Zhen-Xjell (Prolific Bunny; Premium, VIP, ExMod 2001-04; joined 2000-10-08; Bordentown, NJ) | New Stealth Attack Found Against Personal Firewall
A new technique for defeating personal firewall software has been discovered. But at least one firewall vendor said the trick poses little risk to computer users.
Backstealth is a tool which bypasses outbound restrictions of personal firewalls by embedding a http client in a dll. Bypasses Kerio Personal Firewall, McAfee Personal Firewall, Norton Internet Security 2002, Sygate Personal Firewall Pro, and Tiny Personal Firewall.
Zone Alarm is not vulnerable.
»piorio.supereva.it/backstealth.htm?p
»www.newsbytes.com/news/02/176213.html
-- Join a Distributed Computing Team at DSLR Today! Cure AIDS, Cancer, Diabetes, Alzheimer's and more!
SueN (Premium; joined 2000-08-22; Lost) | Thanks for the heads up Jeddy..... keep us posted if ya hear anything else!!!
Randy Bell | reply to Zhen-Xjell
said by Zhen-Xjell: Zone Alarm is not vulnerable.
Is that ZAP 3, or is ZA 2.6.362 also not vulnerable??
| reply to Zhen-Xjell
Does it use a technique similar to the one TooLeaky uses?
Hey3777 | reply to Zhen-Xjell
Re: New Stealth Attack Found Against Personal Firewall
I posted this a few days back. It can get around Zone Alarm as to my understanding. It got around my firewalls. But if you have a sandbox tool, you should be fine.
-- Hmm... They have the Internet on computers now ~ Homer Simpson
Zhen-Xjell (Prolific Bunny; Premium, VIP, ExMod 2001-04; joined 2000-10-08; Bordentown, NJ) | said by Hey3777: I posted this a few days back. It can get around Zone Alarm as to my understanding. It got around my firewalls. But if you have a sandbox tool, you should be fine.
I haven't tested it yet, but that contradicts what the author writes on his site. Also, I searched the forum on "stealth" and "backstealth" before I posted and found nothing. Subsequently, after your post here, I searched your profile for any posts you made in Security in the past 14 days and haven't found anything.
-- Join a Distributed Computing Team at DSLR Today! Cure AIDS, Cancer, Diabetes, Alzheimer's and more!
Hey3777 | reply to Zhen-Xjell
Hmmm... You're right, I can't find it. That's odd, I am sure I posted it. Maybe it was removed or something. Bah, who knows.
-- Hmm... They have the Internet on computers now ~ Homer Simpson
Lurkers inc (Don't Call Me Doink; joined 2001-10-13; Seattle, WA) | reply to Randy Bell
Re: New Stealth Attack Found Against Personal Firewall
said by Randy Bell: said by Zhen-Xjell: Zone Alarm is not vulnerable.
Is that ZAP 3, or is ZA 2.6.362 also not vulnerable??
Looks like no Z/A products are vulnerable in this demonstration. It checks a list of firewalls and Zone Alarm is not on the list.
Paul,
jvmorris (I Am The Man Who Was Not There.; Premium, MVM; joined 2001-04-03; Reston, VA) | said by Lurkers inc: ... Looks like no Z/A products are vulnerable in this demonstration. It checks a list of firewalls and Zone Alarm is not on the list. Paul,
Lemme make sure I understand you correctly. You're saying it doesn't raise havoc with ZA/ZAP because it doesn't even bother to check to see if they're installed. Is that correct? If so, that's rather interesting.
-- Regards, Joseph V. Morris
MeeToo7 (You Too?; Premium; joined 2000-10-18; Ardmore, PA) | said by jvmorris: Lemme make sure I understand you correctly. You're saying it doesn't raise havoc with ZA/ZAP because it doesn't even bother to check to see if they're installed. Is that correct? If so, that's rather interesting.
No, ZA is not affected because the author of Backstealth says it isn't vulnerable to the way the program works.
Quote from Newsbyte:
"The popular ZoneAlarm personal firewall is also not susceptible to the attack, according to Iorio.
Last November, security researchers published several techniques for evading some firewalls' guards against unauthorized leaks. Tools named TooLeaky and FireHole demonstrated how attack programs could piggy-back on applications with approved access to the Internet.
Iorio said Backstealth is unique because it does not commandeer a trusted program, but instead uses a Windows function called VirtualAlloc to inject itself into the firewall's memory space."
Give another brownie point to ZA. I don't code, but I'd guess that the reason is because of ZA's vector technology. What do you people think?
-- Find a cure! Join Team Helix, and find ET so he can help us find a cure, Join SETI
jvmorris (I Am The Man Who Was Not There.; Premium, MVM; joined 2001-04-03; Reston, VA) | said by MeeToo: . . . No, ZA is not affected because the author of Backstealth says it isn't vulnerable to the way the program works.
Yeah, got that part; my question is rather as to whether it's simply that BackStealth wasn't coded to work with the ZA/ZAP firewall. After all, last year, we did see some exploits that worked with ZA/ZAP; that required the requisite programming to work with their firewall architecture.
Consequently, the above statement begs the question as to whether it's not doable or simply "wasn't done" -- so far.
quote: Quote from Newsbyte: . . . . Last November, security researchers published several techniques for evading some firewalls' guards against unauthorized leaks. Tools named TooLeaky and FireHole demonstrated how attack programs could piggy-back on applications with approved access to the Internet.
What I find interesting in the above is the omission of any mention of those Leaktest programs that do work against ZA/ZAP.
quote: Iorio said Backstealth is unique because it does not commandeer a trusted program, but instead uses a Windows function called VirtualAlloc to inject itself into the firewall's memory space."
quote: Give another brownie point to ZA. I don't code, but I'd guess that the reason is because of ZA's vector technology. What do you people think?
The technique that appears to be utilized by BackStealth is rather different; indeed, it looks more like the 'DLL insertion' technique (that doesn't exactly 'commandeer' a program, either) that was first described about a year ago, if I recall correctly.
Just trying to get a coherent description of the situation here; that's all.
-- Regards, Joseph V. Morris
MeeToo7 (You Too?; Premium; joined 2000-10-18; Ardmore, PA) | said by jvmorris:
Just trying to get a coherent description of the situation here; that's all.
I understand, and you're raising a very good question. I'm poking around to find some answers. And I want to understand something about how TrueVector works, and how this VirtualAlloc function works. I'm digging on that too.
-- Find a cure! Join Team Helix, and find ET so he can help us find a cure, Join SETI
jvmorris (I Am The Man Who Was Not There.; Premium, MVM; joined 2001-04-03; Reston, VA) | Okay, that's cool with me; I'm up to my neck in alligators at the moment anyway.
Just let us know what you find, okay?
-- Regards, Joseph V. Morris
Kirby Smith | reply to Zhen-Xjell
I would be interested to know if TDS-3 would be able to find such an infection when TDS-3 rummages thru the memory after login.
kirby
gwion (wild colonial boy; Premium, ExMod 2001-08; joined 2000-12-28; Pittsburgh, PA; kudos: 1) | reply to Zhen-Xjell
My understanding of firehole was that it was very similar, except that it hooked and inserted itself in IE's space; from the sound of this, it would seem it's hooking and/or inserting itself in the firewall's space, so it becomes a standalone application layer exploit. That is, by commandeering the hook to IE, the Firehole exploit depends on IE being present, and a rule being active on the firewall to permit IE to send outbound packets to port 80. In effect, firehole "becomes" IE. It actually cons the real IE into asking for a connection, in a manner of speaking.
This would seem to impersonate or otherwise take over the firewall app, instead of one of its allowed apps. I can't say it surprises me, though, whatever it is and however it works. It's just the next logical step after firehole...
It's probably the single best way of calling attention to the inherent limitation of packet filtering firewalls... they run on the network layer, and they deal in network traffic... the enemy's figured out that the weak flank is the application layer. We need to take an offensive posture, here... abandon the purely reactive model and embrace a hybrid proactive/reactive model, using active behavior blocking and sandboxing techniques to augment conventional firewalling... or, at very least, firewalls have to be engineered to protect "themselves."
As regulars in Kerio-Tiny might already know, I'm skeptical about all in one firewall and system sandbox solutions. However, I don't think, on deep thought, it's inappropriate for us to ask that a firewall be able to sandbox "itself" ...
I already commented in the Kerio-Tiny forum, but I'll reiterate here, even if we aren't cracked, exploits like this undermine the integrity of our equipment and data. If a computer and its data isn't under our sole, exclusive control, it isn't "our" computer or data, anymore...
-- Adam was not alone in the Garden of Eden, however, and does not deserve all the credit; much is due to Eve, the first woman, and Satan, the first consultant. -Mark Twain, Notebook, 1867
MeeToo7 (You Too?; Premium; joined 2000-10-18; Ardmore, PA) | reply to MeeToo7
Some answers to my own questions above:
What is TrueVector: Simply stated, TrueVector(tm) is patented technology by ZoneLabs; it is the main engine of ZoneAlarm. How this engine works, I couldn't find an answer, but since it's patented, ZoneLabs probably keeps it very secret.
What is VirtualAlloc: (from Microsoft's MSDN Library) This function reserves or commits a region of pages in the virtual address space of the calling process. Memory allocated by VirtualAlloc is automatically initialized to zero.
There is very little about Backstealth anywhere; only 3 sites came up: Iorio's website, Newsbyte and a download site recommended by Iorio. It seems Backstealth came out April 24, so too new to have much disseminated info by security experts.
The download has this description: Backstealth is a tool which bypasses outbound restrictions of personal firewalls by embedding a http client in a dll.
So my conclusion is: let the games begin!
-- Find a cure! Join Team Helix, and find ET so he can help us find a cure, Join SETI
MeeToo7 (You Too?; Premium; joined 2000-10-18; Ardmore, PA) | reply to Kirby Smith
said by Kirby Smith: I would be interested to know if TDS-3 would be able to find such an infection when TDS-3 rummages thru the memory after login.
kirby
Excellent question! Is anyone brave enough to test this?
-- Find a cure! Join Team Helix, and find ET so he can help us find a cure, Join SETI
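The thread describes Backstealth as a DLL carrying its own HTTP client that uses VirtualAlloc to place itself inside the firewall's own process, and kirby asks whether a memory scanner such as TDS-3 would spot such an infection. As an added example, not part of this thread and not Backstealth's, TDS-3's or any firewall vendor's code, the Python below shows the check a scanner of that kind would make from the defender's side: list the modules loaded in the firewall process and flag any that live outside the firewall's own install directory and the Windows system directories. The sample listing is constructed (persfw.exe is the process name given later in the thread, but its install path, the user profile path and the DLL name bs.dll are made up); the Windows directory is assumed to be C:\WINDOWS; and the live enumeration only works on Windows, where it goes through the standard PSAPI functions.

```python
"""Flag modules loaded into a firewall process from outside its expected
directories.  Added example; all sample data below is constructed."""
import ntpath
import platform
import sys
from typing import Dict, Iterable, List

# System directories a Windows process may legitimately load code from.
# C:\WINDOWS is an assumption; substitute the real Windows directory.
DEFAULT_TRUSTED_ROOTS = [r"C:\WINDOWS\system32", r"C:\WINDOWS\system", r"C:\WINDOWS"]

# Constructed module listing for a Kerio/Tiny firewall process.  persfw.exe is
# the process name used in the thread; the install path, the user profile path
# and the foreign DLL name (bs.dll) are invented for this example.
SAMPLE_LISTING: Dict[str, List[str]] = {
    "persfw.exe": [
        r"C:\Program Files\Kerio\Personal Firewall\persfw.exe",
        r"C:\WINDOWS\system32\ntdll.dll",
        r"C:\WINDOWS\system32\KERNEL32.DLL",
        r"C:\WINDOWS\system32\wsock32.dll",
        r"C:\Documents and Settings\user\Desktop\bs.dll",
    ],
}


def _under(path: str, root: str) -> bool:
    """True if the Windows path `path` lies inside directory `root`
    (case-insensitive, separator-normalised, no prefix false positives)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root)).rstrip("\\") + "\\"
    return p.startswith(r)


def unexpected_modules(modules: Iterable[str],
                       trusted_roots: Iterable[str] = DEFAULT_TRUSTED_ROOTS) -> List[str]:
    """Return the modules loaded from outside the process's own install
    directory and the trusted system roots.  Module listings report the main
    executable first, so its directory is trusted automatically."""
    mods = list(modules)
    if not mods:
        return []
    roots = [ntpath.dirname(mods[0])] + list(trusted_roots)
    return [m for m in mods[1:] if not any(_under(m, r) for r in roots)]


def scan_listing(listing: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Apply the check to every process in a {process: [module paths]} map."""
    return {proc: unexpected_modules(paths) for proc, paths in listing.items()}


def list_process_modules(pid: int) -> List[str]:
    """Enumerate the modules of a live process through PSAPI (Windows only;
    returns [] on other platforms).  The first entry is the main executable."""
    if platform.system() != "Windows":
        return []
    import ctypes
    from ctypes import wintypes
    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
    kernel32, psapi = ctypes.windll.kernel32, ctypes.windll.psapi
    kernel32.OpenProcess.restype = wintypes.HANDLE
    kernel32.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
    psapi.EnumProcessModules.argtypes = [wintypes.HANDLE, ctypes.POINTER(wintypes.HMODULE),
                                         wintypes.DWORD, wintypes.LPDWORD]
    psapi.GetModuleFileNameExW.argtypes = [wintypes.HANDLE, wintypes.HMODULE,
                                           wintypes.LPWSTR, wintypes.DWORD]
    handle = kernel32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        return []
    try:
        handles = (wintypes.HMODULE * 1024)()
        needed = wintypes.DWORD()
        if not psapi.EnumProcessModules(handle, handles, ctypes.sizeof(handles), ctypes.byref(needed)):
            return []
        count = min(needed.value // ctypes.sizeof(wintypes.HMODULE), len(handles))
        buf = ctypes.create_unicode_buffer(wintypes.MAX_PATH)
        paths = []
        for h in handles[:count]:
            if psapi.GetModuleFileNameExW(handle, h, buf, wintypes.MAX_PATH):
                paths.append(buf.value)
        return paths
    finally:
        kernel32.CloseHandle(handle)


def main(argv: List[str]) -> int:
    """Scan the constructed listing, or a live PID if one is given (Windows)."""
    listing = SAMPLE_LISTING
    if len(argv) > 1:
        listing = {f"pid {argv[1]}": list_process_modules(int(argv[1]))}
    for proc, hits in scan_listing(listing).items():
        print(f"{proc}: " + ("suspect modules: " + ", ".join(hits) if hits else "clean"))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reports the constructed bs.dll as the only module of persfw.exe loaded from an unexpected location; run as `python scan.py <pid>` on Windows it applies the same check to a live process. The check is deliberately location-based rather than name-based: a DLL that arrived through VirtualAlloc-style insertion can carry any name, but it still has to be backed by a file somewhere the firewall itself would never load from, which is why the directory of the main executable and the system roots form the allow list.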
Vampirefo (Premium, MVM; joined 2000-12-11; Huntington, WV; kudos: 1) | reply to Zhen-Xjell
Interesting, easy to beat: rename persfw.exe to firewall.exe, go into services if using XP or W2K and disable persfw.exe, now add a shortcut to firewall.exe in the startup folder, reboot; after reboot firewall.exe will ask to connect, click deny and make a rule to deny it.
Now run the test. Backstealth will lie and say it connected, but it doesn't. Run a packet sniffer and you will see it doesn't connect. If you run a packet sniffer before doing this, Backstealth does indeed connect and downloads a text file, but it lies the second time after the modification is made.
-- TrojanHunter Stands For Privacy!!!!!!!
MeeToo7 (You Too?; Premium; joined 2000-10-18; Ardmore, PA) | Your go-around sounds impressive, but it's not explained clearly enough for a clueless person such as me.
How would you go about beating Backstealth with a stand-alone Win9x/ME machine?
jvmorris (I Am The Man Who Was Not There.; Premium, MVM; joined 2001-04-03; Reston, VA) | reply to Vampirefo
Vampirefo,
Thank you for that little tidbit. Didn't this same scam get run about six months ago? I forget which leaktest alternative it was, but I do distinctly recall something saying it had connected, when in fact it had done no such thing.
(I'm not running this stuff anymore, so for the moment, I'll just take your word on this one.)
-- Regards, Joseph V. Morris