As Trojans and backdoors keep developing, firewalls keep developing too; the two are spear and shield. Knowing how a backdoor gets through the firewall is very important for keeping control of a system.
Because of this development, many of today's firewalls are driver-based: the core part is a kernel driver, and only a small user-mode interface program is left for the user to change settings. That interface program is just a bridge. The traditional approach of killing the firewall process in order to regain control of the system no longer works, and it was never a good idea anyway (think about what the administrator's reaction will be when the firewall icon is gone). The methods are discussed below.
Prerequisites:
You already have sufficient privileges on the remote system.
You have obtained system privileges through IPC, MSSQL or some other route, but whether you operate through IPC or through MSSQL, neither is as fast and convenient as working directly from a cmd shell.
Method 1: Keep the firewall from loading itself
Use tools such as pslist, sc.exe and reg.exe to find out where the firewall is loaded from. If it is loaded from a Run key, remove the entry with reg.exe; if it is started as a service, use sc.exe to set the service to manual or disabled, then restart the system. After the reboot the firewall will no longer load. This method keeps the firewall from running at all, so it is relatively easy for the administrator to notice.
Method 2: Forcibly bind to a port the firewall already allows
If a system runs services such as pcAnywhere, Serv-U, IIS, MSSQL or MySQL, the firewall will already allow outside connections to the ports those applications open, and a backdoor or Trojan can forcibly bind itself to one of those ports again. For example, the port opened by pcAnywhere or Serv-U can be re-bound; with IIS and MSSQL it sometimes works and sometimes fails for unknown reasons. Because those applications are authorized and trusted by the firewall, once the backdoor has forcibly bound itself to their port it gets past the firewall. However, this does not work against more advanced firewalls such as ZoneAlarm, because ZoneAlarm monitors not only the port but also which program tries to bind to it; if the backdoor has not been authorized by ZoneAlarm, it still cannot bind to that port.
Method 3: Backdoors or Trojans using ICMP or a custom protocol
This is effective against some firewalls, but it fails against a firewall that checks whether the application making a network connection is trusted, because such a firewall decides whether a program may connect based on whether the user has allowed that program, not just on the protocol or port.
Method 4: Inserting the backdoor or Trojan into another running process
Certain programs are allowed by 99.9999% of users, IE being the obvious one; a user who does not allow IE to connect to the network is very rare. Because IE is generally an application the firewall trusts, as long as the backdoor is inserted into the running IE process the firewall will generally not stop it. As long as the firewall allows IE to connect to the network, a backdoor inserted into IE can accept outside connections. Such backdoors are generally DLLs loaded into the running IE process; an executable program can also inject a thread directly into IE, but that is far less stable than DLL injection. This method evades the majority of firewalls, but against some firewalls that check not only outbound but also inbound connections it will sometimes fail. Overall, though, it is a good and convenient method (tested).
Method 5: Insert the backdoor into IE and use a reverse connection
Method 4 above explained that IE is typically an application the firewall trusts, so inserting the backdoor into the running IE process is a good approach. However, some firewalls also check inbound connections (connections from the outside to the system), which makes Method 4 fail: the firewall may prompt the user whether to allow the connection, and as soon as the user refuses, Method 4 fails. But if the backdoor runs inside IE and automatically connects out to a specific IP (a reverse connection), it will succeed almost 99 percent of the time, because the firewall already allows IE to connect outward. Once the backdoor has connected to the specified IP, the attacker gets a cmd shell.
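From the defender's side, Methods 2, 4 and 5 all leave a visible trace in the host's socket table: a trusted service port owned by the wrong image, a browser process that is listening, or a browser process connected to a non-web port. The following Python script is an added example (not part of the original article) that flags those three traces; the line format, the baseline of expected listeners and the sample lines are all constructed assumptions.

```python
import re
from collections import namedtuple

# Added detector (not from the original article): reads netstat-style lines with
# the owning process and flags traces the methods above would leave. Assumed format:
#   proto local_addr:port remote_addr:port state pid image_name
Conn = namedtuple("Conn", "lport raddr rport state pid image")
LINE = re.compile(r"^\w+\s+\S+:(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s+(\S+)$")

# Assumed baseline for this host: which image should own each trusted service port
# (Method 2 re-binds a backdoor to such a port).
EXPECTED_LISTENERS = {21: "servudaemon.exe", 80: "inetinfo.exe", 1433: "sqlservr.exe"}
# Firewall-trusted browser images (Methods 4 and 5 hide inside these) and the
# remote ports a browser is normally expected to talk to.
BROWSERS = {"iexplore.exe"}
WEB_PORTS = {80, 443, 8080}

def parse(text):
    conns = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            lp, ra, rp, st, pid, img = m.groups()
            conns.append(Conn(int(lp), ra, int(rp), st, int(pid), img.lower()))
    return conns

def analyze(text):
    """Return (rule, pid, image, detail) findings for the given netstat text."""
    findings = []
    for c in parse(text):
        expected = EXPECTED_LISTENERS.get(c.lport)
        if c.state == "LISTENING" and expected and c.image != expected:
            findings.append(("port_hijack", c.pid, c.image, f"port {c.lport} expected {expected}"))
        if c.image in BROWSERS and c.state == "LISTENING":
            findings.append(("browser_listener", c.pid, c.image, f"listening on {c.lport}"))
        if c.image in BROWSERS and c.state == "ESTABLISHED" and c.rport not in WEB_PORTS:
            findings.append(("browser_nonweb_outbound", c.pid, c.image, f"{c.raddr}:{c.rport}"))
    return findings

# Constructed sample; addresses come from documentation ranges, not real hosts.
SAMPLE = """\
TCP 0.0.0.0:21 0.0.0.0:0 LISTENING 1340 ServUDaemon.exe
TCP 0.0.0.0:21 0.0.0.0:0 LISTENING 1972 updater.exe
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 1520 inetinfo.exe
TCP 192.0.2.10:1067 198.51.100.5:443 ESTABLISHED 2244 iexplore.exe
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 2244 iexplore.exe
TCP 192.0.2.10:1072 203.0.113.9:4444 ESTABLISHED 2244 iexplore.exe
"""
```

Running analyze(SAMPLE) yields one finding per rule; a reverse connection to port 443 would pass the port rule, so pair this with destination reputation and a check of which DLLs are loaded into the browser process.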
Of the methods above, Methods 1, 2 and 3 apply only in narrow situations and cannot be considered good methods. Methods 4 and 5 are more advanced, and an administrator generally finds them hard to detect: almost no one suspects that a backdoor has been inserted into their running IE process. I believe most Internet users do not know about these methods, and they are relatively hard to detect. Of course there are other methods as well.