Security Incidents mailing list archives
Re: Virus/trojan tunnel out from behind firewall?
From: David Carmean <dlc () halibut com>
Date: Sun, 24 Feb 2002 23:07:15 -0800
On Sun, Feb 24, 2002 at 10:22:12PM -0600, Rich Puhek wrote:
> David Carmean wrote:
> > Have there been any cases of a trojan/virus/etc tunnelling out from behind a firewall and thus providing an attacker a way into the "chewy center"?
>
> Do you mean a trojan/virus that actively establishes a tunnel through SSH, etc to an outside machine as a method of bypassing a stateful firewall? Or do you just mean that a trojan/virus/etc has provided an opening despite the firewall? I'd also consider the gray areas in between, like worms/trojans that transfer info (passwds, etc) back through SMTP, HTTP, or IRC.

I was thinking more of the first example, an ssh/stunnel/other tunnel out from the infected host to some other compromised box, which would give an attacker a wormhole into the center of a corporate network. In realtime. For sites which allow unrestricted outbound connections, it would probably be impossible to detect if the trojan did nothing else destructive to arouse suspicion.