Testing for Trojans and Backdoors FAQ

From: Christopher Klaus (cwkpublic@iss.net)
Date: 04/29/02


From: "Christopher Klaus" <cwkpublic@iss.net>
Date: Mon, 29 Apr 2002 14:21:17 GMT

Preface:

There is much discussion about personal firewalls and how they handle Trojan
applications. This FAQ document was put together to help educate people on
all the issues surrounding Trojan tests and possible ways that personal
firewalls can address the issue. Please send feedback to cwkpublic@iss.net.

Testing for Trojans and Backdoors FAQ

Version 1.5

With the growth of Trojans, backdoors, and hybrid threats, the need to protect
against these threats has emerged. Along came several tests that checked to
see if personal firewalls could handle a rogue application that connects
outward bound without alerting the user of the machine.

This document covers:

Rogue Application Testing
Current Limitations in Personal Firewalls
Multi-layered Security Approach
Solution Matrix for Personal Firewall Companies

Rogue Application Testing

LeakTest was the first Trojan test of its kind. It was a simple demonstration
of running an unknown application on an OS: the application would attempt to
connect outward bound, and the test determined whether a personal firewall
would alert on it and stop it. Then along came FireHole and TooLeaky. They
advanced the rogue application test by showing how a rogue application could
easily masquerade as a trusted application, such as the Internet Explorer
browser, and checking whether it could bypass the personal firewall.

The source code for these test tools is available, and the techniques they
demonstrate can easily be incorporated into any new backdoor. Here are the
test tools and their web pages:

Leak Test - http://grc.com/lt/leaktest.htm
Firehole Test - http://keir.net/firehole.html
Too Leaky Test - http://tooleaky.zensoft.com/

Internet Security Systems (ISS) found that TooLeaky had a bug that would
report that a connection succeeded even if it was blocked. The patched
sources have been sent to the author for updates. To obtain the patched
TooLeaky2 version and a more detailed README on the issue, go to
www.iss.net/security_center/tooleaky/

Current Limitations in Personal Firewalls

Most personal firewalls monitor for applications trying to connect outward
bound, ask the user if that should be blocked, and can stop the connection.
There are some limitations in this approach that should be pointed out.

* False Positives and False Alarms - Any unknown program that connects out,
regardless of whether it is good or bad, triggers an alert. Most of these
programs are legitimate; therefore, most of the alerts are false positives and
false alarms.

* End-user Reliance - Because most programs are legitimate, the user becomes
conditioned into approving everything, good and bad programs alike. Personal
firewalls assume a user can tell good applications from bad ones based on the
process name. Backdoor writers can easily pick names that resemble legitimate
programs, and the user really has no way to discern between good and bad
programs.

* Enterprise Cost - Because of the high number of false alerts generated by
personal firewalls, users do not know what to do with these alerts and call
the helpdesk or IT. This drives up technical support and helpdesk cost. In a
large enterprise, many users will approve a malicious application because
there is no easy method to discern between the good and the bad, which defeats
the whole purpose of the personal firewall's alerting.

* TCP/IP Header Examined Only - Both personal firewalls and network firewalls
determine their policy based on TCP/IP header information, including source
address, destination address, and port numbers. They do not examine the actual
content of the packets. If the policy allows access to certain services, like
a web server or Instant Message (IM) networks, neither personal firewalls nor
network firewalls examine the content of the packets going to the web server
or chat clients to look for an embedded attack. This is why the Code Red worm
was able to evade most firewalls.

* Vulnerability in Personal Firewalls - Although FireHole and TooLeaky, and
their source code, are publicly available, many personal firewalls do not
address these extended tests. These tests demonstrate how vulnerable many
personal firewalls are.
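The "End-user Reliance" limitation above comes down to what the approval is keyed on. The following added Python sketch (not code from this FAQ or from any personal firewall product) contrasts a policy keyed on the process name, which a rogue program can simply copy, with one keyed on the SHA-256 digest of the executable image the user actually approved. The two "executables" are constructed byte strings, the function and allowlist names are my own, and iexplore.exe appears only because the FAQ's example of a trusted application is Internet Explorer.

```python
"""Process-name trust versus image-digest trust.

Added example: the image bytes are constructed stand-ins for executables and
the policy functions are illustrative, not any product's API.
"""
import hashlib

# Constructed "executables".  The rogue one reuses the trusted name on disk,
# but its contents differ, so its digest differs.
TRUSTED_BROWSER = b"MZ" + b"constructed trusted browser image"
ROGUE_BROWSER = b"MZ" + b"constructed rogue image reusing the trusted name"


def sha256_hex(data: bytes) -> str:
    """Digest of the executable image; unchanged by renaming the file."""
    return hashlib.sha256(data).hexdigest()


# Policy 1: approval keyed on the process name the user saw in the prompt.
NAME_ALLOWLIST = {"iexplore.exe"}


def allow_by_name(process_name: str) -> bool:
    """Anything with an approved name is let through, whatever it contains."""
    return process_name.lower() in NAME_ALLOWLIST


# Policy 2: approval keyed on the digest of the image that was approved.
HASH_ALLOWLIST = {sha256_hex(TRUSTED_BROWSER)}


def allow_by_hash(image_bytes: bytes) -> bool:
    """Only the exact image the user approved is let through."""
    return sha256_hex(image_bytes) in HASH_ALLOWLIST


def decide(process_name: str, image_bytes: bytes):
    """Return (name_policy, hash_policy); each is 'allow' or 'prompt'."""
    name_policy = "allow" if allow_by_name(process_name) else "prompt"
    hash_policy = "allow" if allow_by_hash(image_bytes) else "prompt"
    return name_policy, hash_policy


if __name__ == "__main__":
    cases = [
        ("iexplore.exe", TRUSTED_BROWSER),  # the approved browser
        ("iexplore.exe", ROGUE_BROWSER),    # rogue program borrowing the name
        ("IEXPLORE.EXE", ROGUE_BROWSER),    # same, different case
        ("setup.exe", TRUSTED_BROWSER),     # approved image, renamed on disk
    ]
    for name, image in cases:
        by_name, by_hash = decide(name, image)
        print(f"{name:14} by-name={by_name:6} by-digest={by_hash}")
```

The second and third cases are the FAQ's point: the name-keyed policy waves the rogue program through because the user once approved something with that name, while the digest-keyed policy falls back to prompting. The fourth case shows the reverse: a renamed copy of the approved image still matches by digest. Keying on the image closes only the renamed-binary case; a rogue program that gets a genuinely trusted image to carry its traffic, which is what the FireHole and TooLeaky tests exercise, still passes both checks, and that is the gap the FAQ's communication protection layer is meant to fill.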

Multi-layered Security Approach

There is a need for a multi-layered security approach to rogue application
protection. Multiple methods and layers must be applied to get around the
limitations in personal firewalls.

* Personal Firewall Blocking - By examining inward bound and outward bound
connections, most personal firewalls and desktop protection programs can alert
on programs trying to connect out and prevent it.

* Communication Protection - By adding another layer of protection beyond
personal firewalls, communication by all applications can be examined to
determine whether the application is legitimate or is just a rogue application
trying to masquerade as a trusted application. This protects against the
TooLeaky and FireHole techniques.

* File-based Protection - Beyond network connections, there needs to be
protection at the file layer against rogue applications writing and modifying
files they should not.

* Anti-Virus Protection - Anti-virus goes a long way in finding viruses,
backdoors, and rogue applications on the file system. Anti-virus should be
applied at the gateways, servers, and desktops.

* IDS Protection - While personal firewalls examine only the TCP/IP header,
Intrusion Detection Systems go a long way in examining the content of the
packets. With extensive knowledge of backdoors and Trojans, an IDS can easily
find many known rogue applications, regardless of TCP/IP header and port
information, using techniques like pattern matching, protocol analysis, and
anomaly-based detection. IDS should be applied at the servers and not just the
desktops. Additionally, IDS should be applied at the network both passively
and inline. An inline IDS sits on the network, similar to a network firewall,
and prevents the actual attacks, unlike a passive network IDS, which responds
after the attack has happened.

* Threat Knowledge Base - An IDS, by leveraging its extensive knowledge base
of attacks, backdoors, Trojans, hybrid threats, denial of service attacks, and
a growing number of new threats, reduces the need for the user to identify
and discern between good and bad applications based on process name. This
more accurately identifies bad programs, thus reducing the chance of a user
approving a bad application. This helps reduce false alarms and false
positives, reduces end-user reliance, and helps the enterprise save on cost and
potential damage.

* Multi-Layered Protection - For enterprises, protection needs to be applied at
the network and servers, not just at the desktop. Companies should look for
solutions that can address networks, servers, and desktops. Most personal
firewall companies can only address desktops.

There is no silver bullet in security, but by applying multiple layers and a
defense-in-depth strategy, many of the risks associated with rogue
applications, like Trojans and backdoors, can be minimized.
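To make concrete the difference between the "TCP/IP Header Examined Only" limitation and the three IDS techniques listed under "IDS Protection" (pattern matching, protocol analysis, anomaly-based detection), here is an added Python example that is not part of this FAQ and not code from any ISS product. It runs a few constructed packets through a header-only policy that allows anything bound for the web server port, and then through a content check that applies the three techniques. The packets, the signatures, the request-line grammar and the URI-length threshold are all constructed for the demonstration, and the addresses come from documentation ranges.

```python
"""Header-only firewall policy versus content inspection.

Added example: the packets, signatures and thresholds below are constructed
for the demonstration and do not come from the FAQ or from any real sensor.
"""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# --- Layer 1: firewall policy, header fields only -------------------------
ALLOWED_DPORTS = {80}  # policy: only the web server is reachable


def firewall_decision(pkt: Packet) -> str:
    """Allow or deny purely on the destination port, as the FAQ describes."""
    return "allow" if pkt.dport in ALLOWED_DPORTS else "deny"


# --- Layer 2: content inspection, the three IDS techniques the FAQ names ---
# Pattern matching: constructed signatures, keyed by alert name.
SIGNATURES = {
    "constructed-backdoor-beacon": re.compile(rb"BEACON-v1\|id="),
    # One byte repeated 64+ times after an '.ida?' query: a constructed
    # stand-in for an overlong-query signature.
    "constructed-overlong-query": re.compile(rb"\.ida\?(.)\1{63,}"),
}

# Protocol analysis: HTTP traffic must start with a well-formed request line.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")

# Anomaly detection: URIs longer than this are unusual for the sample service.
MAX_URI_LEN = 256


def ids_decision(pkt: Packet) -> list:
    """Return the alert names raised for the payload (empty list = clean)."""
    alerts = []
    for name, pattern in SIGNATURES.items():
        if pattern.search(pkt.payload):
            alerts.append("signature:" + name)
    if pkt.dport == 80:  # HTTP protocol and anomaly checks apply to port 80 only
        m = REQUEST_LINE.match(pkt.payload)
        if m is None:
            alerts.append("protocol:malformed-request-line")
        elif len(m.group(2)) > MAX_URI_LEN:
            alerts.append("anomaly:long-uri")
    return alerts


def inspect(packets):
    """Run both layers; the IDS only sees what the firewall lets through."""
    results = []
    for pkt in packets:
        fw = firewall_decision(pkt)
        alerts = ids_decision(pkt) if fw == "allow" else []
        results.append((pkt.src, fw, alerts))
    return results


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "198.51.100.5", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("192.0.2.11", "198.51.100.5", 80,
           b"GET /default.ida?" + b"X" * 300 + b" HTTP/1.0\r\n\r\n"),
    Packet("192.0.2.12", "198.51.100.5", 80,
           b"BEACON-v1|id=0042\r\n"),
    Packet("192.0.2.13", "198.51.100.5", 4444,
           b"BEACON-v1|id=0043\r\n"),
]


if __name__ == "__main__":
    for src, fw, alerts in inspect(SAMPLE_PACKETS):
        print(f"{src:12} firewall={fw:5} ids={alerts or 'clean'}")
```

The second and third packets are the FAQ's Code Red point in miniature: the firewall allows both because port 80 is allowed, and only the payload checks notice that one carries an overlong query and the other is not HTTP at all. The fourth packet shows the one case the header-only policy does handle, a connection to a port the policy never opened.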

Solution Matrix for Personal Firewall Companies

Capability                          Internet Security Systems (ISS)
-------------------------------------------------------------------
Personal Firewall Blocking          Yes, Footnote 1.
Communication Protection            Yes, Footnote 1.
  (Stops TooLeaky & FireHole.)
File Based Protection               Yes, Footnote 1.
Anti-Virus Protection               Yes, Footnote 2.
Desktop IDS                         Yes.
Threat Knowledge Base               100+ Trojan and Backdoor Signatures.
Server IDS                          Yes.
Network IDS                         Yes.
Gigabit IDS                         Yes.
In-line IDS                         Yes.
Multi-Layer Protection              Yes.
  Approach for Enterprise
-------------------------------------------------------------------

* Footnote 1: BlackICE PC Protection 3.5 has personal firewall capability,
outbound blocking, communication protection, file-based protection, and
advanced IDS with protocol analysis, anomaly detection, and pattern matching.
* Footnote 2: ISS offers a managed antivirus gateway protection service.

****
Christopher W. Klaus
Founder and CTO
Internet Security Systems
Email: cwkpublic@iss.net
