Re: Virus/trojan tunnel out from behind firewall?
From: Rich Puhek (rpuhek@etnsystems.com) Date: 02/25/02
- Previous message: Jason Dixon: "Re: Checking for rootkits"
- Maybe in reply to: David Carmean: "Virus/trojan tunnel out from behind firewall?"
- Next in thread: Ben Efros: "Re: Virus/trojan tunnel out from behind firewall?"
- Next in thread: Mike Shaw: "Re: Virus/trojan tunnel out from behind firewall?"
- Next in thread: Ryan Russell: "Re: Virus/trojan tunnel out from behind firewall?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 25 Feb 2002 01:37:24 -0600 From: Rich Puhek <rpuhek@etnsystems.com> To: David Carmean <dlc@halibut.com>
David Carmean wrote:
>
> On Sun, Feb 24, 2002 at 10:22:12PM -0600, Rich Puhek wrote:
> > David Carmean wrote:
>
> > > Have there been any cases of a trojan/virus/etc tunnelling out from
> > > behind a firewall and thus providing an attacker a way into the
> > > "chewy center"?
> >
> > Do you mean a trojan/virus that actively establishes a tunnel through
> > SSH, etc to an outside machine as a method of bypassing a stateful
> > firewall?
> >
> > Or do you just mean that a trojan/virus/etc has provided an opening
> > despite the firewall?
> >
> > I'd also consider the gray areas in between, like worms/trojans that
> > transfer into (passwds, etc) back through SMTP, HTTP, or IRC.
>
> I was thinking more of the first example, an ssh/stunnel/other tunnel
> out from the infected host to some other compromised box, which would
> give an attacker a wormhole into the center of a corporate network.
> In realtime.
>
> For sites which allow unrestricted outbound connections, it would
> probably be impossible to detect if the trojan did nothing else
> destructive to arouse suspicion.
That would be a challenge, especially if the outside box was listening
on say, port 80. I'd assume that the outside box was basically the
"host" or master machine, probably running on a less secure network (one
that allowed incoming connections to privileged ports).
Next defense would be noticing odd traffic (excessive data transfer,
excessive length of connection between the two machines if the tunnel
was kept up instead of discrete transactions like innocent HTTP, etc.).
--Rich
_________________________________________________________
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: rpuhek@etnsystems.com
_________________________________________________________
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
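The second line of defense Rich describes, noticing a "web" connection that stays up far longer or moves far more data than a discrete HTTP transaction, can be turned into a simple flow-level check. The following is an added example and is not code from the original post or from the list; the flow records, the thresholds and the address values (RFC 5737 documentation ranges) are all constructed for illustration and would need to be tuned against a baseline of your own network's normal web traffic.

```python
"""
Flag outbound port-80/443 connections that behave like a persistent tunnel
rather than like ordinary browsing: very long-lived, upload-heavy, or with
a large cumulative connection time between one internal/external pair.

Added example, not code from the original mailing-list post. All records
and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

WEB_PORTS = (80, 443)

# Assumed thresholds for this example. Innocent HTTP is a series of short
# request/response exchanges that download more than they upload.
MAX_HTTP_DURATION_S = 300        # one connection open longer than 5 minutes
MAX_HTTP_BYTES_OUT = 2_000_000   # more than 2 MB sent to a single site
MIN_UPLOAD_BYTES = 50_000        # ignore the ratio test on tiny flows
MIN_UPLOAD_RATIO = 1.0           # client sent at least as much as it received
MAX_PAIR_DURATION_S = 3600       # cumulative open time for one src/dst pair


@dataclass
class Flow:
    src: str          # internal host
    dst: str          # external host
    dport: int        # destination port
    duration_s: int   # seconds the connection stayed open
    bytes_out: int    # client -> server
    bytes_in: int     # server -> client


def flow_reasons(f: Flow) -> List[str]:
    """Return the reasons a single web flow looks unlike normal HTTP (empty if fine)."""
    reasons: List[str] = []
    if f.dport not in WEB_PORTS:
        return reasons  # only web ports are in scope for this heuristic
    if f.duration_s > MAX_HTTP_DURATION_S:
        reasons.append("long-lived connection")
    if f.bytes_out > MAX_HTTP_BYTES_OUT:
        reasons.append("excessive outbound data")
    if (f.bytes_in > 0 and f.bytes_out >= MIN_UPLOAD_BYTES
            and f.bytes_out / f.bytes_in >= MIN_UPLOAD_RATIO):
        reasons.append("upload-heavy ratio")
    return reasons


def suspicious_pairs(flows: List[Flow]) -> Dict[Tuple[str, str], List[str]]:
    """Aggregate per (src, dst) pair; return pairs with at least one reason."""
    per_pair = defaultdict(lambda: {"duration": 0, "reasons": set()})
    for f in flows:
        if f.dport not in WEB_PORTS:
            continue
        agg = per_pair[(f.src, f.dst)]
        agg["duration"] += f.duration_s
        agg["reasons"].update(flow_reasons(f))

    result: Dict[Tuple[str, str], List[str]] = {}
    for key, agg in per_pair.items():
        reasons = set(agg["reasons"])
        # Many short connections that together keep a pair "connected" for
        # hours are as telling as one long one.
        if agg["duration"] > MAX_PAIR_DURATION_S:
            reasons.add("cumulative connection time exceeds threshold")
        if reasons:
            result[key] = sorted(reasons)
    return result


# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, 12, 1_500, 45_000),      # normal page load
    Flow("10.0.0.5", "203.0.113.10", 80, 8, 900, 30_000),         # normal page load
    Flow("10.0.0.7", "198.51.100.20", 80, 14_400, 80_000_000, 3_000_000),  # 4 h, 80 MB out
    Flow("10.0.0.9", "192.0.2.30", 22, 3_600, 5_000_000, 200_000),  # SSH: out of scope here
]

if __name__ == "__main__":
    for (src, dst), reasons in suspicious_pairs(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

The check deliberately keys on behaviour rather than on a port or payload, since a tunnel master listening on port 80 is indistinguishable from a web server at the packet-filter level; it is meant to be run over exported flow records (NetFlow-style summaries) and to produce candidates for a human to look at, not a block decision.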