Defeating Win OS Personal Firewalls

Here's a great read in PDF about the capabilities and methods of malware, including rootkits, to bypass firewalls. As well as some tests you may recognise and could have already tried, there are 3 methods that i wasn't aware of before. I have listed these further down.

I've posted just a sample of what's available in there.

. . .

Quoting from the PDF.

This section explores the security capabilities provided by each processing layer, as well as their advantages and disadvantages.

http://img363.imageshack.us/img363/7500/filtwnl19vu.png


Firewall-hook drivers and the Windows XP Firewall

Microsoft added support for firewall-hook drivers with the release of Windows 2000. These drivers work similarly to filter-hook drivers, the main difference being that more than one filter can be applied at a time.

With the release of Windows XP, Microsoft added a built-in firewall with stateful filtering capabilities. This firewall was designed to be an easy to use lightweight firewall, and was implemented as a firewall-hook driver called IPNat.sys. As the name suggests, the firewall is also capable of performing Network Address Translation (NAT). To configure and manage this firewall from user mode, Microsoft added the Internet Connection Firewall (ICF) API, which was replaced by the Windows Firewall API in Service Pack 2.

The Windows XP Firewall can perform filtering based on limited layer 3 and 4 information, such as IP addresses and ports. Rules can also be created to allow or deny certain network activity by specific applications. It provides incoming filtering of TCP, UDP, and ICMP traffic, with the ability to open ports by adding applications that use them to an exceptions list, or by creating port mappings to be used by NAT. It is important to note that the only outbound filtering that is offered through the Windows Firewall API is for the ICMP protocol.

The Windows XP Firewall was in no way intended to be a heavy-duty firewall, and therefore it is lacking in a number of areas, the most obvious of which is the ability to filter outbound traffic. The firewall also provides an API for applications to silently open ports and add programs to the exception list, as well as the capability to disable the firewall altogether. The Windows Firewall API allows filtering rules to be based on a very limited amount of information, and since it filters at a higher level it exposes more of the operating system’s TCP/IP stack to potentially malicious traffic. For Microsoft’s documentation on the Windows Firewall API, see [6] and [7].


Firewall Tests


1 - Parallel Stack - Bypass

This attack involves attempting to bypass filtering that is performed at higher layers by communicating directly with the NDIS interface. If the firewall performs filtering at a layer higher than NDIS, then it will not be able to see this communication. The attack works by using its own Network protocol layer driver, so it could be prevented by either monitoring the loading of protocol drivers or performing filtering at the NDIS layer.

Winpcap and Nemesis http://www.winpcap.org and http://www.packetfactory.net

2 - Unloading Drivers - Disable

This attack is performed by attempting to disable any drivers that are associated with the firewall using a simple driver loading/unloading utility. Note that there are more complex methods of unloading drivers that could be more successful than the simple method used for this test.

Drvloader http://www.toolcrypt.org

3 - LSP - Stealing Information

This attack attempts to install an LSP, which could be used for a variety of malicious purposes such as information theft. This attack could be detected or prevented by monitoring the installation of LSPs, which can be accomplished by hooking API calls or watching the portion of the registry that stores LSP information.

Komodia LSP http://www.komodia.com

Table 2: Results of performing attacks listed in Table 1 against various software firewalls.

http://img363.imageshack.us/img363/2641/fwpf10qm.png


http://www.vigilantminds.com

Defeating Windows Personal Firewalls by Chris Ries

http://www.vigilantminds.com/files/defeating_windows_personal_firewalls.pdf


StevieO

 

Hi,
Windows Firewall should not be even tested as it doesn't have outbound protection.
As to others - it stills comes down to downloading and executing the code on your computer. You can do that with any which security you have.
Mrk

 

Outbound protection wasn't tested for so I don't see a problem with including the XP firewall.

 

Hi,
If you download a file to your computer and execute it - how's that not outbound?
Mrk

 

No, it's only outbound depending of the file you download and execute.
The best antivirus/antispyware/firewall should be between the chair and the keyboard.

 

I was reading it as the malware finding its way onto your system, not its actual execution. Sorry.

