Toivo Talikka

Total Data Pty Ltd

Computer system installation, support and IT management consultancy

Forestville NSW Australia        tel 0410 532 923       email toivo@totaldata.biz

Security, Firewalls and Rootkits

Probes

If you have installed a personal firewall product and dialled in to your ISP over a telephone line, you will have seen a number of probes recorded by the firewall within minutes. During a dial-in connection you use a dynamic IP address, allocated by the ISP for the duration of a single login session. If you use a cable or ADSL (broadband) connection, your dynamic IP address is constantly bombarded with packets originating from worm-infected PCs and servers in the far reaches of the Internet.

You ask "What does this probing have to do with me?" The purpose of the probes is to get a response from your PC, find out what type of system you run and identify its weaknesses, i.e. open ports and services which the attacker will target during the next step of the attack. This activity is often fully automated, and there are numerous web sites on the Internet with enough information to 'roll your own' hacking tools.
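To see what those firewall entries add up to, here is a small script that reads blocked inbound packets and groups them by source address, flagging any source that touched several different ports (the signature of automated service enumeration). This is an added example, not code from the article or from any firewall product; the log line format and the sample addresses are constructed, so adjust parse_line() to whatever your own firewall exports.

```python
"""Summarise inbound probes from personal-firewall log lines.

Added example. The log format (timestamp, action, protocol, source ->
destination) is a constructed one; real products use their own export format.
"""
import re
from collections import defaultdict

# Constructed sample of the blocked traffic a freshly connected PC sees.
# Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
2005-06-01 20:01:03 BLOCK TCP 198.51.100.23:3311 -> 192.0.2.10:135
2005-06-01 20:01:04 BLOCK TCP 198.51.100.23:3312 -> 192.0.2.10:139
2005-06-01 20:01:04 BLOCK TCP 198.51.100.23:3313 -> 192.0.2.10:445
2005-06-01 20:01:09 BLOCK UDP 203.0.113.77:1434 -> 192.0.2.10:1434
2005-06-01 20:01:15 BLOCK TCP 198.51.100.23:3314 -> 192.0.2.10:80
2005-06-01 20:01:20 BLOCK TCP 203.0.113.5:4000 -> 192.0.2.10:445
2005-06-01 20:01:21 BLOCK TCP 203.0.113.5:4001 -> 192.0.2.10:445
2005-06-01 20:01:30 ALLOW TCP 192.0.2.10:1025 -> 203.0.113.200:80
garbage line that should be skipped
"""

# A few well-known / registered port numbers (IANA), used only to annotate
# the report so the reader can see which services were being looked for.
PORT_NAMES = {
    80: "http", 135: "msrpc", 139: "netbios-ssn", 445: "microsoft-ds",
    1434: "ms-sql-m",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>BLOCK|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarise_probes(text, scan_threshold=3):
    """Group blocked inbound packets by source address.

    Returns {src: {"hits": n, "ports": sorted dest ports, "scan": bool}};
    "scan" is set when one source probed at least scan_threshold distinct
    destination ports.
    """
    ports_by_src = defaultdict(set)
    hits_by_src = defaultdict(int)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "BLOCK":
            continue  # skip unparsable lines and our own allowed traffic
        ports_by_src[rec["src"]].add(rec["dport"])
        hits_by_src[rec["src"]] += 1
    return {
        src: {
            "hits": hits_by_src[src],
            "ports": sorted(ports),
            "scan": len(ports) >= scan_threshold,
        }
        for src, ports in ports_by_src.items()
    }


def format_report(report):
    """Render the summary, busiest source first."""
    lines = []
    for src, info in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        names = ", ".join(f"{p}/{PORT_NAMES.get(p, '?')}" for p in info["ports"])
        flag = "  <-- port scan" if info["scan"] else ""
        lines.append(f"{src}: {info['hits']} packets -> {names}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarise_probes(SAMPLE_LOG)))
```

Run it and the first source stands out: four packets against four different ports in a dozen seconds is not a stray packet but an enumeration of your services. Single hits on 445 or 1434 are the background noise of worms that only know one port.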

Malware

Malware such as Trojan horse programs is the more sinister side of the security issues in personal computers. Trojan horse programs known as "key loggers" record the user names and passwords we type in to log on to secure web sites. More importantly, credit card numbers and other personal information stored on the PC are at risk. When a key logger has collected our user name and password, or the credit card number and expiry date we are always instructed to keep safe, the information is forwarded to malicious servers on the Internet, to be used for criminal purposes by the perpetrators of the intrusion into our computer.

Trojans

If you have inadvertently installed an application like a web server on your PC (Personal Web Server can be installed by default) or downloaded an application which acts as a Trojan, the attacker does not need to do much work to gain control.

A Trojan application or service running quietly in the background on your PC offers a backdoor into your system for zombie agent programs from the Internet. Your PC can then be compromised and used as a zombie client in a Distributed Denial of Service (DDoS) attack on an e-business site. In theory, you could be sued for negligence, together with the other PC and server owners whose systems participated in the co-ordinated attack without their owners' knowledge.

Dancho Danchev's recent paper, The Complete Windows Trojans Paper, is a comprehensive account of what is happening on the Trojan front.

Firewalls

I feel more comfortable when I know that not just anyone has access to my PC from the Internet. Early versions of personal firewall products blocked access from the Internet to the PC, but they did not monitor requests sent from the PC to the Internet. This allowed Trojan activity to go unnoticed.

Nowadays personal firewall applications prompt the user when a new application tries to access the Internet. Even though some firewall products are designed to learn the characteristics and behaviour of the applications accessing the Internet and set the firewall rules with a minimum of user involvement, many computer users are happy to know what is involved and spend a few minutes giving the initial authorisation to newly installed programs - or new versions of established applications - to access the Internet. This is the chance to catch Trojan activity before it 'phones home'.
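The difference between a firewall that asks and one that learns on its own is easiest to see in code. The following is an added example, not code from any of the firewall products mentioned here: it models an outbound rule store keyed on the program's path and the SHA-256 hash of its executable (an assumption about how a program is identified; real products vary), and runs the same sequence of connection attempts through both modes. The program paths and executable contents are constructed stand-ins.

```python
"""Outbound (egress) application control: prompt mode versus learn mode.

Added example. Rules are keyed on (path, sha256 of the executable image) so
that a new version of a program, or a different binary planted at a trusted
path, does not silently inherit an earlier 'allow' answer.
"""
import hashlib

ALLOW, DENY, PROMPT = "allow", "deny", "prompt"


class EgressPolicy:
    """Per-application outbound rules, keyed on path *and* image hash."""

    def __init__(self, mode=PROMPT):
        # PROMPT: an unknown program is held until the user answers.
        # "learn": an unknown program is allowed and merely recorded, the
        # convenience setting that lets a Trojan phone home unnoticed.
        self.mode = mode
        self.rules = {}     # (path, sha256) -> ALLOW or DENY
        self.learned = []   # paths auto-allowed in learn mode

    @staticmethod
    def fingerprint(path, image_bytes):
        return (path, hashlib.sha256(image_bytes).hexdigest())

    def decide(self, path, image_bytes):
        """Decision for one outbound connection attempt by this program."""
        key = self.fingerprint(path, image_bytes)
        if key in self.rules:
            return self.rules[key]
        if self.mode == "learn":
            self.rules[key] = ALLOW
            self.learned.append(path)
            return ALLOW
        return PROMPT

    def answer_prompt(self, path, image_bytes, allow):
        """Record the user's answer so the same binary is not asked again."""
        self.rules[self.fingerprint(path, image_bytes)] = ALLOW if allow else DENY


# Constructed stand-ins: a real firewall would hash the file on disk.
BROWSER_PATH = r"C:\Program Files\Browser\browser.exe"
SAVER_PATH = r"C:\Documents and Settings\user\Desktop\funny.scr"
BROWSER_V1 = b"browser build 1"
BROWSER_V2 = b"browser build 2"
TROJAN_SAVER = b"screensaver carrying a backdoor"


def run_prompt_mode():
    """Decisions a prompting firewall makes for a short sequence of events."""
    p = EgressPolicy(PROMPT)
    seq = [p.decide(BROWSER_PATH, BROWSER_V1)]       # first run: ask the user
    p.answer_prompt(BROWSER_PATH, BROWSER_V1, True)  # user says yes
    seq.append(p.decide(BROWSER_PATH, BROWSER_V1))   # remembered: allow
    seq.append(p.decide(BROWSER_PATH, BROWSER_V2))   # new version: ask again
    seq.append(p.decide(SAVER_PATH, TROJAN_SAVER))   # unknown program: ask
    return seq


def run_learn_mode():
    """The same events with a self-learning firewall: nothing is ever asked."""
    p = EgressPolicy("learn")
    seq = [p.decide(BROWSER_PATH, BROWSER_V1), p.decide(SAVER_PATH, TROJAN_SAVER)]
    return seq, p.learned


if __name__ == "__main__":
    print("prompt mode:", run_prompt_mode())
    print("learn mode: ", run_learn_mode())
```

In prompt mode the screensaver's first attempt to reach the Internet is the moment the user gets to say no; in learn mode it is already on the allowed list, and the only trace is an entry in the learned list that nobody is asked to read.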

On the other hand, there are experts who do not think the 'Pro' versions of personal firewalls are worth the money. The author of Samspade.org has written a comment about personal firewalls and their snake oil aspects.

Windows XP

The Microsoft Windows XP operating system, launched in 2001, contains Windows Firewall. Together with Microsoft AntiSpyware (Beta), it gives Windows users a level of security from external threats, assuming that the firewall is turned on and the Windows security updates are applied regularly.

Rootkits

One of the tricks of Trojan authors is to hide their program files and processes from users who inspect the directories and the list of processes in Task Manager. Because the idea originated in the Unix and Linux world, where the superuser (Administrator in Windows terms) is called root, these devious applications are now called rootkits.

Because of their secretive purpose and methods, also shared with spyware, rootkits have been notoriously difficult to detect and to get rid of. There are a number of applications which specialise in detecting rootkits, such as RootkitRevealer from Sysinternals. When you run RootkitRevealer, it generates a randomly named copy of itself to avoid detection by malware processes. As you can see, it is an all-out war in the recesses of the CPU and memory.
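Rootkit detectors of this kind work by comparing two views of the same thing: what the system's normal listing functions report against what a lower-level check finds. The script below is an added example, not RootkitRevealer's code; it shows the idea on Linux (an assumed platform, chosen because the procfs interfaces make it short to write). The "high-level" view is the process list as Task Manager or ps would see it, taken from the /proc directory; the "low-level" view is a probe of every possible process ID with kill(pid, 0). A process that answers the probe but is missing from the listing is being hidden from the listing.

```python
"""Cross-view detection of hidden processes (Linux procfs variant).

Added example of the cross-view technique, not RootkitRevealer's code.
"""
import os
import sys


def listed_pids(proc="/proc"):
    """High-level view: PIDs that appear in the /proc directory listing."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def listed_tids(proc="/proc"):
    """Thread IDs of every listed process. kill(tid, 0) also succeeds for a
    thread ID, so threads must not be mistaken for hidden processes."""
    tids = set()
    for pid in listed_pids(proc):
        try:
            tids.update(int(t) for t in os.listdir(f"{proc}/{pid}/task")
                        if t.isdigit())
        except OSError:
            continue  # the process exited while we were looking
    return tids


def probed_pids(max_pid):
    """Low-level view: PIDs that exist according to kill(pid, 0)."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0 checks existence, sends nothing
        except ProcessLookupError:
            continue                 # no such process
        except PermissionError:
            pass                     # exists, but belongs to another user
        found.add(pid)
    return found


def find_hidden(listed, probed):
    """Pure comparison: in the low-level view, absent from the high-level one."""
    return probed - listed


def read_max_pid(default=32768):
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return default


def scan(max_pid=None):
    """Return PIDs hidden from the /proc listing.

    The listing is taken before and after the probe so that a process which
    merely started or exited during the scan is not reported.
    """
    if not os.path.isdir("/proc"):
        raise NotImplementedError("this cross-view check needs procfs")
    known = listed_pids() | listed_tids()
    probed = probed_pids(max_pid or read_max_pid())
    known |= listed_pids() | listed_tids()
    return find_hidden(known, probed)


def self_check():
    """On a live system our own PID must appear in both views and must not be
    reported as hidden. Returns None where procfs is not available."""
    if not os.path.isdir("/proc"):
        return None
    me = os.getpid()
    return me in listed_pids() and me in probed_pids(me) and me not in scan(me)


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("procfs cross-view check is Linux-specific")
    hidden = scan()
    print("hidden PIDs:", sorted(hidden) if hidden else "none")
```

Two caveats belong with this. First, a process that started and exited entirely within the probe window, or a /proc mounted with hidepid so that other users' processes are not listed, will show up as "hidden" and needs checking by hand. Second, a rootkit that hooks the system call behind the probe as well as the one behind the listing defeats the comparison, which is why tools like RootkitRevealer go as low as reading raw disk and registry structures for their second view.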

It is becoming common for anti-virus software to be able to prevent infection by known rootkits. F-Secure has a Beta version of their BlackLight product, using rootkit elimination technology, available free of charge. BlackLight will be part of the F-Secure Internet Security 2006 suite.

Therefore, when you select an anti-virus product, type the word 'rootkit' into the search option on the software manufacturer's website and make sure you get satisfactory results.

More information about rootkits and related tools is available from the article Hidden Backdoors, Trojan Horses and Rootkit Tools in a Windows Environment at WindowsSecurity.com by Bartosz Bobkiewicz.

Further Info

If you have the time and inclination to find out how your PC applications and servers exchange 'packets' and communicate through 'ports' with Internet applications, here are a couple of references for starters:

ZoneAlarm - personal firewall from ZoneLabs.

TCPView and TDIMon - monitor TCP and UDP port activity and the process each port is linked with on the local PC, from Sysinternals

Well-known and registered port numbers from IANA, the Internet Assigned Numbers Authority

Well-known ports from Wikipedia

Internet Server Identification Utility - identifies the web server, from Gibson Research Corp

WatchGuard FireBox - from WatchGuard Technologies
