Firewall Wizards mailing list archives

Re: Tunnelling


From: Bill_Royds () pch gc ca
Date: Fri, 5 Nov 1999 21:08:04 -0500


I have been struggling with an insidious tunnel/trojan for the last week. A
company called Conducent (also called TimeSink) packages various MS Windows
freeware programs with a shell that pops up ads while the program is running.
This is not too bad but I found a recent wrinkle that provides some problems.
     When one of their packages is installed it also installs (without informing
the user) a startup program in the Windows Registry at
 HKLM/Software/Microsoft/Windows/CurrentVersion/Run  of
TimeSink="C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE"
(started at boot time) which monitors the usage of software on the machine and
regularly POSTs system statistics to a Conducent website. This website then
returns information about which ad to display to the user. If you block access
to those monitoring IP addresses, the program gets frantic and starts retrying
as fast as it can (10-20/second) and then tries telnetting and several other
protocols.

   Here is the top of that directory.

 Volume in drive C is DRIVE-C
 Volume Serial Number is 062F-1EEA

Directory of C:\Program Files\TimeSink\AdGateway

.              <DIR>        10-14-99 12:55p .
..             <DIR>        10-14-99 12:55p ..
TSADBOT  EXE        90,624  10-14-99 12:55p TSADBOT.EXE
PROFILES       <DIR>        10-14-99 12:55p Profiles
ADS            <DIR>        10-14-99 12:55p Ads
USERS          <DIR>        10-14-99 12:56p Users
         1 file(s)         90,624 bytes

  As far as I know, there is no poison in the returned data from the monitoring
site, but it is base64 encoding all kinds of data inside <html> <body></body>
</html> tags so it appears innocuous to any HTTP proxy. Since the POST data has
no scripts, no Java, and is coming from a Conducent-supplied program, no one is
the wiser. What it does do is increase my Internet bandwidth use by about 8% with
privacy breaches as a bonus.





pgut001 () cs auckland ac nz (Peter Gutmann) on 99/11/05 23:48:00

Please respond to pgut001 () cs auckland ac nz (Peter Gutmann)

To:   firewall-wizards () lists nfr net
cc:    (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject:  Re: Tunnelling



Donald Ramsbottom <donald () ramsbottom co uk> writes:

Remember the tunnelling software I mentioned a few weeks back? Well, there is
not a lot on it, but firewall guru PJ has a little more on it; see below. He
has mentioned that if anyone is having difficulty they can email him. His email
is paul_jennings () vnet ibm com.

I know it's off topic, but it is a security risk which has the potential to
bypass conventional security, and is therefore legitimate.

It appears from the last post that BT may be one of the culprits! Some of the
posts have been repeated.

It's not just BT, quite a number of companies are quietly using this trick to
get data past firewalls because it's the only practical way to do it.  The
reasoning which leads to its use is something like:

- Our product relies on being able to move (audio/video/EDI/database
  transactions/authorisation data/whatever) in and out of customer sites.
- Most of them are running firewalls which block anything other than mail,
  HTTP, and possibly very limited FTP.
- Doing it the way you're supposed to will require getting every user to
  reconfigure their firewalls and whatnot.  Most of them don't even know what
  the firewall is apart from "that box with the blinky lights which someone
  set up for us last year".

-> We'll use HTTP to tunnel it through and it won't be a problem.  Even as yet
   undiscovered tribes in the jungles of Borneo can handle HTTP.
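As an added example (this is not code from the thread or from any of the posters), here is a small Python heuristic a proxy-log reviewer could run to spot the two behaviours Bill Royds describes above: POST bodies whose only content is a base64 blob wrapped in <html><body></body></html>, and the retry storm that starts once the beacon host is blocked. The log records, the host name adserver.example.invalid and the client addresses are constructed for the example; the 1-second window and the threshold of 5 POSTs are assumptions, chosen to sit well below the 10-20/second rate reported in the post.

```python
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime, timedelta

BODY_RE = re.compile(r"<body[^>]*>(.*?)</body>", re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def extract_body_text(html):
    """Return the text inside <body>...</body> with tags and whitespace removed."""
    m = BODY_RE.search(html)
    if not m:
        return ""
    return "".join(TAG_RE.sub("", m.group(1)).split())


def looks_like_base64_payload(html, min_len=32):
    """True when the body text is one bare base64 run that decodes cleanly.
    Real page text carries spaces and punctuation; an encoded blob does not."""
    text = extract_body_text(html)
    if len(text) < min_len or len(text) % 4 != 0 or not B64_RE.match(text):
        return False
    try:
        base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def find_post_bursts(records, window=timedelta(seconds=1), threshold=5):
    """Report (client, host, peak) for any client/host pair whose POSTs exceed
    `threshold` inside one sliding `window`: the 'retrying as fast as it can'
    behaviour described in the post. Records are (iso_ts, client, method, host, body)."""
    by_key = defaultdict(list)
    for ts, client, method, host, _body in records:
        if method.upper() == "POST":
            by_key[(client, host)].append(datetime.fromisoformat(ts))
    bursts = []
    for (client, host), times in by_key.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            bursts.append((client, host, peak))
    return bursts


def analyse(records):
    """Combine both checks over a list of proxy records."""
    encoded = {(client, host) for _ts, client, method, host, body in records
               if method.upper() == "POST" and looks_like_base64_payload(body)}
    return {"encoded_posts": sorted(encoded), "bursts": find_post_bursts(records)}


# Constructed sample traffic (not real captures). The "statistics" are made up.
BASE = datetime(1999, 11, 5, 21, 0, 0)
STATS = base64.b64encode(b"app=winzip32.exe;minutes=47;os=Windows98;user=bill").decode()
BEACON_BODY = "<html><body>" + STATS + "</body></html>"
SAMPLE = [
    # The beacon: a POST whose only body content is a base64 blob wrapped in HTML.
    (BASE.isoformat(), "10.0.0.5", "POST", "adserver.example.invalid", BEACON_BODY),
    # Ordinary browsing from another client, including a genuine HTML form post.
    ((BASE + timedelta(seconds=1)).isoformat(), "10.0.0.7", "GET", "www.example.invalid", ""),
    ((BASE + timedelta(seconds=2)).isoformat(), "10.0.0.7", "POST", "www.example.invalid",
     "<html><body><p>Feedback: the new page works fine.</p></body></html>"),
]
# The retry storm: 15 beacon POSTs within one second once the ad server is unreachable.
SAMPLE += [
    ((BASE + timedelta(seconds=10, milliseconds=60 * i)).isoformat(),
     "10.0.0.5", "POST", "adserver.example.invalid", BEACON_BODY)
    for i in range(15)
]

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The base64 check is a heuristic: any long run of letters and digits with a length divisible by four passes the alphabet test, so treat a hit as a reason to look at the destination and at the Run key on the client, not as proof on its own. The burst check is the more robust of the two, since a legitimate client rarely POSTs to one host more than a few times per second.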



Attachment: att1.eml