Edit: Actually, I still think it's appropriate to include the XP firewall. The malware's ability to call home isn't the only issue discussed. Shutting down the firewall drivers without the user's knowledge, opening backdoors, preventing definition updates for anti-virus/trojan/spyware apps, etc. were also brought up.

Edit #2: Let me state what I think the main issue discussed is and see if you agree. StevieO is not talking about a firewall's ability to protect the computer from the malware. He's talking about a firewall's ability to protect itself from such malware. Am I correct?

 

Interesting article to read.
He is talking about outbound protection and also disabling the firewall, all from the malicious software installed in your computer.
I like that the results are quite new. Not really understanding myself so much, but made a bookmark of the link.

Surprisingly McAfee firewall was not so good.

 

Fail or not, WinXP firewall has the best inbound protection. Period.
Man, i'm seing firewalls that can't even properly stealth all ports, let alone other stuff. Kerio and BitDefender firewall were the biggest dissapointments ever. And those are considered to be good firewalls. There is loads of others that simply fail to stealth properly. Who cares about outbound then anyway!?

 

RejZor,

For inbound, CHX also stealths and if you can write filters, can make some real protective rules for anti spoofing etc.

 

Rejzor, Kerio or any firewall should stealth you.
Needs only some configuration.
You run those port scan tests and block what is needed. Anyways you should get a prompt when someone is trying to make a remote connection with your computer's program.

I could not stealth Norman (not Norton) firewall, but propably because I could not understand it.

 

Hi,
All those files listed in the document: How do you suppose they run?
You need to donwload them. And then execute them. XP Firewall does not monitor execution nor outbound connections. It has nothing to do on that test along with others.
Mrk

 

First of all, to say that a firewall that does not have application aware outbound filtering is useless, is complete nonsense. In fact the numerous ways shown above to defeat firewalls is testimony to the principle that you have to keep the bas stuff off your machine in the first place.

What folks keep forgetting is a reasonable cost benefit analysis of the benefits of using a firewall as a last ditch detection method when some new worm communicates with its owner. And new is the operative word, if it is not a zero day attack, your AV is going to catch it, if it is any good. It takes a lot of effort to set up a firewall for all the possible applications and combinations of application A launching process B to spoof application A's permission to communicate out. The chances of something going wrong during this process are actually very high and beyond the ability of most users to implement themselves or most IT departments to manage in a large organization.

Most malware need inbound communication to function. All firewalls block this. Malware that does not need inbound communication traditionally would have needed a fixed address to contact which made discovery of the scheme very easy. Many writers of malware have approached this problem by having the outbound communication with a public IRC server. This is easy to prevent by blocking ports 6660-6669, 7000 and 7777. Did I miss any? Guess why Kaspersky considers Mirc to be riskware and McAfee blocks these ports by default in its Enterprise AV?

The most recent development used in one of the Sober variations is to use an algorithm that tells where the worm to communicate based on the date. The owner of the worm is able to register that domain in advance. The encryption for this worm was recently broken. While only a FW with application aware outbound filtering would have a chance of catching this one you can be pretty sure the experts are looking for this kind of stuff and this one (or anything like it) will make it into the AV data bases very fast.

Go ahead and use something like Tiny, if you can understand it, but also realize that as a practical matter the threat that it deals with (as compared to a good non application aware FW like CHX or 8Signs) is very small. Your effort might be better sent somewhere else, like learning how to use the very fine free utilities from Sysinternals.

 

I think that's irrelevant. I think what the main focus of this discussion is, and what the .pdf should have stuck to, is a malware attack on the firewall's expected function itself. We're well aware that Windows Firewall doesn't have outbound protection. But what if a malware could disable its inbound protection without you being aware that anything's wrong? You could be open to a conscious, directed attack.

Unfortunately, the .pdf also talks about changing hosts files to prevent software updates, worms that inject themselves into explorer.exe, etc. They obscure the main point, I think.

Outbound vs. inbound. App-based vs. non-app-based. None of that matters if the firewall has been compromised.

 

Hi,
Hello?
You have a functional firewall. While using functional firewall you download and execute crap that bypasses your firewall. That's very relevant.
Like asking, what will bullets do once they are inside your body.
Mrk

 

And what if you thought the bullet was just a muscle ache? That's how this class of malware works.

