RES: HTTP based trojans

[AQBARROS () BKB com br]

Good question! It's just what I want to know, but it seems that my question
did not raise a discussion. 

People has been using HTTP based trojans for some years, but only after the
Sensepost Black Hat presentation about Setiri it has become a major point of
discussion.

I didn't see nobody sharing ideas about detecting (or even blocking) this
stuff. I can imagine a couple of Snort rules to try to detect it, based on
filenames and paths, like cmd.exe, \winnt, etc, but it would find a lot of
false positives and wouldn´t be effective on cases using SSL. So, perhaps
the point is on HIDS; But how can we detect the abnormal behaviour if the
trojan is getting out through a IE window? Which adverse effects there will
be if we block the use of invisible IE windows?

Regards,

Augusto


-----Mensagem original-----
De: s.wun [mailto:s.wun () thales-is com hk]
Enviada em: quarta-feira, 6 de novembro de 2002 0:27
Para: AQBARROS () BKB com br; focus-ids () securityfocus com
Assunto: Re: HTTP based trojans


Hi,

What other open-source tool do you use to detect this attack?

Sam.
----- Original Message -----
From: <AQBARROS () BKB com br>
To: <focus-ids () securityfocus com>
Sent: Thursday, October 31, 2002 8:46 PM
Subject: HTTP based trojans


> As I saw on the last messages about detecting trojans through flow-based
> analysis, I thought if someone already made anything to detect trojans
that
> use Internet Explorer controls to communicate with the client, even on
> networks that allow only proxied (even authenticated) http connections.
Did
> anyone try to do such kind of thing?
>
> Regards,
>
>
> Augusto.