Defeating Win OS Personal Firewalls

Discussion in 'other firewalls' started by StevieO, Dec 21, 2005.

Thread Status:
Not open for further replies.
  1. dylanfan

    dylanfan Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    187
    Hi guys ;) Interesting thread...

    Could some of you elaborate a bit on the notion of 'layer defense fw'? If I understood correctly, WXPFirewall is a level 3 and 4 layer fw, right?

    How about the others? Do you know which firewalls offer level 2 and/or 1 filtering?

    How about Kerio 2.15 (a dinosaur, but still very often used) and OutpostPro?

    Thanks for comments and answers... Sorry to be so ignorant on the subject.
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There are plenty of ways to disguise malware so that it slips past anti-virus software and every AV has specific weaknesses. AV software should therefore be considered as a method of detecting the most popular malware, never a 100% solution.

    Firewalls with outbound filtering (and good leaktest detection) can not only block/alert you to suspicious network activity by undetected malware, but can also alert you to undesirable behaviour by "legitimate" software (e.g. phone-home behaviour, attempts to contact advertising servers) and can allow you to place limits on programs you only partially trust.
     
  3. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    As interesting as this paper is, it's still a marketing document for BufferXone (VigilantMinds product): "there's nothing new under the sun" about firewall bypassing methods.
    All that is explained in this paper is well known and well documented.
    And most of all, if this paper is intended for professionals, it can be considered incomplete: have they forgotten tunneling methods?

    Tunneling is possible via most protocols (TCP/UDP/ICMP etc), and advanced methods also exist via proxies, DNS etc...
    Many tools which demonstrate these methods are available for free; for example, a recent POC has been published in a French magazine illustrating some TCP weaknesses.

    A legal example of SSH tunneling is available here: http://www.bypass.cc/overview.html

    Just a word about Drvloader: this command line tool can be useful for unloading a driver (and thereby disabling the application), but it's not a method for bypassing firewalls: since the attacker has admin privileges and a remote command, he can easily stop the firewall service, remove the registry key etc: no need for Drvloader!

    Moreover, a misconfiguration of a firewall is a paradise for bypassing a firewall: restrictions (unused ports and protocols) are as important as rules.
    And too many "allow always" rules for applications (browser, Messenger etc) is really not a good idea: with a firewall which doesn't control component integrity, and with no HIPS in the line of defense, a simple dll injection is enough.

    Marketing papers are legitimate, but technically speaking, there's nothing new and impressive in this paper.

    Regards
     
  4. Brinn

    Brinn Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    181
    Location:
    Canada
    I think I read that someone left WF on, installed ZoneAlarm and then found WF turned off. This would be a benign situation (if it does happen).
     
  5. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Installing ZA turns off the Win FW.
     
  6. squash

    squash Registered Member

    Joined:
    Mar 25, 2005
    Posts:
    313
    The same can be said for any personal firewall, almost all can be uninstalled, therefore all are vulnerable, is that not so?
     
  7. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    For someone to be able to uninstall your firewall, they would have had to hack into your system and then gain administrative rights. Once they had accomplished that, there is no need to uninstall your firewall. They would have already passed the stage where your firewall matters. The last thing they would want to do is uninstall your firewall and alert you to their presence. Once they were done doing whatever it is they wanted to do they may format your hard drive or some other such action, but removing your firewall would be pointless at that stage.
     
  8. tlu

    tlu Guest

    ... the latter being unnecessary for probably 98% of all Windows computers! ;)
    Conclusion: The biggest hobby of these Windows users is obviously testing umpteen security software they wouldn't need if they'd pursue a sound security policy.
     
  9. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    A trojan does not have to uninstall the firewall, it just has to disable it (script, etc).
    It is not that hard, it depends on the protection programs, how they will handle it.
    Let's say that I want to disable Outpost Firewall, then I would have to do this:
    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Outpost Firewall"=-
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OutpostFirewall]
    "Start"=dword:00000004
    It is just an example, maybe there have to be some other keys as well, but the basics are the same.
     
  10. tlu

    tlu Guest

    Here we go again. You need admin rights for doing this. As a restricted user you don't have write permission to HKLM. Any attacker needs to start an escalation of privilege attack.
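    The registry changes shown in post 9 and the HKLM write-permission point in post 10 are both detectable from the defender's side. The following is an added example, not code from the thread: it parses a constructed .reg-style snippet mirroring those keys, flags the three firewall-tampering indicators (Security Center override values, a removed firewall Run entry, a firewall service set to Start=4) and notes which of them need administrative rights because they live under HKEY_LOCAL_MACHINE. The function names are my own.

```python
import re

# Constructed sample in .reg syntax, mirroring the keys discussed in the thread.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outpost Firewall"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OutpostFirewall]
"Start"=dword:00000004
"""

def parse_reg(text):
    """Parse .reg-style text into {key: {value_name: value}}; '-' marks a deletion."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                      # new key header, e.g. [HKEY_LOCAL_MACHINE\...]
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys

def requires_admin_write(key):
    """HKLM is only writable by administrators, as post 10 points out."""
    return key.upper().startswith("HKEY_LOCAL_MACHINE\\")

def firewall_tamper_findings(keys):
    """Return human-readable findings for the tampering patterns in post 9."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        tag = " [needs admin]" if requires_admin_write(key) else ""
        if k.endswith("\\security center"):
            for name in ("FirewallDisableNotify", "FirewallOverride"):
                if values.get(name, "").lower() == "dword:00000001":
                    findings.append(f"Security Center {name} set to 1{tag}")
        elif k.endswith("\\currentversion\\run"):
            for name, val in values.items():
                if val == "-" and "firewall" in name.lower():
                    findings.append(f"Run entry removed: {name}{tag}")
        elif "\\currentcontrolset\\services\\" in k:
            if values.get("Start", "").lower() == "dword:00000004":
                findings.append(f"Service disabled (Start=4): {key.rsplit(chr(92), 1)[-1]}{tag}")
    return findings
```

    Run over an exported hive diff or a suspicious .reg file, the findings list is empty on a clean system and names each tampered key otherwise.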
     
  11. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    Exactly, there are 2 things which have to be done and even if it sounds easy, it is not:
    Code:
    1. Infection has to get into the PC.
    2. Infection (malware, trojan or whatever) has to be run.
    But let's just say that the number of infected PCs these days shows that it can be bypassed.
    But there are many people who do not even have all Windows Updates, not to mention a firewall.
     
    Last edited: May 30, 2006
  12. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Not because of the firewall.

    Any firewall's job is to block unsolicited packets and WF does that as well as any. The add ons and the outbound blocking is another issue.

    The vast majority of infections come through the browser, the usage of which invites (solicited) packets.

    It is the browser that users should be concentrating on securing.

    If that is done with the firewalls that block malware from executing once on the system, or block ActiveX and scripting, well and good.

    Regards - Charles
     
  13. tlu

    tlu Guest

    The most efficient way to do this is using Firefox with the extension Noscript.
     