In an ideal world, no malware would ever get on your system. Then whatever strategy is used by it wouldn't matter.

When I say irrelevant, I mean the grounds for discussion is set. The malware is on your system. It is attacking your firewall. Can your firewall resist that attack? How can it be recognised and dealt with? How it got on your system is academic.

 

I didn't kill him, it was the bullets and the fall.

 

Quoting Brinn

" StevieO is not talking about a firewall's ability to protect the computer from the malware. He's talking about a firewall's ability to protect itself from such malware. Am I correct? "

Yes that's the way i was reading it.


StevieO

 

Hi,
Now you're talking.
Mrk

 

As well as stopping the bullets, dont forget we have the options:

Stop the gun being fired (trap the execution of the malware) and stopping the person being able to get hold of (not even have the option to run the malware) the gun (System Policies, Limited User accounts etc).

These both far more effective, as we dont actually have to understand how the malware will intrude (and the endless cat and mouse game of keeping up with the malware developers), we just have to deny it running in the first place.

As far as I understand, this one of the reasons coperate enviroments have never needed outbound protection, because they have the time and understanding to lockdown windows and user accounts so that they cant install anything, change system settings etc, basically not allowing the malware any entry points.

If there is a requirement for new software, update or patch, theres a controlled enviroment to monitor and test, before rolling out across the network.

This is very different to a lot of home users who will download off the net (and potentially download malware due to full rights), install (because they have the default rights to), run the program in 3 clicks and then potentially launch the malware, or even the malware has installed itself in the background through the browser.

IMHO, outbound protection just seems to wrong approach,where securing the OS with system/user policies is a tried and tested approach that works and does'nt require any extra bloat or need any understanding of how malware works, but there is also quite a lack of understanding how Windows NT security works (or be configured), and to be honest, is gonna be beyond a lot of home users I know. Compounded by the fact theres a lot of software about that installs assuming the user will have admin rights and Microsoft not willing to actually attempt to secure the OS and just give/sell us software to clean up the mess.

Sorry to go a bit off topic, but I just wanted to backup up the no outbound protection arguement.

 

I agree that ideally, outbound protection is not absolutely necessary (I use CHX). The last time my computer was infected with a virus was in the 90s when I knew next to nothing about security. Actually, no, I was repeatedly infected with the Sasser worm when I was reinstalling XP with my cable modem hooked up and, of course, had no firewall up. But I don't think that's the issue.

To beat the bullet analogy to death, most of us (that pay attention to security) won't get shot. But others will, so it's not a pointless activity to learn how these things work and how to deal with them.

 

Guess what? The Hacker Defender rootkit is open source. (Just to provide one prominent example.) Saying that your AV--whatever AV it is--or your "inbound-only" firewall is enough is complete nonsense. Saying "I'm smart as hell; only stupid n00bs like you could possibly get infected" is complete nonsense.

 

I'm sorry, but my av has NEVER been triggered in my entire live online (around six years). My "INBOUND-ONLY" firewall has been perfectly safe in protecting me. Granted, my surfing is very safe--security forums, linux and bsd websites, etc. I don't do any shady surfing, and I feel very safe. However, I am NOT saying that safe surfers don't get infected. I just mean to say that outbound firewalls are the last of the last resort. If your av/at/as/HIPS/other filtering software missed it, then the outbound firewall only minimizes the damage, IF the popup is answered correctly.

I also don't believe that the previous posters were calling people who got infected "stupid n00bs". They were just saying that there setup is sufficient for them (even if they do need a little education ). But don't we all?

Cheers,

Alphalutra1

 

A bad thing would be to have 'one of the best' firewall with in and outbound protection, and so feeling so secure and download every crappy and bad software.

 

Thank you for the PDF StevieO, it really helped me to decide. I was thinking about using WF, but it seems, that WF lacks in filtering inbound traffic more than I have ever imagined.

 

I do believe Windows Firewall is adequete for my needs.
Come to think of it, do you guys know of any legitamite software that will shutdown my WF, before my Antivirus detects it as malware anyway?! I don't think so.

Very indeed paranoid.