 R2R NotPremium,MVM join:2000-09-18 Long Beach, CA kudos:1 | reply to Steve
Re: Analysis of Backstealth technology Steve - is ZoneAlarm immune to this vulnerability -- or just immune to this demonstration of the vulnerability? I noticed that by your report backstealth.exe does NOT go looking for ZA -- so it was NEVER intended to test ZA. |
|
 Steve (I know your IP address) Consultant join:2001-03-10 Yorba Linda, CA kudos:5 | said by R2: is ZoneAlarm immune to this vulnerability -- or just immune to this demonstration of the vulnerability?
All I know is that the program doesn't check for it, and I thought I remember reading somewhere that the technique doesn't work for ZA (I can't find that reference now).
I don't run any of the personal firewalls so I can't test it out, nor do I know how a piece of software would defend itself against this in the general case.
Steve -- Stephen J. Friedl Security Consultant Tustin, California USA »www.unixwiz.net |
|
 R2R NotPremium,MVM join:2000-09-18 Long Beach, CA kudos:1 | One source of the reference was ZoneLabs, but I would like to have a third-party source verify this...
Clearly, testing "backstealth" on a system using ZoneAlarm is not going to be a useful endeavor. Thanks. |
|
 jvmorris (I Am The Man Who Was Not There.) Premium,MVM join:2001-04-03 Reston, VA | reply to Steve Steve,
If we've been reading the same comments, we've been seeing a bit of inductive reasoning. To wit:
Statements that Zone Alarm is not affected by BackStealth, which is then used to conclude that Zone Alarm is invulnerable to BackStealth.
All of which, of course, would be true by definition.
However, it continues to beg the question as to whether Zone Alarm can be exploited based on this vulnerability demonstrated by BackStealth.
I don't know one way or the other and I won't pretend that I do. What I would like to see is a definitive statement (one way or the other) as to whether ZA/ZAP (by version) on a particular OS is or is not vulnerable to the fundamental vulnerability upon which the BackStealth vulnerability demonstrator is based. I've been waiting for about 48 hours now, but still haven't seen any such definitive statement (again, one way or the other). -- Regards, Joseph V. Morris |
|
 R2R NotPremium,MVM join:2000-09-18 Long Beach, CA kudos:1 | I agree completely.
Which begs the next question -- did the creator of backstealth purposefully not attempt to test ZA?
Again, I also have no bloody idea, but I am interested only from a security standpoint. If ZA is vulnerable, but the vulnerability is not tested, Zonelabs will have no 'pressure' to 'fix' ZoneAlarm...
I would relish a definitive answer. |
|
 IGGY (No Guru Just Here To Help) Premium,MVM join:2001-03-30 Chatham, IL | reply to jvmorris I did my best to answer this question for you in this thread = »New Stealth Attack Found Against Personal Firewall, where you & others asked the same exact question. "I've sent an email to ZoneLabs on the subject. Waiting for a reply. Hopefully I'll have an answer soon. Speaking of. Just checked my email again. The official word from ZoneLabs on this = "We tested Backstealth ourselves to confirm that we successfully block it. Basically, it attempts to make a Telnet connection to 127.0.0.1 (the NIC, actually) without being recognized by the firewall. ZA and ZAP were designed to prevent just this sort of unauthorized connection." Hope that is of some help." -- *IGGYZ* *TeamZ* |
|

| "We tested Backstealth ourselves to confirm that we successfully block it. Basically, it attempts to make a Telnet connection to 127.0.0.1 (the NIC, actually) without being recognized by the firewall. ZA and ZAP were designed to prevent just this sort of unauthorized connection." Hope that is of some help."
Hmmm.... as Steve is showing in his initial post, there are five firewall entries backstealth searches for. While viewing the backstealth.exe file with Robin Keir's BinText 3.0 file text scanner, I notice only five also, and nowhere in the dll or exe does Zone Alarm get mentioned. Having said that, I find Zone Labs' response perhaps a little misleading, or PERHAPS I have no clue what I'm talking about and do not see any mention of ZA inside the files due to all the other gibberish.
Found inside backstealth.exe....
BACKSTEALTH Security Test
BACKSTEALTH 1.1 Security Test --- (C) 2002 Paolo Iorio
Search Sygate Personal Firewall Pro ...
#32770
Sygate Personal Firewall Pro
Sygate Personal Firewall Pro PRESENT!
Sygate Personal Firewall Pro not running
Search McAfee Personal Firewall ...
McAfee_FwClientClass
McAfee_FwClientClass
McAfee Personal Firewall PRESENT!
McAfee Personal Firewall not running
Search Tiny Personal Firewall ...
#32770
TinyPersonalFirewallMainWindow
Tiny Personal Firewall PRESENT!
Tiny Personal Firewall not running
Search Norton Internet Security 2002 ...
Symantec NAMApp Class
Norton Internet Security 2002 PRESENT!
Norton Internet Security 2002 not running
Search Kerio Personal Firewall ...
#32770
KerioPersonalFirewallMainWindow
Kerio Personal Firewall PRESENT!
Kerio Personal Firewall not running
DON'T CLOSE THIS WINDOW!
[text was edited by author 2002-05-02 18:17:15]
Note: all of the above JPGs were taken with ZAP 3.0 loaded.... everything has to ask for permission out, and nothing was ever asked of ZAP and no packets attempted to leave.
[text was edited by author 2002-05-02 18:50:14] |
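The check the post above describes (scan the binary for printable strings and see which firewall window classes or titles it searches for) is easy to reproduce. The following is an added example, not code from the thread or from BackStealth's author: a minimal BinText-style string extractor (narrow ASCII and wide UTF-16LE runs) that matches the extracted strings against the markers taken from the dump above. The ZoneAlarm markers and the sample "binary" are assumptions constructed for the demonstration; the sample is not the real backstealth.exe.

```python
import re
from typing import Dict, List

# Window class names / titles that the strings dump above shows BackStealth
# searching for. "#32770" is the generic Windows dialog class, so it is not a
# useful marker on its own. The ZoneAlarm entries are an ASSUMPTION: they are
# listed only to show that a product the binary never probes comes back
# negative, which is the point made in the thread.
FIREWALL_MARKERS: Dict[str, List[str]] = {
    "Sygate Personal Firewall Pro": ["Sygate Personal Firewall Pro"],
    "McAfee Personal Firewall": ["McAfee_FwClientClass"],
    "Tiny Personal Firewall": ["TinyPersonalFirewallMainWindow"],
    "Norton Internet Security 2002": ["Symantec NAMApp Class"],
    "Kerio Personal Firewall": ["KerioPersonalFirewallMainWindow"],
    "ZoneAlarm": ["ZoneAlarm", "Zone Labs", "ZoneLabs"],  # assumed markers
}

# Printable runs of at least four characters, narrow (ASCII) and wide
# (UTF-16LE), which is what a BinText-style scanner reports.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> List[str]:
    """Return printable strings found in a byte blob (ASCII first, then UTF-16LE)."""
    narrow = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    wide = [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(data)]
    return narrow + wide


def probed_firewalls(data: bytes) -> Dict[str, bool]:
    """Map each known firewall to whether any of its markers occur in the blob."""
    strings = extract_strings(data)
    return {
        product: any(marker in s for s in strings for marker in markers)
        for product, markers in FIREWALL_MARKERS.items()
    }


# Constructed stand-in for backstealth.exe: null-separated strings carrying the
# markers from the dump above. This is NOT the real file.
SAMPLE_BINARY = b"\x00\x00".join([
    b"MZ\x90\x00\x03",
    b"BACKSTEALTH 1.1 Security Test --- (C) 2002 Paolo Iorio",
    b"Search Sygate Personal Firewall Pro ...",
    b"#32770",
    b"Sygate Personal Firewall Pro",
    b"McAfee_FwClientClass",
    b"TinyPersonalFirewallMainWindow",
    "Symantec NAMApp Class".encode("utf-16le"),  # stored as a wide string
    b"KerioPersonalFirewallMainWindow",
    b"DON'T CLOSE THIS WINDOW!",
]) + b"\x00\x00"


if __name__ == "__main__":
    for product, probed in probed_firewalls(SAMPLE_BINARY).items():
        print(f"{product:32s} {'probed' if probed else 'not probed'}")
```

Running it against the constructed sample reports five products probed and ZoneAlarm not probed, which is exactly why a "ZoneAlarm passes BackStealth" result says nothing about ZoneAlarm: a product the binary never looks for cannot fail. Against a real file, an absent marker only shows the demonstrator does not target that product; it does not show the product resists the technique.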
|
 Steve (I know your IP address) Consultant join:2001-03-10 Yorba Linda, CA kudos:5 | I'm working on a reverse-engineered version of backstealth that we can use to test it on any other program we care to. May take a day or two, but we should be able to try it on ZA with only minor effort.
But I'm perfectly clear that it's not even remotely attempting to try ZoneAlarm on its own, and this is from looking at the disassembly and not just from the strings.
Steve -- Stephen J. Friedl Security Consultant Tustin, California USA »www.unixwiz.net |
|
 jvmorris (I Am The Man Who Was Not There.) Premium,MVM join:2001-04-03 Reston, VA | reply to IGGY Iggy,
I appreciated your post. I think what I'm apparently not doing a very good job of explaining is that (while what Zonelabs is saying may well be technically true) it doesn't answer the question I'm asking here (or there, for that matter).
If BackStealth doesn't even attempt to exploit Zone Alarm, well then, rather obviously "...we successfully block it ...".
Steve's analysis is quite specific: Zone Alarm products are not even being probed by the BackStealth vulnerability demonstrator. Under these circumstances, of course they pass!
My concern (and it was better expressed by R2), is that I can't tell if Zone Alarm is susceptible to this vulnerability until it's expressly (and adequately) challenged by an exploit demonstrator similar to BackStealth. That ZoneLabs quotation above rather skillfully fails to answer my question. -- Regards, Joseph V. Morris |
|
 jvmorris (I Am The Man Who Was Not There.) Premium,MVM join:2001-04-03 Reston, VA | reply to Steve Steve,
Thank you. I didn't want to make you feel obligated to try this yourself, but I do appreciate your efforts. Indeed, it sounds like you may well be on the way to producing a more authentic vulnerability demonstrator. (But I'm still not gonna run it myself! ) -- Regards, Joseph V. Morris |
|
 IGGY (No Guru Just Here To Help) Premium,MVM join:2001-03-30 Chatham, IL
| reply to jvmorris I've fired off another email with a link to this thread. Maybe ZoneLabs will offer some more technical reasoning to support the information I've previously provided. My personal thought is that maybe the author of the "proof of concept" was aware that the concept wouldn't work for ZAP, so they didn't code to try & exploit the software. The author fully stated on their site that the software wouldn't work with ZoneLabs products. Or maybe the author couldn't code to exploit the software. Also, wasn't it stated that this "proof of concept" was similar in nature to FireHole? ZAP 3 is no longer susceptible to this, so that could be another reason this new "proof of concept" won't in fact work with the ZAP product. Just thinking out loud; some or none of this may in fact have merit. "The security in ZoneAlarm Pro 3.0 has been hardened further to protect against recently discovered security flaws including vulnerabilities with Microsoft® Windows® XP Universal Plug and Play (UpnP), the well-publicized 'Firehole' issue and email attachment vulnerabilities in Microsoft Outlook®."
-- *IGGYZ* *TeamZ* [text was edited by author 2002-05-02 20:40:35]
|
 R2R NotPremium,MVM join:2000-09-18 Long Beach, CA kudos:1
| IGGY - I agree with your assessment -- I just don't know and I am therefore skeptical.
I was hoping there would be a source other than the program's author and other than ZoneLabs that could state conclusively that ZA is not vulnerable.
Let us assume that ZAP 3.0 is patched and fixed. There are a lot of users who use ZA (free) and ZAP 2.6 -- and it would be nice to test these as well. But since the program specifically does not try to test them, I have to wonder why. Just having ZoneLabs say that ZA is "safe" is simply not that satisfying of an answer...
[text was edited by author 2002-05-02 20:52:38] |
|
 IGGY (No Guru Just Here To Help) Premium,MVM join:2001-03-30 Chatham, IL | I agree with your points, and it is nice to have double (or even triple) confirmation. Your point about ZoneAlarm (free version) is another good point to consider. If ZoneLabs is willing to provide more info, this may answer some of these questions more fully. I, for one, am glad to see a "debate" on the subject, if just for the fact that it increases the learning experience for some of us. -- *IGGYZ* *TeamZ* |
|
 IGGY (No Guru Just Here To Help) Premium,MVM join:2001-03-30 Chatham, IL
| Further reply from Zonelabs = "Backstealth is not a complicated program and there actually isn't much else I can say about it. Sorry! We block it because we block untrusted communication with the NIC." And I have tested this on ZAP 3, and I clearly posted my results in another thread. If for some reason the way I tested isn't up to standard, or someone has other ways to test, I'd be more than happy to do so. But from my testing, the software engineers at ZoneLabs are correct: this proof of concept is a dud. I've tested this on ZAP 3; I've not tested this on ZA Free, but have sent an email reply to Corey asking for confirmation that all current versions of ZoneLabs products are immune to this. -- *IGGYZ* *TeamZ* [text was edited by author 2002-05-04 01:41:27] |
|
 Steve (I know your IP address) Consultant join:2001-03-10 Yorba Linda, CA kudos:5 | said by IGGY: Further reply from Zonelabs = "Backstealth is not a complicated program and there actually isn't much else I can say about it. Sorry! We block it because we block untrusted communication with the NIC."
It's not clear that ZoneAlarm is entirely immune from this (still researching), but I'll ask this question of the group: if most of you saw a popup from ZoneAlarm saying that the firewall itself wanted to talk to the internet, would you allow it?
Steve (yes, this is a hint) -- Stephen J. Friedl Security Consultant Tustin, California USA »www.unixwiz.net |
|
 IGGY (No Guru Just Here To Help) Premium,MVM join:2001-03-30 Chatham, IL
| Considering I have mine set for manual update, I would definitely not allow the firewall to connect, and would do further investigation as to why it wants to connect. As you & others have stated, the whole point of this is to be aware of what is on your machine and what you have downloaded. If you don't run this exe, there isn't a chance of your pc being compromised. But couldn't someone create an automated exploit, similar to the behavior of, say, Klez? I'm thinking out loud again; my point may not be valid. But it seems that we're seeing newer exploits where the user doesn't have to do much for the exploit to in fact run & cause harm. -- *IGGYZ* *TeamZ* [text was edited by author 2002-05-04 01:50:50] |
|
 CrazyM Premium join:2001-05-16 BC Canada | reply to Steve said by Steve: It's not clear that ZoneAlarm is entirely immune from this (still researching), but I'll ask this question of the group: if most of you saw a popup from ZoneAlarm saying that the firewall itself wanted to talk to the internet, would you allow it?
For those firewalls that use the same .exe to perform any live update function (something that would be considered a normal function of that .exe), it would definitely add to the likelihood of someone allowing it. Either by already having an allow rule, or permitting it that one time if they assumed it was just checking for updates.
CrazyM |
|
 KING53 join:2002-01-31 Norcross, GA | A few things here...
1. ZA is coming up as immune because it isn't in the code to look for it, so of course the exploit won't work.
That said.... Iggy or anyone else believing ZA immune (ZAP too): are you testing with a modified backstealth by Steve which will look for ZA/ZAP? If not, then you are just getting false results. If the code doesn't know ZA exists (which is really why it is passing), then of course it won't penetrate ZA. When testing your security programs you have to make sure your control environment is proper so as not to just get false results, which will create a false sense of security, which is worse than running no security programs at all IMHO.
Why ZA/ZAP is not in the code still puzzles me. Look how quickly Steve picked this simple code apart. To me, the author intentionally left certain firewalls out. So what if ZA/ZAP is immune? What is the harm in putting it in the code anyway so everyone can see it is immune for themselves?
2. In response to how this thing can be handled because ANY program in the OS can be targeted by this exploit....
I like the way Sygate works. Many down DLL authentication and the general way Sygate operates. Guess it is just too thorough and too much information for some people. DLL authentication isn't perfected yet, but AFAIK if Backstealth didn't target smc.exe then it would still be stopped by Sygate. Sygate uses MD5 and every other type of security measure to ensure program and connection integrity. Hopefully they can perfect these techniques to be extremely hard to exploit.
3. So Steve, would you make a Backstealth and put IE, ZA, ZAP in it? This would not only test ZA/ZAP but also lead into my next point and teach people a lesson....
4. NEVER ALLOW ANY PROGRAM, NEVER TRUST ANY PROGRAM! I'm sure most follow this already, but I know much more are lazy so they just allow IE or their email client or whatever full access. If your firewall can't be tightened down to only allow a program client or server access, ICMP or not, restrict it to IP's, restrict ports and protocols, then it is lacking in security. Just allowing or blocking programs is obsolete...we have to be able to control what they do once they are out to the net and back in to our systems now. This should be a standard for ALL firewalls.
5. Auto updates = security hole, sad but true. Manual is the way to go. Automate nothing, if you are compromised and are otherwise improperly secured inbound and outbound then something can ride your automated updates in and out. This goes again to restricting programs to only the ports, protocols, and IP they need.
It is unreasonable to restrict your browser by IP's, putting them in one at a time, so make sure you never allow them full access; since EVERYONE has a browser, 90% using IE, which is the most insecure program on earth, the bad guys have an easy time just by targeting M$ products. Last point...
6. System security can be strengthened just by not using M$ products. Sure, you are stuck with the OS; tweak it to make it work for you and not the other way around.
- Get rid of OE/OL, M$ Office and M$ anything else; there are alternatives, most of them free.
- Don't use IE! You would be surprised how many exploits are IE specific. So what do I do? IE on my system can't act as server or client, and when I do use it, I like the sport and dport with the only IP I go to, windowsupdate, since Opera can't do that thanks to RadioactiveX.
These are just some of my opinions...sorry for being so lengthy just a lot to comment on around here. Hopefully some of this babble makes sense to someone... -- Soy el reyModerator@»www.morelerbe.com/cgi-bin/ubb-cg···tebb.cgi »yahoo- sucks.hypermart.net/cg...s/ikonboard.cgihttp://forums.sygatetech.com |
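KING53's point 2 above is that the firewall must verify the code running inside an authorized application, not just the application's name, because any trusted process can be made to carry traffic for an attacker. The following is an added illustration of that kind of component check, written for this page; it is not Sygate's code and makes no claim about how Sygate's DLL authentication is implemented. It records a hash of every module a trusted application is allowed to load, then re-checks the loaded set and flags anything unknown or altered. The file names, contents and the temporary directory are constructed for the demonstration. It uses SHA-256 rather than the MD5 the post mentions, because MD5 collisions are practical and an allowlist keyed on MD5 can be defeated by a crafted module.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple


def file_digest(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large modules are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(trusted_modules: Iterable[str]) -> Dict[str, str]:
    """Record the hash of every module the trusted application may load.
    Keyed on the lower-cased base name, since that is what shows up in a
    module list; the value is the hash that must match at check time."""
    return {os.path.basename(p).lower(): file_digest(p) for p in trusted_modules}


def verify_modules(loaded_modules: Iterable[str],
                   manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (module, reason) for each loaded module that is not in the
    manifest or whose on-disk content no longer matches the recorded hash.
    An empty list means the process is running only what was approved."""
    findings: List[Tuple[str, str]] = []
    for path in loaded_modules:
        name = os.path.basename(path).lower()
        if name not in manifest:
            findings.append((name, "unknown module"))
        elif file_digest(path) != manifest[name]:
            findings.append((name, "hash mismatch"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario (assumed names and contents): a firewall executable
    with two trusted DLLs is approved; then one DLL is replaced on disk and an
    extra, unlisted DLL appears in the process's module list."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "fw.exe": b"firewall executable",
            "ui.dll": b"ui code",
            "net.dll": b"net code",
        }
        paths: Dict[str, str] = {}
        for name, content in files.items():
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(content)
        manifest = build_manifest(paths.values())

        # Tamper: swap net.dll for a modified copy, and add injected.dll.
        with open(paths["net.dll"], "wb") as f:
            f.write(b"net code with an extra export that phones home")
        injected = os.path.join(d, "injected.dll")
        with open(injected, "wb") as f:
            f.write(b"not on the allowlist")

        return verify_modules(list(paths.values()) + [injected], manifest)


if __name__ == "__main__":
    for module, reason in demo():
        print(f"BLOCK {module}: {reason}")
```

Two caveats a practitioner should keep in mind. First, the check only proves what is on disk matches what was approved; code written straight into a trusted process's memory never touches a file, so a module-hash check alone does not see it, and the popup question Steve raises above (the firewall itself asking to go out) is the user-facing symptom of exactly that case. Second, the manifest is only as trustworthy as the moment it was built: approving the modules of an application that is already compromised approves the compromise.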
|
 | reply to Steve quote: It's not clear that ZoneAlarm is entirely immune from this
It is very clear for at least one user of ZAP 3.0, as posted earlier here, that Zone Labs is mentioned neither in the string values nor in the disassembly. |
|
 KING53 join:2002-01-31 Norcross, GA | said by OzarkMan: quote: It's not clear that ZoneAlarm is entirely immune from this
It is very clear for at least one user of ZAP 3.0, as posted earlier here, that Zone Labs is mentioned neither in the string values nor in the disassembly.
Exactly,
It is like having a test on which sneaker is most durable but not including Nike sneakers in the test. When asked, Nike replies that "our sneakers aren't vulnerable to wearing down due to our recent feature X which will stop this." Take their word for it if you will; it just sounds like blah blah to me. I need someone who speaks English to verify in order for me to believe. ZoneLabs speaks $$, the international language of the commercial world.
Food for thought: If your sneaker was invulnerable to wearing down or in this case your firewall invulnerable to an exploit, what reason would you have for not providing proof of this? Wouldn't that be a good thing to show your users, or should they take your word for it? -- Soy el rey...Moderator@ »www.morelerbe.com/cgi-bin/ubb-cg···tebb.cgi »yahoo-sucks.hypermart.net/cgi-bi···tech.com |
|