[ISN] New Stealth Attack Found Against Personal Firewalls

From: InfoSec News (isnat_private)
Date: Tue Apr 30 2002 - 02:03:15 PDT

    http://www.newsbytes.com/news/02/176213.html
    
    By Brian McWilliams, Newsbytes
    FLORENCE, ITALY,
    29 Apr 2002, 2:41 PM CST
     
    A new technique for defeating personal firewall software has been
    discovered. But at least one firewall vendor said the trick poses
    little risk to computer users.
    
    Backstealth, a demonstration program that bypasses the outbound data
    filters in firewalls from Symantec, McAfee, and other firms, was
    posted last week to Packetstorm, a popular security tools site.
     
    According to Backstealth's author, Paolo Iorio, the program is
    designed to access a remote Web site and download a harmless text file
    without detection by the user's firewall.
    
    Iorio said Backstealth's network connections are invisible to many
    firewalls because it operates in the same space in the computer's
    memory that is allocated to the firewalls.
    
    The utility is able to defeat outbound blocking by Kerio Personal
    Firewall, McAfee Personal Firewall, Norton Internet Security 2002,
    Sygate Personal Firewall Pro, and Tiny Personal Firewall, according to
    Iorio.
    
    A representative of Tiny Software said Tiny Personal Firewall version
    3, which was released last week and includes a new application
    "sandbox" feature, is not vulnerable to programs such as Backstealth.
    
    The popular ZoneAlarm personal firewall is also not susceptible to the
    attack, according to Iorio.
    
    Last November, security researchers published several techniques for
    evading some firewalls' guards against unauthorized leaks. Tools named
    TooLeaky and FireHole demonstrated how attack programs could
    piggy-back on applications with approved access to the Internet.
    
    Iorio said Backstealth is unique because it does not commandeer a
    trusted program, but instead uses a Windows function called
    VirtualAlloc to inject itself into the firewall's memory space.
    
    According to Symantec product manager Tom Powledge, Backstealth is an
    "interesting proof of concept," but poses no risk to users of Norton
    Internet Security, which includes Norton AntiVirus.
    
    "Hackers are always going to come out with new ways to get around
    firewalls. But they all rely on executing code on your system. And
    that means they can be detected by anti-virus software," if the
    programs perform malicious activity, said Powledge.
    
    A representative of ICSA Labs, which last year certified four of the
    vulnerable products, said the testing firm was still evaluating
    Backstealth.
    
    Backstealth is available from
    http://piorio.supereva.it/backstealth.htm
    
    Packet Storm's page on Backstealth is at
    http://packetstormsecurity.nl/filedesc/backstealth.zip.html
    
    
    
    


