http://www.newsbytes.com/news/02/176213.html

By Brian McWilliams, Newsbytes
FLORENCE, ITALY, 29 Apr 2002, 2:41 PM CST

A new technique for defeating personal firewall software has been discovered. But at least one firewall vendor said the trick poses little risk to computer users.

Backstealth, a demonstration program that bypasses the outbound data filters in firewalls from Symantec, McAfee, and other firms, was posted last week to Packetstorm, a popular security tools site.

According to Backstealth's author, Paolo Iorio, the program is designed to access a remote Web site and download a harmless text file without detection by the user's firewall.

Iorio said Backstealth's network connections are invisible to many firewalls because it operates in the same space in the computer's memory that is allocated to the firewalls.

The utility is able to defeat outbound blocking by Kerio Personal Firewall, McAfee Personal Firewall, Norton Internet Security 2002, Sygate Personal Firewall Pro, and Tiny Personal Firewall, according to Iorio.

A representative of Tiny Software said Tiny Personal Firewall version 3, which was released last week and includes a new application "sandbox" feature, is not vulnerable to programs such as Backstealth.

The popular ZoneAlarm personal firewall is also not susceptible to the attack, according to Iorio.

Last November, security researchers published several techniques for evading some firewalls' guards against unauthorized leaks. Tools named TooLeaky and FireHole demonstrated how attack programs could piggy-back on applications with approved access to the Internet.

Iorio said Backstealth is unique because it does not commandeer a trusted program, but instead uses a Windows function called VirtualAlloc to inject itself into the firewall's memory space.

According to Symantec product manager Tom Powledge, Backstealth is an "interesting proof of concept," but poses no risk to users of Norton Internet Security, which includes Norton AntiVirus.

"Hackers are always going to come out with new ways to get around firewalls. But they all rely on executing code on your system. And that means they can be detected by anti-virus software," if the programs perform malicious activity, said Powledge.

A representative of ICSA Labs, which last year certified four of the vulnerable products, said the testing firm was still evaluating Backstealth.

Backstealth is available from http://piorio.supereva.it/backstealth.htm

Packet Storm's page on Backstealth is at http://packetstormsecurity.nl/filedesc/backstealth.zip.html