New Stealth Attack Against Personal Firewalls
Most common personal firewalls affected

A new stealth technique for defeating outbound traffic protection in many personal firewall applications has been discovered. Dubbed "Backstealth", the tool essentially exists as a proof of concept and is currently considered low risk, but it has the ability to penetrate personal firewalls from several major-league manufacturers.

According to the tool's author, Paolo Iorio, the exploit has the capability to defeat outbound blocking by Sygate Personal Firewall Pro, McAfee Personal Firewall, Norton Internet Security 2002, Kerio Personal Firewall, and Tiny Personal Firewall, with Zone Alarm unaffected. The proof of concept version simply connects to a remote web site and downloads a meaningless text file without detection, though the concept could be modified for more malicious purposes.

Unlike many firewall-bypassing tools that simply hijack a "trusted" application to gain access to the outside world, Iorio's tool hijacks the firewall application itself to do this. The BACKSTEALTH.EXE application searches the system for a firewall process, allocates a chunk of memory in that process, loads a small bit of "bootstrap" code, and remotely launches a worker thread.

The firewall application is entirely unaware that all of this is going on right under its nose, so when the worker thread starts to talk to the Internet, the firewall sees traffic coming from its own process, assumes it is trusted, and gives it a pass. The included BACKDLL.DLL is simply a sample bit of code that fetches a single text file, but it could do almost anything. The proof of concept code is in the EXE, not the DLL.

You can find an outstanding and detailed analysis of the Backstealth technology by security consultant Steve Friedl in our forums, as well as ideas on how to protect yourself if you are a Kerio user. Additional discussion can of course be found in our security forum. It should be noted that, like most malicious (or potentially malicious) code, its success relies on having code run on the affected PC to get the ball rolling. Common sense and safe computing practices should be your first line of defense.

TearAbite
D'oh
join:2001-07-25
Rancho Cucamonga, CA

TearAbite

Member

...with Zone Alarm unaffected

_________________________________
"...with Zone Alarm unaffected"
_________________________________

Who uses any of those other ones anyway!?

SquarePants
join:2000-10-03
Fort Lauderdale, FL

SquarePants

Member

Re: ...with Zone Alarm unaffected

You are not seriously deluding yourself into thinking that this is not going to be a problem with ZA are you? This is a harbinger...

TearAbite
D'oh
join:2001-07-25
Rancho Cucamonga, CA

TearAbite

Member

Re: ...with Zone Alarm unaffected

said by SquarePants:
You are not seriously deluding yourself into thinking that this is not going to be a problem with ZA are you? This is a harbinger...

SpongeBob...
My motto is "ignorance is bliss.." .. now hush up and don't ruin it for me!!

SquarePants
join:2000-10-03
Fort Lauderdale, FL

SquarePants

Member

Re: ...with Zone Alarm unaffected

TearAbyte, sorry to burst your bubble I just couldn't resist.

From Neowin.net:

"On a side note, it might interest you to know that our research department has uncovered the real reason Zonealarm is "not vulnerable" to Backstealth. This is because the Zonealarm program is not even referenced within the Backstealth code. Our internal testing with the modified Backstealth tool confirms that Zonealarm is indeed vulnerable to the same type of proof of concept vulnerability."

So Zone Alarm is also vulnerable - but just not with this version of the exploit eh! Well that's a nice little revelation for us isn't it!
IGGY9
No Guru Just Here To Help
Premium Member
join:2001-03-30
Chatham, IL

IGGY9

Premium Member

Re: ...with Zone Alarm unaffected

Actually I think you may want to take a look at this thread = »Analysis of Backstealth technology. And ZoneLabs has sent a further reply = "Backstealth is not a complicated program and there actually isn't much else I can say about it. Sorry! We block it because we block untrusted communication with the NIC." You may want to keep in mind that some have said Backstealth is similar in nature to Firehole. ZAP 3 has added fixes against the Firehole "proof of concept". So this may be another reason why ZAP isn't vulnerable to Backstealth.
IGGY9

IGGY9 to SquarePants

Premium Member

to SquarePants
The official word from ZoneLabs on this = "We tested Backstealth ourselves to confirm that we successfully block it. Basically, it attempts to make a Telnet connection to 127.0.0.1 (the NIC, actually) without being recognized by the firewall. ZA and ZAP were designed to prevent just this sort of unauthorized connection." Hope that is of some help.

Penguins3
Have You Played Atari Today?
join:2001-12-01
Cleveland, OH

Penguins3 to TearAbite

Member

to TearAbite
DLL injection is more of an OS attack than an attack against any particular product. It's possible to work around it by keeping a list of 'approved' threads and rejecting any not on the list.

I've used them all and Tiny Personal Firewall has always come out on top in my tests. Zone Alarm always caused major slowdown on my local LAN. It was fine for low speed (3mbit or so) internet traffic, but it couldn't handle the load at FD-100mbps.
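
A small model of the behaviour the article describes and of the "approved threads" list suggested in the post above, added here as an example; it is not part of the thread, the Backstealth code, or any firewall product. The event format, PIDs and addresses are constructed, and it assumes the firewall can see which process created each thread.

```python
from collections import namedtuple

# Constructed event trace (hypothetical format and field names, not the
# output of any real firewall or logging tool). PID 412 stands in for the
# firewall process, PID 2960 for an unrelated program on the same machine.
SAMPLE_EVENTS = [
    # The firewall starts one of its own threads and uses it.
    {"type": "thread_create", "creator_pid": 412, "target_pid": 412, "tid": 1001},
    {"type": "connect", "pid": 412, "tid": 1001, "dest": "198.51.100.7:443"},
    # Another process starts a thread inside the firewall process.
    {"type": "thread_create", "creator_pid": 2960, "target_pid": 412, "tid": 1002},
    {"type": "connect", "pid": 412, "tid": 1002, "dest": "203.0.113.9:80"},
    # The same program connecting under its own PID is blocked either way.
    {"type": "connect", "pid": 2960, "tid": 2001, "dest": "203.0.113.9:80"},
    # Thread IDs get reused: 1001 exits, then reappears created from outside.
    {"type": "thread_exit", "pid": 412, "tid": 1001},
    {"type": "thread_create", "creator_pid": 2960, "target_pid": 412, "tid": 1001},
    {"type": "connect", "pid": 412, "tid": 1001, "dest": "203.0.113.9:80"},
]
TRUSTED_PIDS = {412}

Verdict = namedtuple("Verdict", "pid tid dest allowed reason")
Alert = namedtuple("Alert", "creator_pid target_pid tid")


def per_process_policy(events, trusted_pids):
    """Outbound decision keyed only on the owning process.

    This is the trust model the article describes: any thread running
    inside a trusted process inherits that process's pass.
    """
    verdicts = []
    for ev in events:
        if ev["type"] == "connect":
            ok = ev["pid"] in trusted_pids
            reason = "trusted process" if ok else "untrusted process"
            verdicts.append(Verdict(ev["pid"], ev["tid"], ev["dest"], ok, reason))
    return verdicts


def per_thread_policy(events, trusted_pids):
    """Outbound decision keyed on (process, thread) with an approved list.

    A thread is approved only if the trusted process created it itself.
    Threads created from another process raise an alert and are never
    approved; exited threads are dropped so a reused ID is not trusted.
    """
    approved = set()
    verdicts, alerts = [], []
    for ev in events:
        kind = ev["type"]
        if kind == "thread_create" and ev["target_pid"] in trusted_pids:
            key = (ev["target_pid"], ev["tid"])
            if ev["creator_pid"] == ev["target_pid"]:
                approved.add(key)
            else:
                approved.discard(key)
                alerts.append(Alert(ev["creator_pid"], ev["target_pid"], ev["tid"]))
        elif kind == "thread_exit":
            approved.discard((ev["pid"], ev["tid"]))
        elif kind == "connect":
            key = (ev["pid"], ev["tid"])
            if ev["pid"] not in trusted_pids:
                ok, reason = False, "untrusted process"
            elif key in approved:
                ok, reason = True, "approved thread"
            else:
                ok, reason = False, "thread not on approved list"
            verdicts.append(Verdict(ev["pid"], ev["tid"], ev["dest"], ok, reason))
    return verdicts, alerts


if __name__ == "__main__":
    by_process = per_process_policy(SAMPLE_EVENTS, TRUSTED_PIDS)
    by_thread, alerts = per_thread_policy(SAMPLE_EVENTS, TRUSTED_PIDS)
    for old, new in zip(by_process, by_thread):
        print(f"pid={old.pid} tid={old.tid} dest={old.dest} "
              f"per-process={'ALLOW' if old.allowed else 'BLOCK'} "
              f"per-thread={'ALLOW' if new.allowed else 'BLOCK'} ({new.reason})")
    for a in alerts:
        print(f"ALERT: pid {a.creator_pid} created thread {a.tid} in pid {a.target_pid}")
```
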

e144539
join:2000-11-02
San Angelo, TX

e144539

Member

nuttin' wrong with NT...Just don't run as an admin

If you're running 2k or XP just do what Microsoft says, and don't use the admin account unless needed. I know it's a pain but this little trick can't get through unless you're running as admin, or that's what I read not that I've tested it.

I'm such a hypocrite as I type this logged in as an administrator.

Of course, most trojans are more of a social engineering attack anyway, and people will gladly switch accounts to unwittingly install one.

TearAbite
D'oh
join:2001-07-25
Rancho Cucamonga, CA

TearAbite

Member


Dohp!
jroc9
join:2002-05-04
Lawton, OK

jroc9 to TearAbite

Member

to TearAbite
"On a side note, it might interest you to know that our research department has uncovered the real reason Zonealarm is "not vulnerable" to Backstealth. This is because the Zonealarm program is not even referenced within the Backstealth code. Our internal testing with the modified Backstealth tool confirms that Zonealarm is indeed vulnerable to the same type of proof of concept vulnerability."
Read the article at »www.neowin.net

SquarePants
join:2000-10-03
Fort Lauderdale, FL

SquarePants

Member

Re: ...with Zone Alarm unaffected

echo ... echo ... echo ...
pulldownyourpnts
join:2001-08-22
Chicago, IL

pulldownyourpnts

Member

I smell bacon!

What about Black Ice?

Anony_mouse
@airproducts.com

Anony_mouse

Anon

Re: I smell bacon!

Black Ice does not monitor outbound traffic. Steve Gibson used to make a big stink about this every time it came up.

Personally, I don't need an outbound monitor. If I'm stupid enough to install a trojan/backdoor/whatever, I don't expect my firewall to save me.

Ray
Mahnahmahna
Premium Member
join:2001-04-02
85120

Ray

Premium Member

Re: I smell bacon!

said by Anony_mouse:
If I'm stupid enough to install a trojan/backdoor/whatever, I don't expect my firewall to save me.
Why not? It could very well do just that.
pulldownyourpnts
join:2001-08-22
Chicago, IL

pulldownyourpnts to Anony_mouse

Member

to Anony_mouse
Their latest release actually has an outbound traffic scanning agent similar to what ZA (I hate that proggy) and Tiny offer. I honestly can't stand this portion and have disabled it as I am not prone to install garbage that will try to take over my system!

Good Ol Dan
join:2000-05-15
The Villages, FL

Good Ol Dan to Anony_mouse

Member

to Anony_mouse
The new Black Ice ISS does indeed monitor outbound traffic

wriley
I'M Sick Of Fixing Your Computer.
Premium Member
join:2001-08-30
Edmonton, AB

wriley to pulldownyourpnts

Premium Member

to pulldownyourpnts
If you get a virus or a backdoor your firewall is useless as they could be deleted or disabled by a virus\backdoor, firewalls are useless!!!
wriley

wriley

Premium Member

firewalls

They are all useless. Don't get a backdoor in the first place. Virus scanner is all you need.

richk_1957
If ..Then..Else
Premium Member
join:2001-04-11
Minas Tirith

richk_1957

Premium Member

Re: firewalls

These days, with every kid trying to be a hacker [cracker] everyone with an internet connection (doesn't have to be cable/dsl/satellite although they are the most vulnerable, being potentially "always on") needs some kind of firewall.
Corporations that may/may not have servers have a lot to lose, so they protect themselves every way they can. But homes, especially with cable routers with built in switches for multiple connections have as much to lose if they store their financial data there & somebody hacks into it, steals the data & makes use of it

Just my 2 sense

Spego
Ack
join:2000-11-07
Eastpointe, MI

Spego to wriley

Member

to wriley
said by wriley:
They are all useless. Don't get a backdoor in the first place. Virus scanner is all you need.
Exactly how many threads are you going to spam?

Enough already...

wriley
I'M Sick Of Fixing Your Computer.
Premium Member
join:2001-08-30
Edmonton, AB

wriley

Premium Member

As long as people keep debating with me

Jamming777$
Time Is Running Out
Premium Member
join:2001-07-25
USA

Jamming777$

Premium Member

Re: firewalls

How can we debate someone who obviously doesn't understand the issue?
bmn
? ? ?

join:2001-03-15
hiatus

bmn to wriley

to wriley
said by wriley:
As long as people keep debating with me
Debating implies that you know something about the topic you are talking about, which apparently YOU do not.

wriley
I'M Sick Of Fixing Your Computer.
Premium Member
join:2001-08-30
Edmonton, AB

wriley

Premium Member

Why do you say that?

SpeedD3mon
Notorious R.I.P
Premium Member
join:2002-03-31
Cowansville, QC

SpeedD3mon

Premium Member

firewalls useless?

Uhm no, unless you've never experienced being packetted by some ahole on irc. And firewalls do help secure windows. Thank god XP is more secure than 9x.

wriley
I'M Sick Of Fixing Your Computer.
Premium Member
join:2001-08-30
Edmonton, AB

wriley

Premium Member

Re: firewalls useless?

If you have all the latest service packs you are safe. Firewalls don't do anything about packet or Dos attacks.
cookem
join:2002-01-24
Maple Heights, OH

cookem

Member

Re: firewalls useless?

oh ya firewalls are useless.....that is y every corporation on the planet has them out the ying yang. As far as having all the patches and you think u are safe you are a fool. How do u think ppl find a hole....by having an open machine that is patch to the level at the time.

If you don't know what you are talking about...just don't post. You are so clueless if you think a firewall does nothing for your network and that all you need is a virus scanner.

wriley
I'M Sick Of Fixing Your Computer.
Premium Member
join:2001-08-30
Edmonton, AB

wriley to SpeedD3mon

Premium Member

to SpeedD3mon
You don't know what You are talking about. Corporations run servers. servers require firewalls. How pc's without a server don't. But thanks anyway kid
bmn
? ? ?

join:2001-03-15
hiatus

bmn

Let's here it for....

Let's here it for all those OpenBSD, NetBSD, FreeBSD, Linux, etc firewalls out there... Once again, proof that if you are going to do it... Do it right.

the strokes$
join:2001-06-15
Louisville, KY

the strokes$

Member

Re: Let's here it for....

Oh brother. Is this going to turn into a thread of useless Microsoft vs. Linux badgering?

Shall I summon the Comic Book Store Guy and Joe Friday??
bmn
? ? ?

join:2001-03-15
hiatus

bmn

Re: Let's here it for....

No... Unless you happen to be one of those blinded Microsoft zealots.

The truth is that personal firewalls really don't offer NEAR the level of protection that UNIX or Cisco firewalls offer. When you run your protection on the same machine you are trying to protect, then it's a total gamble from a system security standpoint. People who really know security use the method I stated, you set up a dedicated system or appliance.

signmeuptoo94
Bless you Howie
Premium Member
join:2001-11-22
NanoParticle

signmeuptoo94 to bmn

Premium Member

to bmn
You say "if you are going to do it... Do it right."

OK... Why not spell with the correct form of the word for listening. It is NOT spelled +here+ (which is a term for "a place") but is spelled +hear+.

You should talk... Or not!

Any dogma, is just that: A dog-MA.

Who is to say what "doing it right" is? You?

No easy answers. Except one, and that is free discussion, with a little bit less dogma, please.

KrK
Heavy Artillery For The Little Guy
Premium Member
join:2000-01-17
Tulsa, OK
Netgear WNDR3700v2
Zoom 5341J

KrK

Premium Member

Re: Let's here it for....

Heh, you know a thread is going downhill fast when the attacks over grammar and spelling begin.

What was that cool law about the amount of time in a thread before "Nazi" or Hitler comes up? "________ 's Law" or something... It's hilarious!

I forgot what it's called, someone read this and remind us all.
bmn
? ? ?

join:2001-03-15
hiatus

bmn to signmeuptoo94

to signmeuptoo94
said by signmeuptoo:
You say "if you are going to do it... Do it right."

OK... Why not spell with the correct form of the word for listening. It is NOT spelled +here+ (which is a term for "a place") but is spelled +hear+.

You should talk... Or not!

Any dogma, is just that: A dog-MA.

Who is to say what "doing it right" is? You?

No easy answers. Except one, and that is free discussion, with a little bit less dogma, please.

Had nothing intelligent to add to the discussion? Please, when you start FLAMING people about grammar, it shows a total lack of intelligence and NO understanding of the subject matter, sort of like creationists versus physics, mathematics, and the whole slew of other sciences. Nit pick whining.

As for doing it right, do you want to disagree with what is a general consensus in the security community? Dedicated systems and appliances are a standard in the industry which provide much higher levels of security than the personal firewall.

wriley
I'M Sick Of Fixing Your Computer.
Premium Member
join:2001-08-30
Edmonton, AB

wriley to bmn

Premium Member

to bmn
I have run linux firewalls for a couple businesses, never used one at home though. I'm curious how any firewall could do anything against DOS attacks? Here at work when our routers, irc server or game server get dos attacked there is nothing to do but suffer with the limited bandwidth till the attack dies.
bgraham2
join:2001-03-15
Smithtown, NY

bgraham2

Member

Might Be Time to Get a New Firewall

I hate to have to do it but now might be the time to get new firewall software.

We have Radlight spyware deleting the Adaware proggy, Backstealth crawling inside firewall software, Kazaa's Brilliant trojan about to take over 100 thousand computers next week.

starfighter
join:2000-12-11
Valencia, CA

starfighter

Member

what's the big deal?

What's the big deal with personal firewalls? If you maintain a dynamic IP address, a router with a hardware firewall, keep all of your system patches plus your virus program and ad-aware signature files up to date, and run scans every week, just what do you gain from one of these? Most of them sound like they are more of a headache than they are worth, particularly ZA 3.0.

crash9
join:2001-04-07
Gilbert, AZ

crash9

Member

Zone Alarm stops all internet traffic

Zone alarm 3.0 or before doesn't work very well in xp. It works for a while then after a few hours the internet will not work unless you shut it down. So how about that!

SkyDog0
join:2001-01-25
Concord, NH

SkyDog0

Member

I can't Look at this thread OMG

That's why PIX HARDWARE firewalls are $5000 and up.
Software F/W are ALL Junk. So do yourself a favor and spend the money on the Hardware wall and you won't need to read threads like this.
And I have to Flame this guy B/C he has NO None clue

Dude !!! You have No Idea what you are talking about.
And I'm gonna leave it at that ....
Yea SP's that's all we need

wriley

Posts: 349
Joined 08-30-2001
Location: Edmonton, AB
Re: firewalls useless?
If you have all the latest service packs you are safe. Firewalls don't do anything about packet or Dos attacks.

guhuna
5149.5
Premium Member
join:2001-03-31
Benicia, CA

guhuna

Premium Member

Woah WOah woAH

are they talking about hardware firewalls or just software? huh? because I know that the 2wire homeportal has a hardware firewall.

Q
@167.1.x.x

Q

Anon

Re: Woah WOah woAH

Har Har I love my zonealarm!

MS Zealot
@net009.fl.sprint-hsd

MS Zealot

Anon

Thank god it isn't another Linux Vulnerability

Anyhoo it won't matter unless you're silly enough to install it. Software firewalls are no good unless you have a hardware firewall as well. Cisco and Linux or even Unix lol those are hardly secure and the only way for any of those to be secure is to be stripped bare naked or unplugged from the Inet. I always see some lamer post about linux or unix and all the other distros about security. Truth is they have more holes than Microsoft products and yes Microsoft makes good products and bad ones. Let us think about how fast MS puts out a patch...Fast. I rest my case. I also want to point out that NT is on a UNIX variant kernel lol. Truthfully let the unix linux lamers talk about how theirs is secure just jump on any bugtraq list and laugh at the little linux newbies. Most compromised NT systems (not 98 or xp or even winme they aren't OSes in my opinion) are due to patches and updates and even sp's not being applied. 9 times out of ten a person will use something that was fixed months or even years ago to compromise. Cisco is even better considering I know tons of people that use cisco routers as bnc's for irc hehe. Alright well I have said enough.

Hasta

MrTangent
join:2001-12-28
Earth

MrTangent

Member

Wow, didn't affect my Mac at all

Amazing people still use Windows, what with all the vulnerabilities and problems.

willboe
Premium Member
join:2002-04-10
Grass Valley, CA

willboe

Premium Member

wriley: the invisible man . . .

Hmmmmm, Sam Spade can't seem to find hide nor hair of any real entity resembling wriley's alleged IP address. Looks like he was smart enough to make one up, or he has a pretty darn good personal firewall, you know, like ZA Pro 3.x. The same one by the way that Linksys is bundling (for free) with some of their routers. Yes, the ones with the 'hardware' firewalls built in, specifically the BEFSR41 . . .

aitech
Guru. Kneel
join:2000-12-19
Boston, MA

aitech

Member

Generic Win 32..??

Yea, I'm real curious about the Win32 services also - anyone have any info, please post!

SAM Hunter$
join:2001-05-11
USA

SAM Hunter$

Member

Re: Generic Win 32..??

said by aitech:
Yea, I'm real curious about the Win32 services also - anyone have any info, please post!
Suggest you post your inquiry in the Microsoft Forum and you should get some responses. The very short answer is that Win32 Services is to Windows XP what the winsock is to Windows 95/98.

Good luck!

MxxCon
join:1999-11-19
Brooklyn, NY
ARRIS TM822
Actiontec MI424WR Rev. I

MxxCon

Member

go wriley

unfortunately too many people on DSLR are brainwashed by GRC and will burn you alive if somebody will say you don't need a firewall.
i had this argument on DSLR b4, and i posted my ip w/o running any firewall and nothing happened to my puter short of some port scans.
IF YOU HAVE ALL PATCHES AND YOU DISABLED ALL UNNEEDED SERVICES YOU DON'T REALLY NEED A FIREWALL. ALL YOUR PORTS WILL BE CLOSED! CLOSED PORTS=NO HACKING.
i really like BlackICE because it's not like ZA which is like a freakin xmass tree that start to blind every time somebody ping your system or you try to access some java applet. BlackICE work more like a IDS(look it up if you don't know what it is). it's far better to have good IDS that will show you what's going on and research on your own than blindly trusting ZA.

MxxCon

MxxCon

Member

Zone Alarm IS Vulnerable

Sygate, in response to the backstealth exploit, have released a new version of their firewall.
"On May 1, 2002 after accelerated testing, we released a preview version of our Sygate Personal Firewall PRO software that addresses the Backstealth vulnerability. Yesterday evening we made this build#1116 available to the general public for those who are concerned about this proof of concept vulnerability. Users are welcome to download and try the preview release. The preview release is available only through our Product Forums."
This is the more interesting part of the email :
"On a side note, it might interest you to know that our research department has uncovered the real reason Zonealarm is "not vulnerable" to Backstealth. This is because the Zonealarm program is not even referenced within the Backstealth code. Our internal testing with the modified Backstealth tool confirms that Zonealarm is indeed vulnerable to the same type of proof of concept vulnerability."
»forums.sygatetech.com/sh ··· did=1087
bmn
? ? ?

join:2001-03-15
hiatus

bmn

Re: Zone Alarm IS Vulnerable

Interesting. Must mean that the authors had ZA running on their machines and didn't want to be open to attack. Or, it's just sloppy programming. Doesn't ZA have a greater market penetration than most home "firewalls"?

BigDad
@directlink.net

BigDad

Anon

Re: Zone Alarm IS Vulnerable

It could easily be a possibility that the creators specifically excluded ZA for the initial proof of concept. What better way for someone to prove that their idea works and make their intended targets feel safe.

If it becomes well known that ZA is not affected then the ZA users, well the ones that wouldn't otherwise notice a trojan, would be prime targets for the attack. Why would it be smart to scare off your prime targets during the test run?

I'm glad that the ZA people took the threat seriously and checked anyway.

Unreal2001
Mess With The Best Die Like The Rest
join:2001-12-27
San Jose, CA

Unreal2001

Member

norton personal firewall

Is Norton Personal Firewall doing something about this, or did they already and I just have to update it? Can anyone help me?

SPSRacing
join:2001-01-19
Palos Hills, IL

SPSRacing

Member

Re: norton personal firewall

From what I gather, they say that Norton Internet Security is not affected by this. Norton Internet Security is Norton Personal Firewall and Norton Antivirus bundled together. Hope this helps.
jeff9329
Premium Member
join:2002-04-16
Virginia Beach, VA

jeff9329 to Unreal2001

Premium Member

to Unreal2001
Sounds more like Norton is spinning a story for now.
wiley post$
join:2002-01-13
who cares

wiley post$

Member

No worries

Every time you download stuff or open ANY email with attachments you open yourself to virui, Sheese, you can even get hosed clicking on links on pages :-(.
My lan runs through a 5260 into a linksys router. It currently goes out there to all my pc's, a win 98 box with NIS 2k and neowatch, a 2k/mandrake box( the 2k has both NIS 2002 and neowatch) and the Mandrake will be getting SNF. I also have a netware server running Bordermanager. None of my machines has EVER been hacked or taken down by a virus. I'd guess that between the NAT, dual firewalls, Norton AV has made my static ip more secure than most. Not suggesting that I'm hack proof, just more secure than most. Future plans call for inserting the Mandrake box as a proxy server between the linksys and the lan. I guess the best defense is a good offense. I 86 99% of the attachments that I get and do not open ANY programs without scanning them first.
Making sure that you keep your AV dats updated, running both hardware AND software firewalls in addition to having your servers/pc's patched is the best way to protect yourself.
[text was edited by author 2002-05-05 14:55:58]
CyberNation$
join:2001-12-08
Los Angeles, CA

CyberNation$

Member

Does the home user really NEED a firewall?

Well I've read everything posted on this so far. Based solely upon that it doesn't seem to me that the average home user especially needs a firewall. I think one post summed up the issues best and asked some questions but before it could be responded to the whole thread it was in was locked. Since it covers most of my questions it said:

"I'd like to hear some real practical reasons....why the average home user needs a firewall. I don't disagree....that they do--I am not sophisticated enough in computer knowledge....to have an informed opinion. I am just sophisticated enough with computers to understand enough to learn from other people and to discuss computer issues. I use a firewall "just to be safe" as having it also doesn't hurt anything or cost anything. But given the following scenario who do I really have to fear? (FYI I run XP)

1. I have all the patches and a good virus program as well as Ad-Aware and the such.

2. I have disabled file sharing, etc.

3. Dynamic IP

4. I don't leave the computer connected online for extended periods of times where I am away from it.

5. As a rule I don't store highly sensitive data on my machine--no credit card numbers, my social security number, etc.

6. DSLR Security Scans show a score of -2 without firewall enabled and 0 with it up. No big difference.

As I said I use ZA because I am not an expert and better safe than sorry.

But why specifically do you think I would be at risk without a firewall?

Oh, one last thing, let's eliminate unreasonable risk. For instance even though I live in an extremely safe and quiet neighborhood should I carry a gun with me on long late night walks just in case someone tries to rob me or accost me. No, not really because although the possibility definitely exists the likelihood is so small it doesn't justify the gun. I bring this up in the context of yes there is always the possibility that the average home user may get hacked but what is the probability? Is it enough to merit having a firewall. I don't know. What do you say?"
kmlkmlklm
join:2001-12-04
Brooklyn, NY

kmlkmlklm

Member

Re: Does the home user really NEED a firewall?

Do you run IE? Do you know that it can be run without a window by another program without you knowing it? Also, do you know that while running Netscape from time to time calls for its home page without you asking for it? You won't know about these activities without your firewall.

whizkid3
MVM
join:2002-02-21
Queens, NY

whizkid3 to CyberNation$

MVM

to CyberNation$
CyberNational,

FYI: I have posted a new topic regarding the same discussion here (as the previous thread, »go wriley, was locked, and I did not see your post first). It appears that you might have quoted 'Lost in Space' without recognition.

I have quoted his/her material also. Anyway, I welcome you to join in the discussion here:
»A firewall is good enough insurance for me
It appears we are on the same side.
[text was edited by author 2002-05-06 22:35:37]
whizkid3

whizkid3

MVM

A firewall is good enough insurance for me

In response to 'Lost-in-space' regarding my message of:
'A firewall is good enough insurance for me',

Thanks for your message. I always appreciate your opinion, as you are often a good source of debate. I don't understand why the previous thread where you posted this, was locked, without explanation - too bad - it diminishes the value of dslreports' forums.

I will start out by saying although I have been a Program Manager and Network Architect for very large LANs and WANs (including a registered Class A), and know a hell of a lot about Networks, TCP-IP, security, etc.; I am not a Network Security person by profession, and would leave that up to the security experts on our staff. I also know little about the internals of XP. That being said, I will share my educated opinions related to your discussion below. I will approach this from what I know best; WIN98, and NT4.0.

Lost writes: "provide practical reasons - given the following scenario who do I really have to fear?" [Note that the numbered paragraphs and items next to the '>' mark are Lost's text, with my response following each paragraph, after dashes.]

>1. I have all the patches and a good virus program as well as Ad-Aware and the such.

- patches and virus fixes only come out after they have been discovered - you could already be infected. (practical reason) As well, there are many problems that this software does not prevent; like trojan horses, keyboard capture programs, etc. for instance. These can be picked up by web surfing - something that you certainly do. (practical reason to have a firewall)

>2. I have disabled file sharing, etc.

- great idea; however, many users need and use file-sharing. (Practical reason)

>3. Dynamic IP

- little help here - you are online as long as you're online, and can be attacked at any time, regardless of a changing IP address. As far as OOL goes, even though the IP address is dynamic, most users report that it rarely changes, even when the DHCP lease expires. This could only help if someone was specifically targeting you, rather than randomly searching for open computers (which is more typical). Even if they were targeting you, it would not be all that difficult to find your new IP address; this extra effort would only be necessary assuming it changed in the middle of their attack - unlikely. A firewall that provides you with 'stealth' will (hopefully) prevent your IP address from even being detectable - typically preventing all but a dedicated attack against you from being successful. (practical reason)

>4. I don't leave the computer connected online for extended periods of times where I am away from it.

- This is good, as probability is the factor here. However, you are only reducing your chances of an attempt or attack by maybe what - 1/2, 3/4? You are still vulnerable. As well, numerous applications require one's computer to be connected 24/7. (practical reason)

>5. As a rule I don't store highly sensitive data on my machine--no credit card numbers, my social security number, etc.

- This is also good; but again, you are limiting your use of the machine, losing some convenience. Another practical reason to have a firewall. If you ever shop online, however, chances are good that some of this info may have been stored in a cache file on your machine, anyway. (By the way, do you realize that data that has been deleted, and even written over, can still be had from your machine?)

>As I said I use ZA because I am not an expert and better safe than sorry.
-Yes, you are certainly right - I use it also. Therefore, I assume with your post, you are playing devil's advocate?

>But why specifically do you think I would be at risk without a firewall? Let's eliminate unreasonable risk. For instance even though I live in an extremely safe and quiet neighborhood should I carry a gun with me on long late night walks just in case someone tries to rob me or accost me. No, not really because although the possibility definitely exists the likelihood is so small it doesn't justify the gun. I bring this up in the context of yes there is always the possibility that the average home user may get hacked but what is the probability? Is it enough to merit having a firewall. I don't know. What do you say?

- While your metaphor is certainly amusing; it is apples and oranges. As well, you threaten to blow the whole thread by using the subject of guns - a very polarized political topic. I won't touch it, except to say that a neighborhood never robbed anyone, no matter how safe or unsafe it may appear - all it takes is one individual with evil intent, and there are many out there; just as on the Internet. Especially if you are 'Lost'... (I had to throw one crack in there.)

-Now I will add some points. It is not too difficult to contract a problem (virus, trojan horse, script, or some kind of problem code) by the simple actions of emailing, or surfing the web. Although there are patches, and virus updates - these don't come out until these beasts have been set free, and begun to 'infect' computers. It only takes one 'problem', gained accidentally, to make your computer wide open to many attackers. Prior to the fix coming out, and updating your own computer, contracting one of these problems, is a matter of probability. (It is also quite possible for this to happen, even if you think you have taken every last step to secure your computer, besides having a firewall. By the way, even security patches have been known to introduce security holes into your computer.) There are many ways to reduce your probability, such as Lost says; like not keeping connected 24/7. However, I believe that having a firewall (hardware or software), will seriously reduce the probability of a 'problem', much more so than any other method will. It will also seriously help to prevent any dedicated attacks. A firewall also enables you to be safer when running less secure services within or outside your own network, adding convenience, as discussed above. (Some of these services, that have been known to at times have gaping security holes - such as Java, ActiveX, cookies, etc - are very convenient to web browsing and email. Are you using any of these Lost?) To sum up, major practical reasons for owning a firewall, in my limited opinion (I figure there are many more):

- drastically reducing the probability of a 'problem'
- reduces the need and awareness to be extremely vigilant regarding patches, virus updates, etc.
- reduces the probability that you will have a 'problem' prior to updates being released
- seriously hampers dedicated attacks
- allows safer use of less secure services within your own network, and over the internet, providing convenience

Comments?
[text was edited by author 2002-05-07 00:08:58]

[text was edited by author 2002-05-07 00:11:28]
whizkid3

whizkid3

MVM

Re: A firewall is good enough insurance for me

P.S. - sorry for the long-winded message.

SAM Hunter$
join:2001-05-11
USA

SAM Hunter$ to whizkid3

Member

to whizkid3
Good post with plenty of excellent advice and pointers backed up with practical examples! You've convinced me!