

 


Keillor

@aol.com

reply to Zhen-Xjell

Re: New Stealth Attack Found Against Personal Firewall

Thanks Windmills,

I guess as long as people are writing 'programs' that are expecting certain parts of Windows to be present I'll probably be a bit safer than average, mainly because I don't have IE on my system.

Fastnslick4u

join:2002-04-25
San Bernardino, CA

reply to Zhen-Xjell
So hey, where can I download a test? I'm running Norton Internet Security 2002, am I OK?



gt7697c
Premium
join:2001-02-16
The Hive

Mentioned else where in the thread but here it is again (2 Locations):

»packetstormsecurity.nl/filedesc/···zip.html
»piorio.supereva.it/backstealth.htm?p

OK, make sure that NIS is not set to AutoConfigure rules without prompting you. Then make sure your Security settings are high. After you double-click the .exe, a few seconds after you select OK, NIS will prompt you to create a rule for IAMAPP.EXE to access the internet. Tell it to always block access. Now look over your system for "retrieve.dat." Make sure it is a zero-byte file, which, according to what I read of Gwion's post, means it didn't make a connection. Please see Gwion's post below for explanation.

Now what you could do is delete the rule you just created in NIS. Reboot the machine or log off and delete the "retrieve.dat" file. Then enable Auto Configure rules in NIS and adjust your settings to medium. This will test what the firewall does in its default configuration. You probably won't get a zero-byte file.

Please post both results.
--
Just my 2 bits.


[text was edited by author 2002-05-03 23:32:55]

[text was edited by author 2002-05-04 01:18:26]



gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1

reply to Zhen-Xjell
No. In Kerio it definitely operates by stopping DNS. There's an implicit rule in Kerio giving the firewall outbound access to remote port 80 on "any" remote host, and preventing it from logging itself. Not a great discovery. However, it can block DNS requests, which it alerts on. It stops the file from filling by not allowing the demo to resolve the URL. That's it. If you used an IP address, you could probably circumvent the rule entirely.

Alas, it's not even much of a bandaid. Looking at Steve's analysis, what we have is a classic application layer exploit. There's pretty much no single thing one can do to anticipate a hostile, wild version of this. The good side is that this is a rather tough thing for some script kiddie to pull off. Remember, Paolo's app is a demo. Blocking it is like aspirin for a cold. You can't anticipate how a wild version would be implemented. The only thing I could do that actually stopped it from running was run it in a user account instead of an admin account; there it doesn't have the required privileges to do what the app does, which Steve has done a great job of describing.

So, the answer is, there's no answer. We have a graphic demonstration of the fact that windows platforms are vulnerable right at the platform level. Not news. We also have a graphic demonstration of why application layer solutions are needed. While I don't see a cracker taking time to do this against home systems, I can see where it might be worth the trouble, aiming for a corporate system, or even as an ad/spyware trick.

In perspective, I think the threat level is currently fairly low. But the marginal observations this app has brought to our attention are interesting. Nothing's perfect, but we have to really think about how imperfect we're willing to accept. Packet filters like Kerio genuinely need to address the issue of a firewall trusting itself too much. That's unacceptable to me. Users need to know that a software firewall starts with a sound packet filter and a stark, tight implicit trust policy, fully disclosed to the user. Users also need to know that everything has limitations, and code is hard to perfect. They have to be conscious that there are multiple, discrete layers of protection involved in firewalling. A packet filter is the most familiar and pervasive feature in PC firewalls. That's what the primary expectation should be from that part.

Windows security permissioning and sandboxing are a separate layer in the security model. They provide the protection against rogue apps on the local system. Packet filters don't stand a chance if the threat can't be defined in the port and protocol terms they understand. They don't know a "hook" from a "handle." They aren't supposed to, because that's not network traffic at all. Tiny has the only software firewall, right now, that I'm aware of, that incorporates a functional, full-featured sandbox in a seemingly clear way, and the Trojan Trap works with any firewall. NT permissions are even more arcane, but at least the nominal effort of changing the ubiquitous "Everyone" entries in User Manager to "Authenticated Users", and surfing out of a user account instead of as admin, is a great idea, really...
--
Forget and forgive. This is not difficult, when properly understood. It means you are to forget inconvenient duties, and forgive yourself for forgetting. In time, by rigid practice and stern determination, it comes easy.- Mark Twain



gt7697c
Premium
join:2001-02-16
The Hive

Thanks Gwion, I am glad you corrected me. :)

I had only looked at your first post in the Kerio Tiny Forum, and hadn't had a chance to follow it or Steve's analysis of BackStealth.

I looked at Tiny and was confused as to whether it is still free for personal use. Is it????
--
Just my 2 bits.



jabbawest
Orbis Hirsutis
Premium
join:2001-11-06
Lavon, TX

reply to Zhen-Xjell
Sygate has released a new build for testing that is supposed to protect from this BackStealth type of attack. »Sygate 5.0 Pro Build 1116 Released for Testing!
In case anyone wants to try it.
--
Landscapes West | Proxomitron Web Filter



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by jabbawest:
Sygate has released a new build for testing that is supposed to protect from this BackStealth type of attack.
The latest Sygate is indeed immune to the simpler techniques used by BackStealth, and I'm a little stumped as to how they have prevented the CreateRemoteThread function necessary to do the work, but it's not clear they will ultimately win this battle. It's gonna be a long weekend.

Steve
--
Stephen J. Friedl • Security Consultant • Tustin, California USA • »www.unixwiz.net


gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
kudos:1

reply to Zhen-Xjell
2.x versions still are, but the current 3.0 is 39 dollars, though there's an evaluation... I would steer towards 3.0, myself. 2.0.15 is essentially an older version of Kerio, and had an app masquerade issue I'm not sure is patched. 3.0 is a two-layered, shared-GUI packet filter / Trojan Trap hybrid. Looks interesting, and I want to try it out soon on one of my machines, but they're SMPs, and I don't know how the status of the SMP incompatibility is going yet. I really wish they would work that out... I'm excited as all hell about a good sandbox, but I don't want to have a compatibility issue, either... and those are the machines I really want to protect, and work on often enough to be able to review the firewall combo for whatever my opinion's worth.

Anyway, glad you gave me a chance to explain that again. Yes, we're a lot clearer, now, on what we're dealing with, and we've made some interesting observations along the way. More to come. I intend to keep tinkering with this.
--
Forget and forgive. This is not difficult, when properly understood. It means you are to forget inconvenient duties, and forgive yourself for forgetting. In time, by rigid practice and stern determination, it comes easy.- Mark Twain



ukbubs

join:2002-04-17
UK

reply to paranoidxe

said by paranoidxe:
Humm well using Tiny Firewall 3.0 produced the results below:
looks like to me that the person that is looking to exploit the machine would need to know what firewall the person is running.

Paranoidxe:

Either BackStealth doesn't recognise TPF 3.0 (I don't think it 'sees' Outpost either), or you gave it a nice high security group to run in, in which case it ran into the sandbox and got nowhere........
--
If you're not confused yet, I'll carry on.........


Uzi2

@bezeqint.net

reply to gwion
I wonder if in principle it is possible to inject the code into the memory of another running process which is allowed by the firewall rather than to the firewall itself.
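Steve's remark that CreateRemoteThread is the call doing the work, and Uzi2's question about injecting into some other process the firewall already allows, point at the same host-side check: a thread created by CreateRemoteThread to run code written into a process starts at an address no loaded module covers, and that is visible from outside the process. The script below is an added example, not code from the thread or from any of the firewalls it names. It takes a process name (the default "iamapp" is the NIS process named earlier in the thread; any process with an outbound allow rule is an equally valid target), flags threads whose start address lies outside every loaded module, and, because a LoadLibrary-style injection starts its thread inside kernel32 and would pass that first check, also lists modules loaded from outside the Windows and Program Files trees. It assumes an elevated PowerShell of the same bitness as the target; the `Get-ModuleRanges`, `Get-SuspiciousThreads` and `Get-ForeignModules` function names are the example's own.

```powershell
# Added example, not code from the thread or from any firewall it names.
# Flags the footprint CreateRemoteThread leaves in a trusted process: a thread
# whose start address lies outside every module the process has loaded.
# A LoadLibrary-style injection starts its thread inside kernel32 and passes
# that check, so modules loaded from outside Windows / Program Files are
# listed as well.
# Assumptions: run elevated, from a PowerShell of the same bitness as the
# target. "iamapp" is only a default taken from the thread; any process that
# holds an outbound allow rule is a valid target for the same check.
param(
    [string]$ProcessName = "iamapp"
)

function Get-ModuleRanges {
    param([System.Diagnostics.Process]$Proc)
    # One record per loaded module with its [Start, End) virtual address range.
    foreach ($m in $Proc.Modules) {
        $base = $m.BaseAddress.ToInt64()
        [pscustomobject]@{
            Name  = $m.ModuleName
            Path  = $m.FileName
            Start = $base
            End   = $base + $m.ModuleMemorySize
        }
    }
}

function Get-SuspiciousThreads {
    param([System.Diagnostics.Process]$Proc)
    $ranges = @(Get-ModuleRanges -Proc $Proc)
    foreach ($t in $Proc.Threads) {
        $addr  = $t.StartAddress.ToInt64()
        $owner = $ranges | Where-Object { $addr -ge $_.Start -and $addr -lt $_.End } |
                 Select-Object -First 1
        if (-not $owner) {
            # No image covers the start address: the thread runs code that was
            # written into the process rather than mapped from a file.
            [pscustomobject]@{
                Pid          = $Proc.Id
                ThreadId     = $t.Id
                StartAddress = ('0x{0:X}' -f $addr)
            }
        }
    }
}

function Get-ForeignModules {
    param([System.Diagnostics.Process]$Proc)
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
                    Where-Object { $_ }
    Get-ModuleRanges -Proc $Proc | Where-Object {
        $path = $_.Path
        -not ($trustedRoots | Where-Object { $path -like "$_\*" })
    }
}

$targets = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
if ($targets.Count -eq 0) {
    Write-Host "No process named '$ProcessName' is running."
    exit 1
}

foreach ($p in $targets) {
    Write-Host "== $($p.ProcessName) (PID $($p.Id)) =="
    try {
        $bad = @(Get-SuspiciousThreads -Proc $p)
        if ($bad.Count -gt 0) {
            Write-Host "Threads starting outside any loaded module:"
            $bad | Format-Table -AutoSize | Out-String | Write-Host
        } else {
            Write-Host "All thread start addresses fall inside loaded modules."
        }
        $foreign = @(Get-ForeignModules -Proc $p)
        if ($foreign.Count -gt 0) {
            Write-Host "Modules loaded from outside Windows / Program Files:"
            $foreign | Select-Object Name, Path | Format-Table -AutoSize |
                Out-String | Write-Host
        }
    } catch {
        # Module and thread queries fail without access: not elevated, a
        # protected process, or a 32/64-bit mismatch between host and target.
        Write-Warning "Could not inspect PID $($p.Id): $($_.Exception.Message)"
    }
}
```

Two caveats follow directly from gwion's posts. The check needs the same access to the target that the injector needs, which is why running the demo from a plain user account stopped it: without rights over the firewall's process there is nothing to inject into, and without those rights this script cannot look either. And it is a point-in-time snapshot of one process, not a packet-filter rule; the "firewall trusts itself" problem is only fixed by the firewall not exempting its own process from its rules, which no amount of thread inspection substitutes for.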

page: 1 · 2 · 3 · 4 · 5 · 6

Sunday, 03-Jun 09:49:19 Terms of Use & Privacy | feedback | contact | Hosting by nac.net - DSL,Hosting & Co-lo
over 12.5 years online © 1999-2012 dslreports.com.