IDS mailing list archives
RES: HTTP based trojans
From: AQBARROS () BKB com br
Date: Fri, 8 Nov 2002 09:51:02 -0300
Exactly. It seems to me that the only way to detect it is through some kind of behaviour analysis. The data flow, in this case, would be inverted (more data leaving the client than arriving). Could it be used to detect the trojan?

Augusto.

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: Thursday, 7 November 2002 13:59
To: 's.wun'; AQBARROS () BKB com br; focus-ids () securityfocus com
Subject: RE: HTTP based trojans

Yes, except that in Setiri, for example, the communication adheres to HTTP standards. It's not just a trojan using port 80 to slip through firewalls and IDS systems unnoticed; it actually uses Internet Explorer as a component of itself, so that even local app-aware firewalling like ZoneAlarm, Norton Internet Security or BlackIce won't see anything unusual.
-----Original Message-----
From: s.wun [mailto:s.wun () thales-is com hk]
Sent: Wednesday, November 06, 2002 9:13 PM
To: AQBARROS () BKB com br; focus-ids () securityfocus com
Subject: Re: HTTP based trojans

I think this so-called flow-based IDS is about analysing each end-to-end connection based on what protocol the connection is using. For example, if the protocol is 6, it should follow the standard TCP communication standard; anything other than that will be regarded as a potential hack. That's why in an http connection, it detected communication that does not belong to http, so it should be able to raise an alarm. One can create this kind of analysis with simple programming; it is not necessary to purchase StealthWatch if we understand the principle of it.

sam
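The two heuristics discussed in this thread, Augusto's inverted data flow (a client that sends far more over port 80 than it receives) and sam's protocol-conformance check (TCP/80 traffic whose payload does not look like HTTP), can both be built from simple flow records. The following is an added example, not code from the thread or from StealthWatch; the flow records, the 2:1 byte ratio and the 50 kB minimum are constructed assumptions chosen for illustration.

```python
"""Flow-direction and protocol-conformance heuristics for HTTP-borne trojans.

Added example: aggregates per-client byte counts on web-port TCP flows and
flags clients whose upload/download ratio is inverted relative to normal
browsing (where a client receives far more than it sends), and separately
flags port-80 flows whose first client payload is not an HTTP request line.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    client: str
    server: str
    proto: int            # IP protocol number: 6 = TCP
    dport: int            # destination port on the server side
    bytes_out: int        # bytes client -> server
    bytes_in: int         # bytes server -> client
    first_payload: bytes  # first bytes the client sent (constructed sample)


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"DELETE ")


def looks_like_http(flow: Flow) -> bool:
    """Protocol-conformance check: a TCP flow to a web port whose first
    client bytes do not form an HTTP request line is treated as 'not HTTP'
    no matter which port it used."""
    return flow.proto == 6 and flow.first_payload.startswith(HTTP_METHODS)


def non_http_on_80(flows):
    """Return flows on port 80 that fail the conformance check."""
    return [f for f in flows if f.dport == 80 and not looks_like_http(f)]


def inverted_clients(flows, ratio: float = 2.0, min_bytes: int = 50_000):
    """Inverted-flow check: per client, sum bytes each way over web-port TCP
    flows and flag clients that send `ratio` times more than they receive.
    `min_bytes` (assumed threshold) avoids flagging tiny sessions where the
    ratio is meaningless. Returns {client: out/in ratio}."""
    out = defaultdict(int)
    inn = defaultdict(int)
    for f in flows:
        if f.proto == 6 and f.dport in (80, 8080):
            out[f.client] += f.bytes_out
            inn[f.client] += f.bytes_in
    flagged = {}
    for c in out:
        received = max(inn[c], 1)  # guard against division by zero
        if out[c] + inn[c] >= min_bytes and out[c] >= ratio * received:
            flagged[c] = round(out[c] / received, 2)
    return flagged


# Constructed flow records: a normal browser, a host posting large bodies
# with well-formed HTTP (sends much more than it receives), and a host
# speaking a non-HTTP protocol on port 80.
SAMPLE = [
    Flow("10.0.0.10", "203.0.113.5", 6, 80, 800, 60_000, b"GET / HTTP/1.1\r\n"),
    Flow("10.0.0.10", "203.0.113.6", 6, 80, 800, 60_000, b"GET /a HTTP/1.1\r\n"),
    Flow("10.0.0.10", "203.0.113.7", 6, 80, 800, 60_000, b"GET /b HTTP/1.1\r\n"),
    Flow("10.0.0.20", "198.51.100.9", 6, 80, 200_000, 3_000, b"POST /up HTTP/1.1\r\n"),
    Flow("10.0.0.20", "198.51.100.9", 6, 80, 200_000, 3_000, b"POST /up HTTP/1.1\r\n"),
    Flow("10.0.0.30", "198.51.100.20", 6, 80, 500, 400, b"\x00\x01\x7fbinary"),
]


def run(flows=SAMPLE):
    """Apply both checks and return a summary dict."""
    return {
        "inverted": inverted_clients(flows),
        "non_http_on_80": [f.client for f in non_http_on_80(flows)],
    }


if __name__ == "__main__":
    print(run())
```

On the constructed sample the normal browser (10.0.0.10) sends about one byte for every seventy-five it receives and is left alone; 10.0.0.20 speaks perfectly valid HTTP, so the conformance check passes it, but its inverted ratio (about 67:1) is what surfaces it, which is the Setiri-style case the thread is concerned with; 10.0.0.30 is too small to matter for the ratio but is caught because its port-80 payload is not HTTP. In practice the ratio threshold needs a baseline per network, since legitimate uploads (file sharing, backups, webmail attachments) also invert the flow.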