Security Crusader Punches Holes in Firewalls
Gibson's simple Trojan horse tricks firewalls from McAfee.com, Symantec, Sygate, and more.
PC security gadfly Steve Gibson has released a simple Trojan horse program that masquerades as a "trusted" application and gains unrestricted access to a PC's Internet connection, slipping past most software firewalls.
In response, firewall vendors are scrambling to plug the holes detected by Gibson's Trojan, dubbed LeakTest, or are clarifying their software's capabilities.
LeakTest, available as a free download from Gibson Research, exploits what Gibson claims is a common weakness in most firewalls: the way they exempt "trusted" Internet applications from firewall restrictions.
Only one major firewall product, Zone Labs' ZoneAlarm, does not use the method Gibson claims LeakTest exploits. Other vendors, including Symantec, McAfee.com, and Sygate, say they're working on modifications now.
Identifying Friendly Programs
The problem lies in the common approach firewall programs use to block unauthorized communications and unapproved applications. Typical attacks come from hackers trying to access user files, or trying to knock a machine offline by flooding it with meaningless data, known as a denial-of-service attack. (See "How It Works: Personal Firewalls.")
Most often, firewalls identify approved applications by their file name and the ports they use. That's not enough, Gibson says. Like its mythical namesake, a Trojan horse program attacks from within, breaching a PC's defenses by simple trickery. Similar to viruses, Trojans masquerade as harmless or even useful programs that people exchange by e-mail or download. Once installed, a Trojan listens on, or connects out through, specific network ports that an attacker can use.
Since many legitimate programs, such as Web browsers, e-mail clients, and instant messengers, also use ports, the firewall's job is to distinguish trustworthy applications from nefarious ones. Gibson maintains that any Trojan horse can be renamed to match a trusted application and made to use that application's usual ports, so that to a name-and-port check it looks identical to the real program.
"There was no protection against one program pretending to be another just by changing the file name," Gibson says. He says he proves it with LeakTest, inviting anyone to download the 26K program and rename it from a list of programs trusted by Symantec's Norton Personal Firewall. When run, LeakTest initiates a connection with Gibson's server to test whether data escapes the firewall. The communication only confirms the firewall's vulnerability and does not transmit any personal data from the tester's PC, Gibson says.
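The following is an added example, not code from the article or from any of the firewall products it names. It models the three identification strategies the article describes as a small Python policy engine: allow by executable file name (the Norton and McAfee.com approach as described), allow by destination port alone (the Sygate provision described later), and allow by a hash of the executable's contents. Two stand-in binaries are constructed in a temporary directory: a genuine "iexplore.exe" and an impostor whose bytes differ but whose file name has been changed to match. The product names, file contents, port list and function names are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Ports a port-only policy treats as "legitimate" traffic (constructed for the example).
WELL_KNOWN_PORTS = {21, 25, 80, 110, 443}


@dataclass(frozen=True)
class OutboundRequest:
    path: str          # filesystem path of the executable asking for network access
    remote_port: int   # destination port it wants to connect to


def sha256_of_file(path: str) -> str:
    """Hash the executable's contents; a rename does not change this value."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def allow_by_name(req: OutboundRequest, trusted_names: set) -> bool:
    """Name-based policy: trusts whatever the file is called (the weakness LeakTest targets)."""
    return os.path.basename(req.path).lower() in trusted_names


def allow_by_port(req: OutboundRequest, allowed_ports: set = WELL_KNOWN_PORTS) -> bool:
    """Port-only policy: any program may use a port 'reserved' for legitimate activity."""
    return req.remote_port in allowed_ports


def allow_by_hash(req: OutboundRequest, trusted_hashes: set) -> bool:
    """Content-based policy: only the exact bytes that were approved are trusted."""
    return sha256_of_file(req.path) in trusted_hashes


def build_scenario(workdir: str):
    """Create a stand-in browser and a stand-in Trojan renamed to the browser's file name.

    Both files are constructed here for the example; they are not real programs."""
    real_dir = os.path.join(workdir, "Program Files", "Internet Explorer")
    dl_dir = os.path.join(workdir, "Downloads")
    os.makedirs(real_dir)
    os.makedirs(dl_dir)
    genuine = os.path.join(real_dir, "iexplore.exe")
    impostor = os.path.join(dl_dir, "iexplore.exe")   # renamed from "leaktest.exe"
    with open(genuine, "wb") as f:
        f.write(b"MZ genuine browser executable (constructed sample)")
    with open(impostor, "wb") as f:
        f.write(b"MZ renamed test program (constructed sample)")
    return genuine, impostor


def run_demo() -> dict:
    """Evaluate one outbound connection to port 80 from each binary under each policy."""
    with tempfile.TemporaryDirectory() as workdir:
        genuine, impostor = build_scenario(workdir)
        trusted_names = {"iexplore.exe"}
        trusted_hashes = {sha256_of_file(genuine)}   # allow-list taken from the real binary
        results = {}
        for label, path in (("genuine", genuine), ("impostor", impostor)):
            req = OutboundRequest(path=path, remote_port=80)
            results[label] = {
                "name": allow_by_name(req, trusted_names),
                "port": allow_by_port(req),
                "hash": allow_by_hash(req, trusted_hashes),
            }
        return results


if __name__ == "__main__":
    for label, verdicts in run_demo().items():
        print(label, verdicts)
```

Running it shows the impostor passing both the name check and the port check while failing only the hash check, which is the whole of Gibson's argument in two lines of output. Two caveats for anyone applying the hash approach: the allow-list must be refreshed whenever a trusted program is legitimately updated, or the firewall starts prompting for the browser itself; and a hash of the file on disk says nothing about a malicious program that gets its code loaded inside an already-trusted process, which a content-based rule like this does not address.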
Gibson Got 'Em, Vendors Say
Gibson's test indeed exploits a weakness in firewall products, say representatives of several major vendors.
Norton Personal Firewall 2001 can't distinguish between the real version of a program like Microsoft Internet Explorer and a renamed Trojan, such as the infamous Back Orifice 2000, says Tom Powledge, Symantec's senior product manager for consumer products.
"In this case, [Norton Personal Firewall] would not block it," says Powledge of LeakTest and any similar Trojans.
McAfee.com's security architect Sam Curry agrees that McAfee.com Personal Firewall could also be fooled, since it "simply looks at the name of the executable." Both Powledge and Curry say they do not know of any actual malicious attacks based on Gibson's model. "But yes, it could be done," Curry says.
He adds that his company's firewall is based on the same architecture as the McAfee Firewall, sold by McAfee.com's former parent company, Network Associates.
Unlike the McAfee and Norton programs, Sygate Personal Firewall 2.1 does not have a built-in list of approved applications. However, one provision lets any application communicate over certain ports that are generally, but not necessarily, reserved for "legitimate" activity, so a program using one of those ports passes regardless of what it is.
Representatives of another popular vendor, Network ICE, acknowledge that the company's intrusion detection and blocking program, BlackICE Defender, would also fail Gibson's test, although they claim it would not fall prey to a truly malicious program.
BlackICE Defender was not designed to identify programs that access the Internet, says Greg Gilliom, chief executive officer. Instead, it inspects the content of the actual data packets passing to and from the computer. BlackICE Defender would permit LeakTest because it is not doing anything harmful, Gilliom says.
"LeakTest is just a normal FTP client. As far as we're concerned, there's nothing malicious about that." But BlackICE Defender would block a program that transmits suspicious packets, he says. For example, Gilliom says BlackICE Defender can identify the encryption patterns of Back Orifice 2000.