Lurkers inc (Don't Call Me Doink) join:2001-10-13 Seattle, WA | reply to Randy Bell
Re: New Stealth Attack Found Against Personal Firewall
said by Randy Bell: said by Zhen-Xjell: Zone Alarm is not vulnerable.
Is that ZAP 3, or is ZA 2.6.362 also not vulnerable??
Looks like no Z/A products are vulnerable in this demonstration. It checks a list of firewalls and Zone Alarm is not on the list.
Paul,
jvmorris (I Am The Man Who Was Not There.) Premium, MVM join:2001-04-03 Reston, VA | said by Lurkers inc: ... Looks like no Z/A products are vulnerable in this demonstration. It checks a list of firewalls and Zone Alarm is not on the list. Paul,
Lemme make sure I understand you correctly. You're saying it doesn't raise havoc with ZA/ZAP because it doesn't even bother to check to see if they're installed. Is that correct? If so, that's rather interesting. -- Regards, Joseph V. Morris
MeeToo7 (You Too?) Premium join:2000-10-18 Ardmore, PA | said by jvmorris: Lemme make sure I understand you correctly. You're saying it doesn't raise havoc with ZA/ZAP because it doesn't even bother to check to see if they're installed. Is that correct? If so, that's rather interesting.
No, ZA is not affected because the author of Backstealth says it isn't vulnerable to the way the program works.
Quote from Newsbyte:
"The popular ZoneAlarm personal firewall is also not susceptible to the attack, according to Iorio.
Last November, security researchers published several techniques for evading some firewalls' guards against unauthorized leaks. Tools named TooLeaky and FireHole demonstrated how attack programs could piggy-back on applications with approved access to the Internet.
Iorio said Backstealth is unique because it does not commandeer a trusted program, but instead uses a Windows function called VirtualAlloc to inject itself into the firewall's memory space. "
Give another brownie point to ZA. I don't code, but I'd guess that the reason is because of ZA's vector technology. What do you people think? -- Find a cure! Join Team Helix, and find ET so he can help us find a cure, Join SETI
jvmorris (I Am The Man Who Was Not There.) Premium, MVM join:2001-04-03 Reston, VA | said by MeeToo: ... No, ZA is not affected because the author of Backstealth says it isn't vulnerable to the way the program works.
Yeah, got that part; my question is rather as to whether it's simply that BackStealth wasn't coded to work with the ZA/ZAP firewall. After all, last year, we did see some exploits that worked with ZA/ZAP; that required the requisite programming to work with their firewall architecture.
Consequently, the above statement begs the question as to whether it's not doable or simply "wasn't done" -- so far.
quote: Quote from Newsbyte: ... Last November, security researchers published several techniques for evading some firewalls' guards against unauthorized leaks. Tools named TooLeaky and FireHole demonstrated how attack programs could piggy-back on applications with approved access to the Internet.
What I find interesting in the above is the omission of any mention of those Leaktest programs that do work against ZA/ZAP.
quote: Iorio said Backstealth is unique because it does not commandeer a trusted program, but instead uses a Windows function called VirtualAlloc to inject itself into the firewall's memory space."
quote: Give another brownie point to ZA. I don't code, but I'd guess that the reason is because of ZA's vector technology. What do you people think?
The technique that appears to be utilized by BackStealth is rather different; indeed, it looks more like the 'DLL insertion' technique (that doesn't exactly 'commandeer' a program, either) that was first described about a year ago, if I recall correctly.
Just trying to get a coherent description of the situation here; that's all. -- Regards, Joseph V. Morris
MeeToo7 (You Too?) Premium join:2000-10-18 Ardmore, PA | said by jvmorris:
Just trying to get a coherent description of the situation here; that's all.
I understand, and you're raising a very good question. I'm poking around to find some answers. And I want to understand something about how TrueVector works, and how this VirtualAlloc function works. I'm digging on that too. -- Find a cure! Join Team Helix, and find ET so he can help us find a cure, Join SETI
jvmorris (I Am The Man Who Was Not There.) Premium, MVM join:2001-04-03 Reston, VA | Okay, that's cool with me; I'm up to my neck in alligators at the moment anyway.
