Computer Security - Disabling Firewall Possible ?
#1

Hello,

I've set an administrator password on my Kerio Personal Firewall 2.1.5. I've heard that some 'malicious' code, be they viruses or trojans, can disable a firewall.

When I try and shutdown the firewall manually, I'm asked for the password. Failure to input the correct password results in the firewall program remaining active.

Would a virus or trojan have the same problem ? Or do they use some 'system call' to stop the service and so make the password entering redundant ? I don't know if 'system call' is the right phrase, sorry.

Egrads,

Pete.

Raw Sex

#2

On Thu, 15 Jan 2004 17:44:04 +0000, Raw Sex <> wrote:

>Hello,
>
>I've set an administrator password on my Kerio Personal Firewall 2.1.5. I've
>heard that some 'malicious' code, be they viruses or trojans, can disable a
>firewall.
>
>When I try and shutdown the firewall manually, I'm asked for the password.
>Failure to input the correct password results in the firewall program
>remaining active.
>
>Would a virus or trojan have the same problem ? Or do they use some 'system
>call' to stop the service and so make the password entering redundant ? I
>don't know if 'system call' is the right phrase, sorry.
>
>Egrads,
>
>Pete.

A system call can do it. The password is mainly to prevent an unauthorized employee, spouse, kids, etc. from shutting it down. There is malware that can do this although it is not terribly common; Mosucker supposedly will target well-known firewall and anti-virus applications.

Various firewalls and other security applications have methods of dealing with this, from hooking the calls and APIs used to terminate processes and threads to more exotic measures.

FWIW, I have examined and deliberately run a lot of malware, and never had one kill the firewall. KPF2 is slightly off the beaten path anyway. Frankly, since most people use Windows and most Windows users use Internet Explorer, which is a giant open door onto Windows systems, nuking the firewall is largely unnecessary.

Sponge
Sponge's Secure Solutions
www.geocities.com/yosponge
My new email: yosponge2 et yahoo dot com

#3

On 15 Jan 2004 17:43:52 -0800, whilst in NewsFroup alt.computer.security, (sponge) articulated the following sentiments :

<snip>

>A system call can do it. The password is mainly to prevent an
>unauthorized employee, spouse, kids, etc. from shutting it down. There
>is malware that can do this although it is not terribly common;
>Mosucker supposedly will target well-known firewall and anti-virus
>applications.
>
>Various firewalls and other security applications have methods of
>dealing with this, from hooking the calls and APIs used to terminate
>processes and threads to more exotic measures.
>
>FWIW, I have examined and deliberately run a lot of malware, and never
>had one kill the firewall. KPF2 is slightly off the beaten path anyway.
>Frankly, since most people use Windows and most Windows users use
>Internet Explorer, which is a giant open door onto Windows systems,
>nuking the firewall is largely unnecessary.

Many thanks Sponge for the information.

Egrads,

Pete.

#4

There are a slew of infectors that can disable AV software and FireWall software. Over the past year this has become almost a standard to be performed by an infector.

Some examples...

W32/Magistr.b@MM - http://vil.nai.com/vil/content/v_99199.htm
W32/AceBot.worm - http://vil.nai.com/vil/content/v_99402.htm
W32/Yaha.k@MM - http://vil.nai.com/vil/content/v_99918.htm
W32/Kindal@MM - http://vil.nai.com/vil/content/v_100207.htm

Dave

"Raw Sex" <> wrote in message news:...
| Hello,
|
| I've set an administrator password on my Kerio Personal Firewall 2.1.5. I've
| heard that some 'malicious' code, be they viruses or trojans, can disable a
| firewall.
|
| When I try and shutdown the firewall manually, I'm asked for the password.
| Failure to input the correct password results in the firewall program
| remaining active.
|
| Would a virus or trojan have the same problem ? Or do they use some 'system
| call' to stop the service and so make the password entering redundant ? I
| don't know if 'system call' is the right phrase, sorry.
|
| Egrads,
|
| Pete.