Broadband Tech > Security > Security > New Stealth Attack Found Against Personal Firewall

reply to gt7697c

Re: New Stealth Attack Found Against Personal Firewall

Jv, and others no need to worry about my system. I have GoBack alive and well. And have already reverted my main hard drive back to before I did any of this. Then I deleted the file on my other hard drive.

I may test it again this time with no connection to the internet, very easy to do on Win 2k and see what happens.

If I do test it again what programs do y'all recommend for me to download to watch what happens???? (Freeware please, and only programs that work with Win 2k.;))
--
Just my 2 bits.

reply to Zhen-Xjell

KERIO USERS: Please read!

Gwion,

Oh, that was worth a big wet one! Unfortunately, the dog just got through eating and has since been doing something else, so I think you'll probably pass.
--
Regards, Joseph V. Morris

reply to Zhen-Xjell

Re: New Stealth Attack Found Against Personal Firewall

reply to gwion

Re: KERIO USERS: Please read!

said by gwion:

---

Naturally, I guess this precludes using update notification, though I guess you could still resolve DNS, if you like, by putting it below your DNS rule(s)...

---

reply to gwion

Re: New Stealth Attack Found Against Personal Firewall

reply to Zhen-Xjell

reply to Vampirefo
If you guys would get a REAL firewall, you would not have to fool around with Italian Utilites to call out.

How to Manually Open Ports in Internet Connection Firewall in Windows XP (Q308127)
SUMMARY
This article contains the steps to manually open ports in Internet Connection Firewall (ICF) in Windows XP.

MORE INFORMATION
Programs may potentially require ports to be manually opened so that they function properly when ICF is in use either on the local computer or on the gateway computer. You may have to use this procedure if there is a service that is running on a computer that has ICF enabled that you want to make available to users on the Internet.

»support.microsoft.com/default.as···;Q308127

___________________________________________________________

Programs Require Manual Port Configurations with Internet Connection Firewall (Q307554)
This article lists some programs that require you to manually open ports so that the programs can work correctly. To work correctly, some programs need to have specific ports open so that traffic can pass through the Internet Connection Firewall.

»support.microsoft.com/default.as···;Q307554

___________________________________________________________

Identity of this poster has been "stealthed" to prevent any dog from licking his face or "passing" anything without opening up all the Windows in this place no matter what M$ OS of your choosing.

reply to Zhen-Xjell
I use a real firewall, on my host Look N Stop, I use TPF and kerio on my client for outbound protection mainly, also I have System Safety Monitor which catches everything. It caught this exploit as well, but I chose to let the exploit run and test it to see if XP or MS was as fault, and it's not the firewall is 100% to blame.

This hole is opened, and would have gone unnoticed without this exploit, so I did enjoy the exploit. One can learn a lot from these type of test.
--
TrojanHunter Stands For Privacy!!!!!!!

reply to Zhen-Xjell

reply to Vampirefo
"This hole is opened, and would have gone unnoticed without this exploit, so I did enjoy the exploit. One can learn a lot from these type of test."

I enjoy them also.

But the first rule in Security is an exploit does not exist unless you allow it in the first place.

The second rule is if you allow everything and know how to "contain it" an exploit does not exist.

I you can not obey the first rule and the second is your only alternative make sure you contain it off your system and away from the software.

reply to jvmorris
Jv, I have tested this .exe again. It is is a rip off. I disabled my connection and it still said it had successfully penetrated my firewall and made a connection.

How could it do this with my Network Card Disabled???? Which means nothing is getting out of my computer or in to my computer. (Love Win 2k for this little feature.:))

I also tested Gwion's rule which is the same for NIS 2002, NIS 2002 as I have already verified prompts you to create a rule for it to access the Internet. (The .exe is different, but the rest is the same.) Now if you don't have it set to prompt you for a rule creation then....it of course would configure allowed access to the net. However, for anyone who posts here in this forum that would be a no no, so as long as you have it set to prompt you for creation you control what your firewall does.

