Re: Virus/trojan tunnel out from behind firewall?

From: David Carmean (dlc@halibut.com)
Date: 02/25/02


Date: Sun, 24 Feb 2002 23:07:15 -0800
From: David Carmean <dlc@halibut.com>
To: Rich Puhek <rpuhek@etnsystems.com>

On Sun, Feb 24, 2002 at 10:22:12PM -0600, Rich Puhek wrote:
> David Carmean wrote:

> > Have there been any cases of a trojan/virus/etc tunnelling out from
> > behind a firewall and thus providing an attacker a way into the
> > "chewy center"?
>
> Do you mean a trojan/virus that actively establishes a tunnel through
> SSH, etc to an outside machine as a method of bypassing a stateful
> firewall?
>
> Or do you just mean that a trojan/virus/etc has provided an opening
> despite the firewall?
>
> I'd also consider the gray areas in between, like worms/trojans that
> transfer into (passwds, etc) back through SMTP, HTTP, or IRC.

I was thinking more of the first example, an ssh/stunnel/other tunnel
out from the infected host to some other compromised box, which would
give an attacker a wormhole into the center of a corporate network.
In realtime.

For sites which allow unrestricted outbound connections, it would
probably be impossible to detect if the trojan did nothing else
destructive to arouse suspicion.
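One thing a site with connection logging can still look at is session lifetime: a reverse tunnel of the kind discussed above is an outbound session from an internal host that stays open for hours. The following is an added example (not from this thread) that flags long-lived internal-to-external sessions in a constructed, simplified connection log; the log format, the RFC 1918 ranges used to decide "internal", and the thresholds are assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed sample in a simplified flow-record format a stateful
# firewall or flow collector might export: start time, duration (s),
# source, destination, destination port, bytes sent by source.
# These are not real records.
SAMPLE_LOG = """\
2002-02-24T09:01:12,45,10.0.3.17,203.0.113.10,80,5120
2002-02-24T09:03:40,71,10.0.3.17,203.0.113.10,443,8831
2002-02-24T02:14:03,31110,10.0.3.42,198.51.100.7,22,948120
2002-02-24T10:22:00,12,10.0.3.42,10.0.0.5,22,2200
2002-02-24T11:00:00,9000,10.0.3.9,198.51.100.7,443,120000
"""

# Assumption: the "chewy center" is RFC 1918 address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_records(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, dur, src, dst, dport, out_bytes = line.split(",")
        records.append({"start": datetime.fromisoformat(start),
                        "duration": int(dur), "src": src, "dst": dst,
                        "dport": int(dport), "out_bytes": int(out_bytes)})
    return records

def find_long_lived_egress(records, min_seconds=3600, quiet_hours=(0, 6)):
    """Return (src, dst, dport, reasons) for outbound sessions from internal
    hosts to external addresses that stayed open at least min_seconds.
    A session that also started inside quiet_hours gets an extra reason."""
    findings = []
    for r in records:
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue  # only internal -> external traffic is of interest here
        if r["duration"] < min_seconds:
            continue
        reasons = ["long-lived outbound session (%ds)" % r["duration"]]
        if quiet_hours[0] <= r["start"].hour < quiet_hours[1]:
            reasons.append("started outside business hours")
        findings.append((r["src"], r["dst"], r["dport"], reasons))
    return findings
```

Only the two multi-hour sessions to 198.51.100.7 are flagged; the short web hits and the internal SSH session are not, so the heuristic depends on the site keeping per-session duration and not on inspecting the (encrypted) payload.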

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
