Firewall Wizards mailing list archives
Re: httptunnel
From: youngk () ttc com
Date: Wed, 24 Mar 1999 11:26:28 -0500
(I've been waiting for something like BackOrifice to use HTTP instead of UDP for its remote control session.)
A couple of network test engineers and myself designed something exactly like this. The "protocol" would even go past firewall virus scanners and proxies designed to prevent this. We were even trying to figure out how to have a morphing trojan horse to get past the same scanners. We decided not to continue due to problems if the program slipped out into the public and malicious "things" were done with it (can anyone say lawsuit??). Of course, this app would have had nothing to do with our company, but we didn't even want to take the chance that it might be associated with it...
We currently do not use proxy authentication for HTTP requests which originate internally. May change that. I presume that that could help thwart a covert trojan program trying to get out w/ HTTP. Thoughts?
Simple... just have the trojan horse wait a couple of seconds after Netscape/IE is opened. By that time, the user would have authenticated with the firewall. Since most people have a time window before they have to re-authenticate, the trojan horse would be able to run during this time. Even single-use password systems would be vulnerable due to that time frame. Only firewalls which authenticate every time you retrieve a file from outside the domain which you authenticated against would be safe. However, I think that due to the fact that many web pages now have links to graphics on advertisement networks (which would cause you to re-authenticate several times as it downloads the different graphics), very few people have this kind of setup. --Keith -youngk () ttc com
Current thread:
- httptunnel Ken Hardy (Mar 23)
- <Possible follow-ups>
- Re: httptunnel Steven M. Bellovin (Mar 24)
- Re: httptunnel youngk (Mar 24)
- Re: httptunnel Wyllys Ingersoll (Mar 25)
- Re: httptunnel John Lines (Mar 26)
- Re: httptunnel Wyllys Ingersoll (Mar 25)