After reading Gwion's follow up in the Kerio/Tiny forum, I found the retrieve .dat file. Sure enough it was a zero byte file. Which means no connection was made.

I have to agree with what has been said about these little programs to breach your firewall. It seems to me that they are only intended for the shock factor and that is all.
--
Just my 2 bits.

said by gt7697c:

---

I also tested Gwion's rule which is the same for NIS 2002, NIS 2002 as I have already verified prompts you to create a rule for it to access the Internet. (The .exe is different, but the rest is the same.) Now if you don't have it set to prompt you for a rule creation then....it of course would configure allowed access to the net. However, for anyone who posts here in this forum that would be a no no, so as long as you have it set to prompt you for creation you control what your firewall does.

---

reply to Zhen-Xjell
Backstealth does indeed connect, he just didn't spend a lot of time refining the code.

I ran the test after examining the code in a hex editor. There is a single http call. I changed the name of the test file to be downloaded and ran backstealth. The contents of an html file were written to received.dat. It was a 404 error document meaning the connection was made but the file could not be found. This was expected. Then I added "www.pc-facile.com" to my hosts file and gave it the address of localhost (127.0.0.1). I then ran backstealth again, knowing that eDexter (an ad blocker) would respond to the HTTP GET by serving up a small transparent gif. After this received.dat contained

HTTP/1.0 200 Okay
Content-type: image/gif

GIF89a...

So yes it most certainly is connecting. As stated before it is merely a proof of concept and the author simply didn't see the need to provide much in the way of error handling which is why it claims to connect even when you were physically disconnected.
[text was edited by author 2002-05-01 02:26:43]

reply to Zhen-Xjell
Our freinds at Wilders have some thought on this also.

»www.security-pro.co.uk/yabb/YaBB···20116524

reply to Zhen-Xjell
I'd like to ask a question if I may, these exploits that you are talking about, are they purely designed to exploit IE security weaknesses?

The reason that I ask is because I use Sygate PF on Windows98 Lite and many of these programs do not work, even the ones that are supposed to be able to penetrate Sygate PF.

A lot of them don't even install to my system because they seem to be looking for .dll's that aren't there (presumably relating to IE).

Keillor,

Well, technically, it might be better to refer to these utilities (being charitable here) as "vulnerability demonstrators" rather than "exploits". In very simple terms, many of these 'piggyback' on top of another application.

For purposes, of demonstration, a browser (and particularly Internet Explorer) is a logical choice -- after all, anybody who cares about this issue is likely to have some browser installed on their system!

BackStealth did something a little bit unusual; it 'piggybacked' on top of a software firewall (well, at least tried to) obtainable from one of several vendors. Not a bad idea, if one is attempting to demonstrate a potential vulnerability in the software firewall itself.

However, a real exploit relying on one of these vulnerabilities is in no way necessarily restricted to a browser or a software firewall. Browsers and firewalls are simply convenient for demonstration purposes.

We seem to have an implicit presumption that an exploit is going to go for some sort of 'mass kill'. This is not necessarily what's going to happen. Indeed, there's a potential advantage to doing the 'piggybacking' on top of some rarer (but not exactly obscure) Internet-enabled application. That has a tendency to make it a bit more difficult to diagnose.

Does that help at all?
--
Regards, Joseph V. Morris

Member looking to condense this thread.

Yes, John, I'm aware of Markus' thread, which I think is an excellent idea.

Unfortunately, neither Keillor's query nor my response is directly relevant to Markus' plea. In those circumstances, it seemed more appropriate (at least to me) to maintain the response in the current thread.

As I've said before, I won't test this app. And the more gwion writes about it in the Tiny-Kerio Forum, the less inclined I am to do so. Apparently, hpguru's also picking at it now.

GT says it really doesn't work with NIS/NPF (at least if set to High Security, but it says it does). On the other hand, a couple of my contacts at Symantec indicate that there is some problem, but they certainly haven't told me any details (at least not to date).

I dunno; I'm a spectator on this one. All I can do is ask questions that do not yet appear to have been addressed.
--
Regards, Joseph V. Morris