Defeating Win OS Personal Firewalls

Discussion in 'other firewalls' started by StevieO, Dec 21, 2005.

Thread Status:
Not open for further replies.
  1. dylanfan

    dylanfan Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    187
    Hi guys ;) Interesting thread...

    Could some of you elaborate a bit on the notion of 'layer defense fw'? If I understood correctly, WXPFirewall is a level 3 and 4 layer fw, right?

    How about the others? Do you know which firewalls offer level 2 and/or 1 filtering?

    How about Kerio 2.15 (a dinosaur, but still very often used) and OutpostPro?

    Thanks for comments and answers... Sorry to be so ignorant on the subject.
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    There are plenty of ways to disguise malware so that it slips past anti-virus software and every AV has specific weaknesses. AV software should therefore be considered as a method of detecting the most popular malware, never a 100% solution.

    Firewalls with outbound filtering (and good leaktest detection) can not only block/alert you to suspicious network activity by undetected malware, but can also alert you to undesireable behaviour by "legitimate" software (e.g. phone-home behaviour, attempts to contact advertising servers) and can allow you to place limits on programs you only partially trust.
     
  3. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    As interesting is this paper, it's still a marketing document for BufferXone (VigilantMinds product):" there's nothing new under the sun" about firewalls bypassing methods.
    All what is explained in this paper is well known and well documented.
    And most of all, if this paper is intended for professionals, it can be considered as incomplete: have they forget tunneling methods?

    Tunneling are possible via most protocols (TCP/UDP/ICMP etc), and avanced methods also exist via proxies, DNS etc...
    Many tools which demonstrate these methods are available for free; and for example, a recent POC has been recently published in a french magasine for illustrating some TCP weaknesses.

    A legal example of SSH tunneling is available here: http://www.bypass.cc/overview.html

    Just a word about Drvloader: this command line tool can be useful for unloading a driver (then disabling the application), but it's not a method for bypassing firewalls: since the attacker has admin. privileges and a remote command, the he can easily stop the firewall service, remove the registry key etc: no need Drvloader!

    More over, a misconfiguration of a firewall is a paradise for bypassing a firewall: restrictions (unused ports and protocols) are as important as rules.
    And too much "allow always" rules for applications (browser, Messenger etc) is really not a good idea: with a firewall which doesn't control components integrity, and with no HIPS in the line defense, a simple dll injection is enough.

    Marketing papers are legitimate, but technically speaking, there's nothing new and impressive in this paper.

    Regards
     
  4. Brinn

    Brinn Registered Member

    Joined:
    Aug 5, 2004
    Posts:
    181
    Location:
    Canada
    I think I read that someone left WF on, installed ZoneAlarm and then found WF turned off. This would be a benign situation (if it does happen).
     
  5. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Installing ZA turns off the Win FW.
     
  6. squash

    squash Registered Member

    Joined:
    Mar 25, 2005
    Posts:
    313
    The say can be said for any personal firewall, almost all can be uninstalled, therefore all are vulnerable, is that not so?
     
  7. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    For someone to be able to uninstall your firewall, they would have had to hack into your system and then gain administrative rights. Once they had accomplished that, there is no need to uninstall your firewall. They would have already passed the stage where your firewall matters. The last thing they would want to do is uninstall your firewall and alert you to their presence. Once they were done doing whatever it is they wanted to do they may format your harddrive or some other such action, but removing your firewall would be pointless at that stage.
     
  8. tlu

    tlu Guest

    ... the latter being unnecessary for probably 98% of all Windows computers! ;)
    Conclusion: The biggest hobby of these Windows users is obviously testing umpteen security software they wouldn't need if they'd pursue a sound security policy.
     
  9. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,112
    Location:
    Slovakia
    Trojan does not have to uninstall firewall, it just has to disable it (script, etc).
    It is not that hard, it depends on protection programs, how they will handle it.
    Lets say, that I want to disable Outpost Firewall, then I would have to do this:
    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirewallDisableNotify"=dword:00000001
    "FirewallOverride"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Outpost Firewall"=-
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OutpostFirewall]
    "Start"=dword:00000004
    It is just an example, maybe there have to be some other keys as well, but the basic is the same.
     
  10. tlu

    tlu Guest

    Here we go again. You need admin rights for doing this. As a restricted user you don't have write permission to HKLM. Any attacker needs to start an escalation of privilege attack.
     
  11. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,112
    Location:
    Slovakia
    Exactly, there are 2 things, which has to be done and even if it sounds easy, it is not:
    Code:
    1. Infection has to get into the PC.
    2. Infection (malware, trojan or whatever) has to be run.
    But lest just say, that the number of infected PCs these days show, that it can be bypassed.
    But there are many people, who even do not have all Windows Updates, not to mentioned firewall.
     
    Last edited: May 30, 2006
  12. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Not because of the firewall.

    Any firewall's job is to block unsolicited packets and WF does that as well as any. The add ons and the outbound blocking is another issue.

    The vast majority of infections come through the browser, the usage of whch invites (solicited) packets.

    It is the browser that users should be concentrating on securing.

    If that is done with the firewalls that block malware from executing once on the system, or block ActiveX and scripting, well and good.

    Regards - Charles
     
  13. tlu

    tlu Guest

    The most efficient way to do this is using Firefox with the extension Noscript.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.