A new technique for defeating personal firewall software has been discovered. But at least one firewall vendor said the trick poses little risk to computer users.
Symantec have said that it is an "interesting proof of concept," but poses no risk to users of Norton Internet Security, which includes Norton AntiVirus.
The program, named Backstealth, is a demonstration program that bypasses the outbound data filters in firewalls from Symantec, McAfee, and other firms.
According to Backstealth's author, Paolo Iorio, the program is designed to access a remote Web site and download a harmless text file without detection by the user's firewall.
Iorio said Backstealth's network connections are invisible to many firewalls because it operates in the same space in the computer's memory that is allocated to the firewalls.
The utility is able to defeat outbound blocking by Kerio Personal Firewall, McAfee Personal Firewall, Norton Internet Security 2002, Sygate Personal Firewall Pro, and Tiny Personal Firewall, according to Iorio.
Firewalls not affected by this vulnerability now include Tiny Software's Tiny Personal Firewall version 3, which was released last week and includes a new application "sandbox" feature. Additionally, the popular ZoneAlarm personal firewall is not susceptible to the attack, according to Iorio.
Last November, security researchers published several techniques for evading some firewalls' guards against unauthorized leaks. Tools named TooLeaky and FireHole demonstrated how attack programs could piggy-back on applications with approved access to the Internet.
Iorio said Backstealth is unique because it does not commandeer a trusted program, but instead uses a Windows function called VirtualAlloc to inject itself into the firewall's memory space.
"Hackers are always going to come out with new ways to get around firewalls. But they all rely on executing code on your system. And that means they can be detected by anti-virus software," if the programs perform malicious activity, said Symantec product manager Tom Powledge.
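A defender-side illustration of the behaviour Iorio describes, added here and not part of the original article or of Backstealth: it triages process-access telemetry for an untrusted process being granted the rights needed to allocate and write memory inside a firewall process. The field names follow Sysmon's ProcessAccess event (Event ID 10); the records, image paths and allowlist are constructed assumptions.

```python
# Added example: flag cross-process memory-write access to a firewall process.
# Field names follow Sysmon Event ID 10 (ProcessAccess); all data is constructed.

# Windows process access rights (winnt.h) that remote code injection relies on.
RIGHTS = {
    "PROCESS_CREATE_THREAD": 0x0002,
    "PROCESS_VM_OPERATION": 0x0008,  # allocate/protect memory in the target
    "PROCESS_VM_WRITE": 0x0020,      # write memory in the target
}
NEEDED = RIGHTS["PROCESS_VM_OPERATION"] | RIGHTS["PROCESS_VM_WRITE"]

# Hypothetical firewall process image and expected openers (assumptions).
PROTECTED = {r"c:\program files\examplefirewall\fwsvc.exe"}
ALLOWED_SOURCES = {r"c:\windows\system32\services.exe"}

def decode(mask):
    """Return the names of the injection-relevant rights present in mask."""
    return sorted(name for name, bit in RIGHTS.items() if mask & bit)

def suspicious(event):
    """Return a finding if the event grants write access into a protected process."""
    src = event["SourceImage"].lower()
    dst = event["TargetImage"].lower()
    mask = int(event["GrantedAccess"], 16)
    if dst not in PROTECTED or src == dst or src in ALLOWED_SOURCES:
        return None
    if mask & NEEDED != NEEDED:
        return None  # read-only or query-only handles are not enough to inject
    return {"source": event["SourceImage"], "rights": decode(mask)}

def triage(events):
    return [hit for hit in map(suspicious, events) if hit]

FW = r"C:\Program Files\ExampleFirewall\fwsvc.exe"
SAMPLE_EVENTS = [  # constructed records
    {"SourceImage": r"C:\Windows\System32\services.exe", "TargetImage": FW,
     "GrantedAccess": "0x1FFFFF"},   # allowlisted opener
    {"SourceImage": r"C:\Tools\procview.exe", "TargetImage": FW,
     "GrantedAccess": "0x1410"},     # query + read only
    {"SourceImage": r"C:\Users\demo\Downloads\unknown.exe", "TargetImage": FW,
     "GrantedAccess": "0x002A"},     # thread + VM operation + VM write
    {"SourceImage": r"C:\Users\demo\Downloads\unknown.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1FFFFF"},   # target is not the firewall
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```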
The first 28GHz auction, held in November 2000, saw only 16 of the 42 available licences taken up. A second auction of the remaining 26 licences has been running for some six months, and has failed to attract a single bid.
Despite this, the government is confident that a 3.4GHz auction would be a success. "We've already had a number of expressions of interest from the market," said a spokesman for the Department of Trade and Industry (DTI), who told ZDNet UK that the proposed auction was part of the government's commitment to promoting broadband in the UK.
"The 3.4GHz frequency band can be used to provide services for small and medium-sized businesses and high-end consumers at speeds similar to ADSL," the DTI spokesman said.
Similar comments were made by e-commerce minister Douglas Alexander last summer when he kicked off the second 28GHz auction. Alexander said that 28GHz would give small firms "fast, always-on access to the Internet and high capacity data transfer between offices and customers," and added that consumers would also benefit from being able to "access Internet services quickly and efficiently, with costs kept low." Telcos, though, do not appear to share Alexander's confidence.
It's unclear how much a 3.4GHz-based broadband service would cost, but to be commercially attractive it would have to be no more expensive than a satellite broadband service.
BT's satellite broadband package costs at least £60 ex. VAT per month, and also involves installation fees of at least £899 ex. VAT. A cheaper "one-way" satellite package is currently being trialled.
One company, Tele2, already offers wireless broadband services in a number of metropolitan areas of the UK, but while it plans to increase its presence, its services will remain confined to towns and cities.
Interested parties have until 30 May, 2002 to respond to the Radiocommunications Agency's plans.