Bypassing Windows Firewall, XP SP2 example

Recently i found this way to by pass the windows SP2 inbuilt firewall. This is for educational purpose strictly. So, here it goes

We can bypass windows firewall using registry.

Just open regedit.exe and go to
[code:1]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
[/code:1]

As you can see the sharedaccess service aka windows firewall contains the names of applications allowed for outbound connections.

Tto give access to the desired application we need to add similiar key:
[code:1]C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled[/code:1]

But then out "backdoor" will be listed in Firewall GUI allowed applications.

Anyway we may hide it by making this
[code:1]C:\\WINDOWS\\system32\\backdoor.exe"="C:\\WINDOWS\\system32\\backdoor.exe:*:Enabled:@xpsp2res.dll,-22019"[/code:1]

We can also open globally any port we want

[code:1]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

[/code:1]

by adding similiar value inside this registry key
[code:1]"1337:TCP"="1337:TCP:*:Enabled:Name"[/code:1]

Where "Name" is the name we want to be showed in the GUI

To hide port from listing in the GUI mode we may make something like that

[code:1]1337:TCP:*:Enabled:@xpsp2res.dll,-22003[/code:1]

an then the port will be hidden from listing (XP SP2)..



It works on XP SP2 i didn't tested it on any other os.

This method is used by some malware /spyware manufacturers and together with rootkit it may be reallly dangerous.

Ouch! That's worth knowing

Well, of course from an administrator account everything's possible! Firewall's rules had to be stored somewhere after all..
The above would not work in a limited account, since access to the registry is prohibited.

This is nice that you described though, if nothing else to demonstrate how easily can a malware reconfigure the Windows firewall to allow themselves out and how many more considerations there are to take when having logged in as an administrator!

I second nske's comments. I run all my users in non-admin mode at work and at home! This I believe is the major reason behind spyware infections. Obviously this problem mainly exists in the Windows world where people are not so familiar with the concept of root and limited user accounts.

Well, since Microsoft likes to push users to the direction it wants in everything (default software, default settings, etc), it would be a good idea to encourage this and some other security-conscious decisions during the installation.
After all, nobody would complain for having to relogin each time he needs to install some new software or configure something, as they complain now for having an unusable malware-infected system -besides, the procedure could be more transparent not requiring to disrupt a current login session.

PS. And afterwards they could even patent this idea and sue the Linux community for billions! :lol: