IDS mailing list archives

RES: HTTP based trojans


From: AQBARROS () BKB com br
Date: Fri, 8 Nov 2002 09:51:02 -0300

Exactly. It seems to me that the only way to detect it is through some kind
of behaviour analysis. The data flow, in this case, would be inverted (more
data leaving the client than arriving). Could it be used to detect the
trojan?

Augusto.



-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: Thursday, November 07, 2002 13:59
To: 's.wun'; AQBARROS () BKB com br; focus-ids () securityfocus com
Subject: RE: HTTP based trojans


Yes, except that in Setiri, for example, the communication adheres to
HTTP standards.  It's not just a trojan using port 80 to slip through
firewalls and IDS systems unnoticed; it actually uses Internet Explorer
as a component of itself, so that even local app-aware firewalling like
ZoneAlarm, Norton Internet Security or BlackIce won't see anything
unusual.

-----Original Message-----
From: s.wun [mailto:s.wun () thales-is com hk] 
Sent: Wednesday, November 06, 2002 9:13 PM
To: AQBARROS () BKB com br; focus-ids () securityfocus com
Subject: Re: HTTP based trojans


I think this so-called flow-based IDS is about analysing each
end-to-end connection based on what protocol the connection
is using. For example, if the protocol is 6, it should follow
the standard TCP communication standard; anything other than that
will be regarded as a potential hack. That's why in an HTTP
connection, it detected that the communication does not belong to HTTP,
so it should be able to raise an alarm.

One can create this kind of analysis with simple programming;
it is not necessary to purchase StealthWatch if we understand the
principle of it.

sam


This message, including its attachments, may contain confidential and/or
privileged information. If you received this email by mistake, do not use,
copy or disseminate any information herein contained. Please notify us
immediately by replying to the sender and then delete it. This email is for
information purposes only, not for transactions. In case you need immediate
assistance, please use one of the following channels: Internet Banking
(www.bankboston.com.br), BankBoston by phone (www.bankboston.com.br/bpt) or
branch/relationship manager at your convenience. Thank you for your
cooperation.
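The two detection ideas raised in this thread, sam's check that traffic on the HTTP port actually conforms to HTTP and Augusto's check for an inverted byte ratio (more data leaving the client than arriving), are shown together below as an added example written for this page; it is not code from any poster or from StealthWatch. The flow records, IP addresses, byte counts and payload bytes are constructed. As Rob points out, a Setiri-style trojan that drives Internet Explorer produces fully conformant requests, so the first check misses it and only the second (per client/server pair, over a window) has a chance.

```python
"""Flow-level heuristics for HTTP-tunnelled trojans (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str               # internal client IP
    dst: str               # external server IP
    dport: int             # server port
    c2s_bytes: int         # payload bytes client -> server
    s2c_bytes: int         # payload bytes server -> client
    first_payload: bytes   # first client -> server bytes of the connection


# Constructed flow records: two normal page fetches, two large HTTP-conformant
# POSTs from a host that sends far more than it receives, and one connection
# to port 80 whose first bytes are not an HTTP request at all.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, 612, 48_210,
         b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    Flow("10.0.0.5", "203.0.113.10", 80, 598, 122_400,
         b"GET /images/logo.gif HTTP/1.1\r\nHost: www.example.com\r\n"),
    Flow("10.0.0.7", "198.51.100.20", 80, 90_000, 1_200,
         b"POST /upload.asp HTTP/1.1\r\nHost: cc.example.net\r\n"),
    Flow("10.0.0.7", "198.51.100.20", 80, 90_000, 1_200,
         b"POST /upload.asp HTTP/1.1\r\nHost: cc.example.net\r\n"),
    Flow("10.0.0.9", "192.0.2.33", 80, 4_096, 2_048,
         b"\x05\x01\x00"),  # constructed non-HTTP bytes on the HTTP port
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ",
                b"DELETE ", b"CONNECT ", b"TRACE ")
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def looks_like_http(payload: bytes) -> bool:
    """True if the client's first bytes form an HTTP/1.x request line."""
    return payload.startswith(HTTP_METHODS) and REQUEST_LINE.match(payload) is not None


def protocol_conformance_alerts(flows):
    """sam's check: port-80 flows whose payload is not HTTP.

    Catches a trojan that merely borrows port 80; misses one that drives a
    real browser, because its requests are genuine HTTP.
    """
    return [f for f in flows if f.dport == 80 and not looks_like_http(f.first_payload)]


def inverted_flow_alerts(flows, ratio=2.0, min_bytes=50_000):
    """Augusto's check: HTTP-conformant traffic where the client uploads
    far more than it downloads, aggregated per (client, server) pair.

    A browsing client normally receives much more than it sends; a trojan
    exfiltrating data over POST inverts that. ratio/min_bytes are
    assumed thresholds and must be tuned against a site baseline.
    """
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.dport == 80 and looks_like_http(f.first_payload):
            t = totals[(f.src, f.dst)]
            t[0] += f.c2s_bytes
            t[1] += f.s2c_bytes
    alerts = []
    for (src, dst), (up, down) in totals.items():
        if up >= min_bytes and up > ratio * max(down, 1):
            alerts.append((src, dst, up, down))
    return sorted(alerts)


if __name__ == "__main__":
    for f in protocol_conformance_alerts(SAMPLE_FLOWS):
        print(f"non-HTTP on port 80: {f.src} -> {f.dst} ({f.first_payload!r})")
    for src, dst, up, down in inverted_flow_alerts(SAMPLE_FLOWS):
        print(f"inverted HTTP flow: {src} -> {dst} up={up} down={down}")
```

The ratio check fires just as readily on a legitimate large upload (a webmail attachment, a form-based file upload), so in practice the (client, server) pairs it flags have to be compared against what that client normally talks to; and a trojan author who pads each POST with a large download defeats the ratio entirely, which is why per-destination baselining rather than a fixed threshold is the practical form of this idea.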

