Re: Trojan Horses Popular To The Malicious Hackers

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 11/19/02


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Tue, 19 Nov 2002 14:17:12 -0500

There are some known trojan tools which can disable your personal firewall
software while making it appear to continue working.

For firewalls like Zone Alarm and Sygate which can block certain .EXE file
names from accessing the network, there are known trojans and methods which
can make the communication appear to come from a generally trusted
executable such as IEXPLORE.EXE. Other firewalls don't watch the name of
the file generating the traffic, so as long as the trojan is not using a
restricted port, these firewalls would let the trojan right out.

None of these issues apply to external firewall devices like firewall
hardware. However, your hardware firewall is almost certain to have key
common ports open outbound, such as TCP 80, and [except for proxy servers]
have no ability to know which .EXE file is generating the traffic or whether
the content of that data is really appropriate for TCP 80. Adding an
external intrusion detection device to your network [in addition to
antivirus, host-based firewall, network firewall and/or proxy server] is one
way to attempt to eliminate some of these theoretical holes.

For example, if your firewall permits outbound ICMP like ping / traceroute
traffic, there are some old known trojan tools that can open a covert
channel outbound that is disguised as ICMP or HTTP web traffic.

And, as you may already know, neither hardware nor software firewalls are
very effective today against incoming trojan / virus infections that are
delivered through email, through a vulnerable chat client like IRC or AIM
which can be exploited for remote control, etc.

These tools and methods are not terribly common today, but a hacker could
use them, and they could become more common in the future.

On the other hand, using one or more properly configured firewalls in
addition to antivirus and other third party tools still remains pretty
effective at blocking most intrusions and remaining pretty safe. Most
hackers out there target "low hanging fruit," so that as long as your home
computer or network is harder to hack than someone else's network, you're
probably pretty safe. [If you're a well-known public entity like Microsoft
that attracts targeted attacks, this statement is no longer true.]

"Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
news:OWRq2K$jCHA.2216@tkmsftngp12...
> You're not the first person I've heard say this, so I believe you, but say a
> bit more? It is always tempting to recommend a "simple" solution. A
> software firewall seems a reasonable protection against malware targeting
> open ports.
>
> You are saying that it ISN'T protection against a sophisticated trojan,
> correct?
>
> Can you say enough about why that is to help convince folks not to run code
> from dubious sources?
>
> "Me" <no_address_for_stinking_spammers_to_abuse@x-ray.gs> wrote in message
> news:ibqktugr41pe1nd9m62i9pa501uep5af13@4ax.com...
> > On Tue, 19 Nov 2002 21:10:05 +1100, "S. Pidgorny [MVP]"
> > <slavickp@yahoo.com> wrote:
> >
> > >...and personal firewall offers reasonable protection against all of the
> > >below, isn't it?
> >
> > Yes, against those listed, but a properly coded custom bug will waltz
> > right past a software firewall without a hiccup.
>
>
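
An added example, not part of the original post: a sketch of the content checks an intrusion detection device can apply where a port-based firewall only sees "TCP 80" or "ICMP". The record layout, thresholds and sample events are constructed assumptions, not taken from any product.

```python
import re
from typing import Optional

# First line of a well-formed HTTP/1.x request: METHOD SP target SP HTTP/1.x
REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n")
MAX_ECHO_PAYLOAD = 64   # assumed policy: default ping payloads are 32 or 56 bytes
MIN_SEQUENTIAL = 0.5    # assumed threshold for "looks like ping padding"

def check_tcp80(first_payload: bytes) -> Optional[str]:
    """Flag a TCP 80 flow whose first client bytes are not an HTTP request."""
    if REQUEST_LINE.match(first_payload):
        return None
    return "tcp/80: first client bytes are not an HTTP request line"

def check_icmp_echo(payload: bytes) -> Optional[str]:
    """Flag an echo request whose payload does not resemble ping padding."""
    if len(payload) > MAX_ECHO_PAYLOAD:
        return "icmp: echo payload larger than a default ping"
    if len(payload) < 2:
        return None
    # Common ping utilities pad with runs of consecutive byte values
    # ("abcdef..." or 0x10, 0x11, ...); count how many adjacent pairs step by one.
    steps = sum(1 for a, b in zip(payload, payload[1:]) if (b - a) & 0xFF == 1)
    if steps / (len(payload) - 1) < MIN_SEQUENTIAL:
        return "icmp: echo payload is not ping-style padding"
    return None

CHECKS = {"tcp80": check_tcp80, "icmp_echo": check_icmp_echo}

def inspect(events):
    """Run the matching check on each event; return (source, finding) pairs."""
    findings = []
    for ev in events:
        finding = CHECKS[ev["kind"]](ev["payload"])
        if finding:
            findings.append((ev["src"], finding))
    return findings

# Constructed sample events (not captured traffic).
SAMPLE_EVENTS = [
    {"kind": "tcp80", "src": "10.0.0.11",
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"kind": "tcp80", "src": "10.0.0.12", "payload": b"\x00\x01SESSION-START\x00"},
    {"kind": "icmp_echo", "src": "10.0.0.13",
     "payload": b"abcdefghijklmnopqrstuvwabcdefghi"},
    {"kind": "icmp_echo", "src": "10.0.0.14",
     "payload": b"constructed sample: arbitrary data in echo"},
]
```

Both checks are heuristics: traffic that is well-formed HTTP passes the first one, so they complement the antivirus, host firewall and proxy layers listed in the post rather than replace them.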


