BackStealth

Hey, javacool.

You run this little goodie on a system with BackStealth on it (especially one of the supposedly vulnerable firewalls)?

Just curious as to what, if anything, turned up.

GT7697 over in DSLR Security Forum is a bit curious about this.

 

You mean run my FileChecker, checking important system files (and the firewalls) to check and see if the firewalls/system files are modified or changed by BackStealth?

No, I have not personally tried BackStealth, but FileChecker WILL detect ANY changes made to any files in its watch list. If you (or anyone else) wants to make sure this BackStealth program doesn't modify your firewall, adding your firewall (and its associated dlls) to FileChecker will let you know if it does get changed (even if it is edit "in secret" and file attributes are faked, the checksumming feature will detect any changes).

My recommendation would be to run FileChecker, add your firewall files, add system files like winsock.dll, and then make sure checksum detection is turned on, and set for a 25 second delay, or so (depending on the number of files). Make sure you see the FileChecker window title (maximized of course) change to "FileChecker --> COMPUTING CHECKSUMS" at least once (the interface will freeze for a bit also. This will ensure a baseline checksum has been made of those files. Then you can go ahead and run BackStealth to see if changes are mde to any of them. (Wait enough time after BackStealth exits for FileChecker to do its checksumming again.)

Hope this helps out.

-javacool

 

Hi Javacool,

Will it also detect a new .dll file?
I'm not quite sure whether I understood it right, but maybe that's what BackStealth is doing: putting a new .dll file in the memory-space of your firewall...
Well, even if I didn't understand that right, it would be good to know  

Thanks, Jan.

 

If the dll file is loading into the memory space of your firewall, then FileChecker would not detect it (as this is not really what FileChecker was made to do - although that could be an idea for a new program).

If the dll modified any of the files placed in the FileChecker watch-list, then it WOULD be detected. Modifying those applications in memory, would NOT be detected. (FileChecker detects modifications of the files on disk.)

While FileChecker would not detect the situation you described (as, again, that is not what it was made to do), it could not hurt to use it to watch your firewall's files on disk.

-javacool

 

OK, thanks Javacool !