Did you know this secret to break windows firewall

Everybody knows what a personal firewall does: it controls inbound and outbound access to the internet or network. Though many prefer third-party software like ZoneAlarm Pro, many still stick to Windows Firewall. Not configuring Windows Firewall properly is one of the simplest ways to crash Windows quickly.

Basically, a firewall

  • asks the user for permission before allowing a program to communicate remotely
  • asks the user for permission before opening a port for remote communication

The default Windows Firewall does this by generating a pop-up asking the user to confirm whether the application should be granted internet access. This might make it seem that applications are under control and covert communication is prevented, but beware: there is a secret to break Windows Firewall without the user knowing about it. Your computer can be controlled from elsewhere once a trojan is installed.

The secret to breaking Windows Firewall is the 'netsh' command. netsh can open a port as well as add or delete a firewall rule for a program. If I place a trojan on your computer and execute it, the trojan can be programmed to open its default port and add itself to the firewall rules so that it may communicate with the internet. The user would be completely unaware of this. The trojan can also be started covertly by the advanced startup methods discussed in my previous article. You can view the detailed syntax of 'netsh' by typing "netsh firewall /?" at the command prompt.

All in all, your computer can be controlled remotely via the internet without you knowing anything. Trojans today can easily be passed to your computer via email, and they can be made so small that they can be delivered in many ways.

So, when selecting a firewall, do not select one that can be controlled via a command shell. Always use one that needs a human click. Very important!

Examples of the 'netsh' command (full syntax):

To add a firewall rule that accepts a program 'file.exe', we can write something like
  • netsh firewall add allowedprogram C:\file.exe testfile ENABLE
Similarly, to open port 4444,
  • netsh firewall add portopening TCP 4444 testport

Hidden Startup Methods

  • How many kinds of hidden startup methods do you know?
  • Do you just rely upon the 'Run' and 'RunOnce' values in the registry?
  • Or do you look in the Startup folder in the Start Menu?

Yes, most Windows users feel that by guarding the Startup folder and the Run value in the registry, spyware and trojans can be controlled.

An advanced user may even search the services list to see if any suspicious service is running.
Then a time comes when a virus like RavMon hits the computer and, no matter where you look, you can't tell where that culprit runs from.

Well, nowadays newer viruses use other registry locations as hidden startup methods. In HKLM\Software\Microsoft\Windows NT\Winlogon they tend to use two values, viz. 'Shell' and 'Userinit'. By appending their own executable to the Userinit value, separated by a comma, the virus runs again and again. The default value of 'Shell' is explorer.exe; viruses often modify it to 'explorer.exe virus.exe'.
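As an added example (not from the original post), here is a PowerShell audit that checks the two Winlogon values described above and lists the enabled firewall allow rules together with the program each one applies to, which is how the netsh changes described earlier would show up. It assumes a modern Windows host with the NetSecurity module, the full key path HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and the stock defaults for Shell and Userinit; run it from an elevated prompt.

```powershell
# Added example, not code from the original post.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module) and an elevated prompt.

function Test-WinlogonValues {
    param(
        # Stock defaults (assumed); adjust if your build differs.
        [string]$ExpectedShell    = 'explorer.exe',
        [string]$ExpectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
    )
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $values = Get-ItemProperty -Path $key -Name Shell, Userinit

    $findings = @()
    # Shell: anything beyond explorer.exe (e.g. "explorer.exe virus.exe") is suspect.
    if ($values.Shell.Trim() -ne $ExpectedShell) {
        $findings += "Shell is '$($values.Shell)' (expected '$ExpectedShell')"
    }
    # Userinit: extra comma-separated entries are the persistence trick described above.
    $entries  = $values.Userinit.Split(',')  | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $expected = $ExpectedUserinit.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($e in $entries) {
        if ($expected -notcontains $e) {
            $findings += "Unexpected Userinit entry: '$e'"
        }
    }
    return $findings
}

function Get-AllowedPrograms {
    # Enabled rules that allow traffic, with the executable each rule is bound to.
    Get-NetFirewallRule -Enabled True -Action Allow |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Direction = $rule.Direction
                Program   = $app.Program
            }
        } |
        Where-Object { $_.Program -and $_.Program -ne 'Any' }
}

$findings = Test-WinlogonValues
if ($findings.Count -eq 0) { 'Winlogon Shell/Userinit match the expected defaults.' } else { $findings }
# Review this list for executables you do not recognise, especially outside Program Files.
Get-AllowedPrograms | Sort-Object Program | Format-Table -AutoSize
```

Older systems that only have the legacy netsh firewall context can list the same program rules with "netsh firewall show allowedprogram".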

This is so effective against common users that they have no choice but to back up important files and format the hard drive.

Sometimes these little tips help a lot in avoiding the time lost in formatting.

That is just a simple startup method. More complex startup methods include hiding the entry from the registry by hooking the registry-handling APIs, and hiding the process and service from the process list and services list by hooking the respective APIs. Identifying them is not easy; you have to be pretty sharp. I will cover this topic in detail in my next post. Bye till then.
