Most personal firewall applications fail in a very basic (and essential) aspect of their operation: giving the user a clear and concise way of identifying the software that is trying to access the network.
Even though this is widely known and has been discussed to death, it never really struck me until I installed the ADSL modem I recently got for free, courtesy of my telephone line operator.
The Windows 2000 version of the modem driver starts up and greets me with this nice dialog box as soon as I log in to my computer:
Is allowing “rundll32.exe” to always connect to the web a safe practice or not? rundll32.exe is a generic host that runs whatever DLL it is handed, so a permanent rule for it covers far more than the modem driver.
How many users, when pestered by this annoying dialog popping up every day, are savvy enough not to dismiss it once and for all?
Please note that the standard version of the dialog message gives even fewer details about the outgoing connection than the screenshot pasted here, and only identifies the offending executable by filename: no path information, no version information, no nothing.
How many will take the time to properly configure the firewall to only let the offending driver connect to the local subnet?
Now, this is arguably a bad design decision on the part of the writers of the modem driver, but there is a much simpler and cleaner way for wannabe virus writers to bypass the outbound-connection blocking that personal firewalls provide: simply use the web browser to connect to the web. Both IE and Firefox are powerful enough to support a variety of web protocols, and both expose easy scripting interfaces; on most machines at least one of the two has surely been flagged as “allowed to connect to the net without asking consent”, most likely both.
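To make the two complaints above concrete, here is an added example (my own sketch, not code from the original post or from any firewall product) of what a prompt should tell the user about an outbound connection: the full path rather than just the filename, a hash of the image, and, for a generic host such as rundll32.exe, the DLL that is actually running, taken from the command line. It also goes one step beyond the post: if the connecting process is a browser that was not started by the user's shell, it says so, since that is the only visible trace of the "let the browser do it" trick. The sample events, paths, the host-process list, the home subnet and the parent-process heuristic are all constructed assumptions for this example.

```python
# Added example (not from the original post): what a personal-firewall prompt
# should tell the user about an outbound connection, run over constructed
# sample events. Paths, names and the lists below are assumptions.
import hashlib
import ipaddress
import ntpath
from dataclasses import dataclass
from typing import Optional

# Generic host executables: the filename alone says nothing about which code
# is really running, so an "always allow" rule covers anything they load.
# Assumed list for this example, not an exhaustive one.
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"iexplore.exe", "firefox.exe"}
# Parents that mean "the user started it by hand" (assumption).
INTERACTIVE_PARENTS = {"explorer.exe"}
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")   # assumed home LAN


@dataclass
class ConnectEvent:
    """One outbound connection attempt as a firewall driver would see it."""
    pid: int
    image_path: str      # full path of the executable that owns the socket
    cmdline: str         # its command line
    parent_image: str    # filename of the parent process
    remote_ip: str
    remote_port: int
    image_bytes: bytes   # constructed stand-in for the file on disk


def _args(cmdline: str) -> str:
    """Everything after the program name (quoted program names handled)."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[s.index('"', 1) + 1:].strip()
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def effective_code(ev: ConnectEvent) -> str:
    """The module actually running: the DLL/script for a host process,
    otherwise the image itself."""
    name = ntpath.basename(ev.image_path).lower()
    if name not in HOST_PROCESSES:
        return ev.image_path
    rest = _args(ev.cmdline)
    if name == "rundll32.exe":
        rest = rest.split(",", 1)[0]      # rundll32 <dll>,<entrypoint> [args]
    return rest.strip().strip('"') or ev.image_path


def url_argument(cmdline: str) -> Optional[str]:
    """First http(s) URL on the command line, if any."""
    for tok in _args(cmdline).split():
        if tok.lower().startswith(("http://", "https://")):
            return tok.strip('"')
    return None


def describe(ev: ConnectEvent) -> dict:
    """What the prompt should show, plus warnings the user needs."""
    name = ntpath.basename(ev.image_path).lower()
    info = {
        "file": name,
        "path": ev.image_path,
        "sha256": hashlib.sha256(ev.image_bytes).hexdigest(),
        "running": effective_code(ev),
        "remote": f"{ev.remote_ip}:{ev.remote_port}",
        "local_subnet": ipaddress.ip_address(ev.remote_ip) in LOCAL_SUBNET,
        "warnings": [],
    }
    if name in HOST_PROCESSES:
        info["warnings"].append(
            f"{name} is a generic host: an 'always allow' rule for it would "
            f"cover any module it loads, not just {info['running']}")
    url = url_argument(ev.cmdline)
    if name in BROWSERS and ev.parent_image.lower() not in INTERACTIVE_PARENTS:
        info["warnings"].append(
            f"{name} was started by {ev.parent_image}"
            + (f" with URL {url}" if url else "")
            + "; the connection may be on behalf of another program")
    return info


# Constructed sample events (not real captures).
SAMPLE_EVENTS = [
    ConnectEvent(1204, r"C:\WINNT\system32\rundll32.exe",
                 r'rundll32.exe "C:\Program Files\ADSL Modem\modemctl.dll",Monitor',
                 "explorer.exe", "192.168.1.1", 80, b"constructed-rundll32"),
    ConnectEvent(2316, r"C:\Program Files\Internet Explorer\iexplore.exe",
                 r'"C:\Program Files\Internet Explorer\iexplore.exe" http://203.0.113.5/beacon?id=1',
                 "wscript.exe", "203.0.113.5", 80, b"constructed-iexplore"),
    ConnectEvent(2400, r"C:\Program Files\Mozilla Firefox\firefox.exe",
                 r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
                 "explorer.exe", "203.0.113.9", 443, b"constructed-firefox"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for k, v in describe(ev).items():
            print(f"{k:13}: {v}")
        print()
```

The first event is the modem case from the post: the prompt would name modemctl.dll rather than rundll32.exe, and the local-subnet flag is exactly the information needed to write the narrow rule the post asks for. The second event is what the browser trick looks like from the outside; the browser is already allowed, so the only thing left to notice is who launched it and with what.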