Black Hat Briefings, Las Vegas 2006 [audio] Presentations From The Security Conference

Alexander Tereshkin: Rootkits: Attacking Personal Firewalls

Information:

Synopsis

"Usually, a personal firewall and an antivirus monitor are the only tools run by a user to protect the system from any malware threat with any level of sophistication. This level significantly increases when malware authors add kernel mode rootkit components to their code in order to avoid easy detection. As rootkit technologies become more and more popular, we can clearly see that many AV vendors are beginning to integrate anti-rootkit code into their products. However, the firewall evolution is not so obvious. Firewall vendors widely advertise their enhancements to the protection against user mode code injections and similar tricks, which are used by almost any malware out there to bypass simpler firewalls, while paying much less attention to kernel mode threats. In fact, just a few vendors evolve their kernel mode traffic filter techniques to pose an obstacle for a possible kernel rootkit. This presentation will focus on the attacks which may be performed by an NT kernel rootkit to bypass a personal firewall