January 05, 2001, 9:35 AM — PC security gadfly Steve Gibson has released a simple Trojan horse program that masquerades as a "trusted" application and gains unrestricted access to a PC's Internet connection, slipping past most software firewalls.
In response, firewall vendors are scrambling to plug the holes detected by Gibson's Trojan, dubbed LeakTest, or are clarifying their software's capabilities.
LeakTest, available as a free download from Gibson Research, exploits what Gibson claims is a common weakness in most firewalls: the way they exempt "trusted" Internet applications from firewall restrictions.
Only one major firewall vendor -- ZoneAlarm -- does not use a method that Gibson claims LeakTest can exploit. Other vendors, including Symantec, McAfee.com, and Sygate, say they're working on modifications now.
The problem is in the common approach firewall programs use to block dangerous incoming traffic. Typical attacks come from hackers trying to access user files, or to fell a machine by flooding it with meaningless data -- known as a denial-of-service attack.
Most often, firewalls identify approved applications by name and their choice of ports. That's not enough, Gibson says. Like its mythical namesake, a Trojan horse program attacks from within, breaching a PC's defenses by simple trickery. Similar to viruses, Trojans masquerade as harmless or even useful programs that people exchange by e-mail or download. Once installed, Trojans open specific Internet communication channels, called ports, through which hackers can reach the machine.
Since many legitimate programs -- such as Web browsers, e-mail clients, and instant messengers -- also open ports, the firewall's job is to distinguish trustworthy applications from nefarious ones. Gibson maintains that any Trojan horse can easily be renamed and set to use the appropriate ports, disguising itself as a trusted application.
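The weakness the article describes is a policy question: what does the firewall use to decide that the program opening a connection is the one the user approved? The following is an added illustration, not code from the article, from Gibson Research, or from any of the vendors named. It models two outbound-connection policies over constructed stand-in files: one keyed on the executable's file name (the approach Gibson criticizes) and one keyed on a SHA-256 digest recorded when the user first approved the program. The file names and file contents are constructed; a real firewall would obtain the process image path from the operating system rather than from a caller.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path):
    """Hash the executable's contents; this, not the file name, identifies the program."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class NameBasedPolicy:
    """Weak rule: allow the connection if the process image's file name is on the trusted list."""

    def __init__(self, trusted_names):
        self.trusted = {n.lower() for n in trusted_names}

    def allow_outbound(self, exe_path):
        return os.path.basename(exe_path).lower() in self.trusted


class HashBasedPolicy:
    """Stronger rule: remember the digest of the binary the user approved and require a match."""

    def __init__(self):
        self.trusted = {}  # file name -> SHA-256 of the binary at the time of approval

    def approve(self, exe_path):
        self.trusted[os.path.basename(exe_path).lower()] = sha256_file(exe_path)

    def allow_outbound(self, exe_path):
        recorded = self.trusted.get(os.path.basename(exe_path).lower())
        if recorded is None:
            return False
        return hmac.compare_digest(recorded, sha256_file(exe_path))


def run_scenario():
    """Constructed scenario: a stand-in 'browser', an unrelated program carrying the same file
    name, and a legitimately updated browser. Returns each policy's decision for each case."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "iexplore.exe")
        with open(browser, "wb") as f:
            f.write(b"MZ constructed stand-in for the genuine browser binary")

        # A different program placed in its own folder under the trusted file name.
        impostor_dir = os.path.join(d, "impostor")
        os.makedirs(impostor_dir)
        impostor = os.path.join(impostor_dir, "iexplore.exe")
        with open(impostor, "wb") as f:
            f.write(b"MZ constructed stand-in for an unrelated program")

        by_name = NameBasedPolicy(["iexplore.exe"])
        by_hash = HashBasedPolicy()
        by_hash.approve(browser)

        results["name_genuine"] = by_name.allow_outbound(browser)
        results["name_impostor"] = by_name.allow_outbound(impostor)
        results["hash_genuine"] = by_hash.allow_outbound(browser)
        results["hash_impostor"] = by_hash.allow_outbound(impostor)

        # Caveat: a legitimate update changes the binary, so the hash rule needs re-approval.
        with open(browser, "wb") as f:
            f.write(b"MZ constructed stand-in for the browser after an update")
        results["hash_after_update"] = by_hash.allow_outbound(browser)
        by_hash.approve(browser)
        results["hash_after_reapproval"] = by_hash.allow_outbound(browser)
    return results


if __name__ == "__main__":
    for case, allowed in run_scenario().items():
        print(f"{case:22} {'ALLOW' if allowed else 'BLOCK'}")
```

The name-based policy allows both the stand-in browser and the unrelated file that shares its name, which is exactly the gap LeakTest probes. The hash-based policy blocks the impostor, but the last two cases show the cost: any legitimate update to the approved program changes its digest, so the firewall must prompt the user to re-approve it rather than silently keep the old entry.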
"There was no protection against one program pretending to be another just by changing the file name," Gibson says. He says he proves it with LeakTest, inviting anyone to download the 26K program and rename it to match one of the programs on a list of those trusted by Symantec's Norton Personal Firewall. When run, LeakTest initiates a connection with Gibson's server to test whether data escapes the firewall. The communication only confirms the firewall's vulnerability and does not transmit any personal data from the tester's PC, Gibson says.
Gibson's test indeed exploits a weakness in firewall products, say representatives of several major vendors.
Norton Personal Firewall 2001 can't distinguish between the real version of a program like Microsoft Internet Explorer and a renamed Trojan, such as the infamous Back Orifice 2000, says Tom Powledge, Symantec's senior product manager for consumer products.
"In this case, [Norton Personal Firewall] would not block it," says Powledge of LeakTest and other crafty Trojans.