[prev in list] [next in list] [prev in thread] [next in thread] 

List:       isn
Subject:    [ISN] New Stealth Attack Found Against Personal Firewalls
From:       InfoSec News <isn () c4i ! org>
Date:       2002-04-30 9:03:15
[Download RAW message or body]

http://www.newsbytes.com/news/02/176213.html

By Brian McWilliams, Newsbytes
FLORENCE, ITALY,
29 Apr 2002, 2:41 PM CST
 
A new technique for defeating personal firewall software has been
discovered. But at least one firewall vendor said the trick poses
little risk to computer users.

Backstealth, a demonstration program that bypasses the outbound data
filters in firewalls from Symantec, McAfee, and other firms, was
posted last week to Packetstorm, a popular security tools site.
 
According to Backstealth's author, Paolo Iorio, the program is
designed to access a remote Web site and download a harmless text file
without detection by the user's firewall.

Iorio said Backstealth's network connections are invisible to many
firewalls because it operates in the same space in the computer's
memory that is allocated to the firewalls.

The utility is able to defeat outbound blocking by Kerio Personal
Firewall, McAfee Personal Firewall, Norton Internet Security 2002,
Sygate Personal Firewall Pro, and Tiny Personal Firewall, according to
Iorio.

A representative of Tiny Software said Tiny Personal Firewall version
3, which was released last week and includes a new application
"sandbox" feature, is not vulnerable to programs such as Backstealth.

The popular ZoneAlarm personal firewall is also not susceptible to the
attack, according to Iorio.

Last November, security researchers published several techniques for
evading some firewalls' guards against unauthorized leaks. Tools named
TooLeaky and FireHole demonstrated how attack programs could
piggy-back on applications with approved access to the Internet.

Iorio said Backstealth is unique because it does not commandeer a
trusted program, but instead uses a Windows function called
VirtualAlloc to inject itself into the firewall's memory space.

According to Symantec product manager Tom Powledge, Backstealth is an
"interesting proof of concept," but poses no risk to users of Norton
Internet Security, which includes Norton AntiVirus.

"Hackers are always going to come out with new ways to get around
firewalls. But they all rely on executing code on your system. And
that means they can be detected by anti-virus software," if the
programs perform malicious activity, said Powledge.

A representative of ICSA Labs, which last year certified four of the
vulnerable products, said the testing firm was still evaluating
Backstealth.

Backstealth is available from
http://piorio.supereva.it/backstealth.htm

Packet Storm's page on Backstealth is at
http://packetstormsecurity.nl/filedesc/backstealth.zip.html



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.
[prev in list] [next in list] [prev in thread] [next in thread]