programs like LeakTest, etc while in learning mode.

    Learning mode is there as a convenience to beginners, or those who just don't have enough time to click through all the dialogs for every program.

    IMHO, a good feature for ZoneLabs to add to their next update would be a warning dialog after a month or so, telling you to change component control off of its "learning mode" setting. :)

    -javacool
     
  9. FanJ

    FanJ Guest

    Re: New Stealth Attack Found Against Personal Fire

    That's what I was thinking too !

    Very good warning! (I don't have ZAP).
     
  10. FanJ

    FanJ Guest

  11. FanJ

    FanJ Guest

    Re: New Stealth Attack Found Against Personal Fire

    I hope I am allowed to quote here a posting from IGGY at the above mentioned thread at DSLR:

     
  12. Time out

    Time out Guest

  13. FanJ

    FanJ Guest

    Re: New Stealth Attack Found Against Personal Fire

    Thanks Time out.

    As always the folks at DSLR are doing a great job  :)

    PS: I repaired your link to make it easier clickable.
     
  14. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Re: New Stealth Attack Found Against Personal Fire

    I've been reading about this in threads all over the internet. It looks to me like nothing more than a poorly written quasi-trojan that the author askes you to run. I couldn't even download it. I haven;t seen 10% of the people that have been able to make it run. Some that got it to run, say a sniffers shows 0 traffic.
    Why is this thing getting so much publicity? Am I totally out to lunch here?
     
  15. xxxxxxx

    xxxxxxx Guest

    Re: New Stealth Attack Found Against Personal Fire

    oo
     
  16. Time Out

    Time Out Guest

  17. FanJ

    FanJ Guest

    Re: New Stealth Attack Found Against Personal Fire

    Thanks very much for that link, Time out !!!  :)

    Everything from Steve Friedl is always very interesting !

    Without having read it at the moment (be assured I will do !), I can highly advice everybody to read his postings !
     
  18. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Re: New Stealth Attack Found Against Personal Fire

    Being a programmer, NOT, I get the feeling that this might be a rough draft, but has some potential for being real nasty with some refinement. If I am in error, please tell me, I really do want to know.
    I have read in a couple of threads where people are saying it should be adequate to block your firewall from internet access. Is this any help?
    Also, now we have fragroute? http://news.zdnet.co.uk/story/0,,t281-s2108835,00.html
    I don't know if this has been posted at Wilders yet. Maybe should be another thread.
    I'm about ready to unplug and go play. :)
    Sorry, its been a real bad day.
     
  19. FanJ

    FanJ Guest

Loading...
Thread Status:
Not open for further replies.