
Actual Situation of the Firewall Bypass technology - July 11th 2008 - Author: caesar2k
A couple of years ago, malware gained a new technique that made it harder to find and confusing to the user; for old-school technicians who had never seen it before, the idea that a DLL could be the intruder was out of the question. The term firewall bypass, or FWB, appeared right alongside the name LAN bypass. The LAN bypass name is a bit shaggy, though: it doesn't really bypass the LAN, it just makes an outbound connection.
But the term firewall bypass seemed to be exactly 'it'. It would literally bypass the firewall's restrictions on programs, without warning the user about the suspicious activity. All you would see was that Explorer was already using the internet and was connected somewhere. That was firewall bypass, and it did work that way, bypassing the software firewall and some hardware firewalls. Today we still see the name FWB, but it should be changed, at least in my point of view. It's really misleading to people who are new to this whole scene, who see the term and immediately think that the program will go unnoticed by the user and by today's firewalls.
The thing is, it won't. Not anymore. Firewalls have evolved much faster than malware, and this time it's pretty hard to win the battle. Most firewalls today use kernel drivers, which sit at what we could call the base of the Windows OS. If the base of the OS is under watch, how would you expect a superficial program (a RAT or a keylogger), running in the top part of the OS, to go unnoticed by the firewall? It's just not possible anymore, not with the current 'usermode' programs.
There are, of course, ways to create malware that sits at the same level, that is, using kernel drivers as well. Rootkits have done this for a long time. But how many coders have the knowledge to write a solid driver that won't BSOD the OS forever, crashing and bogging everything down? Even AV companies can't do it (write a solid driver, that is). Rootkit programmers are usually more experienced than the average trojan coder, and even more experienced than the AV companies' coders, and they manage to harden their code so that it actually hides things and doesn't signal that it is there.
One escape from using a kernel driver is naming the technique something else. Sometimes I call it "User Bypass". What the heck does this mean? It means that you can code the program to make it look legitimate. So the user sees a nice name in his firewall warning, such as "Ipconfig.exe is trying to access the internet, what would you want to do?", and Ipconfig looks exactly like ipconfig.exe from the system32 folder, with all the version information and everything, apparently from Microsoft. The user goes "Hmm, this program is from Microsoft, and the ISP guy once asked me to type it in Start > Run, so I guess it's ok to let it connect". Done, you bypassed the user.
Think of the average computer user, who sees annoying firewall warnings every 3 minutes. Either he will shut them off or lower the warning level, or he will allow everything that has "Microsoft" written on it. It's common sense, and a totally possible solution. I don't intend to mess with drivers yet, even though I've been tempted to for some time now. But for now, sticking with the User Bypass technique is proving to be a worthwhile technique so far.
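The weak point the article describes is that a firewall prompt shows a file name and version strings, and both are free-form text that any binary can carry. A defender's check therefore ignores them and trusts only the on-disk path and a hash of the file. The following is an added example, not code from the article or its author: a small triage routine run over constructed prompt events, with a known-good table whose hashes are placeholders rather than real ipconfig.exe hashes.

```python
import hashlib
from pathlib import PureWindowsPath

# Known-good table a defender would build from the real System32 binaries.
# The hash is a CONSTRUCTED placeholder for this example, not a real file hash.
KNOWN_GOOD = {
    "ipconfig.exe": {
        "path": r"C:\Windows\System32\ipconfig.exe",
        "sha256": hashlib.sha256(b"constructed: genuine ipconfig").hexdigest(),
    },
}

def classify(event):
    """Return 'trusted', 'masquerade' or 'unknown' for one firewall prompt.

    event: dict with 'path' (full image path), 'company' (CompanyName from the
    PE version resource) and 'sha256' (hash of the file on disk).
    'company' is deliberately never consulted: the version resource is exactly
    the text a lookalike copies, so it carries no trust.
    """
    name = PureWindowsPath(event["path"]).name.lower()
    ref = KNOWN_GOOD.get(name)
    if ref is None:
        return "unknown"          # not a name we vouch for either way
    same_path = event["path"].lower() == ref["path"].lower()
    same_hash = event["sha256"].lower() == ref["sha256"]
    if same_path and same_hash:
        return "trusted"
    # Right name but wrong location or wrong bytes: the article's trick.
    return "masquerade"

# Constructed sample prompts: the genuine tool, a copy in a user profile
# with the same name and Microsoft strings, a tampered file at the real
# path, and an unrelated program.
SAMPLE_EVENTS = [
    {"path": r"C:\Windows\System32\ipconfig.exe", "company": "Microsoft Corporation",
     "sha256": KNOWN_GOOD["ipconfig.exe"]["sha256"]},
    {"path": r"C:\Users\bob\AppData\Roaming\Ipconfig.exe", "company": "Microsoft Corporation",
     "sha256": hashlib.sha256(b"constructed: lookalike").hexdigest()},
    {"path": r"C:\Windows\System32\ipconfig.exe", "company": "Microsoft Corporation",
     "sha256": hashlib.sha256(b"constructed: replaced in place").hexdigest()},
    {"path": r"C:\Program Files\Foo\foo.exe", "company": "Foo Ltd",
     "sha256": hashlib.sha256(b"constructed: foo").hexdigest()},
]

def triage(events):
    """Classify every event; returns verdicts in input order."""
    return [classify(e) for e in events]

if __name__ == "__main__":
    for e, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict:10} {e['path']}")
```

On a real host the hash table is filled from the actual System32 files and the check is backed by an Authenticode signature verification, which a copied version resource cannot reproduce.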