Firewall Wizards mailing list archives
Re: Tunnelling
From: Bill_Royds () pch gc ca
Date: Fri, 5 Nov 1999 21:08:04 -0500
I have been struggling with an insidious tunnel/trojan for the last week. A company called Conducent (also called TimeSink) packages various MS Windows freeware programs with a shell that pops up ads while the program is running. This is not too bad, but I found a recent wrinkle that provides some problems. When one of their packages is installed it also installs (without informing the user) a start-up program in the Windows Registry at HKLM/Software/Microsoft/Windows/CurrentVersion/Run of

    TimeSink="C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE"

Here is the top of that directory.

     Volume in drive C is DRIVE-C
     Volume Serial Number is 062F-1EEA
     Directory of C:\Program Files\TimeSink\AdGateway

    .              <DIR>        10-14-99  12:55p .
    ..             <DIR>        10-14-99  12:55p ..
    TSADBOT  EXE        90,624  10-14-99  12:55p TSADBOT.EXE
    PROFILES       <DIR>        10-14-99  12:55p Profiles
    ADS            <DIR>        10-14-99  12:55p Ads
    USERS          <DIR>        10-14-99  12:56p Users
             1 file(s)         90,624 bytes

(started at boot time) which monitors the usage of software on the machine and regularly POSTs system statistics to a Conducent website. This website then returns information about which ad to display to the user. If you block access to those monitoring IP addresses, the program gets frantic and starts retrying as fast as it can (10-20/second) and then tries telnetting and several other protocols. As far as I know, there is no poison in the returned data from the monitoring site, but it is base64 encoding all kinds of data inside <html> <body></body> </html> tags so it appears innocuous to any HTTP proxy. Since the POST data has no scripts, no Java, and is coming from a Conducent-supplied program, no one is the wiser. What it does do is increase my Internet bandwidth use by about 8%, with privacy breaches as a bonus.
pgut001 () cs auckland ac nz (Peter Gutmann) on 99/11/05 23:48:00
Please respond to pgut001 () cs auckland ac nz (Peter Gutmann)
To: firewall-wizards () lists nfr net
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Re: Tunnelling

Donald Ramsbottom <donald () ramsbottom co uk> writes:
Remember the tunnelling software I mentioned a few weeks back? Well, there is not a lot on it, but firewall guru PJ has a little more on it, see below. He has mentioned that if anyone is having difficulty they can email him. His email is paul_jennings () vnet ibm com. I know it's off topic, but it is a security risk which has the potential to bypass conventional security, and is therefore legitimate. It appears from the last post that BT may be one of the culprits! Some of the posts have been repeated.
It's not just BT, quite a number of companies are quietly using this trick to get data past firewalls because it's the only practical way to do it. The reasoning which leads to its use is something like:

- Our product relies on being able to move (audio/video/EDI/database transactions/authorisation data/whatever) in and out of customer sites.
- Most of them are running firewalls which block anything other than mail, HTTP, and possibly very limited FTP.
- Doing it the way you're supposed to will require getting every user to reconfigure their firewalls and whatnot. Most of them don't even know what the firewall is apart from "that box with the blinky lights which someone set up for us last year".

-> We'll use HTTP to tunnel it through and it won't be a problem. Even as yet undiscovered tribes in the jungles of Borneo can handle HTTP.
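The two traits Bill describes above, a fixed-rate stream of POSTs to one host and request bodies that are nothing but a base64 blob wrapped in empty HTML tags, are both visible in an HTTP proxy log, and that is where a defender can catch this kind of tunnel without decoding the payload. The script below is an added example, not code from the thread or from any product named in it. It assumes a hypothetical tab-separated proxy log layout (timestamp, client, method, host, path, request body), uses constructed hostnames and addresses under .example.test, and builds its own sample log inline.

```python
import base64
import re
from collections import defaultdict

# Constructed sample proxy log. The TSV layout is hypothetical, not any real proxy's format:
# timestamp<TAB>client<TAB>method<TAB>host<TAB>path<TAB>request_body
_BEACON = base64.b64encode(b"os=win98;app=NOTEPAD.EXE;uptime=3600;user=bob").decode()
_ROWS = [
    # Eight POSTs in under a second from one client, each a base64 blob hidden in HTML tags
    f"{941850000 + i * 0.1:.1f}\t10.0.0.5\tPOST\tstats.example.test\t/collect"
    f"\t<html> <body>{_BEACON}</body> </html>"
    for i in range(8)
] + [
    # Ordinary form submissions from another client, spread out over a minute
    "941850010.0\t10.0.0.7\tPOST\twebmail.example.test\t/send\tto=alice&subject=hi&body=lunch",
    "941850070.0\t10.0.0.7\tPOST\twebmail.example.test\t/send\tto=carol&subject=re&body=ok",
    "941850080.0\t10.0.0.7\tGET\twww.example.test\t/index.html\t",
]
SAMPLE_LOG = "\n".join(_ROWS)

TAG_RE = re.compile(r"<[^>]+>")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def parse_log(text):
    """Parse the constructed TSV layout into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue
        ts, client, method, host, path, body = parts
        try:
            ts = float(ts)
        except ValueError:
            continue
        records.append({"ts": ts, "client": client, "method": method,
                        "host": host, "path": path, "body": body})
    return records


def hidden_base64_payload(body, min_len=32):
    """True if the body is HTML markup whose only text content is a single base64 blob."""
    if "<" not in body:
        return False
    text = "".join(TAG_RE.sub(" ", body).split())  # drop tags, then all whitespace
    if len(text) < min_len or len(text) % 4 != 0 or not B64_RE.fullmatch(text):
        return False
    try:
        base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def post_bursts(records, window=1.0, threshold=5):
    """Flag (client, host) pairs that issue >= threshold POSTs inside any window-second span."""
    by_pair = defaultdict(list)
    for r in records:
        if r["method"] == "POST":
            by_pair[(r["client"], r["host"])].append(r["ts"])
    flagged = {}
    for pair, times in by_pair.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):       # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[pair] = best
    return flagged


def analyze(text, window=1.0, threshold=5):
    """Combine both signals; a pair that trips both is the strongest tunnel candidate."""
    records = parse_log(text)
    bursts = post_bursts(records, window, threshold)
    encoded = sorted({(r["client"], r["host"]) for r in records
                      if r["method"] == "POST" and hidden_base64_payload(r["body"])})
    return {"bursts": bursts, "encoded_posts": encoded,
            "suspects": sorted(set(bursts) & set(encoded))}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The burst check is the one that still works when the proxy cannot see bodies (an HTTPS CONNECT log, say): a client beaconing to one host 10-20 times a second stands out against human browsing regardless of payload. The body check catches the disguise itself, so the two together give a low false-positive rule to alert on or to feed into a proxy block list.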
Current thread:
- Re: Tunnelling Peter Gutmann (Nov 05)
- <Possible follow-ups>
- Re: Tunnelling Bill_Royds (Nov 06)