Penetration Testing mailing list archives
Re: [PEN-TEST] penetrating trojan
From: Pierre Vandevenne <pierre () datarescue com>
Date: Sun, 3 Dec 2000 19:39:22 +0100
On Sun, 3 Dec 2000 12:35:52 +0300, Kazennov Vladimir wrote:
> I think that normal defense for workstation is firewall that have rules in which you may define name of application (f.e @guard). For example only your mailer can setup outbound connection to 25 port of only your
It could probably help if the situation gets worse. But there are a few things to keep in mind: if the protection is hard to manage (and @guard is in a corporate environment), it won't be managed. If a few easy to manage solutions emerge as standards, the fact that the trojan gets to execute at one point will mean that it is able to disable or reconfigure these local protections, just as early virus writers learned to disable resident anti-virus. In that respect, a bottleneck on a secured server will be more secure but of course will have to leave some doors open.

Now, if one steps back a bit and looks at the larger picture, one must also remember that trojan functions can be _very_ obfuscated. Any attacker with some resources can, for example, launch a nice free screen saver, download accelerator (whatever utility likely to attract a large public) containing an obfuscated trojan part, or a part that can update itself to a trojan later (à la Hybris for example) - definitely something to consider if you are worrying about the security of a critical organization.

IMHO, it is impossible to properly address the risk of mobile code within the bounds of the current operating systems. We are confronted with a problem that has, for now, no totally satisfying technical answer.

We are forced to look at the human side of the problem: I know this is extremely hard to achieve in practice, but a reasonable and lucid penetration resistance assessment should include an evaluation of the target organization's average user computing practices and eventually recommend user education (even though we know that the results are limited at best) and sounder computing practices. Many organizations spend fortunes hardening themselves without taking that factor into account :-(

---
Pierre Vandevenne - DataRescue sa/nv
Home of the IDA Pro Disassembler - Version 4.14 now available !
http://www.datarescue.com/idabase/ida.htm