Many home users rely on a software firewall to protect them from malicious hackers on the outside. While many firewalls do a reasonable job of blocking the outside attacker, most are quite weak at protecting the user from a malicious program that is intended to provide a backdoor into your system.
Such programs could include remote logins (telnet style), IRC bots (to form part of a botnet) and FTP servers (to allow the attacker to use your computer to host illegal content).
The typical firewall works by suspending execution of a program you run at the moment the program calls the function WSAStartup (the Winsock function that initialises the socket library used for network communication).
It then presents the user with a dialog asking whether it is OK for this program to access the internet. Of course, this sounds quite safe, but what if the malicious program is able to hide itself within another, already running application that has internet access... Internet Explorer (iexplore.exe), for example...
If that were possible, your software firewall would not be of much help.
Unfortunately, it is possible, primarily using a Windows API called "CreateRemoteThread". This ingenious invention of Microsoft allows you to create a new thread in another application. I am sure it has legitimate uses, but IMHO it is a dangerous API that should be subject to greater security privileges.
Anyway, using this API it is possible to "inject" any type of application into an already running application. This means the attacker can inject all of their IRC bots, FTP servers and backdoors into a trusted process, and bypass most firewalls.
It also has the added advantage for the attacker that the end user will be oblivious to the extra applications that are running when they look in Task Manager, because no new process appears there.
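As an added example (not code from the original post), here is the defender's side of what the post describes: a small Python check over CreateRemoteThread events, flagging a remote thread whose entry point lies outside any module loaded by the target, or whose entry point is a LoadLibrary call, in a trusted process such as iexplore.exe. The field names are modelled on those Sysmon records for its CreateRemoteThread event, and the log lines are constructed, not real captures.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines, loosely modelled on the fields Sysmon records for
# Event ID 8 (CreateRemoteThread). These are not real captures.
SAMPLE_EVENTS = [
    "SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\explorer.exe "
    "StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=RtlUserThreadStart",
    "SourceImage=C:\\Users\\bob\\Downloads\\codec.exe "
    "TargetImage=C:\\Program Files\\Internet Explorer\\iexplore.exe "
    "StartModule=C:\\Windows\\System32\\kernel32.dll StartFunction=LoadLibraryA",
    "SourceImage=C:\\Users\\bob\\Downloads\\codec.exe "
    "TargetImage=C:\\Program Files\\Internet Explorer\\iexplore.exe "
    "StartModule= StartFunction=",
]

# Key=Value pairs; values may contain spaces, so stop only before the next "Key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key=Value Key=Value' line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for a single CreateRemoteThread event."""
    src, dst = event.get("SourceImage", ""), event.get("TargetImage", "")
    module, func = event.get("StartModule", ""), event.get("StartFunction", "")
    if src.lower() == dst.lower():
        return "benign", "thread created within the same process"
    if not module:
        # Entry point is backed by no loaded module: code was written into the
        # target's memory from outside, exactly the case the post describes.
        return "suspicious", f"thread in {basename(dst)} starts outside any loaded module"
    if basename(module) == "kernel32.dll" and func.startswith("LoadLibrary"):
        # A remote thread starting at LoadLibrary* makes the target load a DLL
        # of the caller's choosing; the classic injection signature.
        return "suspicious", f"{basename(src)} made {basename(dst)} call {func}"
    return "benign", "remote thread starts in a known module"

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (target basename, reason) for every event judged suspicious."""
    hits = []
    for line in lines:
        event = parse_event(line)
        verdict, reason = classify(event)
        if verdict == "suspicious":
            hits.append((basename(event["TargetImage"]), reason))
    return hits
```

Run against `SAMPLE_EVENTS`, `scan` reports the two events targeting iexplore.exe and ignores the ordinary csrss.exe to explorer.exe thread.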
Anyway, I gotta head off to work.
Tonight, I will give some example code of how this actually works.

10/02/06 @ 23:32