Just let us know what you find, okay? -- Regards, Joseph V. Morris
MeeToo7 (You Too?) Premium join:2000-10-18 Ardmore, PA | reply to MeeToo7
Some answers to my own questions above:
What is TrueVector: Simply stated, TrueVector(tm) is patented technology by ZoneLabs; it is the main engine of ZoneAlarm. How this engine works, I couldn't find an answer, but since it's patented, ZoneLabs probably keeps it very secret.
What is VirtualAlloc: (from Microsoft's MSDN Library) This function reserves or commits a region of pages in the virtual address space of the calling process. Memory allocated by VirtualAlloc is automatically initialized to zero.
There is very little about Backstealth anywhere; only 3 sites came up: Iorio's website, Newsbyte and a download site recommended by Iorio. It seems Backstealth came out April 24, so it is too new to have much disseminated info by security experts.
The download has this description: Backstealth is a tool which bypasses outbound restrictions of personal firewalls by embedding a http client in a dll.
So my conclusion is: let the games begin! -- Find a cure! Join Team Helix, and find ET so he can help us find a cure, Join SETI
cosmicvoid (Infinity Or Bust) join:2001-01-02 Kingston, WA | said by MeeToo: What is TrueVector: Simply stated, TrueVector(tm) is patented technology by ZoneLabs, it is the main engine of ZoneAlarm. How this engine works, I couldn't find an answer, but since it's patented, ZoneLabs probably keeps it very secret.
Just a thought... patents are public information. You can look them up and read about it, although I'm guessing that the "principle" is patented, and the method of implementing the principle is probably not revealed. -- S@H: 2500 WUs and counting
IGGY (No Guru Just Here To Help) Premium, MVM join:2001-03-30 Chatham, IL | reply to jvmorris
The latest version of ZoneAlarm Pro does in fact fix previous "flaws". "The security in ZoneAlarm Pro 3.0 has been hardened further to protect against recently discovered security flaws including vulnerabilities with Microsoft® Windows® XP Universal Plug and Play (UPnP), the well-publicized 'Firehole' issue and email attachment vulnerabilities in Microsoft Outlook®." -- *IGGYZ* *TeamZ*
Odd. Whenever I try to download from the homepage, I just get redirected to the Italian page. Whenever I download from Packet Downloads, I get a corrupt archive. Anyone wanna help lil ole me out so I can test TT with it.
Feivel
Time Out ($) Premium join:2002-04-28 North Myrtle Beach, SC | Well, since you asked nice... you can try to download it here...
»packetstormsecurity.nl/filedesc/···zip.html
Backstealth is a tool which bypasses outbound restrictions of personal firewalls by embedding a http client in a dll. Bypasses Kerio Personal Firewall, McAfee Personal Firewall, Norton Internet Security 2002, Sygate Personal Firewall Pro, and Tiny Personal Firewall.
Or you could e-mail him and ask why you are having problems.
I think you will find that now that attention has been set by this group... he does not want the business..
piorio@yahoo.com
IGGY (No Guru Just Here To Help) Premium, MVM join:2001-03-30 Chatham, IL
The download here = »packetstormsecurity.nl/filedesc/···zip.html gives me a corrupt zip file. The main site »piorio.supereva.it/backstealth.htm?p gives me the same info as the previous user mentioned. I think the webhost may have pulled the file, or has a download limit set. So until I get a working copy of the software, I can't play with it. Using ZAP 3. I've also sent an email to ZoneLabs, so hopefully they will drop by, or at least add some info as to why ZoneAlarm (PRO) wouldn't be exploited by this. The Astalavista download has a good copy of it. So it looks like later today I will have to play. -- *IGGYZ* *TeamZ* [text was edited by author 2002-04-30 01:31:00]