New Stealth Attack Found Against Personal Firewall

Discussion in 'other firewalls' started by Zhen-Xjell, Apr 29, 2002.

Thread Status:
Not open for further replies.
  1. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    A new technique for defeating personal firewall software has been discovered. But at least one firewall vendor said the trick poses little risk to computer users.

    Backstealth is a tool which bypasses the outbound restrictions of personal firewalls by embedding an HTTP client in a DLL. It bypasses Kerio Personal Firewall, McAfee Personal Firewall, Norton Internet Security 2002, Sygate Personal Firewall Pro, and Tiny Personal Firewall.

    Zone Alarm is not vulnerable.

    http://piorio.supereva.it/backstealth.htm?p
    http://www.newsbytes.com/news/02/176213.html
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Re: New Stealth Attack Found Against Personal Fire

    Quite so, Zhen,

    A quick test in regard to Kerio PF, Sygate PF and Tiny PF confirms the above. BlackICE v3.5 seems to stand the test.

    Worrisome indeed  :mad:

    regards.

    paul  
     
  3. FanJ

    FanJ Guest

    Re: New Stealth Attack Found Against Personal Fire

    I wonder which version of Zone Alarm.
    ZA Free and/or ZA Pro?
    And which version number of ZA Free and/or ZA Pro?
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: New Stealth Attack Found Against Personal Fire

    Anybody test LnS? Pete
     
  5. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    Re: New Stealth Attack Found Against Personal Fire

    spy1... I tried it on my system and it won't execute if it can't find one of the 'supported' firewalls.

    Frankly, I wonder about the validity of 'tests' that make you first execute the thing, then click 'ok' on check boxes that say something like 'I'm going to attempt to do something malicious, is that ok with you?'.

    That said, I tried it on my configuration running both LnS and Tiny Trojan Trap, and TTT caught it upon execution and allowed me to place it in a 'high restricted' category.  I would be quite surprised if after that it did anything other than spin its wheels and time out.  I was then going to test with LnS enabled and TTT disabled, but that ain't going to happen.

    Note:  I just did some further testing, and by placing backstealth into TTT's 'dangerous' category when it tried to execute, it could not load properly to even check for firewalls, and simply errored out.  The same thing happens to Firehole, and Tooleaky just disappears as if it were never loaded and does nothing.

    My respect for the sandbox concept is growing daily.
     
  6. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    4,098
    Re: New Stealth Attack Found Against Personal Fire

    I would guess they are referring to ZA Pro 3.0, which has the "component" detection feature (which detects dlls trying to access the internet through other programs).

    Just a word of warning: As far as I know, ZA Pro 3.0's "component" feature will not block this test UNLESS you take it out of "learning mode" (and had not already run the test - because learning mode will automatically add the injected dll to the "allowed" list).

    -javacool
     
  7. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    Re: New Stealth Attack Found Against Personal Fire

    Now that is interesting indeed.  I finally upgraded one of my systems to ZAP 3 today.
     
  8. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    4,098
    Re: New Stealth Attack Found Against Personal Fire

    I would highly recommend, then, that you either take component control out of learning mode immediately (but I do warn that you will get LOTS of pop-ups almost every time a program tries to access the internet to do a new thing, especially with MS programs), or let it stay in learning mode for a bit, run ALL your normal programs (including Windows Explorer search if you have Windows XP; it needs many DLLs to be placed on the "allowed" list), and then change component control off of learning mode.

    You probably shouldn't run programs like LeakTest, etc while in learning mode.

    Learning mode is there as a convenience to beginners, or those who just don't have enough time to click through all the dialogs for every program.

    IMHO, a good feature for ZoneLabs to add to their next update would be a warning dialog after a month or so, telling you to change component control off of its "learning mode" setting. :)

    -javacool
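As an added illustration of the learning-mode pitfall javacool describes (this is not ZoneAlarm's code, nor code from the original thread), here is a small Python model of per-process component control; the process name and DLL paths are constructed for the example.

```python
# Added example, not ZoneAlarm's code: a model of per-process component (DLL)
# control with a "learning mode". Process and module names are constructed.
from dataclasses import dataclass, field


@dataclass
class ComponentControl:
    learning: bool = True
    # process name -> set of module paths already allowed to reach the network
    allowed: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def outbound_request(self, process, loaded_modules):
        """Decide whether an outbound connection from `process` is permitted.

        Learning mode: every module seen in the connecting process is added
        to its allowed list without asking, and the connection goes through.
        Enforcing mode: an unknown module is recorded as an alert and the
        connection is blocked until the user explicitly allows it.
        """
        known = self.allowed.setdefault(process, set())
        unknown = set(loaded_modules) - known
        if self.learning:
            known.update(unknown)
            return True
        if unknown:
            self.alerts.append((process, sorted(unknown)))
            return False
        return True


def scenario(test_run_while_learning):
    """Return (connection_allowed, alert_count) for an injected-DLL attempt
    made after learning mode has been switched off."""
    cc = ComponentControl(learning=True)
    app = "trusted_app.exe"                                    # constructed
    normal = [r"C:\WINDOWS\system32\wininet.dll"]              # constructed baseline
    injected = normal + [r"C:\Temp\injected_http_client.dll"]  # constructed
    cc.outbound_request(app, normal)          # ordinary use while still learning
    if test_run_while_learning:
        cc.outbound_request(app, injected)    # the foreign DLL is silently allowed
    cc.learning = False                       # component control taken out of learning mode
    return cc.outbound_request(app, injected), len(cc.alerts)
```

Running the test only after leaving learning mode yields a block and an alert; running it first while learning silently whitelists the DLL, so the later attempt passes with no alert.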
     
  9. FanJ

    FanJ Guest

    Re: New Stealth Attack Found Against Personal Fire

    That's what I was thinking too!

    Very good warning! (I don't have ZAP).
     
  10. FanJ

    FanJ Guest

  11. FanJ

    FanJ Guest

    Re: New Stealth Attack Found Against Personal Fire

    I hope I am allowed to quote here a posting from IGGY at the above-mentioned thread at DSLR:

     
  12. Time out

    Time out Guest

  13. FanJ

    FanJ Guest

    Re: New Stealth Attack Found Against Personal Fire

    Thanks Time out.

    As always the folks at DSLR are doing a great job  :)

    PS: I repaired your link to make it easier to click.
     
  14. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Re: New Stealth Attack Found Against Personal Fire

    I've been reading about this in threads all over the internet. It looks to me like nothing more than a poorly written quasi-trojan that the author asks you to run. I couldn't even download it. I haven't seen 10% of the people that have been able to make it run. Some that got it to run say a sniffer shows 0 traffic.
    Why is this thing getting so much publicity? Am I totally out to lunch here?
     
  15. xxxxxxx

    xxxxxxx Guest

    Re: New Stealth Attack Found Against Personal Fire

    oo
     
  16. Time Out

    Time Out Guest

  17. FanJ

    FanJ Guest

    Re: New Stealth Attack Found Against Personal Fire

    Thanks very much for that link, Time out!!!  :)

    Everything from Steve Friedl is always very interesting!

    Without having read it at the moment (be assured I will!), I can highly advise everybody to read his postings!
     
  18. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Re: New Stealth Attack Found Against Personal Fire

    Being a programmer, NOT, I get the feeling that this might be a rough draft, but has some potential for being real nasty with some refinement. If I am in error, please tell me, I really do want to know.
    I have read in a couple of threads where people are saying it should be adequate to block your firewall from internet access. Is this any help?
    Also, now we have fragroute? http://news.zdnet.co.uk/story/0,,t281-s2108835,00.html
    I don't know if this has been posted at Wilders yet. Maybe should be another thread.
    I'm about ready to unplug and go play. :)
    Sorry, it's been a real bad day.
     
  19. FanJ

    FanJ Guest
