
[FW-1] firewall exploit and stateful packet inspection



Anyone have any ideas about how the "firewall" exploit would affect a
stateful packet analyzer firewall? Something like NetGear's FR314,
etc...

---
Below is taken from the article
http://www.theregister.co.uk/content/55/22788.html
---

Security researchers have highlighted a potential shortcoming
with personal firewall products.

To alert users of the presence of a Trojan or privacy-threatening
program running on their systems, personal firewalls have been
adapted so they monitor and block outbound traffic (as well as
blocking inbound network traffic).

If a malicious program becomes active a user will be alerted and
the application will be blocked by a personal firewall (unless a
user is daft enough to agree that it should be able to access the
Internet, of course).

This would normally stop a Trojan sending out data (which might
be your passwords) disguised as HTTP traffic on port 80.

However, if a malicious program modifies a DLL used by Internet
Explorer to make outbound connections to port 80 on its behalf
then this protection is bypassed.

Security researcher Robin Keir has developed a proof-of-concept
tool, called FireHole, which illustrates how the trick can fool
personal firewalls (such as Zone Alarm, Norton Personal Firewall
and Black Ice Defender).

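As an added illustration (not part of the original post or the quoted article), the Python model below contrasts an outbound rule keyed only on the executable with one that also compares each loaded module against a recorded hash baseline. The module name helper.dll, the baseline and the byte strings standing in for file contents are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


def digest(data: bytes) -> str:
    """SHA-256 of a file's contents (here: constructed stand-in bytes)."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Process:
    exe: str
    modules: dict  # module name -> contents of the file backing that module


# Constructed sample data: byte strings stand in for real files on disk.
GOOD_MODULES = {"iexplore.exe": b"browser-image-v1", "helper.dll": b"vendor-helper-v1"}
BASELINE = {name: digest(blob) for name, blob in GOOD_MODULES.items()}
ALLOWED_APPS = {("iexplore.exe", 80)}  # the user's per-application allow rules


def per_app_verdict(proc, port):
    """Rule keyed on the executable alone, as the article describes."""
    return "allow" if (proc.exe, port) in ALLOWED_APPS else "block"


def module_aware_verdict(proc, port, baseline):
    """Same rule, but every loaded module must also match the baseline.

    Returns (verdict, modules that are changed or missing from the baseline).
    """
    if per_app_verdict(proc, port) == "block":
        return "block", []
    changed = sorted(name for name, blob in proc.modules.items()
                     if baseline.get(name) != digest(blob))
    return ("block" if changed else "allow"), changed


clean = Process("iexplore.exe", dict(GOOD_MODULES))
tampered = Process("iexplore.exe", {**GOOD_MODULES, "helper.dll": b"vendor-helper-v1+patched"})
extra = Process("iexplore.exe", {**GOOD_MODULES, "extra.dll": b"not-in-baseline"})
unknown = Process("updater.exe", {"updater.exe": b"some-other-program"})

if __name__ == "__main__":
    for label, proc in [("clean", clean), ("tampered", tampered),
                        ("extra", extra), ("unknown", unknown)]:
        print(label, per_app_verdict(proc, 80), module_aware_verdict(proc, 80, BASELINE))
```

The per-application rule returns the same verdict for the clean and the tampered process, because the only thing it inspects is the executable name.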