RE: Detecting trojans on random ports with encrypted traffic...

From: Carey, Steve T ISD (steve.carey@redstone.army.mil)
Date: 10/24/02


From: "Carey, Steve T ISD" <steve.carey@redstone.army.mil>
To: 'Clint Byrum ' <cbyrum@spamaps.org>, "'focus-ids@securityfocus.com '" <focus-ids@securityfocus.com>
Date: Wed, 23 Oct 2002 21:08:47 -0500


One of the things I have noticed is that for any encryption the initial phase
is unencrypted and normally has enough information to identify the program,
whether a Trojan or a normal program. If you miss that first set of pushes, then
you can't tell bad (Trojan) traffic from good (normal) traffic.

-----Original Message-----
From: Clint Byrum
To: focus-ids@securityfocus.com
Sent: 10/23/2002 3:55 PM
Subject: Detecting trojans on random ports with encrypted traffic...

Ok so, we can obviously see sub7 on port 27374 with its known signature
patterns. But then they go and run it on a different port. And then they
go and encrypt things (I don't know if sub7 can do this, but for instance
BO or something else).

The scenario is, a user brings a floppy disk with a trojan on it to the
location, and puts the trojan on another user's computer. They then sit
back and watch the keylogging/passwords/etc.etc.

So, is this what SPADE is supposed to handle? I mean.. currently the
only solution I have come up with is to designate subnets that are not
supposed to be talking to each other, and alert on peer to peer traffic.
But this isn't always possible, and this doesn't cover traffic where the
trojan is on a server.

Is there any hope to detect this situation?
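Steve's point above (the opening of an encrypted session is cleartext and identifies the program, whatever port it runs on) as an added example, not code from either poster: a small port-independent classifier that fingerprints the first pushed payload of a flow and flags flows whose opening bytes match no known handshake yet look encrypted. The handshake prefixes, the entropy threshold and the sample flows are constructed for this example.

```python
import math

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the payload; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def fingerprint_first_push(payload: bytes) -> str:
    """Identify the program from the cleartext start of its session, ignoring the port."""
    if payload.startswith(b"SSH-2.0-") or payload.startswith(b"SSH-1.99-"):
        return "ssh"
    # TLS record header: type 0x16 (handshake), version 0x03 0x0X, then ClientHello (0x01)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-clienthello"
    if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return "http"
    return "unknown"

def classify_flow(dst_port: int, first_payload: bytes, entropy_threshold: float = 6.5) -> str:
    """Verdict for one flow given only its destination port and first pushed payload."""
    proto = fingerprint_first_push(first_payload)
    if proto != "unknown":
        return f"{proto} on port {dst_port}"
    # No recognizable cleartext opening: if the bytes are high-entropy, the
    # session either started before we began watching or never had a
    # cleartext phase, which is exactly the case the thread worries about.
    if len(first_payload) >= 32 and shannon_entropy(first_payload) >= entropy_threshold:
        return f"ALERT: opaque first data on port {dst_port}, no recognizable handshake"
    return f"unknown cleartext on port {dst_port}"

# Constructed sample flows (destination port, first payload seen); not real captures.
SAMPLE_FLOWS = [
    (27374, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),  # TLS ClientHello on sub7's port
    (2222, b"SSH-2.0-OpenSSH_3.4p1\r\n"),                  # SSH banner on a non-standard port
    (31337, bytes(range(256))),                            # stand-in for an encrypted first push
    (8080, b"GET / HTTP/1.0\r\n\r\n"),                     # plain HTTP
]

def run_samples() -> list:
    return [classify_flow(port, payload) for port, payload in SAMPLE_FLOWS]

if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

Only the flow with no cleartext opening and near-maximal entropy is alerted on; the others are identified from their first bytes regardless of port.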


