Rootkits: Attacking Personal Firewalls presented at BlackhatUSA 2006

by Alexander Tereshkin,

Summary : Usually, a personal firewall and an antivirus monitor are the only tools run by a user to protect the system from any malware threat with any level of sophistication. This level significantly increases when malware authors add kernel mode rootkit components to their code in order to avoid easy detection. As rootkit technologies become more and more popular, we can clearly see that many AV vendors begin to integrate anti-rootkit code into their products. However, the firewall evolution is not so obvious. Firewall vendors widely advertise their enhancements to the protection against user mode code injections and similar tricks, which are used by almost any malware out there to bypass more simple firewalls, keeping much less attention to the kernel mode threats. In fact, just a few vendors evolve their kernel mode traffic filter techniques to pose an obstacle for a possible kernel rootkit.
This presentation will focus on the attacks which may be performed by an NT kernel rootkit to bypass a personal firewall in its core component: the traffic hooking engine. Starting from the brief overview of the entire NT network subsystem, the talk will demonstrate both simple and advanced methods firewalls use to hook in-out traffic. Every firewall trick will be examined in details, and an antidote will be offered to each. It will also be shown that it is possible for a rootkit to operate at a lower level than current firewalls by using only DKOM techniques. The presentation will be accompanied by a live demo of the proof of concept rootkit which is able to bypass even the most advanced personal firewalls available on the market. Finally, a possible solution for hardening firewalls against discussed attacks will be presented.