Security Incidents mailing list archives

Re: Virus/trojan tunnel out from behind firewall?


From: David Carmean <dlc () halibut com>
Date: Sun, 24 Feb 2002 23:07:15 -0800

On Sun, Feb 24, 2002 at 10:22:12PM -0600, Rich Puhek wrote:
> David Carmean wrote:
>
> > Have there been any cases of a trojan/virus/etc tunnelling out from
> > behind a firewall and thus providing an attacker a way into the
> > "chewy center"?
>
> Do you mean a trojan/virus that actively establishes a tunnel through
> SSH, etc to an outside machine as a method of bypassing a stateful
> firewall?
>
> Or do you just mean that a trojan/virus/etc has provided an opening
> despite the firewall?
>
> I'd also consider the gray areas in between, like worms/trojans that
> transfer info (passwds, etc) back through SMTP, HTTP, or IRC.

I was thinking more of the first example, an ssh/stunnel/other tunnel
out from the infected host to some other compromised box, which would
give an attacker a wormhole into the center of a corporate network.
In realtime.

For sites which allow unrestricted outbound connections, it would
probably be impossible to detect if the trojan did nothing else
destructive to arouse suspicion.
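The reply above argues that a tunnel riding out over ssh or stunnel is hard to spot when egress is unrestricted. One practical starting point for a defender is connection-duration analysis on the firewall's own session log: a reverse tunnel has to stay up for the attacker to use it, so it shows up as an unusually long-lived outbound session on a tunnel-capable port from an internal host. The script below is an added example written for this archive entry, not code from either poster. It assumes a constructed, hypothetical space-separated connection-log format (start time, source, destination, destination port, protocol, duration in seconds), a site-specific list of internal address ranges, and a one-hour threshold that a real deployment would tune against its own baseline.

```python
"""Flag long-lived outbound sessions that could be carrying a reverse tunnel.

Added example for the thread above; the log format, address ranges and
threshold are assumptions, not taken from any vendor or from the posters.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample log (hypothetical format):
#   start_time src dst dst_port proto duration_seconds
SAMPLE_LOG = """\
2002-02-24T21:01:10 10.1.4.22 198.51.100.7 22 tcp 54213
2002-02-24T21:05:31 10.1.4.22 203.0.113.9 443 tcp 12
2002-02-24T21:06:02 10.1.4.80 203.0.113.40 80 tcp 3
2002-02-24T21:07:44 10.1.9.3 10.1.2.10 22 tcp 7200
2002-02-24T21:10:00 10.1.4.51 192.0.2.66 443 tcp 9100
"""

# Site-specific assumption: what counts as "inside" the firewall.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports the thread names as tunnel carriers (ssh, stunnel/TLS). Any port can
# carry a tunnel; these are simply the ones worth looking at first.
TUNNEL_PORTS = {22, 443}

# Assumed threshold in seconds; tune against the site's normal session lengths.
LONG_SESSION = 3600


@dataclass
class Conn:
    start: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    duration: int


def parse_log(text):
    """Parse the constructed log format into Conn records, skipping blank lines."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, src, dst, dport, proto, dur = line.split()
        conns.append(Conn(start, ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(dport), proto, int(dur)))
    return conns


def is_internal(addr):
    # Explicit site ranges rather than ipaddress.is_private, which also
    # treats documentation/test ranges as non-global.
    return any(addr in net for net in INTERNAL_NETS)


def is_egress(c):
    """True when the session originates inside and terminates outside."""
    return is_internal(c.src) and not is_internal(c.dst)


def suspicious_tunnels(conns, long_session=LONG_SESSION):
    """Outbound sessions on tunnel-capable ports that stayed up unusually long."""
    return [c for c in conns
            if is_egress(c) and c.dport in TUNNEL_PORTS and c.duration >= long_session]


if __name__ == "__main__":
    for c in suspicious_tunnels(parse_log(SAMPLE_LOG)):
        print(f"{c.start} {c.src} -> {c.dst}:{c.dport}/{c.proto} up for {c.duration}s")
```

Two sessions in the sample trip the rule: the 15-hour ssh session from 10.1.4.22 and the 2.5-hour 443 session from 10.1.4.51; the internal-to-internal ssh session on 10.1.9.3 is ignored because it never crosses the perimeter. Duration alone will also catch legitimate long-lived VPN or HTTPS keepalive traffic, so in practice the hit list is joined against an allow-list of known destinations and against per-host history before anyone is paged.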




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
