Steve Friedl's Research Projects
Unixwiz BackStealth Toolkit
I picked up an interest in the
"BackStealth"
technology developed by
Paolo Iorio, and have
reverse engineered his work and extended it. This web page
is the home of my more or less ongoing efforts, and I hope to
keep it up to date for those who care to follow the progress.
NOTE: none of this technology works on Windows 95, 98 or ME: some
key operating system calls are simply not present. Don't even bother.
I do all my testing on Windows NT 4.0 and Windows 2000: don't know about
XP yet.
What is BackStealth?
BackStealth is a technique for using DLL Injection on Win32
platforms to take over the process space of personal firewalls
to make outgoing connections that are undetected by those firewalls.
Using the system-debugger interface (which requires admin privs),
the infecting program locates the firewall, allocates memory inside
the firewall space, copies a bit of bootstrap code, and launches
a remote thread. This remote thread loads a DLL that does the real
work, and the firewall process is completely unaware that this is
going on.
Because the firewalls typically trust themselves, they do not
detect or report these outgoing connections, so any BackStealth-enabled
malware will be able to work with impunity. The firewall vendors
have scrambled to deal with this in varying ways, but ultimately
I believe that
My running analysis of Backstealth can be found in
this
thread at DSL Reports, and my own development efforts are found
below.
Fetching and building the programs
Periodically I update the web site from my development snapshot, and
the files are available individually or in a single large bundle. The
bundle is built at the same time the file listing is.
All my development is done on a Windows 2000 Professional system at
the command line, with Microsoft Visual C/C++. I use GUI for neither
building nor running any of these tools: you need a CMD window
for everything. I use GNU Make for my work
because Microsoft's NMAKE is so lame.
Each of the EXEs in the file listings was built by me from the sources
you find there: I promise no shenanigans, though it's not clear why you
should believe this promise. I run these very EXEs on my own system.
List of firewall products currently detected
This is a web-ified version of the internal table that BackStealth
uses to detect personal firewalls: it walks the top-level windows on
the desktop looking for one with the given class and/or title (a
"-none-" entry is a wildcard), and the last one found is probed for
the vulnerability. Note that #32770 is the generic Windows dialog-box
class, so for those entries only the title actually identifies the product.
Inclusion in this list does not mean the product is vulnerable!
It merely means that the developers are trying to test it, and we
have been adding these descriptions as we find them.
Firewall description             Window "class"           Window "title"
-------------------------------  -----------------------  -------------------------------
Black Ice Defender               -none-                   BlackICE PC Protection
ZoneAlarm Pro Personal Firewall  -none-                   ZoneAlarm Pro
ZoneAlarm Personal Firewall      -none-                   ZoneAlarm
Sygate Personal Firewall         #32770                   Sygate Personal Firewall
Sygate Personal Firewall Pro     #32770                   Sygate Personal Firewall Pro
McAfee Personal Firewall         McAfee_FwClientClass     McAfee_FwClientClass
Tiny Personal Firewall           #32770                   TinyPersonalFirewallMainWindow
Norton Internet Security 2002    Symantec NAMApp Class    -none-
Kerio Personal Firewall          #32770                   KerioPersonalFirewallMainWindow