Trojans make firewalls futile

Security watchers have warned that personal firewalls may be an "exercise in futility" given the latest developments in Trojan techniques.

Just days after the security community advised that Trojans are increasingly using outbound connections to pick up commands and avoid port blocking and intrusion detection, experts have said that firewalls may be highly susceptible to such tricks.

Some personal firewalls may be "dangerously leaking your personal and private data onto the internet," warned Steve Gibson of the Gibson Research Corporation.

Following a report titled The Futility of Common Firewall Policies from the Department of Health Management and Informatics and the University of Missouri, experts have spent years researching the many ways to circumvent the outbound detection processes of personal firewalls.

Although personal firewall products such as Zone Alarm, Black Ice Defender, Norton Personal Firewall and Tiny Personal Firewall diversified from the concept of a firewall only blocking inbound network traffic by monitoring and blocking outbound traffic too, proof-of-concept tools show the outbound protection of such apps to be 'illusory' at best.

As vnunet.com pointed out recently, Trojan authors are increasingly commandeering or hijacking web browsers and forcing them to send out data, disguised as HTTP traffic, on behalf of the attacker.

Although by nature a Trojan must be able to get onto the system in the first place to cause damage, if this does happen, "then it's game over," said Robin Keir, author of proof-of-concept tool, FireHole.

"The rogue program has your computer completely under its control," he added.

Likewise, Bob Sundling, who created a similar tool, TooLeaky, said that his program "very clearly penetrates every firewall on the market, including Zone Alarm. It sends data out to a server and then retrieves data in response, completely bypassing your firewall," he said.

He added: "If a firewall is going to allow some program to transmit and receive data over the internet, and that program allows other programs to control its actions, then there's no point in blocking anything at all."

This reiterates the warning that admins need to lock down applications to quash such vulnerabilities, by specifying which programs on each machine are allowed access to the network, and checking for maliciously modified apps.

"Keep your antivirus program up to date, keep your email client locked down with correct security zone settings, never open attachments that can contain executable content, and maybe restrict the ports that your web browser and other commonly used applications can talk on," added Keir.