Cyber security essentials


Cyber Security Fundamentals


// Retrieve the collection of globally open ports.
fwProfile->get_GloballyOpenPorts(&fwOpenPorts);

// Create an instance of an open port.
CoCreateInstance(
    __uuidof(NetFwOpenPort),
    NULL,
    CLSCTX_INPROC_SERVER,
    __uuidof(INetFwOpenPort),
    (void**)&fwOpenPort
);

// Set the port number.
fwOpenPort->put_Port(portNumber);

// Set the IP protocol.
fwOpenPort->put_Protocol(ipProtocol);

// Allocate a BSTR for the friendly name of the port.
fwBstrName = SysAllocString(name);

// Set the friendly name of the port.
fwOpenPort->put_Name(fwBstrName);

// Opens the port and adds it to the collection.
fwOpenPorts->Add(fwOpenPort);

Exhibit 1-36  Programmatically opening a port through the Windows Firewall.

Waledac, however, does not directly modify the Windows registry. Instead, Waledac uses the Windows Firewall API to open firewall ports. Exhibit 1-36 illustrates the Microsoft example for programmatically opening a port in the Windows Firewall. Antivirus vendors may detect a modification to the firewall settings of Windows Firewall. When malicious code needs to remain stealthy, modifying the Windows Firewall settings to connect to the command-and-control (C&C) server may prove problematic. Many families of malicious code, notably the BBB group B family from 2008,48 use programs such as Internet Explorer to circumvent the Windows Firewall restrictions. As mentioned previously, Windows Vista does not give Internet Explorer access to the Internet by default. With the prevalence of Internet Explorer, many attackers assume that victims have given Internet Explorer access to the Internet by adding the application to the Windows Firewall–authorized programs list. Windows XP systems, on the other hand, automatically allow Internet Explorer network requests to traverse the Windows Firewall, regardless of whether or not the user explicitly lists the browser in the authorized application list. Attackers can exploit this fact by injecting code into a running Internet Explorer instance. The Windows

© 2011 by Taylor & Francis Group, LLC
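A defender can read back the same collections that Exhibit 1-36 and the authorized programs list write to. The PowerShell audit below is an added example, not code from the book or from Microsoft's sample; it assumes the legacy HNetCfg.FwMgr COM interface is available on the host, and the baseline entries are constructed placeholders.

```powershell
# Added audit example: enumerate the legacy Windows Firewall exception lists
# and flag every enabled entry that is not in an approved baseline.

# Constructed baseline (assumption): replace with your build standard.
$AllowedPorts = @('6:3389')   # "<protocol>:<port>", 6 = TCP, 17 = UDP
$AllowedApps  = @('C:\Program Files\Internet Explorer\iexplore.exe')

$ProtocolName = @{ 6 = 'TCP'; 17 = 'UDP' }

# Same object model as the exhibit: profile -> GloballyOpenPorts.
$fwMgr     = New-Object -ComObject HNetCfg.FwMgr
$fwProfile = $fwMgr.LocalPolicy.CurrentProfile

$findings = @()

foreach ($port in $fwProfile.GloballyOpenPorts) {
    # Match on protocol and port only. The friendly name is set by whoever
    # called put_Name, so it cannot be trusted to identify the entry.
    $key = '{0}:{1}' -f [int]$port.Protocol, $port.Port
    if ($port.Enabled -and ($AllowedPorts -notcontains $key)) {
        $findings += [pscustomobject]@{
            Kind   = 'OpenPort'
            Name   = $port.Name
            Detail = '{0}/{1}' -f $ProtocolName[[int]$port.Protocol], $port.Port
            Scope  = $port.RemoteAddresses
        }
    }
}

foreach ($app in $fwProfile.AuthorizedApplications) {
    # Match on the image path, not the display name, for the same reason.
    if ($app.Enabled -and ($AllowedApps -notcontains $app.ProcessImageFileName)) {
        $findings += [pscustomobject]@{
            Kind   = 'AuthorizedApp'
            Name   = $app.Name
            Detail = $app.ProcessImageFileName
            Scope  = $app.RemoteAddresses
        }
    }
}

$findings | Sort-Object Kind, Name | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or management agent raise an alert.
if ($findings.Count -gt 0) { exit 1 }
```

An approved browser path in the authorized programs list still says nothing about code injected into that process, so this check covers only the firewall-modification case described above.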

