New Stealth Attack Against Personal Firewalls
Most common personal firewalls affected
Written by Karl Bode

A new stealth technique for defeating outbound traffic protection in many personal firewall applications has been discovered. Dubbed "Backstealth" the tool essentially exists as a proof of concept and currently is considered low risk, but has the ability to penetrate personal firewalls from several major league manufacturers.

According to the tool's author, Paolo Iorio, The exploit has the capability to defeat outbound blocking by Sygate Personal Firewall Pro, McAfee Personal Firewall, Norton Internet Security 2002, Kerio Personal Firewall, and Tiny Personal Firewall, with Zone Alarm unaffected. The proof of concept version simply connects to a remote web site and downloads a meaningless text file without detection, though the concept could be modified for more malicious purposes.

Unlike many firewall-bypassing tools that simply hijack a "trusted" application to gain access to the outside world, Iorio's tool hijacks the firewall application itself to do this. The BACKSTEALTH.EXE application searches the system for a firewall process, allocates a chunk of memory in that process, loads a small bit of "bootstrap" code, and remotely launches a worker thread.

The firewall application is entirely unaware that all of this is going on right under its nose, so when the worker thread starts to talk to the Internet, the firewall assumes that itself is trusted and gives it a pass. The included BACKDLL.DLL is simply a sample bit of code that fetches a single text file, but it could do most anything. The proof of concept code is in the EXE, not the DLL.

You can find an outstanding and detailed analysis of the Backstealth technology by security consultant Steve Friedl in our forums, as well as ideas on how to protect yourself if you are a Kerio user. Additional discussion can of course be found in our security forum. It should be noted that like most malicious (or potentially malicious) code, its success relies on having code run on the affected pc to begin the ball rolling. Common sense and safe computing practices should be your first line of defense.

-- Read it with links at [url]*7***[/url]