IDS mailing list archives
RES: HTTP based trojans
From: AQBARROS () BKB com br
Date: Wed, 6 Nov 2002 09:56:51 -0300
Good question! It's just what I want to know, but it seems that my question did not raise a discussion. People have been using HTTP-based trojans for some years, but only after the Sensepost Black Hat presentation about Setiri has it become a major point of discussion. I didn't see anybody sharing ideas about detecting (or even blocking) this stuff.

I can imagine a couple of Snort rules to try to detect it, based on filenames and paths, like cmd.exe, \winnt, etc., but it would find a lot of false positives and wouldn't be effective in cases using SSL. So, perhaps the point is on HIDS; but how can we detect the abnormal behaviour if the trojan is getting out through an IE window? What adverse effects will there be if we block the use of invisible IE windows?

Regards,
Augusto

-----Original Message-----
From: s.wun [mailto:s.wun () thales-is com hk]
Sent: Wednesday, November 6, 2002 0:27
To: AQBARROS () BKB com br; focus-ids () securityfocus com
Subject: Re: HTTP based trojans

Hi,

What other open-source tool do you use to detect this attack?

Sam.

----- Original Message -----
From: <AQBARROS () BKB com br>
To: <focus-ids () securityfocus com>
Sent: Thursday, October 31, 2002 8:46 PM
Subject: HTTP based trojans

As I saw in the last messages about detecting trojans through flow-based analysis, I wondered whether someone had already made anything to detect trojans that use Internet Explorer controls to communicate with the client, even on networks that allow only proxied (even authenticated) HTTP connections. Did anyone try to do such a kind of thing?

Regards,
Augusto.